|
When you connect to a MySQL server, you should normally use
a password. The password is not transmitted in clear text over the connection.
All other information is transferred as text that can be read by anyone that
is able to watch the connection. If you are concerned about this, you can
use the compressed protocol (in MySQL 3.22 and above) to make things
much harder. To make things even more secure you should install ssh
(see http://www.cs.hut.fi/ssh). With this, you can get an encrypted
TCP/IP connection between a MySQL server and a MySQL
client.
To make a MySQL system secure, you should strongly consider the
following suggestions:
The following mysqld options affect security:
--secure
-
IP numbers returned by the
gethostbyname() system call are checked to
make sure they resolve back to the original hostname. This makes it harder
for someone on the outside to get access by simulating another host. This
option also adds some sanity checks of hostnames. The option is turned off
by default in MySQL 3.21 since it sometimes takes a long time to
perform backward resolutions. MySQL 3.22 caches hostnames and has
this option enabled by default.
--skip-grant-tables
-
This option causes the server not to use the privilege system at all. This
gives everyone full access to all databases! (You can tell a running
server to start using the grant tables again by executing
mysqladmin
reload .)
--skip-name-resolve
-
Hostnames are not resolved. All
Host column values in the grant
tables must be IP numbers or localhost .
--skip-networking
-
Don't allow TCP/IP connections over the network. All connections to
mysqld must be made via Unix sockets. This option is unsuitable for
systems that use MIT-pthreads, because the MIT-pthreads package doesn't
support Unix sockets.
|