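MariaDB database server
Prerequisites
- A Rocky Linux server
- Proficiency with a command-line editor (this example uses vi)
- A high degree of comfort with issuing commands from the command line, viewing logs, and other general systems administrator duties
- An understanding of mariadb-server databases is helpful
- Run all commands as the root user or with sudo
Introduction
mariadb-server and its client mariadb are the open source alternatives to mysql-server and mysql, and they share command structure. mariadb-server runs on many web servers because the popular WordPress CMS requires it. This database has many other uses, though.
If you want to use this together with other tools for hardening a web server, refer to the Apache Hardened Web Server guide.
Installing mariadb-server
You need to install mariadb-server: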
dnf install mariadb-server
Securing mariadb-server
To strengthen the security of mariadb-server you need to run a script, but before you do, you need to enable and start mariadb:
systemctl enable --now mariadb
Next, run this command:
mysql_secure_installation
This brings up a dialog:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
Because this is a brand new installation, no root password is set. Just press Enter here.
The next part of the dialog continues:
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n]
Answer n and press Enter.
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n]
In fact, you have not set a password for the root user **or** used unix_socket authentication, so answer Y here and press Enter.
This brings up the password dialog:
New password:
Re-enter new password:
Enter your chosen password, then enter it again to confirm. If this succeeds, you will see the following dialog:
Password updated successfully!
Reloading privilege tables..
... Success!
Save this password in a password manager or a secure storage location.
Next, the dialog deals with the anonymous user:
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
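The answer here is "Y", so just press Enter to accept the default.
The dialog continues to the section dealing with allowing the root user to log in remotely: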
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
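The root user is normally only needed on the local machine, so accept this default by pressing Enter.
The dialog then moves on to the section about the "test" database that is automatically installed with mariadb-server: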
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
Again, the answer here is the default, so just press Enter to remove it.
Finally, the dialog asks whether you want to reload the privileges:
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
Again, press Enter to do this. If all goes well, you will receive this message:
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
MariaDB is now ready to use.
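To confirm that the anonymous user, remote root logins and the test database are really gone after the script finishes, a check like the following can be run. It is an added example, not part of the original guide or of MariaDB; the function names, finding labels and sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide: check the state that
# mysql_secure_installation is meant to leave behind.
TAB=$(printf '\t')

# Reads "user<TAB>host" rows (mysql -N -B output) on stdin, prints findings.
# The ( ) body runs in a subshell, so its variables stay local.
audit_accounts() (
    while IFS= read -r line; do
        case "$line" in *"$TAB"*) ;; *) continue ;; esac  # skip malformed rows
        # Split by hand: "IFS=<tab> read user host" would drop the empty
        # user field of an anonymous account, since tab is IFS whitespace.
        user=${line%%"$TAB"*}
        host=${line#*"$TAB"}
        if [ -z "$user" ]; then
            echo "ANONYMOUS_USER host=$host"
        elif [ "$user" = "root" ]; then
            case "$host" in
                localhost|127.0.0.1|::1) ;;  # local-only root is expected
                *) echo "REMOTE_ROOT host=$host" ;;
            esac
        fi
    done
)

# Reads one schema name per line on stdin, flags the default 'test' database.
audit_schemas() (
    while IFS= read -r name; do
        if [ "$name" = "test" ]; then echo "TEST_DATABASE name=$name"; fi
    done
)

# Constructed sample rows that include both problem cases.
sample_accounts() {
    printf '%s\t%s\n' root localhost root 127.0.0.1 root '%' '' localhost mysql localhost
}

# Live use on the server (prompts for the root password set earlier):
#   mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user" | audit_accounts
#   mysql -u root -p -N -B -e "SHOW DATABASES" | audit_schemas
sample_accounts | audit_accounts
printf '%s\n' information_schema mysql test | audit_schemas
```

On a server where every prompt was answered as described above, both live pipelines should print nothing.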
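Conclusion
A database server such as mariadb-server can be used for many purposes. Because of the popularity of the WordPress CMS, it is often found on web servers. Before running the database in production, though, it is a good idea to strengthen its security.
Author: Steven Spencer
Contributors: Ezequiel Bruni, William Perron, Ganna Zhyrnova, Joseph Brinkman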