本文档风哥主要介绍MariaDB的初始安全加固与权限最小化配置,包括安全加固措施、权限管理、安全审计等内容。风哥教程参考MariaDB官方文档Security内容,适合数据库管理员学习和实施。
Part01-基础概念与理论知识
1.1 安全加固概述
MariaDB安全加固包括:
- 密码策略
- 访问控制
- 网络安全
- 数据加密
- 审计日志
1.2 权限管理基础
MariaDB权限管理包括:
- 用户管理
- 权限授予
- 权限撤销
- 权限检查
1.3 最小权限原则
最小权限原则是指:
- 只授予用户必要的权限
- 避免使用root用户
- 定期检查和清理权限
- 使用角色管理权限
更多视频教程www.fgedu.net.cn
Part02-生产环境规划与建议
2.1 安全规划
风哥提示:生产环境应制定全面的安全规划,包括访问控制、数据保护、审计监控等方面。
2.2 权限规划
权限规划建议:
- 按角色分配权限
- 按业务需求分配权限
- 定期审查权限
- 使用权限继承
2.3 安全最佳实践
安全最佳实践:
- 使用强密码
- 限制远程访问
- 启用SSL/TLS
- 定期备份
- 更新软件版本
学习交流加群风哥微信: itpux-com
Part03-生产环境项目实施方案
3.1 初始安全加固
更多学习教程公众号风哥教程itpux_com
# 运行安全初始化脚本
[root@fgedu.net.cn ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
… Success!
Normally, root should only be allowed to connect from ‘fgedu.localhost’. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
… Success!
By default, MariaDB comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
… Success!
Cleaning up…
All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure. Thanks for using MariaDB!
[root@fgedu.net.cn ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
… Success!
Normally, root should only be allowed to connect from ‘fgedu.localhost’. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
… Success!
By default, MariaDB comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
… Success!
Cleaning up…
All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure. Thanks for using MariaDB!
3.2 权限配置
# 创建用户并分配最小权限
[root@fgedu.net.cn ~]# mysql -u root -p
Enter password:
# 创建只读用户
MariaDB [(none)]> CREATE USER ‘fgedu_read’@’fgedu.localhost’ IDENTIFIED BY ‘ReadPassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT SELECT ON fgedudb.* TO ‘fgedu_read’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 创建读写用户
MariaDB [(none)]> CREATE USER ‘fgedu_write’@’fgedu.localhost’ IDENTIFIED BY ‘WritePassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON fgedudb.* TO ‘fgedu_write’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 创建管理员用户
MariaDB [(none)]> CREATE USER ‘fgedu_admin’@’fgedu.localhost’ IDENTIFIED BY ‘AdminPassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON fgedudb.* TO ‘fgedu_admin’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 刷新权限
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
# 查看用户权限
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_read’@’fgedu.localhost’;
+————————————————————————————————————-+
| Grants for fgedu_read@fgedu.localhost |
+————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_read`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT SELECT ON `fgedudb`.* TO `fgedu_read`@`fgedu.localhost` |
+————————————————————————————————————-+
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_write’@’fgedu.localhost’;
+——————————————————————————————————————-+
| Grants for fgedu_write@fgedu.localhost |
+——————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_write`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `fgedudb`.* TO `fgedu_write`@`fgedu.localhost` |
+——————————————————————————————————————-+
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_admin’@’fgedu.localhost’;
+——————————————————————————————————————-+
| Grants for fgedu_admin@fgedu.localhost |
+——————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_admin`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT ALL PRIVILEGES ON `fgedudb`.* TO `fgedu_admin`@`fgedu.localhost` |
+——————————————————————————————————————-+
[root@fgedu.net.cn ~]# mysql -u root -p
Enter password:
# 创建只读用户
MariaDB [(none)]> CREATE USER ‘fgedu_read’@’fgedu.localhost’ IDENTIFIED BY ‘ReadPassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT SELECT ON fgedudb.* TO ‘fgedu_read’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 创建读写用户
MariaDB [(none)]> CREATE USER ‘fgedu_write’@’fgedu.localhost’ IDENTIFIED BY ‘WritePassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON fgedudb.* TO ‘fgedu_write’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 创建管理员用户
MariaDB [(none)]> CREATE USER ‘fgedu_admin’@’fgedu.localhost’ IDENTIFIED BY ‘AdminPassword!123’;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON fgedudb.* TO ‘fgedu_admin’@’fgedu.localhost’;
Query OK, 0 rows affected (0.00 sec)
# 刷新权限
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
# 查看用户权限
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_read’@’fgedu.localhost’;
+————————————————————————————————————-+
| Grants for fgedu_read@fgedu.localhost |
+————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_read`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT SELECT ON `fgedudb`.* TO `fgedu_read`@`fgedu.localhost` |
+————————————————————————————————————-+
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_write’@’fgedu.localhost’;
+——————————————————————————————————————-+
| Grants for fgedu_write@fgedu.localhost |
+——————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_write`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `fgedudb`.* TO `fgedu_write`@`fgedu.localhost` |
+——————————————————————————————————————-+
MariaDB [(none)]> SHOW GRANTS FOR ‘fgedu_admin’@’fgedu.localhost’;
+——————————————————————————————————————-+
| Grants for fgedu_admin@fgedu.localhost |
+——————————————————————————————————————-+
| GRANT USAGE ON *.* TO `fgedu_admin`@`fgedu.localhost` IDENTIFIED BY PASSWORD ‘*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29’ |
| GRANT ALL PRIVILEGES ON `fgedudb`.* TO `fgedu_admin`@`fgedu.localhost` |
+——————————————————————————————————————-+
3.3 安全审计
# 启用审计日志
[root@fgedu.net.cn ~]# cat >> /etc/my.cnf << 'EOF'
# 审计日志
general_log = 1
general_log_file = /mariadb/logs/general.log
# 慢查询日志
slow_query_log = 1
slow_query_log_file = /mariadb/logs/slow.log
long_query_time = 1
# 错误日志
log_error = /mariadb/logs/mariadb.err
EOF
# 重启服务
[root@fgedu.net.cn ~]# systemctl restart mariadb
# 查看连接日志
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/general.log
2026-04-07 17:00:00 10 [Note] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Note] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Note] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Note] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
# 查看错误日志
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/mariadb.err
2026-04-07 17:00:00 10 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Warning] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Warning] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
[root@fgedu.net.cn ~]# cat >> /etc/my.cnf << 'EOF'
# 审计日志
general_log = 1
general_log_file = /mariadb/logs/general.log
# 慢查询日志
slow_query_log = 1
slow_query_log_file = /mariadb/logs/slow.log
long_query_time = 1
# 错误日志
log_error = /mariadb/logs/mariadb.err
EOF
# 重启服务
[root@fgedu.net.cn ~]# systemctl restart mariadb
# 查看连接日志
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/general.log
2026-04-07 17:00:00 10 [Note] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Note] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Note] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Note] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
# 查看错误日志
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/mariadb.err
2026-04-07 17:00:00 10 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Warning] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Warning] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
学习交流加群风哥QQ113257174
Part04-生产案例与实战讲解
4.1 安全加固实战
# 配置网络访问控制
[root@fgedu.net.cn ~]# cat >> /etc/my.cnf << 'EOF'
# 网络安全
bind-address = 127.0.0.1
skip-networking = 0
EOF
# 重启服务
[root@fgedu.net.cn ~]# systemctl restart mariadb
# 检查网络监听
[root@fgedu.net.cn ~]# netstat -tlnp | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 6789/mysqld
# 测试远程连接
[root@remote-server ~]# mysql -h 192.168.1.10 -u root -p
Enter password:
ERROR 2003 (HY000): Can’t connect to MySQL server on ‘192.168.1.10’ (111)
# 测试本地连接
[root@fgedu.net.cn ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 8
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]>
[root@fgedu.net.cn ~]# cat >> /etc/my.cnf << 'EOF'
# 网络安全
bind-address = 127.0.0.1
skip-networking = 0
EOF
# 重启服务
[root@fgedu.net.cn ~]# systemctl restart mariadb
# 检查网络监听
[root@fgedu.net.cn ~]# netstat -tlnp | grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 6789/mysqld
# 测试远程连接
[root@remote-server ~]# mysql -h 192.168.1.10 -u root -p
Enter password:
ERROR 2003 (HY000): Can’t connect to MySQL server on ‘192.168.1.10’ (111)
# 测试本地连接
[root@fgedu.net.cn ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 8
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]>
4.2 权限配置实战
# 测试只读用户权限
[root@fgedu.net.cn ~]# mysql -u fgedu_read -pReadPassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 9
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
MariaDB [fgedudb]> SELECT * FROM fgedu_users;
+—-+——–+———————-+———————+
| id | name | email | created_at |
+—-+——–+———————-+———————+
| 1 | 张三 | zhangsan@fgedu.net.cn | 2026-04-07 15:10:00 |
| 2 | 李四 | lisi@fgedu.net.cn | 2026-04-07 15:10:00 |
| 3 | 王五 | wangwu@fgedu.net.cn | 2026-04-07 15:10:00 |
+—-+——–+———————-+———————+
3 rows in set (0.00 sec)
# 测试插入操作(应该失败)
MariaDB [fgedudb]> INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’);
ERROR 1142 (42000): INSERT command denied to user ‘fgedu_read’@’fgedu.localhost’ for table ‘fgedu_users’
# 测试读写用户权限
[root@fgedu.net.cn ~]# mysql -u fgedu_write -pWritePassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 10
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
# 测试插入操作(应该成功)
MariaDB [fgedudb]> INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’);
Query OK, 1 row affected (0.00 sec)
# 测试创建表操作(应该失败)
MariaDB [fgedudb]> CREATE TABLE fgedu_test (id INT PRIMARY KEY);
ERROR 1142 (42000): CREATE command denied to user ‘fgedu_write’@’fgedu.localhost’ for table ‘fgedu_test’
# 测试管理员用户权限
[root@fgedu.net.cn ~]# mysql -u fgedu_admin -pAdminPassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 11
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
# 测试创建表操作(应该成功)
MariaDB [fgedudb]> CREATE TABLE fgedu_test (id INT PRIMARY KEY);
Query OK, 0 rows affected (0.01 sec)
[root@fgedu.net.cn ~]# mysql -u fgedu_read -pReadPassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 9
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
MariaDB [fgedudb]> SELECT * FROM fgedu_users;
+—-+——–+———————-+———————+
| id | name | email | created_at |
+—-+——–+———————-+———————+
| 1 | 张三 | zhangsan@fgedu.net.cn | 2026-04-07 15:10:00 |
| 2 | 李四 | lisi@fgedu.net.cn | 2026-04-07 15:10:00 |
| 3 | 王五 | wangwu@fgedu.net.cn | 2026-04-07 15:10:00 |
+—-+——–+———————-+———————+
3 rows in set (0.00 sec)
# 测试插入操作(应该失败)
MariaDB [fgedudb]> INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’);
ERROR 1142 (42000): INSERT command denied to user ‘fgedu_read’@’fgedu.localhost’ for table ‘fgedu_users’
# 测试读写用户权限
[root@fgedu.net.cn ~]# mysql -u fgedu_write -pWritePassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 10
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
# 测试插入操作(应该成功)
MariaDB [fgedudb]> INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’);
Query OK, 1 row affected (0.00 sec)
# 测试创建表操作(应该失败)
MariaDB [fgedudb]> CREATE TABLE fgedu_test (id INT PRIMARY KEY);
ERROR 1142 (42000): CREATE command denied to user ‘fgedu_write’@’fgedu.localhost’ for table ‘fgedu_test’
# 测试管理员用户权限
[root@fgedu.net.cn ~]# mysql -u fgedu_admin -pAdminPassword!123
Enter password:
Welcome to the MariaDB monitor. Commands end with;
or \g.
Your MariaDB connection id is 11
Server version: 10.11.8-MariaDB Source distribution
MariaDB [(none)]> USE fgedudb;
Database changed
# 测试创建表操作(应该成功)
MariaDB [fgedudb]> CREATE TABLE fgedu_test (id INT PRIMARY KEY);
Query OK, 0 rows affected (0.01 sec)
4.3 安全审计实战
# 查看审计日志
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/general.log
2026-04-07 17:10:00 9 Connect fgedu_read@fgedu.localhost on fgedudb
2026-04-07 17:10:00 9 Query SELECT * FROM fgedu_users
2026-04-07 17:10:05 9 Query INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’)
2026-04-07 17:10:05 9 Quit
2026-04-07 17:10:10 10 Connect fgedu_write@fgedu.localhost on fgedudb
2026-04-07 17:10:10 10 Query INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’)
2026-04-07 17:10:15 10 Query CREATE TABLE fgedu_test (id INT PRIMARY KEY)
2026-04-07 17:10:15 10 Quit
2026-04-07 17:10:20 11 Connect fgedu_admin@fgedu.localhost on fgedudb
2026-04-07 17:10:20 11 Query CREATE TABLE fgedu_test (id INT PRIMARY KEY)
2026-04-07 17:10:25 11 Quit
# 分析安全日志
[root@fgedu.net.cn ~]# grep “Access denied” /mariadb/logs/mariadb.err
2026-04-07 17:00:00 10 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Warning] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Warning] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
# 定期清理日志
[root@fgedu.net.cn ~]# cat > /mariadb/scripts/clean_logs.sh << 'EOF'
#!/bin/bash
# clean_logs.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: `http://www.fgedu.net.cn`
# 清理日志文件
find /mariadb/logs -name “*.log” -mtime +7 -delete
find /mariadb/logs -name “*.err” -mtime +7 -delete
# 清理二进制日志
mysql -u root -p -e “PURGE BINARY LOGS BEFORE DATE_SUB(NOW(), INTERVAL 7 DAY);
”
echo “日志清理完成!”
EOF
# 执行清理脚本
[root@fgedu.net.cn ~]# chmod +x /mariadb/scripts/clean_logs.sh
[root@fgedu.net.cn ~]# /mariadb/scripts/clean_logs.sh
Enter password:
日志清理完成!
[root@fgedu.net.cn ~]# tail -f /mariadb/logs/general.log
2026-04-07 17:10:00 9 Connect fgedu_read@fgedu.localhost on fgedudb
2026-04-07 17:10:00 9 Query SELECT * FROM fgedu_users
2026-04-07 17:10:05 9 Query INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’)
2026-04-07 17:10:05 9 Quit
2026-04-07 17:10:10 10 Connect fgedu_write@fgedu.localhost on fgedudb
2026-04-07 17:10:10 10 Query INSERT INTO fgedu_users (name, email) VALUES (‘赵六’, ‘zhaoliu@fgedu.net.cn’)
2026-04-07 17:10:15 10 Query CREATE TABLE fgedu_test (id INT PRIMARY KEY)
2026-04-07 17:10:15 10 Quit
2026-04-07 17:10:20 11 Connect fgedu_admin@fgedu.localhost on fgedudb
2026-04-07 17:10:20 11 Query CREATE TABLE fgedu_test (id INT PRIMARY KEY)
2026-04-07 17:10:25 11 Quit
# 分析安全日志
[root@fgedu.net.cn ~]# grep “Access denied” /mariadb/logs/mariadb.err
2026-04-07 17:00:00 10 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: YES)
2026-04-07 17:00:10 11 [Warning] Access denied for user ‘fgedu_read’@’fgedu.localhost’ (using password: NO)
2026-04-07 17:00:20 12 [Warning] Access denied for user ‘root’@’192.168.1.100’ (using password: YES)
2026-04-07 17:00:30 13 [Warning] Access denied for user ‘anonymous’@’fgedu.localhost’ (using password: NO)
# 定期清理日志
[root@fgedu.net.cn ~]# cat > /mariadb/scripts/clean_logs.sh << 'EOF'
#!/bin/bash
# clean_logs.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: `http://www.fgedu.net.cn`
# 清理日志文件
find /mariadb/logs -name “*.log” -mtime +7 -delete
find /mariadb/logs -name “*.err” -mtime +7 -delete
# 清理二进制日志
mysql -u root -p -e “PURGE BINARY LOGS BEFORE DATE_SUB(NOW(), INTERVAL 7 DAY);
”
echo “日志清理完成!”
EOF
# 执行清理脚本
[root@fgedu.net.cn ~]# chmod +x /mariadb/scripts/clean_logs.sh
[root@fgedu.net.cn ~]# /mariadb/scripts/clean_logs.sh
Enter password:
日志清理完成!
风哥提示:安全开发是防止SQL注入的第一道防线
Part05-风哥经验总结与分享
5.1 常见安全问题与解决
- 弱密码:使用强密码策略,定期更换密码
- 权限过大:遵循最小权限原则,定期审查权限
- 远程访问:限制远程访问,使用SSL加密
- 审计缺失:启用审计日志,定期分析
- 版本过时:及时更新MariaDB版本
5.2 权限管理最佳实践
风哥提示:生产环境应建立完善的权限管理体系,包括用户管理、权限分配、定期审查等环节。
5.3 安全检查清单
- 密码策略:使用强密码,定期更换
- 访问控制:限制远程访问,使用防火墙
- 权限管理:遵循最小权限原则
- 审计监控:启用审计日志,定期分析
- 数据保护:定期备份,加密敏感数据
- 系统安全:更新系统和软件版本
from MariaDB视频:www.itpux.com
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
联系我们
在线咨询:
微信号:itpux-com
工作日:9:30-18:30,节假日休息