阿里云-云小站(无限量代金券发放中)
【腾讯云】云服务器、云数据库、COS、CDN、短信等热卖云产品特惠抢购

CentOS 6.5安装MySQL 5.6.10及安全配置

175次阅读
没有评论

共计 7044 个字符,预计需要花费 18 分钟才能阅读完成。

注:以下所有操作均在 CentOS 6.5 x86_64 位系统下完成。

# 准备工作 #

在安装 MySQL 之前,请确保已经使用 yum 安装了各类基础组件,具体见下面的《CentOS 安装 LNMP 环境的基础组件》。

然后创建 mysql 的用户组和用户,并且不允许登录权限:

# id mysql
id: mysql:无此用户
# groupadd mysql
# useradd -g mysql -s /sbin/nologin mysql
# id mysql
uid=500(mysql) gid=500(mysql) 组 =500(mysql) 

#MySQL 的 安装#

给 MySQL 的安装准备目录:

# mkdir -p /data/mysql/data
# chown -R mysql:mysql /data/mysql

开始源码安装 MySQL:

# cd /usr/local/src
# wget http://dev.mysql.com/get/Downloads/MySQL-5.6/mysql-5.6.10.tar.gz
# tar zxf mysql-5.6.10.tar.gz
# cd mysql-5.6.10

# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql-5.6.10 -DSYSCONFDIR=/usr/local/mysql-5.6.10/etc -DMYSQL_UNIX_ADDR=/usr/local/mysql-5.6.10/tmp/mysql.sock -DMYSQL_TCP_PORT=3306 -DMYSQL_USER=mysql -DMYSQL_DATADIR=/data/mysql/data -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci -DWITH_MYISAM_STORAGE_ENGINE=1 -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITH_BLACKHOLE_STORAGE_ENGINE=1 -DENABLED_LOCAL_INFILE=1

...
CMake Warning:
  Manually-specified variables were not used by the project:

    MYSQL_USER

-- Build files have been written to: /usr/local/src/mysql-5.6.10

# make && make install
# mkdir -p /usr/local/mysql-5.6.10/etc
# mkdir -p /usr/local/mysql-5.6.10/tmp
# ln -s /usr/local/mysql-5.6.10/ /usr/local/mysql
# chown -R mysql:mysql /usr/local/mysql-5.6.10
# chown -R mysql:mysql /usr/local/mysql

给当前环境添加 MySQL 的 bin 目录:

# vim /etc/profile

export MYSQL_HOME=/usr/local/mysql
export PATH=$PATH:$MYSQL_HOME/bin

$ source /etc/profile

执行初初始化配置脚本并创建系统自带的数据库和表:

# cd /usr/local/mysql
# scripts/mysql_install_db --user=mysql --datadir=/data/mysql/data
...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

  ./bin/mysqladmin -u root password 'new-password'
  ./bin/mysqladmin -u root -h iZ94mobdenkZ password 'new-password'

Alternatively you can run:

  ./bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:

  cd . ; ./bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl

  cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the ./bin/mysqlbug script!

The latest information about MySQL is available on the web at

  http://www.mysql.com

Support MySQL by buying support/licenses at http://shop.mysql.com

WARNING: Found existing config file ./my.cnf on the system.
Because this file might be in use, it was not replaced,
but was used in bootstrap (unless you used --defaults-file)
and when you later start the server.
The new default config file was created as ./my-new.cnf,
please compare it with your file and take the changes you need.

WARNING: Default config file /etc/my.cnf exists on the system
This file will be read by default by the MySQL server
If you do not want to use this, either remove it, or use the
--defaults-file argument to mysqld_safe when starting the server

注:由于 MySQL 在启动的时候,会先去 /etc/my.cnf 找配置文件,如果没有找到则搜索 $basedir/my.cnf,也即 /usr/local/mysql-5.6.10/my.cnf,所以必须确保 /etc/my.cnf 没有存在,否则可能导致无法启动。

实际操作上发现系统上存在该文件,所以这里可能需要将该文件先备份改名,然后再根据上面的配置写配置文件:

# mv /etc/my.cnf /etc/my.cnf.bak

# vim /usr/local/mysql-5.6.10/my.cnf
[mysqld]

basedir=/usr/local/mysql-5.6.10
datadir=/data/mysql/data
socket=/usr/local/mysql-5.6.10/tmp/mysql.sock
user=mysql

sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES

修改 MySQL 用户 root 的密码,这里使用 mysqld_safe 安全模式启动:

# mysqld_safe --user=mysql --skip-grant-tables --skip-networking &

[1] 3970
[root@iZ94mobdenkZ ~]# 141230 19:02:31 mysqld_safe Logging to '/data/mysql/data/centos.err'.
141230 19:02:32 mysqld_safe Starting mysqld daemon with databases from /data/mysql/data

这个时候已经启动了 mysqd_safe 安全模式,另开一个窗口作为客户端连入 MySQL 服务器:

# mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.10 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
mysql> update user set password=password('yourpassword') where user='root';
mysql> flush privileges;
mysql> exit;

修改完毕之后使用 kill 把 mysqld_safe 进程杀死:

# ps aux | grep mysql
root      3970  0.0  0.2 106308  1492 pts/1    S    19:02   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=mysql --skip-grant-tables --skip-networking
mysql     4143  0.1 18.0 558280 90316 pts/1    Sl   19:02   0:00 /usr/local/mysql-5.6.10/bin/mysqld --basedir=/usr/local/mysql-5.6.10 --datadir=/data/mysql/data --plugin-dir=/usr/local/mysql-5.6.10/lib/plugin --user=mysql --skip-grant-tables --skip-networking --log-error=/data/mysql/data/centos.err --pid-file=/data/mysql/data/centos.pid --socket=/usr/local/mysql-5.6.10/tmp/mysql.sock
root      4313  0.0  0.1 103252   836 pts/0    S+   19:05   0:00 grep mysql

# kill -9 3970
# kill -9 4143

或者回到刚才启动 mysqld_safe 的窗口 ctrl+ c 将进程杀死也行。

复制服务启动脚本:

# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
# chmod +x /etc/init.d/mysqld

设置开机启动 MySQL 服务并正常开启 MySQL 服务(非必要项):

# chkconfig mysqld on

# service mysqld
Usage: mysqld  {start|stop|restart|reload|force-reload|status}  [MySQL server options]

# service mysqld start
Starting MySQL.      

以后就可以直接通过 service mysqld 命令来开启 / 关闭 MySQL 数据库了。

最后,建议生产环境下运行安全设置脚本,禁止 root 用户远程连接,移除 test 数据库和匿名用户等:

# /usr/local/mysql-5.6.10/bin/mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):

注:上面输入的 root 密码指的是前面设置的 MySQL 的 root 账户的密码。

至此,MySQL 数据库已经安装完毕。

#MySQL 的安全配置 #

1、确保启动 MySQL 不能使用系统的 root 账号,必须是新建的 mysql 账号,比如:

# mysqld_safe --user=mysql

2、MySQL 安装好运行初始化数据库后,默认的 root 账户密码为空,必须给其设置一个密码,同时保证该密码具有较高的安全性。比如:

mysql> user mysql;
mysql> update user set password=password('yourpassword') where user='root';
mysql> flush privileges;

3、删除默认数据库及用户:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
mysql> drop daabase test;
mysql> use mysql;
mysql> select host,user from user;
+--------------+------+
| host         | user |
+--------------+------+
| 127.0.0.1    | root |
| ::1          | root |
| centos       |      |
| centos       | root |
| localhost    |      |
| localhost    | root |
+--------------+------+
mysql> delete from user where not(host='localhost' and user='root');
mysql> flush privileges;

注:上面的 user 表中的数据可能会有所不同。

4、当开发网站连接数据库的时候,建议建立一个用户只针对某个库有 update/select/delete/insert/drop table/create table 等权限,减小某个项目的数据库的用户名和密码被窃取后造成其他项目受影响,比如:

mysql>create database yourdbname default charset utf8 collate utf8_general_ci;
mysql>create user 'yourusername'@'localhost' identified by 'yourpassword';
mysql> grant select,insert,update,delete,create,drop privileges on yourdbname.* To 'yourusername'@localhost identified by 'yourpassword';

5、数据库文件所在的目录不允许未经授权的用户访问,需要控制对该目录的访问,比如:

# chown -R mysql:mysql /data/mysql/data
# chmod -R go-rwx /data/mysql/data

CentOS 安装 LNMP 环境的基础组件

在安装 LNMP 环境之前,请确保已经使用 yum 安装了以下各类基础组件(如果系统已自带,还可以考虑 yum update 下基础组件):

  • gcc
  • cmake
  • openssl+openssl-devel
  • pcre+pcre-devel
  • bzip2+bzip2-devel
  • libcurl+curl+curl-devel
  • libjpeg+libjpeg-devel
  • libpng+libpng-devel
  • freetype+freetype-devel
  • php-mcrypt+libmcrypt+libmcrypt-devel
  • libxslt+libxslt-devel
  • gmp+gmp-devel
  • libxml2+libxml2-devel
  • mhash
  • ncurses+ncurses-devel
  • xml2

本文永久更新链接地址:http://www.linuxidc.com/Linux/2016-12/137981.htm

正文完
星哥玩云-微信公众号
post-qrcode
 0
星锅
版权声明:本站原创文章,由 星锅 于2022-01-22发表,共计7044字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
【腾讯云】推广者专属福利,新客户无门槛领取总价值高达2860元代金券,每种代金券限量500张,先到先得。
阿里云-最新活动爆款每日限量供应
评论(没有评论)
验证码
【腾讯云】云服务器、云数据库、COS、CDN、短信等云产品特惠热卖中