mariadb_securisation
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente | ||
| mariadb_securisation [2023/07/05 19:20] – [Suite de la commande] pascal | mariadb_securisation [2023/07/05 19:46] (Version actuelle) – [Mot de passe root] pascal | ||
|---|---|---|---|
| Ligne 6: | Ligne 6: | ||
| Cette commande fait partie des packages mysql-server et mariadb-server. | Cette commande fait partie des packages mysql-server et mariadb-server. | ||
| ===== Exécution de la commande ===== | ===== Exécution de la commande ===== | ||
| + | ==== Saisie du mot de passe root actuel ==== | ||
| < | < | ||
| + | NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB | ||
| + | SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! | ||
| + | |||
| + | In order to log into MariaDB to secure it, we'll need the current | ||
| + | password for the root user. If you've just installed MariaDB, and | ||
| + | haven' | ||
| + | |||
| + | Enter current password for root (enter for none): | ||
| + | OK, successfully used password, moving on... | ||
| </ | </ | ||
| + | Pas de mot de passe. le user root se connecte via socket sans mot de passe. | ||
| - | ==== Suite de la commande | + | ==== Définition d'un mot de passe pour root ==== |
| - | < | + | < |
| + | |||
| + | Setting the root password or using the unix_socket ensures that nobody | ||
| + | can log into the MariaDB root user without the proper authorisation. | ||
| + | |||
| + | You already have your root account protected, so you can safely answer ' | ||
| + | |||
| + | Switch to unix_socket authentication [Y/n] n | ||
| + | ... skipping. | ||
| </ | </ | ||
| - | ==== Liste des utilisateurs | + | Il ne faut pas définir de mot de passe pour root afin de n' |
| - | < | + | ==== Définition d'un mot de passe pour root ==== |
| - | MariaDB [(none)]> | + | < |
| - | MariaDB [mysql]> use mysql; | + | You already have your root account protected, so you can safely answer ' |
| - | Database changed | + | |
| - | MariaDB [mysql]> select Host, User, Password from user; | + | |
| - | +-----------+-------------+----------+ | + | |
| - | | Host | User | Password | | + | |
| - | +-----------+-------------+----------+ | + | |
| - | | localhost | mariadb.sys | | | + | |
| - | | localhost | root | invalid | + | |
| - | | localhost | mysql | invalid | + | |
| - | +-----------+-------------+----------+ | + | |
| - | 3 rows in set (0,002 sec) | + | |
| - | MariaDB | + | Change the root password? |
| + | ... skipping. | ||
| </ | </ | ||
| - | ===== Configuration ===== | + | < |
| - | < | + | By default, a MariaDB installation has an anonymous user, allowing anyone |
| - | [mysqld] | + | to log into MariaDB without having to have a user account created for |
| - | # Instead of skip-networking the default is now to listen only on | + | them. This is intended only for testing, |
| - | # localhost which is more compatible | + | go a bit smoother. You should remove them before moving into a |
| - | bind-address | + | production environment. |
| + | |||
| + | Remove anonymous users? [Y/n] Y | ||
| + | | ||
| </ | </ | ||
| - | Object, autoriser | + | < |
| + | Normally, root should only be allowed to connect from ' | ||
| + | ensures that someone cannot guess at the root password from the network. | ||
| + | |||
| + | Disallow root login remotely? [Y/n] n | ||
| + | ... skipping. | ||
| + | </ | ||
| + | ==== Suite de la commande ==== | ||
| + | < | ||
| + | |||
| + | Setting the root password or using the unix_socket ensures that nobody | ||
| + | can log into the MariaDB root user without the proper authorisation. | ||
| + | |||
| + | You already have your root account protected, so you can safely answer ' | ||
| + | |||
| + | Switch to unix_socket authentication [Y/n] n | ||
| + | ... skipping. | ||
| + | |||
| + | You already have your root account protected, so you can safely answer ' | ||
| + | |||
| + | Change the root password? [Y/n] n | ||
| + | ... skipping. | ||
| + | |||
| + | By default, a MariaDB installation has an anonymous user, allowing anyone | ||
| + | to log into MariaDB without having to have a user account created for | ||
| + | them. This is intended only for testing, and to make the installation | ||
| + | go a bit smoother. | ||
| + | production environment. | ||
| + | |||
| + | Remove anonymous users? [Y/n] Y | ||
| + | ... Success! | ||
| + | |||
| + | Normally, root should only be allowed to connect from ' | ||
| + | ensures that someone cannot guess at the root password from the network. | ||
| + | |||
| + | Disallow root login remotely? [Y/n] n | ||
| + | ... skipping. | ||
| + | |||
| + | By default, MariaDB comes with a database named ' | ||
| + | access. | ||
| + | before moving into a production environment. | ||
| + | |||
| + | Remove test database and access to it? [Y/n] Y | ||
| + | - Dropping test database... | ||
| + | ... Success! | ||
| + | - Removing privileges on test database... | ||
| + | ... Success! | ||
| + | |||
| + | Reloading the privilege tables will ensure that all changes made so far | ||
| + | will take effect immediately. | ||
| + | |||
| + | Reload privilege tables now? [Y/n] Y | ||
| + | ... Success! | ||
| + | |||
| + | Cleaning up... | ||
| + | |||
| + | All done! If you've completed all of the above steps, your MariaDB | ||
| + | installation should now be secure. | ||
| + | |||
| + | </ | ||
| ===== Suite ===== | ===== Suite ===== | ||
mariadb_securisation.1688584820.txt.gz · Dernière modification : 2023/07/05 19:20 de pascal