Friday, 5 September 2025

MySQL important remarks: how to listen on the server IP, how to enforce TLS

CREATE USER 'xxx'@'IP' ...

This creates an account that is only allowed to connect when the client comes from that IP: the host part of the account name is a restriction on the client's address, not a server address.

It is different from the -h (host) option in the mysql client connection string:

that host IP says where the MySQL server is, not where the client is allowed to connect from.

----------------------------------


GRANT ALL PRIVILEGES ON `db1`.* TO `xxxx`@`IP`;

FLUSH PRIVILEGES;

This grants the user every privilege on the db1 database (and nothing on any other database). GRANT takes effect immediately; FLUSH PRIVILEGES is only required when the grant tables were edited directly, so running it here is harmless but not needed.

--------------------------------------------------------------------

sudo netstat -tulnp | grep 3306

tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      2985660/mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2985660/mysqld

This means MySQL only listens on localhost (3306 is the classic protocol port, 33060 the X protocol port). To make it listen on the server IP:

edit the config under /etc/mysql/mysql.conf.d (mysqld.cnf on Debian/Ubuntu) and set, in the [mysqld] section,

bind-address = 0.0.0.0

so it listens on the server IP; otherwise it will only listen on localhost. Note that 0.0.0.0 means every IPv4 address of the machine, not just the one you want; binding to the server's specific IP is the tighter choice, and in either case the user@IP host restriction above plus a firewall rule should limit who can reach port 3306.



---------------------------

Enforce SSL

MySQL TLS cert location and specification

Check where the config file is:

cat /etc/mysql/my.cnf

If that file includes /etc/mysql/conf.d/ (an !includedir line), go to /etc/mysql/conf.d/ and make your own custom file for TLS there, e.g. custom-mysqld-ssl.cnf.

This file needs chmod 644 (mysqld ignores option files that are world-writable).

 

[mysqld]
# Use server.chain for "requires SSL" authentication
ssl_ca=myca.chain
# Use combined.chain for "requires x509" authentication
#ssl_ca=combined.chain
ssl_cert=myserver.cert
ssl_key=myserver.key
#require_secure_transport=ON

!! Because these are relative file names, mysqld looks for the certs in its data directory, /var/lib/mysql/ (use absolute paths to keep them elsewhere).

Need 644 on all certs and mysql:mysql ownership on them, or mysqld cannot read them.
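As an added example (not from the original post), a small POSIX shell check for the rule above: it reads the ssl_ca/ssl_cert/ssl_key names out of the custom .cnf, resolves relative names against the datadir the way mysqld does, and verifies that each file exists, has mode 644 and is owned by the mysql user. The function name, the use of GNU stat and the default datadir /var/lib/mysql are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify the cert files a [mysqld] TLS fragment points at.
# check_mysql_tls_files CNF [DATADIR] [OWNER]
#   CNF     the custom-mysqld-ssl.cnf style file
#   DATADIR where mysqld resolves relative names (default /var/lib/mysql)
#   OWNER   expected file owner (default mysql)
# Returns 0 when every file passes, 1 otherwise, printing each problem.
# Assumes GNU stat (Linux); the function name is this example's own.
check_mysql_tls_files() {
    cnf=$1
    datadir=${2:-/var/lib/mysql}
    owner=${3:-mysql}
    rc=0
    for k in ca cert key; do
        # Take the last active ssl_<k>= / ssl-<k>= line; a commented-out
        # "#ssl_ca=..." is skipped just as mysqld skips it.
        val=$(sed -n "s/^[[:space:]]*ssl[_-]${k}[[:space:]]*=[[:space:]]*//p" "$cnf" \
              | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -z "$val" ]; then
            echo "ssl_$k: not set in $cnf"; rc=1; continue
        fi
        # Relative names are looked up under the datadir, not next to the .cnf
        case $val in
            /*) path=$val ;;
            *)  path="$datadir/$val" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "ssl_$k: $path missing (mysqld resolves '$val' under $datadir)"
            rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        who=$(stat -c '%U' "$path")
        [ "$mode" = 644 ] || { echo "ssl_$k: $path mode $mode, want 644"; rc=1; }
        [ "$who" = "$owner" ] || { echo "ssl_$k: $path owned by $who, want $owner"; rc=1; }
    done
    return $rc
}

# Stand-alone use: check_mysql_tls_files /etc/mysql/conf.d/custom-mysqld-ssl.cnf
if [ $# -gt 0 ]; then
    check_mysql_tls_files "$@"
fi
```

The 644 expectation on the key follows the post's rule; if you keep the private key at 600 (mysqld only needs it readable by the mysql user), adjust the expected mode for ssl_key accordingly.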

Check:

SHOW VARIABLES LIKE 'ssl%';
SHOW VARIABLES LIKE 'tls_version';

ALTER USER 'user'@'%' REQUIRE SSL;

REQUIRE SSL enforces TLS for that one account only; uncommenting require_secure_transport=ON in the config above enforces it server-wide for every TCP connection.

------------------------------------------------------------------------------------------------------------------------

sudo systemctl restart mysql
sudo systemctl status mysql

The restart is needed for the bind-address and TLS changes to take effect; check the status (and the error log) afterwards to confirm the certs were loaded.


