Security of Oracle listeners

Source: Internet
Author: User

1. Set the listener password [mandatory]
Setting a listener password prevents most attacks and is usually straightforward. You can set the password with LSNRCTL; it is then stored in encrypted form (in fact a simple hash, see section 6) in the listener.ora file. You can also edit listener.ora by hand and add the PASSWORDS_<listener_name> parameter, but a password added that way is stored in plaintext.

LSNRCTL> set current_listener <listener_name>
LSNRCTL> change_password
Old password: <enter the current password, if any>
New password: <enter new listener password>
Reenter new password: <enter new listener password again>
LSNRCTL> set password
Password: <enter listener password>
LSNRCTL> save_config

Check that the PASSWORDS_<listener_name> parameter now appears in the listener.ora file.

2. Enable logging [mandatory]
Enable logging for all listeners so that listener commands and brute-force password attempts are recorded.

LSNRCTL> set current_listener <listener_name>
LSNRCTL> set password
Password: <enter listener password>
LSNRCTL> set log_directory <ORACLE_HOME path>/network/admin
LSNRCTL> set log_file <SID name>.log
LSNRCTL> set log_status on
LSNRCTL> save_config

3. Set ADMIN_RESTRICTIONS in listener.ora [mandatory]
Setting ADMIN_RESTRICTIONS_<listener_name> to ON in the listener.ora file prevents any modification of the listener at runtime: all SET commands are disabled, whether issued locally or remotely, so every change must be made by editing listener.ora by hand.

listener.ora:
ADMIN_RESTRICTIONS_<listener_name> = ON

Use lsnrctl reload to make the change take effect: after editing listener.ora, run lsnrctl reload (or lsnrctl stop followed by lsnrctl start).

4. Apply the listener patch [mandatory]
Apply the latest listener patch available for the database version the application uses.

5. Restrict SQL*Net on the firewall [mandatory]
Unless absolutely required, do not allow SQL*Net traffic through the firewall. Firewall rules should permit SQL*Net only from known application and web servers. If an application must reach SQL*Net directly over the Internet, restrict the firewall rule to the specific hosts and port involved.

6. Secure the $TNS_ADMIN directory [mandatory]
The listener password is stored in the listener.ora file, and anyone who can edit that file can easily remove or change it. A password added to the file by hand is stored in plaintext; one added through lsnrctl is stored as a simple hash, which is easy to crack.
Read, write and execute permissions on the $TNS_ADMIN directory (usually $ORACLE_HOME/network/admin) must be granted only to the primary oracle user account; no other account should have access.

7. Remove unused services [mandatory]
Many default installations contain a listener entry for PL/SQL External Procedures (ExtProc). The entry, usually named ExtProc or PLSExtProc, is installed by default but rarely used.
Check the application or its documentation to determine whether ExtProc is used; if not, remove it from the listener.ora file. ExtProc has known security vulnerabilities.
Because listener.ora files are often copied between instances, they may contain old or unused entries. Review every service to determine whether it is used, and delete those that are not.
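The following script is an added example, not part of the original article: it audits a listener.ora for the items covered in sections 1, 3 and 7 (plaintext PASSWORDS_ entries, ADMIN_RESTRICTIONS not set to ON, leftover ExtProc entries). It assumes that password hashes written by lsnrctl are 16 hexadecimal digits, so any other value is reported as plaintext; the sample listener.ora, its host name and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit a listener.ora for
# plaintext passwords, missing ADMIN_RESTRICTIONS and ExtProc entries.
# Assumption: lsnrctl-written hashes are 16 hex digits; anything else is
# treated as a plaintext password. The sample file below is constructed.

# ora_extproc_entries FILE -> prints the number of lines mentioning ExtProc
ora_extproc_entries() {
    grep -ic 'extproc' "$1" || true
}

# ora_plaintext_passwords FILE -> prints each PASSWORDS_* parameter whose
# value is not a 16-hex-digit hash (i.e. was added by hand in plaintext)
ora_plaintext_passwords() {
    awk -F= 'toupper($1) ~ /^[ \t]*PASSWORDS_/ {
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
        if (length($2) != 16 || $2 !~ /^[0-9A-Fa-f]+$/) print $1
    }' "$1"
}

# ora_admin_restrictions FILE LISTENER_NAME -> 0 if ADMIN_RESTRICTIONS_<name> = ON
ora_admin_restrictions() {
    grep -iq "^[[:space:]]*ADMIN_RESTRICTIONS_$2[[:space:]]*=[[:space:]]*ON[[:space:]]*$" "$1"
}

# Constructed sample listener.ora (placeholder host and paths)
SAMPLE_ORA="${TMPDIR:-/tmp}/listener_sample.$$.ora"
trap 'rm -f "$SAMPLE_ORA"' EXIT
cat > "$SAMPLE_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle))
  )
PASSWORDS_LISTENER = secret123
PASSWORDS_LISTENER_B = 2D6C48EFB8AF1E3E
ADMIN_RESTRICTIONS_LISTENER = OFF
EOF

echo "ExtProc lines: $(ora_extproc_entries "$SAMPLE_ORA")"
echo "Plaintext password params: $(ora_plaintext_passwords "$SAMPLE_ORA")"
ora_admin_restrictions "$SAMPLE_ORA" LISTENER || echo "ADMIN_RESTRICTIONS_LISTENER is not ON"
```

Point the three functions at the real $TNS_ADMIN/listener.ora to audit a live configuration.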

8. Set up node validity checking [optional]
Depending on the application type and network configuration, node validity checking can be a powerful way to restrict who can communicate with the listener. Most web applications need listener access only from the application server and a small number of management clients.
The simplest way to verify which IP addresses connect is database auditing; we recommend enabling auditing at the session level.
For Oracle 9i, add the node validity checking lines to $ORACLE_HOME/network/admin/sqlnet.ora; for Oracle 8/8i, add them to $ORACLE_HOME/network/admin/protocol.ora.

tcp.validnode_checking = yes
tcp.invited_nodes = (x.x.x.x | name, x.x.x.x | name)
tcp.excluded_nodes = (x.x.x.x | name, x.x.x.x | name)

You can list either invited or excluded nodes, but not both. Wildcards and subnets are not supported; only IP addresses and host names are allowed. For finer-grained control, use Oracle Connection Manager.
The listener must be restarted for the check to take effect. There is no hard limit on the number of nodes that can be listed, but Oracle Connection Manager is the better solution for a large number of entries.
If many clients need to connect directly to the database over SQL*Net, node validity checking is usually impractical because the network configuration changes frequently. In that case, SQL*Net traffic must instead be blocked at the network level.

9. Monitor the log file [optional]
Every rejected password is recorded in the log file as a TNS-01169 error, so a brute-force password attack generates hundreds of thousands of them. Monitor the log file with a simple shell script or an administration tool and raise an alert when the number of TNS-01169 errors reaches a threshold.
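The script below is an added example, not part of the original article, of the monitoring described above: it counts TNS-01169 lines in a listener log and warns once they reach a threshold. The log path and threshold are placeholders, and the sample log lines are constructed to resemble listener.log output rather than copied from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): count TNS-01169 errors in
# a listener log and warn once they reach a threshold. Assumptions: the log
# path and threshold are placeholders; the sample log lines are constructed.

LISTENER_LOG="${LISTENER_LOG:-${ORACLE_HOME:-/placeholder/oracle_home}/network/admin/listener.log}"
THRESHOLD="${THRESHOLD:-20}"

# count_tns_01169 FILE -> prints the number of TNS-01169 lines (0 if none or unreadable)
count_tns_01169() {
    n=$(grep -c 'TNS-01169' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# check_threshold FILE THRESHOLD -> prints a warning and returns 0 when the
# count reaches THRESHOLD, returns 1 otherwise
check_threshold() {
    n=$(count_tns_01169 "$1")
    if [ "$n" -ge "$2" ]; then
        echo "WARNING: $n TNS-01169 (listener password rejected) errors in $1, threshold $2"
        return 0
    fi
    return 1
}

# Constructed sample listener.log: three rejected-password attempts
SAMPLE_LOG="${TMPDIR:-/tmp}/listener_sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
12-JAN-2024 10:15:01 * set password * 0
12-JAN-2024 10:15:09 * stop * 1169
TNS-01169: The listener has not recognized the password
12-JAN-2024 10:15:10 * stop * 1169
TNS-01169: The listener has not recognized the password
12-JAN-2024 10:15:11 * set log_status * 1169
TNS-01169: The listener has not recognized the password
12-JAN-2024 10:16:00 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51234)) * establish * orcl * 0
EOF

check_threshold "$SAMPLE_LOG" 3 || echo "below threshold"
# On a real system, run this from cron against the live log:
# check_threshold "$LISTENER_LOG" "$THRESHOLD"
```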
