11 Oracle listener protection methods (1)

Source: Internet
Author: User

The Oracle listener on RHEL4 can be abused by attackers in many ways, so there are a number of measures for protecting it. This article introduces 11 methods to protect the RHEL4 Oracle listener, one by one.

1. Set a password for the RHEL4 Oracle listener

Setting a listener password is enough to defend against most novice attackers. There are two ways to set the password: use the lsnrctl command, or edit the listener.ora file directly. A password set with the first method is stored encrypted in listener.ora, while the second method stores it in plaintext in listener.ora, so the first method is recommended. The commands are as follows:
LSNRCTL> set current_listener <listener Name>
LSNRCTL> change_password
Old password: <press enter if no password is set before>
New password: <enter a New password>
Reenter new password: <enter the new password again>
LSNRCTL> set password
Password: <enter the new password you just set>
LSNRCTL> save_config

After setting the password, open listener.ora and check that it contains a PASSWORDS_<listener name> record, similar to PASSWORDS_LISTENER = F4BAA4A006C26134. After a password is set for the listener, you must reconfigure the connection to the client.

2. Enable logging for the RHEL4 Oracle listener

Enabling listener logging captures listener commands and helps guard against brute-force password cracking. To enable listener logging, run the following commands:
LSNRCTL> set current_listener <listener Name>
LSNRCTL> set password
Password: <enter the listener password>
LSNRCTL> set log_directory /network/admin
LSNRCTL> set log_file .log
LSNRCTL> set log_status on
LSNRCTL> save_config

After running the preceding commands, the listener creates a .log file in the /network/admin directory. You can open this file to view some common ORA- error messages.

3. Set ADMIN_RESTRICTIONS in listener.ora for the RHEL4 Oracle listener

Once the ADMIN_RESTRICTIONS parameter is set in the listener.ora file, no administrative operations can be performed on the listener while it is running. The set command becomes unavailable, whether it is issued locally on the server or remotely. To change the listener settings, you have to edit the listener.ora file by hand, and for the change to take effect you must reload the listener configuration with the lsnrctl reload command or the lsnrctl stop/start commands. Manually add the following line to the listener.ora file: ADMIN_RESTRICTIONS_<listener name> = ON
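
The checks from sections 1 to 3 can be run against a listener.ora file in one pass. The following is an added example, not part of the original article: the sample files are constructed, the 16-hex-digit test for an encrypted password is inferred from the article's PASSWORDS_LISTENER example, and the LOGGING_<listener name> parameter name is an assumption about how the log_status setting is saved.

```python
import re

# Constructed sample: password typed into the file by hand, logging turned off.
WEAK = """\
LISTENER =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
PASSWORDS_LISTENER = (changeme)
LOGGING_LISTENER = OFF
"""

# Constructed sample: after change_password and save_config, restrictions on.
HARDENED = """\
LISTENER =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
PASSWORDS_LISTENER = F4BAA4A006C26134
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
"""

PARAM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Assumption: an lsnrctl-encrypted password is 16 hex digits, as in the
# article's example; a plaintext password of that exact shape is misjudged.
HASHED = re.compile(r"^[0-9A-Fa-f]{16}$")

def parse_params(text):
    """Return top-level NAME = value settings, with upper-cased names."""
    params = {}
    for line in text.splitlines():
        if line[:1].isspace() or line.startswith("#"):
            continue  # continuation of a multi-line value, or a comment
        m = PARAM.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip("()\"' ")
    return params

def audit_listener(text, listener="LISTENER"):
    """Check the settings from sections 1 to 3 for one listener."""
    p, name, findings = parse_params(text), listener.upper(), []
    pw = p.get("PASSWORDS_" + name)
    if not pw:
        findings.append("no listener password set")
    elif not HASHED.match(pw):
        findings.append("password stored in plaintext")
    if p.get("ADMIN_RESTRICTIONS_" + name, "").upper() != "ON":
        findings.append("ADMIN_RESTRICTIONS not ON")
    # Assumption: save_config records log_status as LOGGING_<listener name>.
    if p.get("LOGGING_" + name, "").upper() == "OFF":
        findings.append("logging turned off")
    return findings
```

An empty list from audit_listener means the password, restriction and logging settings for that listener all passed.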

4. Install the latest listener patch for RHEL4 Oracle

This is similar to the operating system: the database also has bugs and vulnerabilities. Attackers scan for unpatched servers as soon as a vulnerability is discovered, so a competent DBA should keep an eye on the Oracle CPU at all times (haha, not a processor, but Critical Patch Update). Note that Oracle listener patches are cumulative, just as Windows XP SP2 contains everything in SP1, so you only need to follow the latest patch set. Before applying any patch to a production system, test it in a test environment to make sure the upgrade does not affect normal services. Finally, note that you can log in and download patches only after purchasing an official Oracle license. Otherwise, you can only download them from a third-party address, where their integrity cannot be guaranteed.

5. Use a firewall to block SQL*Net for the RHEL4 Oracle listener

Unless it is necessary, SQL*Net should not be allowed through the firewall. Firewall rules should be designed so that only authenticated Web servers and applications can communicate over SQL*Net through the firewall. In addition, when an application server in the firewall's DMZ uses SQL*Net, it should be allowed to communicate only with specific database servers.

Few applications access the database directly from the Internet, because the latency of doing so is very noticeable. The common practice is to have the application server communicate with the database while Internet clients reach the application server through a browser. When configuring the firewall, you then only need to set the communication rules between the application server and the database server.
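
One way to verify that a database server's firewall follows this rule is to review its saved iptables rules for the listener port. The following is an added example, not part of the original article: the rule excerpt and addresses are constructed, and port 1521 (the listener's default) is an assumption since the article names no port.

```python
import ipaddress
import shlex

SQLNET_PORT = "1521"  # assumption: default listener port, not from the article

# Constructed iptables-save excerpt from a database server.
RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.1.20 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 10.0.1.20 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def sqlnet_exposure(rules, allowed_hosts, port=SQLNET_PORT):
    """Return INPUT ACCEPT rules for the listener port that admit a source
    outside allowed_hosts (the application servers).
    Negated (!) matches and multiport rules are not handled."""
    allowed = [ipaddress.ip_network(h) for h in allowed_hosts]
    bad = []
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2:], tok[3:]))  # each token -> the one after it
        if opts.get("-j") != "ACCEPT" or opts.get("--dport") != port:
            continue
        # A rule without -s accepts the listener port from any address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if not any(src.subnet_of(net) for net in allowed):
            bad.append(line)
    return bad
```

With only the application server 10.0.1.20 allowed, the /16 rule and the rule with no source address are both reported.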

