Oracle Configuration Access White List tutorial

Source: Internet
Author: User

To improve data security, we may want to restrict access to Oracle, allowing only certain IP addresses to connect to the database or denying certain IP addresses access to it.

Of course, iptables can also achieve this goal, but an iptables rule stops working as soon as the listener port changes and it needs the root account; the sqlnet.ora restriction applies only to Oracle itself, leaves other ports untouched and needs no root access. Restricting access by configuring the sqlnet.ora file can therefore be the better choice.

1. Configuring the Sqlnet.ora File

Go to $TNS_ADMIN (the real path is usually of the form /oracle/app/oracle/product/11.2.0/dbhome_1/network/admin) and check whether a sqlnet.ora file exists and whether the tcp.validnode_checking, tcp.invited_nodes and tcp.excluded_nodes parameters are configured in it.

If the file exists and already contains these parameters, modify them in place; if the file exists but the parameters do not, append them at the end; if the file does not exist, create it.

Oracle does not create this file by default. As an example we create it and write the following:

tcp.validnode_checking=yes
tcp.invited_nodes=(192.168.220.128,127.0.0.1)
tcp.excluded_nodes=(192.168.220.1)

tcp.validnode_checking -- enables the IP validity check. This parameter must be set; without it the other two parameters have no effect.

tcp.invited_nodes -- the IP addresses allowed to connect to the database; separate multiple addresses with half-width (ASCII) commas. If this parameter is enabled, be sure to include the local address, otherwise the listener cannot start.

tcp.excluded_nodes -- the IP addresses not allowed to connect to the database; again, separate multiple addresses with half-width commas. An IP that also appears in tcp.invited_nodes is allowed to access the database.

In practice only one of tcp.invited_nodes and tcp.excluded_nodes needs to be configured. When only tcp.invited_nodes is configured it acts as a whitelist: every IP in the list may access the database and every IP not in the list is denied access;

when only tcp.excluded_nodes is configured it acts as a blacklist: every IP in the list is denied access and every IP not in the list is allowed to access the database.
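A small evaluator for the rules above, added here as an illustration (it is not code from the tutorial or from Oracle): it parses the three tcp.* parameters from sqlnet.ora text and reports whether a given client address would be admitted, applying the whitelist, blacklist and precedence rules the tutorial states. SAMPLE_SQLNET_ORA and the helper names are this example's own, and it handles only literal addresses, not the wildcard or CIDR forms newer Oracle releases accept.

```python
# Added example (not from the tutorial): applies the sqlnet.ora node-validation
# rules described above to candidate client addresses. Literal IPs only.
import ipaddress
import re

# Constructed sample sqlnet.ora content, mirroring the tutorial's example.
SAMPLE_SQLNET_ORA = """\
tcp.validnode_checking=yes
tcp.invited_nodes=(192.168.220.128, 127.0.0.1)
tcp.excluded_nodes=(192.168.220.1)
"""

# key=value or key=(v1, v2, ...); parameter names are case-insensitive
_PARAM_RE = re.compile(r"^\s*(tcp\.[a-z_]+)\s*=\s*\(?([^)]*)\)?\s*$", re.I)

def parse_sqlnet(text):
    """Return {param: value} for tcp.* lines; node lists become sets of addresses."""
    cfg = {}
    for line in text.splitlines():
        m = _PARAM_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key in ("tcp.invited_nodes", "tcp.excluded_nodes"):
            cfg[key] = {ipaddress.ip_address(v.strip()) for v in val.split(",") if v.strip()}
        else:
            cfg[key] = val.strip().lower()
    return cfg

def is_admitted(cfg, client_ip):
    """Decide, as the listener would, whether client_ip may connect."""
    if cfg.get("tcp.validnode_checking") != "yes":
        return True  # check disabled: both lists are ignored
    ip = ipaddress.ip_address(client_ip)
    invited = cfg.get("tcp.invited_nodes")
    if invited is not None:
        return ip in invited  # whitelist mode; invited wins even if also excluded
    return ip not in cfg.get("tcp.excluded_nodes", set())  # blacklist mode

def listener_can_start(cfg, local_ips=("127.0.0.1",)):
    """Tutorial caveat: an invited list must include the local address."""
    invited = cfg.get("tcp.invited_nodes")
    if cfg.get("tcp.validnode_checking") != "yes" or invited is None:
        return True
    return any(ipaddress.ip_address(a) in invited for a in local_ips)

if __name__ == "__main__":
    cfg = parse_sqlnet(SAMPLE_SQLNET_ORA)
    for ip in ("192.168.220.128", "192.168.220.1", "10.0.0.5"):
        print(ip, "admitted" if is_admitted(cfg, ip) else "denied")
```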

2. Reload to make the configuration effective

If sqlnet.ora did not exist before, the listener must be restarted:

lsnrctl stop
lsnrctl start

If a sqlnet.ora already existed, it is enough to reload the configuration:

lsnrctl reload

The difference between restarting and reloading is essentially that between a full stop and a partial one: stop/start forcibly disconnects all currently connected sessions, whereas reload does not disconnect existing sessions.
