Oracle listener Protection

Source: Internet
Author: User

Oracle listener protection. Today a colleague failed to apply security hardening to the database listener; my buddy ran the same experiment and it also failed. So far I don't know why. I want to apologize to Brother Xian Wei: I did not find the time to study the problem with you, and I hope you will understand. I am writing this log to show how I do it, and I hope it helps you. You are also welcome to share your insights and valuable comments; Xiaohai is patient and willing to accept them. People who do not know how to learn with humility will eventually lose the chance of success.

Okay. Note: I have never agreed with setting up listener protection, but it may be necessary in order to remediate the security scan findings. Is the security scan correct? For me, I only know the answer after a real experiment.

Notice: Ensure that the password has not been set in the listener.ora file. The local operating system authentication will secure the listener administration. The remote listener administration is disabled when the password has not been set. This prevents brute force attacks of the listener password. Remember that the listener password has been deprecated in this release, and will not be supported in the next release of Oracle Database.

Good. The steps are as follows:

    [oracle@oracle-one admin]$ lsnrctl start

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:21:12

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:21:12
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully

OK, we can see that our current security is Local OS Authentication. Next, set the password, as shown below:

    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:21:16

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> change_password
    Old password:
    New password:
    Reenter new password:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Password changed for listener
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Saved LISTENER configuration parameters.
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Old Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
    The command completed successfully
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    No changes to save for LISTENER.
    The command completed successfully
    LSNRCTL> exit

Then edit listener.ora:

    [oracle@oracle-one admin]$ pwd
    /opt/app/oracle/product/11.2.0/dbhome_1/network/admin
    [oracle@oracle-one admin]$ vi listener.ora

    # listener.ora Network Configuration File: /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    # Generated by Oracle configuration tools.

    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))
        )
      )

    ADR_BASE_LISTENER = /opt/app/oracle

    #----added by tnslsnr 25-AUG-2013 00:22:10---
    PASSWORDS_LISTENER = listener
    # export
    LOCAL_OS_AUTHENTICATION_LISTENER = OFF

Restart the listener:

    [oracle@oracle-one admin]$ lsnrctl stop

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:10

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    [oracle@oracle-one admin]$ lsnrctl start

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:15

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:23:15
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Password
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    [oracle@oracle-one admin]$

OK. Security now shows ON: Password. Checking the status now requires the password:

    [oracle@oracle-one admin]$ lsnrctl status

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:53

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    TNS-01169: The listener has not recognized the password

OK, then I enter the password to view the status, as follows:

    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:24:00

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:23:15
    Uptime                    0 days 0 hr. 1 min. 26 sec
    Trace Level               off
    Security                  ON: Password
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    Services Summary...
    Service "RHYS.ORACLE" has 1 instance(s).
      Instance "RHYS", status READY, has 1 handler(s) for this service...
    Service "RHYSXDB.ORACLE" has 1 instance(s).
      Instance "RHYS", status READY, has 1 handler(s) for this service...
    The command completed successfully
    LSNRCTL>

The operation is complete. Okay, let's look back at why he failed. My guesses:

1) The password was set correctly, but local OS authentication was not turned off (LOCAL_OS_AUTHENTICATION_LISTENER = OFF was not set), as follows:

    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:28:04

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> start
    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     listener
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:28:20
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    LSNRCTL> change_password
    Old password:
    New password:
    Reenter new password:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Password changed for listener
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Saved listener configuration parameters.
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Old Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
    The command completed successfully
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    No changes to save for listener.
    The command completed successfully
    LSNRCTL> stop
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    LSNRCTL> start
    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     listener
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:28:56
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Password or Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    LSNRCTL> exit
    [oracle@oracle-one admin]$
    [oracle@oracle-one admin]$ lsnrctl stop

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:30:17

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    [oracle@oracle-one admin]$

The listener can be stopped directly.

2) The listener name is incorrect.

OK. This is the end.
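An added example, not part of the original post: a shell function that reads a listener.ora and predicts which of the Security values seen above `lsnrctl status` will report, and that lists password or OS-authentication parameters whose suffix does not match the listener name (the second guess above). The function name, its `mode`/`stray` arguments and the sample file contents are constructed for illustration, and names are assumed to compare case-insensitively.

```shell
#!/bin/sh
# Added example, not from the original post. Reads listener.ora text on stdin
# and, for the listener named in $2, prints either the Security value expected
# in `lsnrctl status` (mode) or the password / OS-authentication parameters
# whose suffix names a different listener (stray).
# Assumption: parameter and listener names compare case-insensitively.
listener_audit() {   # usage: listener_audit mode|stray NAME < listener.ora
    awk -v what="$1" -v lsnr="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        { sub(/#.*/, "") }               # "#" comments out the rest of the line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            eq  = index($0, "=")
            key = toupper(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = toupper(substr($0, eq + 1));    gsub(/[ \t()]/, "", val)
            if (key == "PASSWORDS_" lsnr) { if (val != "") pw = 1 }
            else if (key == "LOCAL_OS_AUTHENTICATION_" lsnr) { if (val == "OFF") osoff = 1 }
            else if (key ~ /^(PASSWORDS|LOCAL_OS_AUTHENTICATION)_/) stray = stray key "\n"
        }
        END {
            if (what == "stray")  printf "%s", stray
            else if (pw && osoff) print "ON: Password"
            else if (pw)          print "ON: Password or Local OS Authentication"
            else if (osoff)       print "OFF"   # assumed; this case is not shown in the post
            else                  print "ON: Local OS Authentication"
        }'
}

# Constructed sample modelled on the listener.ora shown in the post.
sample_hardened='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))))
ADR_BASE_LISTENER = /opt/app/oracle
PASSWORDS_LISTENER = listener
LOCAL_OS_AUTHENTICATION_LISTENER = OFF'

# Variants: the OFF line commented out, and the OFF line with a wrong suffix.
sample_commented=$(printf '%s\n' "$sample_hardened" | sed 's/^LOCAL_OS/# LOCAL_OS/')
sample_misnamed=$(printf '%s\n' "$sample_hardened" | sed 's/_LISTENER = OFF/_LSNR1 = OFF/')

for s in "$sample_hardened" "$sample_commented" "$sample_misnamed"; do
    printf '%s\n' "$s" | listener_audit mode LISTENER
done
printf '%s\n' "$sample_misnamed" | listener_audit stray LISTENER
```

Both variants leave local OS authentication enabled, which matches the failed run above where `lsnrctl stop` succeeded without a password.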
