Oracle Common FAQ V1.0 (5)

Oracle part Fifth, Oracle Network and security
[Q] How to qualify a specific IP Access database
[A] You can use login triggers, CMGW, or add a Protocol.ora file under $oreacle_home/network/admin (some OS may be. Protocol.ora), 9i can directly modify Sqlnet.ora:
Add the following:
Tcp.validnode_checking=yes
#允许访问的ip
tcp.inited_nodes= (ip1,ip2,......)
#不允许访问的ip
tcp.excluded_nodes= (ip1,ip2,......)
[Q] How to connect to a database through a firewall
[A] This problem will only appear on the win platform, the UNIX platform will be automatically resolved.
Workaround:
The Sqlnet.ora on the server side should be similar
Sqlnet. Authentication_services= (NTS)
NAMES. Directory_path= (TNSNAMES, Onames, HOSTNAME)
Trace_level_client = 16
Registry HOME0 Plus [HKEY_LOCAL_MACHINE]
Use_shared_socket=true
[Q] How to connect a database using hostname method
Host name only supports small LAN for TCP/IP protocol
Modify the following information in the Listener.ora
(Sid_desc =
(Global_dbname = ur_hostname)--Your machine name
(Oracle_home = E:\oracle\ora92)--oracle Home
(Sid_name = ORCL)--sid NAME
)
Then on the client
In the Sqlnet.ora to ensure that there are
NAMES. Directory_path= (HOSTNAME)
You can access the database using the name of the database server.
[Q]dbms_repcat_admin can bring any security problems
[A] If a user can execute the dbms_repcat_admin package, it will gain great system privileges.
The following conditions may obtain execution permissions for the package:
1, under SYS Grant execute on dbms_repcat_admin to Public[|user_name]
2, the user has execute any procedure privileges (only 9i below, 9i must show authorization)
If the user executes the following statement:
exec sys.dbms_repcat_admin.grant_admin_any_schema (' user_name ');
This user will receive great system privileges
You can get more information from the User_sys_privs
[Q] When you do not know the user password, how to jump to another user to perform the operation does not affect the user?
[A] We can safely use the user and then jump back in the following ways, which is more useful at some point
Requires ALTER user permission or DBA authority:
Sql> Select password from dba_users where username= ' SCOTT ';
PASSWORD
-----------------------------
F894844c34402b67
Sql> alter user Scott identified by Lion;
User altered.
Sql> Connect scott/lion
Connected.
REM do whatever ...
Sql> Connect System/manager
Connected.
Sql> alter user Scott identified by values ' f894844c34402b67 ';
User altered.
Sql> Connect Scott/tiger
Connected.
[Q] How to strengthen your database
[A] Attention should be paid to the following aspects
1. Modify the Sys, System password.
2. Lock, modify, delete default User: Dbsnmp,ctxsys, etc.
3. Change the remote_os_authent to False to prevent the remote machine from landing directly.
4. Change the o7_dictionary_accessibility to false.
5. Remove some of the privileges from public role.
6. Check the security of the database data files. Don't set it to 666 or something. Check with other DBA users.
7. Put some unwanted services (such as FTP, NFS, etc. off)
8. Limit the number of users on the database host.
9. Check the security Alert above Metalink/otn regularly. Like what:
Http://otn.oracle.com/deploy/security/alerts.htm

10. Put your database and application in a separate subnet, otherwise your user password is easily sniffer. Or use advance security, the user login encryption.
11. Limit only certain IP can access your database.
Lsnrctl to add a password, otherwise it is easy for others to turn off your listener from outside.
13. Do not use the default 1521 port if possible
[Q] How to check if the user has used the default password

[A] If you use the default password, it is likely to cause a certain security risks to your database, then you can use the following query to get those users using the default password
Select Username "User (s) with Default password!"
From Dba_users
where password in
(' E066D214D5421CCC ',--DBSNMP
' 24abab8b06281b4c ',--Ctxsys
' 72979a94bad2af80 ',--Mdsys
' c252e8fa117af049 ',--ODM
' A7a32cd03d3ce8d5 ',--odm_mtr
' 88a2b2c183431f00 ',--ordplugins
' 7efa02ec7ea6b86f ',--Ordsys
' 4a3ba55e08595c81 ',--outln
' F894844c34402b67 ',-Scott
' 3f9fbd883d787341 ',--wk_proxy
' 79df7a1bd138cf11 ',--Wk_sys
' 7c9ba362f8314299 ',--Wmsys
' 88d8364765fce6af ',--xdb
' F9da8977092b7b81 ',--tracesvr
' 9300c0977d7dc75e ',--oas_public
' a97282ce3d94e29e ',--Websys
' Ac9700fd3f1410eb ',--Lbacsys
' E7b5d92911c831e1 ',--Rman
' ac98877de1297365 ',--perfstat
' 66f4ef5650c20355 ',--Exfsys
' 84b8cbca4d477fa3 ',--Si_informtn_schema
' d4c5016086b2dc6a ',--sys
' D4df7931ab130e37 ')--system
/
[Q] How to modify the default Xdb listening port

[A] oracle9i default XML DB sets the default port of HTTP to 8080, which is a much-used port, and many other webserver will use this port.
If we install it, it is best to change it, avoid conflict, if not used, it is best not to install
Provides three ways to modify
1.DBCA, select your database, and then standard DB features->customize->oracle XML option, you should know how to change the image.
2.OEM console, modifying in the configuration of XML Database
3. Packages provided by Oracle:
--Change the Http/webdav port from 8080 to 8081
Sql> Call Dbms_xdb.cfg_update (Updatexml (Dbms_xdb.cfg_get),
'/xdbconfig/sysconfig/protocolconfig/httpconfig/http-port/text () ', 8081)
/
--Change the FTP port from 2100 to 2111
Sql> Call Dbms_xdb.cfg_update (Updatexml (Dbms_xdb.cfg_get),
'/xdbconfig/sysconfig/protocolconfig/ftpconfig/ftp-port/text () ', 2111)
/
Sql> commit;
sql> exec Dbms_xdb.cfg_refresh;
--Check if the modification has been successful
Sql> select Dbms_xdb.cfg_get from dual;
[Q] How to capture user login information, such as SID,IP address
[A] can take advantage of login triggers, such as
CREATE OR REPLACE TRIGGER Tr_login_record
After logon on DATABASE
DECLARE
MIUSERSID number;
Mtsession V$session%rowtype;
CURSOR CSession (Iiusersid in number) is
SELECT * from V$session
WHERE Sid=iiusersid;
BEGIN
SELECT sid into Miusersid from V$mystat WHERE rownum