The Oracle listener is the entry point through which external applications connect to Oracle, and it is managed with the lsnrctl program that ships with Oracle. When administering Oracle, many people overlook the security of the listener itself: by default, the Oracle tnslsnr process listening on port 1521 (the default port) has no password protection at all.
This is a security risk: a remote Oracle tnslsnr service with no password configured can be controlled by anyone who can reach it. An attacker can use this to shut down the tnslsnr service or set a new password on it, denying service to legitimate users. An attacker can also obtain detailed information about the database from the listener to prepare further attacks and, combined with other vulnerabilities, can even create or modify files on the target system and break into it.
The following describes how to protect the Oracle listener with a password:
1. How to perform remote operations:
On a remote machine, edit its listener.ora file and add an entry that points at the remote Oracle server, for example:
ls_oratest =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP) (HOST = 192.168.1.10) (PORT = 1521))
    )
  )
HOST = 192.168.1.10 is the remote Oracle server. If that server is running with the default settings, that is, no listener password has been set on it, then running the following on the remote machine:
lsnrctl stop ls_oratest
stops the listener on the 192.168.1.10 server, with no authentication whatsoever.
2. How to change the password:
The listener password protects the commands sent to a running listener, above all stop, so that it cannot be shut down maliciously. It does not apply to start: if the listener is already running, a second start simply fails, and if it is not running there is no process to authenticate against, so start needs no protection.
LSNRCTL> set current_listener listener_oratest    <-- select the listener to manage
LSNRCTL> change_password
Old password: <original password>                  <-- if no password has been set yet, just press Enter; otherwise enter the existing password
New password: <new password>
Reenter new password: <new password>
Connecting to (ADDRESS = (PROTOCOL = ipc) (KEY = XXX))
Password changed for listener_oratest
The command completed successfully
<-- change_password sets or changes the password of the listener process that is currently running. It is not written to listener.ora, so if the listener is restarted the old password (or no password) is back in effect.
<-- Therefore the password must be saved to listener.ora:
LSNRCTL> set password
Password: <enter the new password>
LSNRCTL> save_config    <-- this step matters: it writes the current settings, including the password, to listener.ora
LSNRCTL> exit
Note:
A. Before save_config you must run set password again and supply the new password, because in lsnrctl the password for the current session is set with the set password command. Only after the correct password has been set for the session can you run the protected operations such as save_config and stop.
B. After the password has been saved, it is recorded in listener.ora, for example:
PASSWORDS_listener_oratest = AF15F0B512F2229A
The format is PASSWORDS_<listener name> = <password ciphertext>. If you forget the password, remove this line; the next time the listener is started it has no password again.
C. Once the password is set, a remote machine must supply the password in order to stop the listener; otherwise the operation fails.
3. How to manage the listener after the password is set:
A. For manual interaction, enter two commands before the operation you want to perform:
LSNRCTL> set current_listener listener_oratest    <-- select the listener to manage
LSNRCTL> set password
Password: <enter the password>
LSNRCTL> stop
B. If the operation is run from a script, supply the password ciphertext (the value of the PASSWORDS_ line in listener.ora) as the argument to set password:
#!/bin/sh
lsnrctl <<EOF
set current_listener listener_oratest
set password AF15F0B512F2229A
stop
EOF
From then on, whenever you enter lsnrctl to operate on this listener, you have to run set password first; only then does the listener accept the protected commands such as stop and save_config.
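The PASSWORDS_ line described in note B and the scripted stop in 3.B both depend on reading the ciphertext out of listener.ora. The following shell script, an added example that is not part of the original article, parses a listener.ora, reports which listeners have no PASSWORDS_ entry (the unprotected state described at the top of the page), and builds the 3.B lsnrctl batch for a given listener from the stored ciphertext instead of hard-coding it. The listener.ora content embedded in the script is constructed for the example; the listener names LISTENER_ORATEST and LISTENER_PROD and the ciphertext value are hypothetical, and the script only prints the lsnrctl commands rather than running lsnrctl.

```shell
#!/bin/sh
# Added example (not part of the original article): parse listener.ora to
# (1) report which listeners have no PASSWORDS_<name> line, and (2) pull the
# stored ciphertext for a listener so a scripted "set password <ciphertext>"
# batch (the section 3.B pattern) can be built from it without hard-coding.
# The listener.ora content below is constructed for this example; the listener
# names and the ciphertext are hypothetical.

SAMPLE_LISTENER_ORA='# constructed sample listener.ora
LISTENER_ORATEST =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.10)(PORT = 1521))
    )
  )

LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.11)(PORT = 1521))
    )
  )

PASSWORDS_LISTENER_ORATEST = AF15F0B512F2229A'

# Read listener.ora on stdin and print one "NAME<TAB>VALUE" line per top-level
# parameter. Multi-line parenthesised values are joined until the parentheses
# balance, and whitespace inside the value is removed.
parse_listener_ora() {
    awk '
        BEGIN { inval = 0; depth = 0 }
        {
            line = $0
            sub(/#.*/, "", line)                       # drop comments
            if (!inval) {
                if (line !~ /^[A-Za-z][A-Za-z0-9_]*[ \t]*=/) next
                name = line;  sub(/[ \t]*=.*/, "", name)
                value = line; sub(/^[^=]*=/, "", value)
                inval = 1
            } else {
                value = value " " line
            }
            depth += gsub(/\(/, "(", line) - gsub(/\)/, ")", line)
            gsub(/[ \t]+/, "", value)
            if (depth == 0 && value != "") {
                print name "\t" value
                inval = 0
            }
        }'
}

# Names of the listeners defined in the file: the top-level parameters whose
# value is an address description (SID_LIST_*, PASSWORDS_* etc. are skipped).
listener_names() {
    parse_listener_ora |
        awk -F'\t' '$2 ~ /^\((DESCRIPTION_LIST|DESCRIPTION|ADDRESS_LIST|ADDRESS)=/ { print $1 }'
}

# Ciphertext stored for listener $1, or nothing if it has no PASSWORDS_ line.
listener_password_hash() {
    parse_listener_ora |
        awk -F'\t' -v want="PASSWORDS_$1" 'toupper($1) == toupper(want) { print $2; exit }'
}

# Audit: one line per listener, "NAME protected" or "NAME UNPROTECTED".
audit_listener_ora() {
    conf=$(cat)
    printf '%s\n' "$conf" | listener_names | while read -r name; do
        if [ -n "$(printf '%s\n' "$conf" | listener_password_hash "$name")" ]; then
            printf '%s protected\n' "$name"
        else
            printf '%s UNPROTECTED\n' "$name"
        fi
    done
}

# Emit the lsnrctl batch for a password-protected stop of listener $1, taking
# the ciphertext from listener.ora on stdin. Fails (exit 1) when no password is
# stored, so automation never silently issues an unauthenticated stop.
stop_listener_script() {
    hash=$(listener_password_hash "$1")
    [ -n "$hash" ] || return 1
    printf 'set current_listener %s\nset password %s\nstop\n' "$1" "$hash"
}

# Run directly: audit the constructed sample. On a real system pipe the actual
# file instead, e.g.  audit_listener_ora < "$ORACLE_HOME/network/admin/listener.ora"
printf '%s\n' "$SAMPLE_LISTENER_ORA" | audit_listener_ora
```

To drive the 3.B stop from the real file, pipe the generated batch into lsnrctl: stop_listener_script LISTENER_ORATEST < "$ORACLE_HOME/network/admin/listener.ora" | lsnrctl. Note the caveat this makes visible: because set password accepts the ciphertext directly, and section 1 shows the listener can be managed from any remote machine, the PASSWORDS_ value in listener.ora is itself a credential and the file should be readable only by the Oracle owner.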