Oracle user automatic lock Solution

-- 1.
-- System parameter configuration: connect sys/password @ db_link as sysdba
Select * From dba_profiles where resource_name like 'failed _ login_attempts % ';
-- 1 default failed_login_attempts password 10
-- The user is locked for 10 consecutive error connections.
-- 2.
-- View locked users
Select lock_date, username from dba_users where username = 'username ';
If the value of lock_date is null, it indicates that it is not locked. If the value is not empty, it indicates that it is locked.
-----
Select S. username,
Decode (L. type, 'Tm ', 'table lock', 'tx', 'row lock', null) lock_level,
O. Owner,
O. object_name,
O. object_type,
S. Sid,
S. Serial #,
S. Terminal,
S. machine,
S. program,
S. osuser
From v $ session S, V $ lock l, dba_objects o
Where S. Sid = L. Sid
And O. object_id = L. id1
And S. username is not null;
-- 3.
-- Unlock Method
Alter user user_name account unlock;
-- Note that the locked user may not be worth the value during the upgrade process.
-- Upgrade again
----- Set the default logon times of the system
Alter profile default limit failed_login_attempts 10;
Alter profile default limit failed_login_attempts unlimited;
------------
If the data administrator sets the number of Logon times for this user, he/she needs to search for the user's profile and modify it. He can view the user's creation language name and find the corresponding settings.
The profile in the Oracle system can be used to restrict the database resources that users can use. The create profile command is used to create a profile to restrict the use of database resources, if the profile is assigned to the user, all the database resources that the user can use are limited by the profile.
Ii. conditions:
To create a profile, you must have the create profile system permission.
Specify resource limits for users. required:
1. dynamically use alter system or use the initialization parameter resource_limit to make the resource limit take effect. This change is invalid for password resources and password resources are always available.
SQL> show parameter resource_limit
Name type value
--------------------------
Resource_limit Boolean false
SQL> alter system set resource_limit = true;
The system has been changed.
SQL> show parameter resource_limit;
Name type value
--------------------------
Resource_limit Boolean true
SQL>
2. Use create profile to create a profile that defines the limits on database resources.
3. Use the create user or alter USER command to allocate the profile to the user.
Iii. Syntax:
Create profile limit {resource_parameters | password_parameters} [resource_parameters | password_parameters]… ; <Resource_parameters> {sessions_per_user | cpu_per_session | cpu_per_call | connect_time | idle_time | average | percent | integer} {INTEGER | unlimited | default} | private_sga {INTEGER [k | M] | limituned default }}< password_parameters>
{Expiration | password_life_time | password_reuse_time | password_reuse_max | password_lock_time | password_grace_time} {expr | unlimited | default} | functions {function | null | default}. Syntax explanation:
Profile: name of the configuration file. Oracle databases force resource restrictions in the following ways:
1. If the user exceeds the session resource limit of connect_time or idle_time, the database rolls back the current transaction and ends the session. When the user executes the command again, the database returns an error,
2. If you attempt to perform operations that exceed other session resource limits, the database will discard the operation, roll back the current transaction, and immediately return an error. After that, you can submit or roll back the current transaction. You must end the session.
Tip: You can divide a row into multiple segments, such as one hour (1/24 days) to limit the time. You can specify resource restrictions for users, but the database will only execute the restrictions after the parameters take effect.
Unlimited: the user who assigns the profile has no limit on the resource usage. When the password parameter is used, unlimited means that there is no limit on the parameter.
Default: if it is set to default, some resource restrictions on the profile are ignored. The initial definition of the default profile is not limited to resources and can be changed through the alter profile command.
Resource_parameter part:
Session_per_user: specifies the number of concurrent sessions of a user.
Cpu_per_session: Specifies the CPU time limit of the session, in the unit of 1% seconds.
Cpu_per_call: Specifies the CPU time limit for one call (resolution, execution, and extraction), in 1% seconds.
Connect_time: Specifies the total connection time of a session, in minutes.
Idle_time: Specifies the total time for a session to allow continuous inactivity, in minutes. If the duration is exceeded, the session will be disconnected. However, long-running queries and other operations are not restricted.
Logical_reads_per_session: specify the number of data blocks that a session can read, including all data blocks read from memory and disk.
Logical_read_per_call: specify the maximum number of data blocks that can be read when an SQL statement (parsing, execution, and extraction) call is executed.
Private_sga: specify the maximum space that a session can allocate in the Shared Pool (SGA), in bytes. (This restriction is only valid when the Shared Server structure is used. The private space of a session in SGA includes private SQL and PL/SQL, but not shared SQL and PL/SQL ).
Composite_limit: Specifies the total resource consumption of a session, in the unit of service units. The Oracle Database calculates the total service units of cpu_per_session, connect_time, logical_reads_per_session, and private-SGA in a favorable way.
Password_parameter part:
Failed_login_attempts: specifies the maximum number of logon attempts allowed before the account is locked.
Password_life_time: specifies the number of days allowed by the same password. If the password_grace_time parameter is specified at the same time, if the password is not changed within grace period, the password will be invalid and the connection to the database will be rejected. If the password_grace_time parameter is not set, the default value of unlimited will forward a database warning, but allow the user to continue the connection.
Password_reuse_time and password_reuse_max: these two parameters must be associated. password_reuse_time specifies the number of days before the password cannot be reused, while password_reuse_max specifies the number of times the password has changed before the current password is reused. Both parameters must be set as integers.
1. If an integer is specified for these two parameters, the user cannot reuse the password until the password is changed to the number of times specified by password_reuse_max and later within the time specified by password_reuse_time.
For example, if password_reuse_time = 30 and password_reuse_max = 10, you can reuse the password after 30 days. The password must be changed more than 10 times.
2. If one of them is specified as an integer and the other is unlimited, the user can never reuse a password.
3. if one of them is specified as default, Oracle database uses the default value defined in profile. By default, all parameters are set as unlimited in profile. If the default value of profile is not changed, the database always defaults to unlimited.
4. If both parameters are set to unlimited, the database ignores them.
Password_lock_time: Specify the account contraction time after the number of failed login attempts reaches, in days.
Password_grace_time: specifies the number of days before the database returns a warning. If the database password is not modified in the middle, it will expire.
Password_verify_function: this field allows complex PL/SQL password verification scripts to be passed to the create profile statement for parameter data transmission. Oracle Database provides a default script, but you can create your own verification rules or use third-party software for verification. For the function name, specify the name of the password verification rule. If it is null, the password verification function is not used. If an expression is specified for the password parameter, the expression can be any lattice, except for database scalar queries.
V. Example:
1. Create a profile:
Create profile new_profile limit password_reuse_max 10 password_reuse_time 30;
2. Set profile resource restrictions:
Create profile app_user limit sessions_per_user unlimited cpu_per_session unlimited cpu_per_call 3000 connect_time 45 logical_reads_per_session default logical_reads_per_call 1000 private_sga 15 K composite_limit 5000000;
The total resource cost cannot exceed 5 million service units. The formula for calculating the total resource cost is specified by the alter resource cost statement.
3. Set Password restriction profile:
Create profile app_users2 limit 5 password_life_time 60 password_reuse_time 60 password_reuse_max 5 password_verify_function verify_function password_lock_time 1/24 password_grace_time 10;
4. Allocate the configuration file to the user:
SQL> alter user dinya profile app_user;
The user has changed.
SQL> alter user dinya profile default;
The user has changed.
Reason and solution for Oracle user lock
The test user is notified of being locked during login.
1. log on to and unlock the account with the DBA role. First, set the specific time format to view the specific time.
SQL> alter session set nls_date_format = 'yyyy-mm-dd hh24: MI: ss ';
Session altered.
2. view the lock time
SQL> select username, lock_date from dba_users where username = 'test ';
Username lock_date
-------------------------------------------------
Test 08:51:03
3. Unlock
SQL> alter user test account unlock;
User altered.
4. Check that the test user is locked due to the IP address.
View $ ORACLE_HOME/Network/admin/log/listener. Log logs
10-Mar-2009 08:51:03 * (CONNECT_DATA = (SID = lhoms) (Server = dedicated) (cid = (program = Oracle) (host = omstestdb) (user = oraoms ))) * (address = (Protocol = TCP) (host = 10.69.1.11) (Port = 49434) * establish * lhoms * 0
10-Mar-2009 08:51:03 * (CONNECT_DATA = (SID = lhoms) (Server = dedicated) (cid = (program = Oracle) (host = omstestdb) (user = oraoms ))) * (address = (Protocol = TCP) (host = 10.69.1.11) (Port = 49435) * establish * lhoms * 0 the exam will go big
It can be seen that the above IP address is locked due to multiple failed login attempts
Note:
By default, the database locks users after 10 failed attempts.
1. view the failed_login_attempts Value
Select * From dba_profiles
2. Change to 30 times
Alter profile default limit failed_login_attempts 30;
3. Change to unlimited (for security reasons, it is not recommended)
Alter profile default limit failed_login_attempts unlimited;