• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    Oracle监听口令及监听器安全详解

    很多Oracle用户都知道,Oracle的监听器一直存在着一个安全隐患,假如对此不设置安全措施,那么能够访问的用户就可以远程关闭监听器。

    相关示例如下:

    D:>lsnrctl stop eygle
    LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40
    Copyright (c) 1991, 2006, Oracle. All rights reserved.
    正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))
    (CONNECT_DATA=(SERVICE_NAME=eygle)))
    
    

    命令执行成功

    大家可以发现,此时缺省的监听器的日志还无法记录操作地址:

    No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
    28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)
    (ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0
    
    

    有鉴于此,为了更好的保证监听器的安全,大家最好为监听设置密码

    [oracle@jumper log]$ lsnrctl
    LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17
    Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
    Welcome to LSNRCTL, type "help" for information.
    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> change_password
    Old password:
    New password:
    Reenter new password:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
    Password changed for listener
    The command completed successfully
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
    Saved LISTENER configuration parameters.
    Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora
    Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak
    The command completed successfully
    
    

    在我们设置密码后,远程操作将会因缺失密码而出现失败:

    D:>lsnrctl stop eygle
    LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57
    Copyright (c) 1991, 2006, Oracle. All rights reserved.
    正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)
    (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))
    
    

    TNS-01169: 监听程序尚未识别口令

    注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器:

    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> stop
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
    The command completed successfully
    LSNRCTL> start
    Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait...
    TNSLSNR for Linux: Version 9.2.0.4.0 - Production
    System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora
    Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log
    Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias LISTENER
    Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production
    Start Date 28-NOV-2007 10:22:23
    Uptime 0 days 0 hr. 0 min. 0 sec
    Trace Level support
    Security ON
    SNMP OFF
    Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora
    Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log
    Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
    Services Summary...
    Service "eygle" has 1 instance(s).
    Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...
    Service "julia" has 1 instance(s).
    Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...
    The command completed successfully
    
    

    另外,ADMIN_RESTRICTIONS参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 ADMIN_RESTRICTIONS_ 为 ON,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。

    您可能感兴趣的文章:
    • oracle 11g数据库安全加固注意事项
    • Oracle数据库安全策略分析(一)
    • Oracle数据库安全策略分析 (三)
    • Oracle数据库的安全策略
    • Oracle数据库安全策略分析(二)
    • Oracle数据库安全策略
    • Oracle数据安全面面观
    • Oracle数据库的安全策略
    • 提升Oracle用户密码安全性的策略
    • Oracle 11g实现安全加固的完整步骤
    上一篇:Oracle数据库TNS常见错误的解决方法汇总
    下一篇:Oracle阻塞(blockingblocked)实例详解
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    Oracle监听口令及监听器安全详解 Oracle,监听,口令,及,监听器,