 |
|
Oracle IP address blocking in
sqlnet.ora
Oracle Tips by Steve Karam
Oracle ACE, Oracle Certified Master
|
The topics covered in listener
security management are straightforward, but there are special sqlnet.ora tricks
for blocking access by IP address.
Blocking Oracle Access by IP Address
Now comes the fun part: keeping
people out of your database! While IP-based blocking is not as suitable as a
full firewall, you are able to block clients based on their IP address or
hostname.
The secret lies in the SQLNET.ORA file. This file can be found in your
$ORACLE_HOME/network/admin directory along with your tnsnames.ora and
listener.ora. Open it up and insert the following line:
tcp.validnode_checking = yes
This turns on the hostname/IP checking for your listeners. After this, you can
supply lists of nodes to enable/disable, as such:
tcp.invited_nodes = (hostname1,
hostname2)
tcp.excluded_nodes = (192.168.10.3)
Note that if you only specify
invited nodes, all others will be excluded, so there is really no reason to do
both. The same goes for excluded nodes: exclude a list of clients, invite all
others.
Even though this will not protect you against advanced attacks (IP and hostname
are easy to spoof) it still serves as a deterrent against hacking attempts.
Here are some rules for entering invited/excluded nodes:
- You cannot use wildcards
in your specifications.
- You must put all invited
nodes in one line; likewise for excluded nodes.
- You should always enter
localhost as an invited node.
Once you have set up your rules
and enabled valid node checking, you must restart your listeners to reap the
benefits. Here is an example:
- PayrollDB is a database
server, accessed by Payroll
- SalesDB is a database
server, accessed by Sales
- SApp1, SApp2, and SApp3
are application servers using the SalesDB
- PApp1, PApp2, and PApp3
are application servers using the PayrollDB
The sqlnet.ora on PayrollDB
would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, PayrollDB, PApp1, PApp2, PApp3)
The sqlnet.ora on SalesDB would
look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, SalesDB, SApp1, SApp2, SApp3)
Once this has been done,
restart the listener. (You did follow the first part of this article and
password protect it, didn?t you?)
$ lsnrctl
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
LSNRCTL> stop
The command completed successfully
LSNRCTL> start
Now PApp1, PApp2, and PApp3 can
access PayrollDB but not SalesDB; the same goes for the Sales application
servers' access to PayrollDB.
While this isn't terribly advanced, it will definitely act as a good block
against basic attacks.