Oracle listener security tips
Oracle Tips by Steve Karam
Oracle ACE, Oracle Certified Master
The topics covered in listener security management are straightforward. We will
not involve the Oracle Advanced Security option: it is too big to cover here, and
it is an added expense that many companies do not want. Instead, we will go over
basic network (listener) security management that anyone who uses Oracle can
implement. It is built in, so it is already part of your system.
Oracle Listener security
The first thing to do is to put a password on your listener. By default the
listener comes with no password, and anyone can change listener settings through
the lsnrctl tool. In Oracle 9i, any computer on your network that can reach the
listener port can stop your listener in the blink of an eye if you do not
password protect it.
First, a point on passwords. Yes, they are inconvenient, but they are much
better than the alternatives. Which would you rather explain to your employer:
that you have to spend hours working on password management, or that you have to
spend days on fixing downtime or data corruption and that the company is losing
money? And yes, an unprotected listener can easily be used to corrupt your
entire database.
To password protect your listener, perform the following as your Oracle user
(there is no old password yet, so just press Enter at that prompt):
$ lsnrctl
LSNRCTL> change_password
Old password: <press enter here>
New password: <enter new password>
Reenter new password: <reenter password>
If you have done all of this
correctly, you will see the following:
Connecting to
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
Password changed for <listener name>
The command completed successfully
Just as a note, if the listener you are protecting does not have the default
name of LISTENER, you must do set current_listener <listenername> (often
abbreviated to set cur) before issuing the change_password command, or pass the
name directly as change_password <listenername>.
At this point, save the configuration of the listener to the file system. If you
are on 10g, it will save with no problems:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
Saved <listener name> configuration parameters.
Listener Parameter File <oracle home>/listener.ora
Old Parameter File <oracle home>/listener.bak
The command completed successfully
And you have a password
protected listener.
However, this does not happen on 9i. If you perform a save_config, you will see
the following:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
TNS-01169: The listener has not recognized the password
Oops! The reason is this: in Oracle 10g, local operating system authentication
for the listener has been implemented. The listener checks that you are logged in
as a member of the privileged dba group, and if so it grants you access to change
the password, save the configuration, stop the listener, and so on. In 9i there
is no such check, so once a password has been set you must authenticate with it
before any further administrative command:
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
At this point, you can now
perform a save_config.
So what is the result of this? In 9i, you will now require a password whenever
you wish to stop the listener or any other "destructive" listener actions. In
10g, if you are not logged into the operating system with a privileged account,
you will have to enter a password as well. A typical listener stop may look like
this:
$ lsnrctl
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password: <enter password here>
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
The command completed successfully
You are now protected against unauthorized shutdowns of your listener, and
against the other administrative commands (such as changing listener settings)
that an unauthenticated lsnrctl session could otherwise issue. Remember that
"set password" is how you enter your password for authentication;
change_password is how it is changed.
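As an added example (not code from the original page), the following POSIX shell script checks whether a listener is password protected without issuing stop or any other administrative command. It looks at two pieces of evidence: the PASSWORDS_<listener name> parameter that save_config writes into listener.ora, and the Security line of lsnrctl status (9i prints ON or OFF; 10g prints ON: Local OS Authentication or ON: Password or Local OS Authentication). The listener.ora contents and status outputs embedded below are constructed samples, and the password hash in them is made up; the script only calls the real lsnrctl when it is on the PATH and ORACLE_HOME is set.

```shell
#!/bin/sh
# Added example, not from the original page: report whether a listener is
# password protected, using listener.ora and "lsnrctl status" output only.
# All sample data below is constructed for this example; the hash is made up.

SAMPLE_LISTENER_ORA='
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )

PASSWORDS_LISTENER = (A1B2C3D4E5F60718)

LISTENER2 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522))
    )
  )
'

# Constructed 10g status excerpt: password set AND local OS authentication.
SAMPLE_STATUS_PASSWORD='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Security                  ON: Password or Local OS Authentication
SNMP                      OFF'

# Constructed 10g status excerpt: no password, OS authentication only.
SAMPLE_STATUS_OS='Alias                     LISTENER2
Security                  ON: Local OS Authentication'

# Constructed 9i status excerpt: nothing protects this listener.
SAMPLE_STATUS_OFF='Alias                     LISTENER2
Version                   TNSLSNR for Linux: Version 9.2.0.8.0 - Production
Security                  OFF'

# listener_password_set NAME CONF
# Succeeds when CONF holds a PASSWORDS_NAME parameter (what save_config writes).
listener_password_set() {
    printf '%s\n' "$2" | grep -Eiq "^[[:space:]]*PASSWORDS_$1[[:space:]]*="
}

# status_security_mode STATUS_TEXT
# Prints password | os | on | off | unknown from the Security line of lsnrctl status.
status_security_mode() {
    line=$(printf '%s\n' "$1" | grep -E '^Security[[:space:]]' | head -n 1)
    case "$line" in
        *"Password or Local OS Authentication"*) echo password ;;
        *"Local OS Authentication"*)             echo os ;;
        *"ON"*)                                  echo on ;;
        *"OFF"*)                                 echo off ;;
        *)                                       echo unknown ;;
    esac
}

# listener_report NAME CONF STATUS_TEXT
# Returns 0 when a password is in force, 1 when only local OS authentication
# protects the listener (10g), 2 when it is open to anyone with lsnrctl.
listener_report() {
    name=$1
    mode=$(status_security_mode "$3")
    if listener_password_set "$name" "$2"; then
        echo "$name: password protected (PASSWORDS_$name in listener.ora; status=$mode)"
        return 0
    fi
    case "$mode" in
        password|on) echo "$name: password set in the running listener but not saved (status=$mode); run save_config"; return 0 ;;
        os)          echo "$name: local OS authentication only, no password (status=$mode)"; return 1 ;;
        *)           echo "$name: UNPROTECTED (status=$mode)"; return 2 ;;
    esac
}

# On a real host, read the live listener.ora and status; otherwise demonstrate
# on the constructed samples. Exit status is kept at 0 in either case.
if command -v lsnrctl >/dev/null 2>&1 && [ -r "${ORACLE_HOME:-/nonexistent}/network/admin/listener.ora" ]; then
    conf=$(cat "$ORACLE_HOME/network/admin/listener.ora")
    listener_report "${1:-LISTENER}" "$conf" "$(lsnrctl status "${1:-LISTENER}")" || :
else
    listener_report LISTENER  "$SAMPLE_LISTENER_ORA" "$SAMPLE_STATUS_PASSWORD" || :
    listener_report LISTENER2 "$SAMPLE_LISTENER_ORA" "$SAMPLE_STATUS_OS"       || :
    listener_report LISTENER2 "$SAMPLE_LISTENER_ORA" "$SAMPLE_STATUS_OFF"      || :
fi
```

The useful distinction the report makes is between a password that is set in the running listener and one that is also saved: after change_password but before save_config, the status line already reports a password while listener.ora has no PASSWORDS_ entry, so the protection would vanish at the next listener restart. The check is read-only; it never sends stop, set password or change_password.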
Oracle listener for auditing
One of the first things involved in securing the Oracle listener is to audit
the listener logs for specific messages:
- See Oracle listener auditing tips