Lock down database security in your Web-enabled apps

Oracle Tips by Burleson Consulting
September 20, 2002

2007 Update - For a complete treatment of the topic of Oracle security on the web, see these books and resources:


Many managers are concerned about opening up mission-critical applications to the Internet. With dozens of potential entry points and almost daily news about large companies being hacked, proper database security is critical. In general, security concerns over Internet access are similar to security issues in an internal network.

To understand the similarity, let's examine the possible entry points for hackers and demonstrate some techniques attackers use to gain access to confidential data. We'll then consider some techniques, including database-level security built into Oracle, for mitigating these risks.

Analyzing the threat

All Web-based applications have numerous possible entry points, and you must check every one. Hackers look at the following areas when they try to break into a Web application.
 
  • Internet access – If hackers can guess the IP address of a server, they can telnet to the server and get a login prompt. At this point, all they need is a user ID and password to gain access to the server.
     
  • Port access – All Web applications are configured to listen on a predefined port for incoming connections, and they generally use a listener daemon process to poll for connections.
     
  • Server access – A four-tiered Web application (illustrated in Figure A) incorporates a series of Web servers, application servers, and database servers. Each of these servers presents a potential point of entry, and if remote shell (rsh) access is enabled, a hacker who gets access to a single database may get access to many servers.
     
  • Network access – Oracle SQL*Net, as an example, allows for incoming connect strings to the Oracle listener process. If hackers know the port, IP address, Oracle ID, and password, they can gain direct access to the database.


Today's Web architectures include four layers of servers: Web listeners, Web servers, application servers, and database servers. Each of these layers is vulnerable to hacks.

 
Figure A
The anatomy of a four-tiered Web architecture


After you identify possible attack points, you must restrict access to those points. Disabling external entry can be accomplished through several methods. Let's explore antihacker tips for each potential point of entry.

Restricting server access

If possible, servers should not be accessible over the Internet unless network and systems administrators have followed the general guidelines for authenticated external access. Some companies use domain servers to restrict server access to specified users. However, hackers still might intercept user IDs and passwords. To prevent this, many companies employ tools that utilize secure shell (ssh) technologies to encrypt external Internet communications. The most popular of these tools is SecureCRT, which gives authorized users Internet access to servers without the fear of someone capturing the user ID and password.

Secure shell tools use sophisticated Huffman cryptography techniques for Internet transmissions; these products are more secure even than the Enigma code that was used during World War II. However, such superb encryption sometimes lulls IT staffs into believing that they are protected from external attack. Remember, the bulk of the security is at the server firewall, not on the Internet.

Hacking for active IP addresses is easy

Internet hackers are constantly searching for servers to attack. To do this, hackers write simple scripts that randomly generate and ping IP addresses, looking for servers that respond, "I'm here." The response is called a "ping acknowledgement" and is a standard feature of the ping utility, with the simple syntax:
 
C:\ ping 172.234.33.101
 

Here's the output:
 
Pinging 172.234.33.101 with 32 bytes of data:
Reply from 172.234.33.101: bytes=32 time=164ms TTL=254
Reply from 172.234.33.101: bytes=32 time=162ms TTL=254
Reply from 172.234.33.101: bytes=32 time=170ms TTL=254
Ping statistics for 172.234.33.101:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 162ms, Maximum = 170ms, Average = 165ms


The acknowledgement packet (called an ack in netguru jargon) tells the hacker that there's an active server at this IP address. Next, the hacker telnets to the server and begins a series of attempts to hack the root or the Oracle user password. The best way to foil this type of attack is to disable all server accounts after three password attempts.

Below you'll find the pseudocode for a UNIX shell script to cruise the Internet for vulnerable servers. Hackers run such scripts as daemon processes and scan hundreds of thousands of IP addresses every hour. Please note that I have deliberately introduced syntax errors into the pseudocode routine to prevent it being used by any wannabe hackers.

 
/*#/bin/ksh
while true
do
#****************************************************
# Generate a random IP address
#****************************************************
$IP_ADDRESS=rnd(1-255).rnd(1-255).rnd(1-255).rnd(1-255)
#****************************************************
# Submit the IP address to the ping command
#****************************************************
nohup ping $IP_ADDRESS > /tmp/t.lst 2>&1 &
#****************************************************
# If ping is responding – start the attack
#****************************************************
if `cat /tmp/t.lst|wc –l` > 0 then invoke attack_routine
fi
done
 


Even a novice computer user can write an attack program and locate server attack opportunities. Although the main method of attack is directly from the IP address, some creative hackers gain entry with I/O-enabled Java applets or programs that compromise cookie-writing. To prevent these types of external attacks, savvy companies employ some of the following techniques:
 

  • Trusted IP addresses – UNIX servers are configured to answer only pings from a list of "trusted" hosts. In UNIX, this is accomplished by configuring the rhosts file, which restricts server access to a list of specific users.
     
  • Server account disabling – If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
     
  • Special tools – Products such as Zone Alarm send an alert when an external server is attempting to breach your firewall security.


Restricting database access

Now that we have reviewed server access, let's explore port access. All Web-enabled applications have a listener process that checks a specific port for incoming database requests.

Inside the database, companies run the risk of allowing Web users unauthorized access to information. In an internal environment, each user is clearly identified. On the Web, anybody can try to access the application. It's up to the database administrator to ensure that everyone who accesses the application has the proper credentials.

Oracle has a wealth of authentication methods:
 

  • Kerberos security – This popular "ticket"-based authentication system sidesteps several security risks.
     
  • Virtual private databases – VPD technology can restrict access to selected rows of tables.
     
  • Role-based security – Object privileges can be grouped into roles, which can then be assigned to specific users.
     
  • Grant-execute security – Execution privileges on procedures can be tightly coupled to users. When a user executes the procedures, they gain database access, but only within the scope of the procedure.
     
  • Authentication servers – Secure authentication servers provide positive identification for external users.
     
  • Port access security – All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.
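As an added example (not code from the original article or from Burleson Consulting), the following Oracle SQL and PL/SQL shows four of the methods above in working form: a password profile that locks a database account after three failed logins (the database-side counterpart of the server account disabling recommended earlier), a role that bundles object privileges, a definer's-rights procedure exposed to the Web user through an execute grant only, and a virtual private database policy driven by a secure application context. The schema WEBAPP, the user WEBUSER, the table CUSTOMERS with columns CUSTOMER_ID, OWNER_ID and ADDRESS, and every other object name are assumptions chosen for illustration; run it as a DBA against a test database.

```sql
-- Added example, not from the original article. Schema WEBAPP, user WEBUSER,
-- table WEBAPP.CUSTOMERS (CUSTOMER_ID, OWNER_ID, ADDRESS) and all object
-- names below are assumptions for illustration.

-- 1. Account lockout: lock the account after three failed logins.
--    The lock clears automatically after PASSWORD_LOCK_TIME days,
--    or a DBA can run ALTER USER webuser ACCOUNT UNLOCK.
CREATE PROFILE web_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS 3
    PASSWORD_LOCK_TIME    1
    PASSWORD_LIFE_TIME    90;

CREATE USER webuser IDENTIFIED BY "placeholder-change-me"
    PROFILE web_user_profile;
GRANT CREATE SESSION TO webuser;

-- 2. Role-based security: object privileges are grouped into a role,
--    and the role (not the individual privileges) is granted to the user.
CREATE ROLE customer_reader;
GRANT SELECT ON webapp.customers TO customer_reader;
GRANT customer_reader TO webuser;

-- 3. Grant-execute security: WEBUSER has no UPDATE privilege on the table.
--    The procedure runs with the rights of its definer (WEBAPP), so the
--    caller can change an address only along this controlled path.
CREATE OR REPLACE PROCEDURE webapp.update_address (
    p_customer_id IN NUMBER,
    p_address     IN VARCHAR2)
AUTHID DEFINER
AS
BEGIN
    UPDATE webapp.customers
       SET address = p_address
     WHERE customer_id = p_customer_id;
END update_address;
/
GRANT EXECUTE ON webapp.update_address TO webuser;

-- 4. Virtual private database. A secure application context can be set
--    only by the package named in its USING clause, so the predicate the
--    policy builds cannot be influenced by arbitrary session code.
CREATE OR REPLACE CONTEXT webapp_ctx USING webapp.webapp_ctx_pkg;

CREATE OR REPLACE PACKAGE webapp.webapp_ctx_pkg AS
    PROCEDURE set_owner (p_owner_id IN NUMBER);
END webapp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY webapp.webapp_ctx_pkg AS
    -- In a real application this is called by the trusted login routine
    -- after it has verified the end user's credentials.
    PROCEDURE set_owner (p_owner_id IN NUMBER) AS
    BEGIN
        DBMS_SESSION.SET_CONTEXT('webapp_ctx', 'owner_id', TO_CHAR(p_owner_id));
    END set_owner;
END webapp_ctx_pkg;
/
GRANT EXECUTE ON webapp.webapp_ctx_pkg TO webuser;

-- The policy function returns a WHERE predicate that Oracle appends to
-- every statement on CUSTOMERS. It reads only the server-side context,
-- never user-supplied text, so nothing can be injected into it.
CREATE OR REPLACE FUNCTION webapp.customer_rows_for_session (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2)
    RETURN VARCHAR2
AS
BEGIN
    RETURN 'owner_id = TO_NUMBER(SYS_CONTEXT(''webapp_ctx'', ''owner_id''))';
END customer_rows_for_session;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'WEBAPP',
        object_name     => 'CUSTOMERS',
        policy_name     => 'customers_by_owner',
        function_schema => 'WEBAPP',
        policy_function => 'CUSTOMER_ROWS_FOR_SESSION',
        statement_types => 'SELECT,UPDATE,DELETE');
END;
/
```

With this in place, a session connected as WEBUSER that has not had its context set sees no rows at all (the predicate compares against NULL), which is the safe default; once the trusted package has set OWNER_ID, only that owner's rows are visible, and updates go through UPDATE_ADDRESS rather than a direct UPDATE. Kerberos and external authentication servers from the list above are configured in the network and listener configuration rather than in SQL, so they are not shown here.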


Be on guard

Data is the lifeblood of an organization's IT infrastructure, so it must be protected at all costs. You have several readily available options to jump-start security for your organization's database servers.

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.