Blocking Oracle access by IP Address
Now comes the fun part: keeping people out of your database! While IP-based blocking is not as suitable as a full firewall, you are able to block clients based on their IP address or hostname.
The secret lies in the SQLNET.ORA file. This file can be found in your $ORACLE_HOME/network/admin directory along with your tnsnames.ora and listener.ora. Open it up and insert the following line:
tcp.validnode_checking = yes
This turns on the hostname/IP checking for your listeners. After this, you can supply lists of nodes to invite or exclude, as such:
tcp.invited_nodes = (hostname1, hostname2)
tcp.excluded_nodes = (192.168.10.3)
Note that if you only specify invited nodes, all others will be excluded, so there is really no reason to do both. The same goes for excluded nodes: exclude a list of clients, invite all others.
Even though this will not protect you against advanced attacks (IP and hostname are easy to spoof), it still serves as a deterrent against hacking attempts.
Here are some rules for entering invited/excluded nodes:
- You cannot use wildcards in your specifications.
- You must put all invited nodes in one line; likewise for excluded nodes.
- You should always enter localhost as an invited node.
Once you have set up your rules and enabled valid node checking, you must restart your listeners to reap the benefits.
Here is an example:
- PayrollDB is a database server, accessed by Payroll.
- SalesDB is a database server, accessed by Sales.
- SApp1, SApp2, and SApp3 are application servers using the SalesDB.
- PApp1, PApp2, and PApp3 are application servers using the PayrollDB.
The sqlnet.ora on PayrollDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, PayrollDB, PApp1, PApp2, PApp3)
The sqlnet.ora on SalesDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, SalesDB, SApp1, SApp2, SApp3)
Once this has been done, restart the listener:
$ lsnrctl
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
LSNRCTL> stop
The command completed successfully
LSNRCTL> start
Now PApp1, PApp2, and PApp3 can access PayrollDB but not SalesDB; the same goes for the Sales application servers' access to PayrollDB.
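The node-entry rules given earlier and the PayrollDB/SalesDB scenario, as an added example (my own code, not from the article or from Oracle): a small Python script that parses a sqlnet.ora fragment, checks it against those rules (one line per list, no wildcards, localhost invited, not both lists) and simulates the accept/deny decision for a connecting client. The sqlnet.ora texts below are constructed, the first from the PayrollDB configuration above and the second deliberately breaking the rules. The assumption that an invited list, when present, decides before any excluded list is this example's own, and matching is by plain string comparison rather than the name resolution the listener performs.

```python
"""Parse an Oracle sqlnet.ora fragment, sanity-check its valid-node rules
and simulate the accept/deny decision for a connecting client.

Added example, not from the original article: the parser, the checks and
the decision function are this example's own.
"""

# Constructed sample: the PayrollDB sqlnet.ora from the article.
PAYROLL_SQLNET_ORA = """
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, PayrollDB, PApp1, PApp2, PApp3)
"""

# Constructed sample that breaks the article's rules: a wildcard, an
# excluded list split over two lines, both lists present, no localhost.
BAD_SQLNET_ORA = """
tcp.validnode_checking = yes
tcp.invited_nodes = (PayrollDB, 192.168.10.*)
tcp.excluded_nodes = (192.168.10.3)
tcp.excluded_nodes = (192.168.10.4)
"""


def parse_sqlnet(text):
    """Return {param: [values, ...]} keeping every occurrence of a parameter
    so that a list split over several lines can be detected. Values are
    split on commas with the surrounding parentheses removed."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        params.setdefault(key.lower(), []).append(values)
    return params


def _nodes(params, key):
    """Flatten every occurrence of a node-list parameter into one list."""
    return [n for occurrence in params.get(key, []) for n in occurrence]


def check_rules(params):
    """Apply the article's rules and return human-readable findings."""
    findings = []
    checking = params.get("tcp.validnode_checking", [[]])[-1]
    if [v.lower() for v in checking] != ["yes"]:
        findings.append("tcp.validnode_checking is not 'yes'; node lists are ignored")
    for key in ("tcp.invited_nodes", "tcp.excluded_nodes"):
        occurrences = params.get(key, [])
        if len(occurrences) > 1:
            findings.append(f"{key} appears {len(occurrences)} times; put all nodes on one line")
        for node in _nodes(params, key):
            if "*" in node or "?" in node:
                findings.append(f"wildcard in {key}: {node!r} is not allowed")
    invited = _nodes(params, "tcp.invited_nodes")
    excluded = _nodes(params, "tcp.excluded_nodes")
    if invited and excluded:
        findings.append("both invited and excluded lists given; one list is enough")
    if invited and "localhost" not in [n.lower() for n in invited]:
        findings.append("localhost is missing from tcp.invited_nodes")
    return findings


def is_client_allowed(params, client):
    """Simulate the listener's decision for one client hostname or IP.
    Assumption (this example's reading of the article): with node checking
    on, an invited list decides when present; otherwise an excluded list
    denies its members; with checking off, every client is allowed."""
    checking = params.get("tcp.validnode_checking", [[]])[-1]
    if [v.lower() for v in checking] != ["yes"]:
        return True
    invited = {n.lower() for n in _nodes(params, "tcp.invited_nodes")}
    excluded = {n.lower() for n in _nodes(params, "tcp.excluded_nodes")}
    if invited:
        return client.lower() in invited
    return client.lower() not in excluded


if __name__ == "__main__":
    payroll = parse_sqlnet(PAYROLL_SQLNET_ORA)
    print("PayrollDB findings:", check_rules(payroll) or "none")
    for host in ("PApp1", "SApp1", "localhost"):
        verdict = "allowed" if is_client_allowed(payroll, host) else "denied"
        print(f"  {host}: {verdict}")
    print("Bad config findings:")
    for finding in check_rules(parse_sqlnet(BAD_SQLNET_ORA)):
        print("  -", finding)
```

Run it against a real $ORACLE_HOME/network/admin/sqlnet.ora by reading the file into `parse_sqlnet`; a non-empty list from `check_rules` is worth fixing before the listener restart, since the listener will otherwise apply only what it can parse.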
While this isn't terribly advanced, it will definitely act as a good block against basic attacks.