Oracle Listener security
The first thing to do is to put a password on your listener. By default the listener comes with no password, and anyone can change listener settings through the lsnrctl tool. In Oracle 9i, any computer on your network can stop your listener in the blink of an eye if you do not password-protect it.
First, a point on passwords. Yes, they are inconvenient, but they are much better than the alternatives. Which would you rather explain to your employer: that you have to spend hours working on password management, or that you have to spend days fixing downtime or data corruption and that the company is losing money? And yes, an unprotected listener can easily be used to corrupt your entire database.
To password-protect your listener, perform the following as your Oracle user (the listener has no password yet, so leave the old password empty):
$ lsnrctl
LSNRCTL> change_password
Old password: <press enter here>
New password: <enter new password>
Reenter new password: <reenter password>
If you have done all of this correctly, you will see the following:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
Password changed for <listener name>
The command completed successfully
Just as a note, if the listener you are protecting does not have the default name of LISTENER, you must run
set cur <listenername>
before issuing the change_password command.
At this point, save the configuration of the listener to the file system. If you are on 10g and beyond, it will save with no problems:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
Saved <listener name> configuration parameters.
Listener Parameter File <oracle home>/listener.ora
Old Parameter File <oracle home>/listener.bak
The command completed successfully
And you have a password-protected listener.
However, this does not happen on 9i. If you perform a save_config, you will see the following:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
TNS-01169: The listener has not recognized the password
Oops! The reason is this: in Oracle 10g and beyond, operating system authentication for the listener has been implemented. The listener checks that you are a member of the privileged dba group and, if so, grants you access to change the password, save the configuration, stop the listener, and so on. In 9i, we must do the following at this point:
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
At this point, you can perform a save_config.
So what is the result of this? In 9i, you will now require a password whenever you wish to stop the listener or perform any other "destructive" listener action. In 10g and beyond, if you are not logged into the operating system with a privileged account, you will have to enter a password as well. A typical listener stop may look like this in Oracle 9i:
$ lsnrctl
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password: <enter password here>
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
The command completed successfully
You are now protected against unauthorized shutdowns of your listener. This protects you from a whole range of possible security breaches. Remember that set password is how you enter your password for authentication; change_password is how it is changed.
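Once save_config has succeeded (directly on 10g and beyond, or after set password on 9i), the password is recorded in listener.ora as a PASSWORDS_<listener name> parameter holding a hash. The following script is an added example, not part of the original article or an Oracle tool: it audits a listener.ora and reports every listener defined in it that has no PASSWORDS_ entry, so a DBA can confirm the steps above were completed for each listener on a host. It assumes the standard PASSWORDS_<name> parameter name, treats a top-level "NAME =" entry whose value contains (DESCRIPTION or (ADDRESS as a listener definition (a heuristic), and runs against a constructed sample file with placeholder host and hash values.

```shell
#!/bin/sh
# Added example (not from the original article): audit a listener.ora for
# listeners that have no PASSWORDS_<name> entry, i.e. listeners for which
# change_password + save_config were never completed.

# Print the names of listeners defined in a listener.ora.
# Heuristic (assumption): a top-level "NAME =" entry whose value contains
# (DESCRIPTION or (ADDRESS is a listener definition; SID_LIST_* is not.
listener_names() {
    awk '
        /^[A-Za-z][A-Za-z0-9_]*[[:space:]]*=/ {
            current = $0
            sub(/[[:space:]]*=.*/, "", current)
        }
        /\(DESCRIPTION|\(ADDRESS/ && current != "" && current !~ /^SID_LIST_/ && !(current in seen) {
            seen[current] = 1
            print current
        }
    ' "$1"
}

# Print "protected" or "unprotected" for one listener name, depending on
# whether a PASSWORDS_<name> parameter (the entry save_config writes after
# change_password) exists. Parameter names are case-insensitive in listener.ora.
listener_password_status() {
    if grep -qi "^PASSWORDS_$2[[:space:]]*=" "$1"; then
        echo protected
    else
        echo unprotected
    fi
}

# Audit every listener in the file; exit status 1 if any is unprotected.
audit_listener_ora() {
    rc=0
    for name in $(listener_names "$1"); do
        status=$(listener_password_status "$1" "$name")
        echo "$name: $status"
        [ "$status" = protected ] || rc=1
    done
    return $rc
}

# Constructed sample listener.ora (assumption: placeholder host, paths and
# hash; the hash is not a real Oracle password hash). Only LISTENER has
# been password-protected; LISTENER_EXTRA has not.
SAMPLE_ORA=$(mktemp)
trap 'rm -f "$SAMPLE_ORA"' EXIT
cat > "$SAMPLE_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1521))
    )
  )

LISTENER_EXTRA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1522))
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1))
  )

# placeholder hash, written here by hand rather than by save_config
PASSWORDS_LISTENER = (0123456789ABCDEF)
EOF

audit_listener_ora "$SAMPLE_ORA" || echo "WARNING: at least one listener has no password set"
```

Run it against the real file with audit_listener_ora "$ORACLE_HOME/network/admin/listener.ora"; a non-zero exit status is a convenient hook for a nightly configuration check. The script only inspects the file, so it needs read access to listener.ora and never talks to the listener itself.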