Oracle Listener Passwords and Listener Security Explained
Many Oracle users know that the Oracle listener has long carried a security weakness: if no protective measures are configured, anyone who can reach the listener port can shut the listener down remotely, with no authentication at all.
An example follows. The client is a 32-bit Windows machine; the listener runs on a remote host:
D:\>lsnrctl stop eygle

LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-NOV-2007 10:02:40

Copyright (c) 1991, 2006, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))
The command completed successfully
Note also that, by default, the listener log does not record where the operation came from: the record for this stop carries an empty HOST= and PROGRAM= in its CID, so only the remote OS user name (Administrator) is captured:
No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0
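The log excerpt above is the only trace a remote shutdown leaves, so it is worth scanning listener.log for administrative requests routinely. The shell functions below are an added example and not part of the original article: they parse the record layout the listener uses (timestamp, connect descriptor, command and return code separated by " * ") and report each administrative request together with the user and host the listener recorded, printing "-" when the host is empty as it is for the remote stop. The sample log is constructed: the first two lines are the article's own excerpt, the 'status' and 'establish' records are made up for contrast.

```shell
# Added example: audit administrative requests in an Oracle listener.log.
# Record layout: <timestamp> * <connect descriptor> * <command> * <return code>

# Constructed sample log (first two lines are from the article, the rest made up).
SAMPLE_LOG='No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0
28-NOV-2007 09:58:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=jumper)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=153092352)) * status * 0
28-NOV-2007 09:57:11 * (CONNECT_DATA=(SERVICE_NAME=eygle)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.50)(PORT=3391)) * establish * eygle * 0'

# audit_admin_commands: reads listener.log on stdin and prints
# "<user> <host> <command> <return code>" for every administrative request,
# i.e. every record whose connect descriptor carries a COMMAND= field.
audit_admin_commands() {
    awk -F ' [*] ' '
        # value of (key=...) inside the connect descriptor; "" if absent or empty
        function field(s, key,    start) {
            if (!match(s, "\\(" key "=[^)]*\\)")) return ""
            start = RSTART + length(key) + 2
            return substr(s, start, RLENGTH - length(key) - 3)
        }
        $2 ~ /\(COMMAND=/ {
            host = field($2, "HOST")
            if (host == "") host = "-"          # listener recorded no source host
            print field($2, "USER"), host, field($2, "COMMAND"), $NF
        }'
}

# unattributed_admin_commands: only the requests the listener could not tie
# to a host name; a remote lsnnctl stop shows up here, so alert on these.
unattributed_admin_commands() {
    audit_admin_commands | awk '$2 == "-"'
}

printf '%s\n' "$SAMPLE_LOG" | audit_admin_commands
echo "--- unattributed:"
printf '%s\n' "$SAMPLE_LOG" | unattributed_admin_commands
```

Feed a real log with `unattributed_admin_commands < $ORACLE_HOME/network/log/listener.log`; a non-zero return code in the last column means the request was refused (as it is after a password is set), so a successful, unattributed `stop` is the event to act on.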
For this reason, to secure the listener properly, set a password on it. On the server, select the listener, change its password, authenticate with it in the current session and save the configuration so that the (hashed) password is written to listener.ora:
[oracle@jumper log]$ lsnrctl

LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17

Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
Password changed for listener
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /opt/oracle/product/9.2.0/network/admin/listener.ora
Old Parameter File        /opt/oracle/product/9.2.0/network/admin/listener.bak
The command completed successfully
Once the password is set, the same remote operation fails because no password was supplied:
D:\>lsnrctl stop eygle

LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-NOV-2007 10:22:57

Copyright (c) 1991, 2006, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))
TNS-01169: The listener has not recognized the password
Note: from now on the password is required to stop or start the listener on the server side as well as from a client; in lsnrctl, supply it with set password before the privileged command. The Security ON line in the STATUS output confirms that password protection is active:
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
The command completed successfully
LSNRCTL> start
Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 9.2.0.4.0 - Production
System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora
Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log
Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 9.2.0.4.0 - Production
Start Date                28-NOV-2007 10:22:23
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               support
Security                  ON
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/9.2.0/network/admin/listener.ora
Listener Log File         /opt/oracle/product/9.2.0/network/log/listener.log
Listener Trace File       /opt/oracle/product/9.2.0/network/trace/listener.trc
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))
Services Summary...
Service "eygle" has 1 instance(s).
  Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...
Service "julia" has 1 instance(s).
  Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
In addition, the ADMIN_RESTRICTIONS parameter is another important security option. Set ADMIN_RESTRICTIONS_<listener_name> = ON in listener.ora (ADMIN_RESTRICTIONS_LISTENER = ON for the listener used here). From then on the listener refuses every runtime modification of its parameters made through lsnrctl SET commands, so any change must be made by editing listener.ora by hand and then picked up with lsnrctl reload. Two caveats: on Oracle 10g and later the listener authenticates local administration through the operating system by default (LOCAL_OS_AUTHENTICATION_<listener_name> = ON), so a remote lsnrctl stop is refused even without a password, and from 11g onward the listener password is deprecated in favour of that mechanism; the server in the examples above runs 9.2, where the password and ADMIN_RESTRICTIONS are the controls available.
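To make the recommended settings concrete, here is an added example (not configuration taken from the article): a minimal listener.ora in the unprotected state beside the hardened one, and a small shell audit that reports which hardening setting a given file lacks. The listener alias LISTENER, the ORACLE_HOME path and the PASSWORDS_LISTENER value are placeholders; the real value is the hash that change_password plus save_config writes, never the clear-text password.

```shell
# Added example: weak vs. hardened listener.ora, plus an audit function.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Baseline: no password, no ADMIN_RESTRICTIONS. Anyone who can reach port 1521
# can stop this listener with a remote lsnrctl, as the article shows.
WEAK_ORA="$TMP/listener.weak.ora"
cat > "$WEAK_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.33.11)(PORT = 1521))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = eygle)(ORACLE_HOME = /opt/oracle/product/9.2.0))
  )
EOF

# Hardened: PASSWORDS_LISTENER is what change_password + save_config records
# (placeholder hash here), and ADMIN_RESTRICTIONS_LISTENER = ON refuses runtime
# SET commands, so further changes go into this file followed by lsnrctl reload.
HARDENED_ORA="$TMP/listener.hardened.ora"
cat > "$HARDENED_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.33.11)(PORT = 1521))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = eygle)(ORACLE_HOME = /opt/oracle/product/9.2.0))
  )
PASSWORDS_LISTENER = (0123456789ABCDEF)
ADMIN_RESTRICTIONS_LISTENER = ON
EOF

# audit_listener_ora <file> <listener-alias>
# Prints one "MISSING: ..." line per absent hardening setting; returns 1 if
# anything is missing, 0 if both are present. Matching ignores case and the
# spaces around '=', as the listener itself does when it parses the file.
audit_listener_ora() {
    file=$1; lsnr=$2; rc=0
    if ! grep -Eiq "^[[:space:]]*PASSWORDS_${lsnr}[[:space:]]*=" "$file"; then
        echo "MISSING: PASSWORDS_${lsnr} (run change_password and save_config in lsnrctl)"
        rc=1
    fi
    if ! grep -Eiq "^[[:space:]]*ADMIN_RESTRICTIONS_${lsnr}[[:space:]]*=[[:space:]]*ON[[:space:]]*$" "$file"; then
        echo "MISSING: ADMIN_RESTRICTIONS_${lsnr} = ON"
        rc=1
    fi
    return $rc
}

for f in "$WEAK_ORA" "$HARDENED_ORA"; do
    echo "== $f"
    audit_listener_ora "$f" LISTENER && echo "OK: both hardening settings present"
done
```

Run it against a live file with `audit_listener_ora $ORACLE_HOME/network/admin/listener.ora LISTENER`, substituting the alias of each listener defined in the file, since both parameters are per listener name.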