| 订阅 | 在线投稿
分享
 
 
 

初学者必读:Oracle监听口令及监听器安全

2008-07-17 07:49:10 编辑來源:互联网 国际版 评论
 
 
  很多人都知道,Oracle的监听器一直存在着一个安全隐患,假如不设置安全措施,那么能够访问的用户就可以远程关闭监听器。

  相关示例:

  D:\>lsnrctl stop eygle

  LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40

  Copyright (c) 1991, 2006, Oracle. All rights reserved.

  正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))

  (CONNECT_DATA=(SERVICE_NAME=eygle)))

  命令执行成功

  大家可以发现,此时缺省的监听器的日志还无法记录操作地址:

  No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

  28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)

  (ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0

  为了更好的保证监听器的安全,大家最好为监听设置密码:

  [oracle@jumper log]$ lsnrctl

  LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17

  Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.

  Welcome to LSNRCTL, type "help" for information.

  LSNRCTL> set current_listener listener

  Current Listener is listener

  LSNRCTL> change_password

  Old password:

  New password:

  Reenter new password:

  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

  Password changed for listener

  The command completed successfully

  LSNRCTL> set password

  Password:

  The command completed successfully

  LSNRCTL> save_config

  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

  Saved LISTENER configuration parameters.

  Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora

  Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak

  The command completed successfully

  在我们设置密码后,远程操作将会因缺失密码而出现失败:

  D:\>lsnrctl stop eygle

  LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57

  Copyright (c) 1991, 2006, Oracle. All rights reserved.

  正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)

  (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))

  TNS-01169: 监听程序尚未识别口令

  注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器:

  LSNRCTL> set password

  Password:

  The command completed successfully

  LSNRCTL> stop

  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

  The command completed successfully

  LSNRCTL> start

  Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait...

  TNSLSNR for Linux: Version 9.2.0.4.0 - Production

  System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora

  Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log

  Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc

  Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

  STATUS of the LISTENER

  ------------------------

  Alias LISTENER

  Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production

  Start Date 28-NOV-2007 10:22:23

  Uptime 0 days 0 hr. 0 min. 0 sec

  Trace Level support

  Security ON

  SNMP OFF

  Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora

  Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log

  Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc

  Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

  Services Summary...

  Service "eygle" has 1 instance(s).

  Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...

  Service "julia" has 1 instance(s).

  Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...

  The command completed successfully

  另外,ADMIN_RESTRICTIONS参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 ADMIN_RESTRICTIONS_ 为 ON,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。
 
 
很多人都知道,Oracle的监听器一直存在着一个安全隐患,假如不设置安全措施,那么能够访问的用户就可以远程关闭监听器。 相关示例: D:\>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=eygle))) 命令执行成功 大家可以发现,此时缺省的监听器的日志还无法记录操作地址: No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) 28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop) (ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0 为了更好的保证监听器的安全,大家最好为监听设置密码: [oracle@jumper log]$ lsnrctl LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17 Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved. Welcome to LSNRCTL, type "help" for information. LSNRCTL> set current_listener listener Current Listener is listener LSNRCTL> change_password Old password: New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Password changed for listener The command completed successfully LSNRCTL> set password Password: The command completed successfully LSNRCTL> save_config Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Saved LISTENER configuration parameters. Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak The command completed successfully 在我们设置密码后,远程操作将会因缺失密码而出现失败: D:\>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11) (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle))) TNS-01169: 监听程序尚未识别口令 注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器: LSNRCTL> set password Password: The command completed successfully LSNRCTL> stop Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) The command completed successfully LSNRCTL> start Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait... TNSLSNR for Linux: Version 9.2.0.4.0 - Production System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production Start Date 28-NOV-2007 10:22:23 Uptime 0 days 0 hr. 0 min. 0 sec Trace Level support Security ON SNMP OFF Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Services Summary... Service "eygle" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... Service "julia" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... The command completed successfully 另外,ADMIN_RESTRICTIONS参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 ADMIN_RESTRICTIONS_ 为 ON,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。
󰈣󰈤
 
 
>>返回首页<<
 为你推荐
 
 
 
 转载本文
 UBB代码 HTML代码
复制到剪贴板...
 
 
 热帖排行
 
 
王朝网络微信公众号
微信扫码关注本站公众号wangchaonetcn
 
  免责声明:本文仅代表作者个人观点,与王朝网络无关。王朝网络登载此文出于传递更多信息之目的,并不意味着赞同其观点或证实其描述,其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
©2005- 王朝网络 版权所有