
Oracle Listener Passwords and Listener Security


Published: February 7, 2024
 

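Many people know that the Oracle listener has long had a security weakness: if no protective measures are configured, any user who can reach the listener can shut it down remotely.

Example:

D:\>lsnrctl stop eygle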

LSNRCTL for bit Windows: Version Production on ::

Copyright (c) Oracle All rights reserved

正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=))

(CONNECT_DATA=(SERVICE_NAME=eygle)))

命令执行成功

Note that at this point the default listener log still does not record the address the operation came from:

No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))

NOV :: * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)

(ARGUMENTS=)(SERVICE=eygle)(VERSION=)) * stop *

To better protect the listener, it is best to set a password for it:

[oracle@jumper log]$ lsnrctl

LSNRCTL for Linux: Version Production on NOV ::

Copyright (c) Oracle Corporation All rights reserved

Welcome to LSNRCTL type help for information

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> change_password

Old password:

New password:

Reenter new password:

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))

Password changed for listener

The command completed successfully

LSNRCTL> set password

Password:

The command completed successfully

LSNRCTL> save_config

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))

Saved LISTENER configuration parameters

Listener Parameter File /opt/oracle/product//network/admin/listenerora

Old Parameter File /opt/oracle/product//network/admin/listenerbak

The command completed successfully

Once the password is set, remote operations fail because the password is missing:

D:\>lsnrctl stop eygle

LSNRCTL for bit Windows: Version Production on ::

Copyright (c) Oracle All rights reserved

正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)

(PORT=))(CONNECT_DATA=(SERVICE_NAME=eygle)))

TNS: 监听程序尚未识别口令

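Note that from this point on, whether on the server or on a client, the password must be supplied to start or stop the listener:

LSNRCTL> set password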

Password:

The command completed successfully

LSNRCTL> stop

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))

The command completed successfully

LSNRCTL> start

Starting /opt/oracle/product//bin/tnslsnr: please wait

TNSLSNR for Linux: Version Production

System parameter file is /opt/oracle/product//network/admin/listenerora

Log messages written to /opt/oracle/product//network/log/listenerlog

Trace information written to /opt/oracle/product//network/trace/listenertrc

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))

STATUS of the LISTENER

Alias LISTENER

Version TNSLSNR for Linux: Version Production

Start Date NOV ::

Uptime days hr min sec

Trace Level support

Security ON

SNMP OFF

Listener Parameter File /opt/oracle/product//network/admin/listenerora

Listener Log File /opt/oracle/product//network/log/listenerlog

Listener Trace File /opt/oracle/product//network/trace/listenertrc

Listening Endpoints Summary

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))

Services Summary

Service eygle has instance(s)

Instance eygle status UNKNOWN has handler(s) for this service

Service julia has instance(s)

Instance eygle status UNKNOWN has handler(s) for this service

The command completed successfully

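In addition, the ADMIN_RESTRICTIONS parameter is another important security option. You can set ADMIN_RESTRICTIONS_ to ON in the listener.ora file. After that, all runtime modifications to the listener are blocked, and every change to the listener has to be made by manually editing listener.ora.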
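As an added example (not part of the original article), the following script audits a listener.ora for the two protections described above and reports every listener that lacks them. It assumes the saved password appears as a PASSWORDS_<listener> entry and the restriction as ADMIN_RESTRICTIONS_<listener>; the sample file, host name and hash are constructed.

```python
import re

# Constructed sample listener.ora (not from the page): LISTENER is hardened,
# LISTENER2 has neither a password entry nor ADMIN_RESTRICTIONS.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = eygle)))
PASSWORDS_LISTENER = (0123456789ABCDEF)   # constructed placeholder hash
ADMIN_RESTRICTIONS_LISTENER = ON
LISTENER2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522)))
"""

def top_level_params(text):
    """Return {NAME: value} for each parameter defined at parenthesis depth 0."""
    params, depth, name = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)", line) if depth == 0 else None
        if m:                                    # a new top-level parameter starts
            name, line = m.group(1).upper(), m.group(2)
            params[name] = ""
        if name is not None:
            params[name] += line
        depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """List (listener, finding) pairs for listeners missing either protection."""
    params, findings = top_level_params(text), []
    for name, value in params.items():
        # Treat any top-level entry that contains an ADDRESS as a listener.
        if "(ADDRESS" not in value.upper().replace(" ", ""):
            continue
        if "PASSWORDS_" + name not in params:
            findings.append((name, "no listener password set"))
        if params.get("ADMIN_RESTRICTIONS_" + name, "").strip().upper() != "ON":
            findings.append((name, "ADMIN_RESTRICTIONS is not ON"))
    return findings

if __name__ == "__main__":
    for listener, finding in audit(SAMPLE):
        print(f"{listener}: {finding}")
```

To check a real file, pass its contents to audit(); quoted values containing "#" or parentheses are not handled by this simplified parser.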

               
