很多Oracle用户都知道,Oracle的监听器一直存在着一个安全隐患,假如对此不设置安全措施,那么能够访问的用户就可以远程关闭监听器。
相关示例如下:
D:>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=eygle)))
命令执行成功
大家可以发现,此时缺省的监听器的日志还无法记录操作地址:
No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) 28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop) (ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0
有鉴于此,为了更好的保证监听器的安全,大家最好为监听设置密码:
[oracle@jumper log]$ lsnrctl LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17 Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved. Welcome to LSNRCTL, type "help" for information. LSNRCTL> set current_listener listener Current Listener is listener LSNRCTL> change_password Old password: New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Password changed for listener The command completed successfully LSNRCTL> set password Password: The command completed successfully LSNRCTL> save_config Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Saved LISTENER configuration parameters. Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak The command completed successfully
在我们设置密码后,远程操作将会因缺失密码而出现失败:
D:>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11) (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))
TNS-01169: 监听程序尚未识别口令
注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器:
LSNRCTL> set password Password: The command completed successfully LSNRCTL> stop Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) The command completed successfully LSNRCTL> start Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait... TNSLSNR for Linux: Version 9.2.0.4.0 - Production System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production Start Date 28-NOV-2007 10:22:23 Uptime 0 days 0 hr. 0 min. 0 sec Trace Level support Security ON SNMP OFF Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Services Summary... Service "eygle" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... Service "julia" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... The command completed successfully
另外,ADMIN_RESTRICTIONS参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 ADMIN_RESTRICTIONS_ 为 ON,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。
京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有 