Oracle Database Security Weaknesses: Setting the Listener Password

    Oracle's components come with fairly comprehensive security hardening, and the listener has its own security settings as well. By default, however, a user needs no password at all to operate or shut down the Oracle Listener with the lsnrctl tool, which can prevent new sessions from connecting; the listener also accepts lsnrctl administration from remote hosts, which can easily lead to database damage. Note also that listener administration differs between 9i and 10g/11g: on a 9i database, a password set through lsnrctl takes precedence over OS authentication, whereas on 10g and 11g a password set through lsnrctl does not take effect automatically, and OS authentication must be disabled before the listener password becomes effective.
    This post focuses on setting the listener password on 11g.
1. As the oracle user, type lsnrctl in the shell and press Enter to open the listener administration console
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:33:57
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> 

2. In the listener administration console, type help to list the listener administration commands
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start               stop                status              
services            version             reload              
save_config         trace               spawn               
change_password     quit                exit                
set*                show*  

3. When no listener password is set, the oracle session can stop and start the listener with lsnrctl (this is the listener's risk). Stopping and starting the listener:
[oracle@orcl11g admin]$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:38:13
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
[oracle@orcl11g admin]$ 
[oracle@orcl11g admin]$ lsnrctl start
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:39:50
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Starting /oracle/app/oracle/product/11.2.0.3/db/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Log messages written to /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 15:39:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@orcl11g admin]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:39:54
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 15:39:50
Uptime                    0 days 0 hr. 0 min. 3 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@orcl11g admin]$ 

4. Use the lsnrctl administration tool to set a password for the Oracle database listener
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:41:35
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start               stop                status              
services            version             reload              
save_config         trace               spawn               
change_password     quit                exit                
set*                show*               
LSNRCTL> change_password
Old password:<enter the old password if the listener already has one>
New password: <enter the new password>
Reenter new password: <re-enter the new password to confirm>
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password #set the console password
Password: 
The command completed successfully
LSNRCTL> save_config #save the configuration
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Old Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.bak
The command completed successfully
LSNRCTL> 

5. Test whether the password setting takes effect (note: a reload or a listener restart is required)
LSNRCTL> reload
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL> 

6. Verify whether the listener password has taken effect (note: on 9i it does take effect; the point here is that 10g and 11g use OS authentication, so the listener password does not take effect automatically)
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL>
As you can see, although a listener password was set, the password protection policy did not take effect because 11g uses OS authentication.

7. Disable OS authentication in the listener.ora configuration file
SID_LIST_ORCL11G=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=ORCL11G)
      (SID_NAME=ORCL11G)
      (ORACLE_HOME=/oracle/app/oracle/product/11.2.0.3/db)
      (PRESPAWN_MAX=20)
      (PRESPAWN_LIST=
        (PRESPAWN_DESC=(PROTOCOL=tcp)(POOL_SIZE=2)(TIMEOUT=1))
      )
    )
  )

LOCAL_OS_AUTHENTICATION_listener=OFF

#----ADDED BY TNSLSNR 08-JUL-2015 14:00:26---
PASSWORDS_LISTENER = FC996BE8FB638140
#--------------(this entry is the marker that a listener password has been set)------------------------------

8. After disabling OS authentication in listener.ora, restart the listener and verify again whether the listener password takes effect
[oracle@orcl11g admin]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 16:10:18
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
TNS-01169: The listener has not recognized the password
[oracle@orcl11g admin]$
As you can see, password protection is now in effect.

9. Once the database listener is password-protected, administering it requires first supplying the password with the set command in the lsnrctl administration console
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 16:12:18
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password: 
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 16:08:52
Uptime                    0 days 0 hr. 4 min. 21 sec
Trace Level               off
Security                  ON: Password
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Services Summary...
Service "orcl11g" has 1 instance(s).
  Instance "orcl11g", status READY, has 1 handler(s) for this service...
Service "orcl11gXDB" has 1 instance(s).
  Instance "orcl11g", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL> start
Starting /oracle/app/oracle/product/11.2.0.3/db/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Log messages written to /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 16:13:25
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Password
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
LSNRCTL> 

10. Important: once a password has been set, remember it; otherwise administering the database listener later will be troublesome.
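The two listener.ora entries from steps 7 and 8 are what decide whether the password is enforced on 10g/11g, so the following added audit helper (not from the original post) reads a listener.ora and reports whether PASSWORDS_<listener> is present and LOCAL_OS_AUTHENTICATION_<listener> is OFF. The two sample files are constructed here with a placeholder hash; the function and listener names are assumptions.

```shell
#!/bin/sh
# Added audit helper: on 10g/11g a PASSWORDS_<listener> entry alone is not enough;
# LOCAL_OS_AUTHENTICATION_<listener> must also be OFF, otherwise the local oracle
# account can still stop the listener without a password (see steps 6 to 8).

# Two constructed sample listener.ora files (placeholder value, not a real hash).
WITH_OS_AUTH_OFF=$(mktemp)
cat > "$WITH_OS_AUTH_OFF" <<'EOF'
LOCAL_OS_AUTHENTICATION_listener=OFF
#----ADDED BY TNSLSNR (constructed sample)---
PASSWORDS_LISTENER = 0000000000000000
EOF
PASSWORD_ONLY=$(mktemp)
cat > "$PASSWORD_ONLY" <<'EOF'
PASSWORDS_LISTENER = 0000000000000000
EOF
trap 'rm -f "$WITH_OS_AUTH_OFF" "$PASSWORD_ONLY"' EXIT

# Count lines in file $1 that match extended regex $2, case-insensitively
# (listener.ora parameter names are not case-sensitive).
count_matches() { c=$(grep -Eic "$2" "$1" 2>/dev/null) || true; echo "${c:-0}"; }

# Usage: listener_mode <listener.ora> <listener-name>
# Prints: password-enforced | password-set-os-auth-on | no-password
listener_mode() {
  name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  pw=$(count_matches "$1" "^[[:space:]]*PASSWORDS_${name}[[:space:]]*=")
  osoff=$(count_matches "$1" \
    "^[[:space:]]*LOCAL_OS_AUTHENTICATION_${name}[[:space:]]*=[[:space:]]*OFF")
  if [ "$pw" -eq 0 ]; then echo no-password
  elif [ "$osoff" -eq 0 ]; then echo password-set-os-auth-on
  else echo password-enforced
  fi
}

# Usage: audit_listener <listener.ora> [listener-name]   (default name LISTENER)
audit_listener() {
  name=${2:-LISTENER}
  case "$(listener_mode "$1" "$name")" in
    password-enforced) echo "$name: OK, password required for lsnrctl administration" ;;
    password-set-os-auth-on) echo "$name: WARNING, password set but LOCAL_OS_AUTHENTICATION_$name is not OFF; local OS users bypass it on 10g/11g" ;;
    no-password) echo "$name: WARNING, no listener password configured" ;;
  esac
}

audit_listener "$WITH_OS_AUTH_OFF"   # OK
audit_listener "$PASSWORD_ONLY"      # WARNING, OS auth still on
```

Point it at $ORACLE_HOME/network/admin/listener.ora (and the listener alias from listener.ora) to check a real host; the listener still has to be reloaded or restarted after the file changes, as step 5 notes.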

Time: 2024-09-09 01:09:01
