[20150504]11G口令不对的问题.txt

[20150504]11G口令不对的问题.txt

--前一阵子,遇到用户口令不对,导致登录缓慢的问题,主要11G加入密码错误验证延迟导致的.(哎现在看文档才知道)

http://blog.itpub.net/267265/viewspace-1479718/

Preventing passwords from being broken. If a user tries to log in to Oracle Database multiple times using an incorrect
password, Oracle Database delays each login after the third try. This protection applies for attempts made from
different IP addresses or multiple client connections. For the first three attempts, there is no delay. Afterwards, it
gradually increases the time before the user can try another password, up to a maximum of about 10 seconds. If the user
enters the correct password, he or she is able to log in successfully without any delay.

This feature significantly decreases the number of passwords that an intruder would be able to try when attempting to
log in. It is designed to prevent repeated attacks on password checking.

我们通过修改参数。屏蔽了密码错误验证延迟EVENT="28401 TRACE NAME CONTEXT FOREVER, LEVEL 1"

--这个测试不做,看看如何延迟的.
$ cat az.sql
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt
(time echo 'select sysdate from dual;' | sqlplus -s test/a ) 2>>/tmp/aaa.txt

$ grep real /tmp/aaa.txt
real    0m0.077s
real    0m0.071s
real    0m0.076s
real    0m1.113s
real    0m2.077s
real    0m3.078s
real    0m4.078s
real    0m5.079s
real    0m6.078s
real    0m7.109s
real    0m8.115s
real    0m9.079s
real    0m10.074s
real    0m10.073s
real    0m10.074s

--根据这个特性,如果知道用户名,而登录错误没有限制(Failed login attempts)没有限制,可能被人滥用,导致系统无法登录.
--最佳的方法是打开错误登录审计,限制Failed login attempts次数,10次相对太少,设置大一些会比较合适(比如100).