数据库安全检查监听是重点,设置监听密码
Oracle 数据库监听的安全管理是比较容易忽略的一个问题,做一个测试
禁用监听的本地验证功能,设置监听密码,数据库版本为11.2.0.4
1、默认配置listener.ora
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = roidb01)(PORT = 1521))
)
)
SID_LIST_LISTENER=
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = orcl)
(ORACLE_HOME =/u01/app/oracle/product/11.2.0/dbhome_1)
(SID_NAME = orcl)
)
)
ADR_BASE_LISTENER = /u01/app/oracle
2、添加参数
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
使用vi 添加以上参数如下:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = roidb01)(PORT = 1521))
)
)
SID_LIST_LISTENER=
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = orcl)
(ORACLE_HOME =/u01/app/oracle/product/11.2.0/dbhome_1)
(SID_NAME = orcl)
)
)
ADR_BASE_LISTENER = /u01/app/oracle
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
3、reload 监听
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-NOV-2018 10:55:16
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
The command completed successfully
root 10 2 0 09:11 ? 00:00:00 [netns]
oracle 2809 1 0 10:55 ? 00:00:00 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr LISTENER -inherit
oracle 2820 1898 0 10:55 pts/0 00:00:00 grep tns
4、设置监听密码
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-NOV-2018 10:55:50
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start stop status
services version reload
save_config trace spawn
change_password quit exit
set show
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Old Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
STATUS of the LISTENER
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 29-NOV-2018 10:55:01
Uptime 0 days 0 hr. 2 min. 14 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/roidb01/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=roidb01)(PORT=1521)))
Services Summary...
Service "ORCL_DGB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl" has 2 instance(s).
Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
5、关闭监听方法
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-NOV-2018 10:58:12
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-NOV-2018 10:58:15
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=roidb01)(PORT=1521)))
The command completed successfully
LSNRCTL>