很多oracle用户都知道,oracle的监听器一直存在着一个安全隐患,假如对此不设置安全措施,那么能够访问的用户就可以远程关闭监听器。
相关示例如下:
d:>lsnrctl stop eygle lsnrctl for 32-bit windows: version 10.2.0.3.0 - production on 28-11月-2007 10:02:40 copyright (c) 1991, 2006, oracle. all rights reserved. 正在连接到 (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)) (connect_data=(service_name=eygle)))
命令执行成功
大家可以发现,此时缺省的监听器的日志还无法记录操作地址:
no longer listening on: (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) 28-nov-2007 09:59:20 * (connect_data=(cid=(program=)(host=)(user=administrator))(command=stop) (arguments=64)(service=eygle)(version=169870080)) * stop * 0
有鉴于此,为了更好的保证监听器的安全,大家最好为监听设置密码:
[oracle@jumper log]$ lsnrctl lsnrctl for linux: version 9.2.0.4.0 - production on 28-nov-2007 10:18:17 copyright (c) 1991, 2002, oracle corporation. all rights reserved. welcome to lsnrctl, type "help" for information. lsnrctl> set current_listener listener current listener is listener lsnrctl> change_password old password: new password: reenter new password: connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) password changed for listener the command completed successfully lsnrctl> set password password: the command completed successfully lsnrctl> save_config connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) saved listener configuration parameters. listener parameter file /opt/oracle/product/9.2.0/network/admin/listener.ora old parameter file /opt/oracle/product/9.2.0/network/admin/listener.bak the command completed successfully
在我们设置密码后,远程操作将会因缺失密码而出现失败:
d:>lsnrctl stop eygle lsnrctl for 32-bit windows: version 10.2.0.3.0 - production on 28-11月-2007 10:22:57 copyright (c) 1991, 2006, oracle. all rights reserved. 正在连接到 (description=(address=(protocol=tcp)(host=172.16.33.11) (port=1521))(connect_data=(service_name=eygle)))
tns-01169: 监听程序尚未识别口令
注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器:
lsnrctl> set password password: the command completed successfully lsnrctl> stop connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) the command completed successfully lsnrctl> start starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait... tnslsnr for linux: version 9.2.0.4.0 - production system parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora log messages written to /opt/oracle/product/9.2.0/network/log/listener.log trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc listening on: (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) status of the listener ------------------------ alias listener version tnslsnr for linux: version 9.2.0.4.0 - production start date 28-nov-2007 10:22:23 uptime 0 days 0 hr. 0 min. 0 sec trace level support security on snmp off listener parameter file /opt/oracle/product/9.2.0/network/admin/listener.ora listener log file /opt/oracle/product/9.2.0/network/log/listener.log listener trace file /opt/oracle/product/9.2.0/network/trace/listener.trc listening endpoints summary... (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))) services summary... service "eygle" has 1 instance(s). instance "eygle", status unknown, has 1 handler(s) for this service... service "julia" has 1 instance(s). instance "eygle", status unknown, has 1 handler(s) for this service... the command completed successfully
另外,admin_restrictions参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 admin_restrictions_ 为 on,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。