很多人都知道,oracle的監(jiān)聽器一直存在著一個安全隱患,假如不設置安全措施,那么能夠訪問的用戶就可以遠程關閉監(jiān)聽器。
相關示例:
d:>lsnrctl stop eygle
lsnrctl for 32-bit windows: version 10.2.0.3.0 - production on 28-11月-2007 10:02:40
copyright (c) 1991, 2006, oracle. all rights reserved.
正在連接到 (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521))
(connect_data=(service_name=eygle)))
命令執(zhí)行成功
大家可以發(fā)現(xiàn),此時缺省的監(jiān)聽器的日志還無法記錄操作地址:
no longer listening on: (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
28-nov-2007 09:59:20 * (connect_data=(cid=(program=)(host=)(user=administrator))(command=stop)
(arguments=64)(service=eygle)(version=169870080)) * stop * 0
為了更好的保證監(jiān)聽器的安全,大家最好為監(jiān)聽設置密碼:
[oracle@jumper log]$ lsnrctl
lsnrctl for linux: version 9.2.0.4.0 - production on 28-nov-2007 10:18:17
copyright (c) 1991, 2002, oracle corporation. all rights reserved.
welcome to lsnrctl, type help for information.
lsnrctl> set current_listener listener
current listener is listener
lsnrctl> change_password
old password:
new password:
reenter new password:
connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
password changed for listener
the command completed successfully
lsnrctl> set password
password:
the command completed successfully
lsnrctl> save_config
connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
saved listener configuration parameters.
listener parameter file /opt/oracle/product/9.2.0/network/admin/listener.ora
old parameter file /opt/oracle/product/9.2.0/network/admin/listener.bak
the command completed successfully
在我們設置密碼后,遠程操作將會因缺失密碼而出現(xiàn)失敗:
d:>lsnrctl stop eygle
lsnrctl for 32-bit windows: version 10.2.0.3.0 - production on 28-11月-2007 10:22:57
copyright (c) 1991, 2006, oracle. all rights reserved.
正在連接到 (description=(address=(protocol=tcp)(host=172.16.33.11)
(port=1521))(connect_data=(service_name=eygle)))
tns-01169: 監(jiān)聽程序尚未識別口令
注意:此時在服務器端或客戶端,都需要我們通過密碼來起停監(jiān)聽器:
lsnrctl> set password
password:
the command completed successfully
lsnrctl> stop
connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
the command completed successfully
lsnrctl> start
starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait...
tnslsnr for linux: version 9.2.0.4.0 - production
system parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora
log messages written to /opt/oracle/product/9.2.0/network/log/listener.log
trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc
listening on: (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
connecting to (description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
status of the listener
------------------------
alias listener
version tnslsnr for linux: version 9.2.0.4.0 - production
start date 28-nov-2007 10:22:23
uptime 0 days 0 hr. 0 min. 0 sec
trace level support
security on
snmp off
listener parameter file /opt/oracle/product/9.2.0/network/admin/listener.ora
listener log file /opt/oracle/product/9.2.0/network/log/listener.log
listener trace file /opt/oracle/product/9.2.0/network/trace/listener.trc
listening endpoints summary...
(description=(address=(protocol=tcp)(host=172.16.33.11)(port=1521)))
services summary...
service eygle has 1 instance(s).
instance eygle, status unknown, has 1 handler(s) for this service...
service julia has 1 instance(s).
instance eygle, status unknown, has 1 handler(s) for this service...
the command completed successfully
另外,admin_restrictions參數(shù)也是一個重要的安全選項,大家可以在 listener.ora 文件中設置 admin_restrictions_ 為 on,此后所有在運行時對監(jiān)聽器的修改都將會被阻止,所有對監(jiān)聽器的修改都必須通過手工修改listener.ora文件才能順利完成。
更多信息請查看IT技術專欄