2019-01-28 KK Diary: the remote registration of an ORACLE instance via remote_listener that has to be talked about

1. Background

One day a DBA finished a recovery drill of the production database and started the test database (Oracle 11g RAC architecture), only to find that the production application was connecting to the database we had just restored and successfully executing SQL against it.

2. Problem

Why did the production application automatically connect to the freshly restored database?

3. Data collection and analysis

3.1 Check the application configuration

  • The application code does not connect to the test database directly.
  • The application's shared database connection configuration file contains no entry pointing at the test database.

3.2 Packet capture on the application side

  • The application's request packets were sent to the SCAN name, and the SCAN then performed a redirect; it turned out that some requests were being dispatched to the production instance and others to the test instance.

At this point we suspected that the test database's instance had registered itself with the production SCAN.

3.3 Check the production database

  • On the production database there was no visible information about the test instance being registered with the production SCAN.

3.4 Check the test database configuration

  • The remote_listener parameter was set to the production SCAN name: productdbsvc.company.com
  • Running nslookup productdbsvc.company.com on the test instance's OS returned the IP of the production SCAN
  • The test database's dbname, instance name and service name were identical to the production configuration.

Because the test database had been restored directly from production, none of this configuration had been changed.

3.5 Consulting support.oracle.com

  • Found an article on a closely related security vulnerability: Oracle Security Alert for CVE-2012-1675 (TNS Listener Poison Attack)
  • https://www.informationsecuritybuzz.com/articles/oracle-tns-listener-poison-attack/
  • https://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  • The official way to prevent remote registration: How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
On 11.2.0.4:

To accomplish only local registration of the instances to local and scan listeners, the following settings will need to be made in listener.ora on all nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=()

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=()

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=()

For example, for a two node RAC with two scan listeners, we will have on both nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)

Having VALID_NODE_CHECKING_REGISTRATION_LISTENER and VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANX set to 1 will allow local instances on that node to be registered. The REGISTRATION_INVITED_NODES_LISTENER_SCANX parameter will add to the invited nodes all the instances on the other nodes. We will need to use the public IPs of the nodes, even if the local listeners run only on VIPs (and not on both, as is the default in 11.2 and higher).

Version 12.1.0.2 Change to VNCR

On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to ON/1/LOCAL to specify that valid node checking registration is on, and all local IP addresses can register.
12c introduces the option of using srvctl to set 'invitednodes' or 'invitedsubnets'.

See example:
srvctl modify scan_listener {-update | -endpoints [TCP:]port[/IPC:key] [/NMP:pipe_name][/TCPS:s_port][/SDP:port] } [-invitednodes node_list] [-invitedsubnets subnet_list]

Note that all nodes in a cluster would be from the same subnet so 12c VNCR is configured with protection "out-of-the-box".

It is important to note that in 12c this configuration alone does not offer protection for Oracle Security Alert CVE-2012-1675 or TNS Listener poison attacks.
We recommend using the 11gR2 instructions posted above to limit registration.

Listener.ora file sample for 12c listener configured to restrict registration using INVITED_NODES:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=()

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=()

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=()

Version 12c also introduces the following parameter:  REMOTE_REGISTRATION_ADDRESS_. This parameter is configured internally in the SCAN listener to restrict registrations to the private network. The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint.

The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF. The value is OFF in non-SCAN listeners.

You can check its value by running:

lsnrctl show remote_registration_address

Example:

LSNRCTL>set current_listener LISTENER_SCAN1
LSNRCTL>show remote_registration_address

All the instances' registration requests will be redirected to this private endpoint so that instances in the same cluster will register. This is the alternative for VNCR settings on local listeners.

NOTE:  In 12.1.0.2, the GI agent sets the remote_registration_address to HAIP or the private IP address by default.  This is true for both local listener and scan_listener.
The agent turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) is set using srvctl.
The agent also turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) information is found in the listener.ora file.

Both the database and the GRID home must be at version 12. If the database is pre-12 OR upgraded from 11g, the REMOTE_REGISTRATION_ADDRESS will not be set to HAIP.
VNCR will not be enabled by default for those instances that have been upgraded from 11g.


Important note: The HAIP endpoints will accept registrations from any database in the subnet. This may or may not be a security threat in your enterprise, but it should be considered when implementing this solution. HAIP endpoints CAN accept registrations from the same subnet.

As of 12.1.0.2 Grid Infrastructure, VNCR is enabled by default (since REMOTE_REGISTRATION_ADDRESS points only to an internal IP address) and there is no additional step required.

If one wants to relax this default VNCR in 12.1.0.2, one can use the srvctl modify invited_node or invited_subnet commands.


IMPORTANT NOTE: A restart (not reload) of the listener process will be necessary after making the changes to VNCR in the listener.ora file:
LSNRCTL>set current_listener listener_name
LSNRCTL>stop
LSNRCTL>start
  • Worked example of remote instance registration: https://blog.csdn.net/langcai1981/article/details/7161440

From the articles above we learn that as long as the test database instance's remote_listener is set to the production value (e.g. product.com:1521), and the test instance's local_listener is set as well (e.g. alter system set local_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=<test host ip>)(PORT=1521))';), the test instance will register itself with the production listeners, and production requests will be diverted to the test database.

4. Preventive measures

Add the following settings to listener.ora:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1 # if there are several scan listeners, add an entry for each one
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<physical ip of node running scan 1>,<physical ip of node running scan 2>)
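To check that these settings are actually in place on every node, here is an added audit script (my own example, not part of the original post or of Oracle's note): it parses the VALID_NODE_CHECKING_REGISTRATION_* and REGISTRATION_INVITED_NODES_* entries of a listener.ora and reports, per listener, whether VNCR is on and which nodes are invited. The sample listener.ora inside it is constructed; the IPs are made up.

```python
from typing import Dict, List

# Constructed listener.ora sample (made-up IPs): a local listener with VNCR on,
# a SCAN listener with VNCR on plus an invited-node list, and a SCAN listener
# where VNCR was left off.
SAMPLE_LISTENER_ORA = """
# comment lines and blanks are ignored
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(10.0.0.11, 10.0.0.12)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=()
"""

VNCR_PREFIX = "VALID_NODE_CHECKING_REGISTRATION_"
INVITED_PREFIX = "REGISTRATION_INVITED_NODES_"
VNCR_ON = {"1", "ON", "LOCAL"}  # the "on" spellings the Oracle note lists


def parse_listener_ora(text: str) -> Dict[str, str]:
    """Collect single-line KEY=value entries (the VNCR parameters are always
    single-line); other entries are kept but ignored by the audit."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def invited_nodes(value: str) -> List[str]:
    """'(node1, node2)' -> ['node1', 'node2']; '()' -> []."""
    return [n.strip() for n in value.strip().strip("()").split(",") if n.strip()]


def audit_vncr(params: Dict[str, str]) -> Dict[str, dict]:
    """Per listener name: VNCR state, invited nodes and findings to act on."""
    report: Dict[str, dict] = {}
    for key, value in params.items():
        for prefix in (VNCR_PREFIX, INVITED_PREFIX):
            if key.startswith(prefix):
                entry = report.setdefault(key[len(prefix):], {"vncr": False, "invited": [], "findings": []})
                if prefix == VNCR_PREFIX:
                    entry["vncr"] = value.upper() in VNCR_ON
                else:
                    entry["invited"] = invited_nodes(value)
    for name, entry in report.items():
        if not entry["vncr"]:
            entry["findings"].append("VNCR off: any host reaching this listener can register a service")
        elif name.startswith("LISTENER_SCAN") and not entry["invited"]:
            entry["findings"].append("empty invited list: only instances on the node running this SCAN listener register")
    return report
```

Run it against the listener.ora on each RAC node and treat any listener with a non-empty findings list as something to fix before the next recovery drill.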
