Is your listener secure?
http://inthirties.com:90/thread-1282-1-1.html
Never heard of this? It really is a problem. In releases before 10g, a client could manage the listener on a remote server simply by configuring tnsnames.ora locally. That is rather frightening: if you know the server's Oracle directory layout and its listener configuration, you can silently knock the server's listener over with almost no effort.
In the walkthrough below, client B has IP 172.16.10.129 and server A has IP 172.16.10.130.
On server A, define a listener named LISTENER01 by adding the following fragment to listener.ora:
LISTENER01 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.10.130)(PORT = 21521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
  )
Then start LISTENER01:
[oracle@asm02 ~]$ lsnrctl start LISTENER01
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 24-MAR-2010 23:26:05
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /u01/app/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait…
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/product/10.2.0/db_1/network/log/listener01.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.10.130)(PORT=21521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.10.130)(PORT=21521)))
STATUS of the LISTENER
————————
Alias LISTENER01
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 24-MAR-2010 23:26:06
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener01.log
Listening Endpoints Summary…
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.10.130)(PORT=21521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
The listener supports no services
The command completed successfully
LISTENER01 on server A is now running.
Next, let's try to operate on it from client B. From B's point of view the listener's address is not a local one, so it has to be defined in tnsnames.ora. Edit the client's tnsnames.ora and add:
LISTENER01 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.10.130)(PORT = 21521))
    )
  )
This points the alias at server A's address and port.
Now query the status of server A's listener from the client. Start the lsnrctl console:
[oracle@asm01 ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2010 07:23:06
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER01
Current Listener is LISTENER01
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.10.130)(PORT=21521)))
TNS-01189: The listener could not authenticate the user
This is an authentication error. Looking back at the status output above, LISTENER01 on server A reports Security ON: Local OS Authentication, meaning only a local OS user on server A may administer it, so the remote session is refused.
Now let's switch the security of server A's listener to password authentication. Run the following on server A:
[oracle@asm02 ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 24-MAR-2010 23:27:09
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER01
Current Listener is LISTENER01
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.10.130)(PORT=21521)))
Password changed for LISTENER01
The command completed successfully
Now check the Security setting again (status output abbreviated):
STATUS of the LISTENER
————————
Alias LISTENER01
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 24-MAR-2010 23:26:06
Uptime 0 days 0 hr. 1 min. 41 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener01.log
Listening Endpoints Summary…
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.10.130)(PORT=21521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
The listener supports no services
The command completed successfully
LSNRCTL> exit
The listener now accepts password authentication as well: note that the status line reads "Password or Local OS Authentication", so local OS users are still accepted, and the password is an additional path that a remote client can use.
Back on client B, retry the commands from before:
LSNRCTL> set current_listener LISTENER01
Current Listener is LISTENER01
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.10.130)(PORT=21521)))
STATUS of the LISTENER
————————
Alias LISTENER01
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 24-MAR-2010 23:26:06
Uptime 0 days 0 hr. 3 min. 2 sec
Trace Level off
Security ON: Password or Local OS Authentication
The status is now visible from the remote client.
Next, let's stop LISTENER01 on server A remotely:
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.10.130)(PORT=21521)))
The command completed successfully
Check on server A whether LISTENER01 is really down:
It has been stopped.
This is what 10g tightened. In 9i a client could operate a server's listener directly, a real security hazard: kill the LISTENER and nobody can connect to the database any more, a textbook case of pulling the rug out from under it.
In 10g the default of Local OS Authentication closes this hole, but only as long as you leave it alone: as soon as you set a listener password, anyone who holds that password can administer, and stop, the listener from any host that can reach its port, exactly as demonstrated above. If you do not need remote listener administration, do not set a password.
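As an added example (not part of the original post), here is a small shell audit that tells you which of the two states shown above a listener is in, so you do not have to eyeball lsnrctl output. It parses the Security line of a captured `lsnrctl status` report and looks for PASSWORDS_<listener> keys in a listener.ora, which is where a saved listener password lands. The status reports and listener.ora text embedded below are constructed to mirror the 10.2 output quoted in the post, and the hash value is a placeholder, not a real password hash; in practice you would pipe in the live `lsnrctl status LISTENER01` output and the real listener.ora.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit what authentication a
# 10g listener reports before trusting that it cannot be administered remotely.
# The functions take captured text so they run offline; in practice feed them
# `lsnrctl status LISTENER01` output and $ORACLE_HOME/network/admin/listener.ora.

# Classify the "Security" line of an lsnrctl status report.
# Prints one of: local-os-only | password-or-local-os | off | unknown
listener_security_mode() {
    _sec=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Security[[:space:]]*//p' | head -n 1)
    case "$_sec" in
        "ON: Local OS Authentication")             echo local-os-only ;;
        "ON: Password or Local OS Authentication") echo password-or-local-os ;;
        # An unprotected listener reports "Security OFF"
        OFF*)                                      echo off ;;
        *)                                         echo unknown ;;
    esac
}

# True only in the state the post shows as safe: a remote lsnrctl session
# gets TNS-01189 because there is no password path to authenticate with.
listener_is_local_only() {
    [ "$(listener_security_mode "$1")" = local-os-only ]
}

# Print any PASSWORDS_<listener> keys found in listener.ora text. A non-empty
# result means a password has been saved, so remote administration is possible.
listener_ora_password_entries() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(PASSWORDS_[A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p'
}

# --- constructed samples, shaped like the 10.2 output quoted in the post ---
STATUS_BEFORE='STATUS of the LISTENER
------------------------
Alias                     LISTENER01
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF'

STATUS_AFTER='STATUS of the LISTENER
------------------------
Alias                     LISTENER01
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF'

LISTENER_ORA_BEFORE='LISTENER01 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.16.10.130)(PORT = 21521))
    )
  )'

# The hash below is a placeholder, not a real listener password hash.
LISTENER_ORA_AFTER="$LISTENER_ORA_BEFORE
PASSWORDS_LISTENER01 = 0123456789ABCDEF"

if [ "${1:-}" = "--demo" ]; then
    printf 'before change_password: %s\n' "$(listener_security_mode "$STATUS_BEFORE")"
    printf 'after  change_password: %s\n' "$(listener_security_mode "$STATUS_AFTER")"
    printf 'password keys in listener.ora: %s\n' "$(listener_ora_password_entries "$LISTENER_ORA_AFTER")"
fi
```

Run it with `--demo` to see the classification of both sample states; against a live system, `lsnrctl status LISTENER01 | { listener_security_mode "$(cat)"; }` gives the current mode, and anything other than local-os-only means a remote lsnrctl session can get in with the right password.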