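An NSFOCUS scan flagged a weak application account on the Oracle tnslsnr listener. Setting a listener password is mainly meant to keep the listener from being shut down remotely by a malicious party. For a detailed explanation of this security issue, see the article reposted at the end of this post, "Oracle Listener Passwords and Listener Security".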

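The following commands are used:
1) lsnrctl: enter the listener control utility;
2) set password: supply the password;
3) change_password: change the password;
4) save_config: save the configuration;
5) exit: leave the listener control utility;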
 
#1: At the command prompt, type lsnrctl and press Enter
C:\Documents and Settings\Administrator>lsnrctl
LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 21-1月 -2018 09:33:30
欢迎来到LSNRCTL,请键入"help"以获得信息。
 
#2: Type change_password and press Enter
LSNRCTL> change_password
Old password: # enter the old password; if there is none, just press Enter
New password: # enter the new password
Reenter new password: # enter the new password again
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx-94b9880xr5)(PORT=1521)))
LISTENER的口令已更改
命令执行成功
 
#3: Save the configuration
LSNRCTL> set password # the password was just changed, so the new password must be supplied first
Password:
命令执行成功
LSNRCTL> save_config
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx-94b9880xr5)(PORT=1521)))
保存的LISTENER配置参数。
监听器参数文件 E:\oracle\ora92\network\admin\listener.ora
旧的参数文件E:\oracle\ora92\network\admin\listener.bak
命令执行成功
 
LSNRCTL> save_config # saving without supplying the password first produces an error
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rdlg-94b9880xr5)(PORT=1521)))))
TNS-01169: 监听器尚未识别口令
 
#4: Exit
LSNRCTL> exit
 
#5: Verify
Open the file E:\oracle\ora92\network\admin\listener.ora
The following content has been added:
#----ADDED BY TNSLSNR 21-1月 -2018 09:34:41---
PASSWORDS_LISTENER = 6336EEA3D5E41DD9
#---------------------------------------------
 
Oracle Listener Passwords and Listener Security
Author: eygle [Please credit the source and author when reposting]
Link: http://www.eygle.com/archives/2007/11/listener_security.html

The Oracle listener has long had a serious security problem:
if no security measures are configured, any user who can reach the listener can shut it down remotely, with an operation like the following:

D:\>lsnrctl stop eygle
LSNRCTL for -bit Windows: Version 10.2.0.3. - Production on -11月- ::
Copyright (c) , , Oracle. All rights reserved.
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=))
(CONNECT_DATA=(SERVICE_NAME=eygle)))
命令执行成功

Moreover, the listener's default log cannot record the address the operation came from:

No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=)))
-NOV- :: * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)
(ARGUMENTS=)(SERVICE=eygle)(VERSION=)) * stop *

This problem has existed for a long time. To keep the listener secure, it is best to set a password on it:

[oracle@jumper log]$ lsnrctl
LSNRCTL for Linux: Version 9.2.0.4. - Production on -NOV- ::
Copyright (c) , , Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=)))
Password changed for listener
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=)))
Saved LISTENER configuration parameters.
Listener Parameter File /opt/oracle/product/9.2./network/admin/listener.ora
Old Parameter File /opt/oracle/product/9.2./network/admin/listener.bak
The command completed successfully

Once the password is set, remote operations fail because the password is missing:

D:\>lsnrctl stop eygle
LSNRCTL for -bit Windows: Version 10.2.0.3. - Production on -11月- ::
Copyright (c) , , Oracle. All rights reserved.
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)
(PORT=))(CONNECT_DATA=(SERVICE_NAME=eygle)))
TNS-: 监听程序尚未识别口令

From this point on, whether on the server or on a client, the password is required to start or stop the listener:

LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=)))
The command completed successfully
LSNRCTL> start
Starting /opt/oracle/product/9.2./bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 9.2.0.4. - Production
System parameter file is /opt/oracle/product/9.2./network/admin/listener.ora
Log messages written to /opt/oracle/product/9.2./network/log/listener.log
Trace information written to /opt/oracle/product/9.2./network/trace/listener.trc
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 9.2.0.4. - Production
Start Date -NOV- ::
Uptime days hr. min. sec
Trace Level support
Security ON
SNMP OFF
Listener Parameter File /opt/oracle/product/9.2./network/admin/listener.ora
Listener Log File /opt/oracle/product/9.2./network/log/listener.log
Listener Trace File /opt/oracle/product/9.2./network/trace/listener.trc
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=)))
Services Summary...
Service "eygle" has instance(s).
Instance "eygle", status UNKNOWN, has handler(s) for this service...
Service "julia" has instance(s).
Instance "eygle", status UNKNOWN, has handler(s) for this service...
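The command completed successfully

In addition, the ADMIN_RESTRICTIONS parameter is an important security option. We can set ADMIN_RESTRICTIONS_<listener name> to ON in the listener.ora file; after that, all runtime modifications to the listener are blocked, and every change to the listener has to be made by editing listener.ora by hand.

Reference document on listener security:
Integrigy_Oracle_Listener_TNS_Security.pdf

-The End-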
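
A check for the two settings discussed above, the PASSWORDS_<listener> entry that save_config writes (step #5) and ADMIN_RESTRICTIONS_<listener> = ON, as an added example that is not part of the original post or the reposted article. The parser, the function names and the sample file are assumptions made for illustration; any top-level entry containing an ADDRESS is treated as a listener definition.

```python
import re
ASSIGN = re.compile(r"^\s*([\w.]+)\s*=\s*(.*)$")

def top_level_params(text):
    """Map each parameter assigned at parenthesis depth 0 to its raw value."""
    params, depth, name = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = ASSIGN.match(line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += " " + line.strip()    # continuation of a nested value
        depth += line.count("(") - line.count(")")
    return params

def audit_listeners(text):
    """Per listener: is a password stored, and is ADMIN_RESTRICTIONS ON?"""
    params = top_level_params(text)
    report = {}
    for name, value in params.items():
        # Assumption: a listener definition is a top-level entry carrying an ADDRESS.
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue
        report[name] = {
            "password_set": bool(params.get("PASSWORDS_" + name, "").strip()),
            "admin_restrictions": params.get("ADMIN_RESTRICTIONS_" + name, "").strip().upper() == "ON",
        }
    return report

# Constructed sample file; only the PASSWORDS_LISTENER value is taken from the post.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /opt/oracle)))
PASSWORDS_LISTENER = 6336EEA3D5E41DD9  # value shown in step #5
LISTENER2 =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522))
ADMIN_RESTRICTIONS_LISTENER2 = ON
"""

if __name__ == "__main__":
    for listener, checks in audit_listeners(SAMPLE).items():
        print(listener, checks)
```

A listener that reports False for either check is missing one of the two protections the article describes.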
