One of the database hardening items is to set a password on the listener, so that lsnrctl stop <listener_name> requires that password before the listener is stopped.
Note that the PASSWORDS_LISTENER parameter only has the intended effect on 9i; on 11g it has been deprecated.
The test below is run on 11g only. Because the parameter is deprecated there, 11g stops the listener without asking for a password even when one is set, whereas 9i requires the listener password. The reason is visible in the status output further down ("Security ON: Local OS Authentication"): from 10g onward the listener authenticates administrative commands by the local operating-system user, so the OS account that started the listener (oracle here) can stop it without a password while other OS users cannot; the listener password is no longer the control.
Finally, quoting another blog's description of this item before starting the experiment: Does the listener have security too? Sure! By default, any user, without any password, can operate on or shut down the Oracle Listener with the lsnrctl tool, so that no new session can connect. In Oracle 9i the listener allows anyone to manage it remotely with lsnrctl, which can easily lead to the database being damaged.
1. Stopping the listener with no password set
[[email protected] admin]$ lsnrctl stop listener
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 24-MAY-2018 02:59:34
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
2. Restart the listener and set a password
[[email protected] admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 24-MAY-2018 02:25:39
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER --> select the listener whose password is to be changed
Current Listener is LISTENER
LSNRCTL> start ----> starting also requires no password
Starting /u01/app/oracle/product/11.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.4.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/Database2/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Database2)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 24-MAY-2018 02:26:57
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/Database2/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Database2)(PORT=1521)))
Services Summary...
Service "oradba" has 1 instance(s).
Instance "oradb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL> change_password --> change_password sets the password for the current listener
Old password: ----> no password was set before, so just press Enter
New password:
Reenter new password:
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
Saved LISTENER configuration parameters.
Listener Parameter File /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
Old Parameter File /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.bak (the previous listener.ora was backed up here)
The command completed successfully
3. View listener.ora again after setting the password
[[email protected] admin]$ cat listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = oradba)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = oradb)
    )
  )
#----ADDED BY TNSLSNR 24-MAY-2018 02:27:24---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
A password has now been set for the listener named LISTENER. The value change_password wrote is the encrypted form, not the password itself; a password typed into listener.ora by hand would be stored in cleartext.
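As an added example (not code from the original post), the script below parses a listener.ora written in the nested parenthesised Oracle Net syntax shown above and audits the PASSWORDS_<listener> item the way a hardening scanner would: it reports whether a password is present, whether it looks like the encrypted value written by change_password or a cleartext value typed in by hand, and whether a deprecated listener password is being relied on for an 11g listener; it also picks the Security line out of lsnrctl status output. The first sample is the listener.ora printed above; the weak variant, the LOCAL_OS_AUTHENTICATION_<listener> check (a parameter this post does not discuss) and the 16-hex-digit heuristic for recognising the encrypted form are my additions. The 9i multi-password list form PASSWORDS_x = (p1, p2) is not handled.

```python
import re

# Copied from the listener.ora printed above (after change_password).
SAMPLE_LISTENER_ORA = """\
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = oradba)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = oradb)
    )
  )
#----ADDED BY TNSLSNR 24-MAY-2018 02:27:24---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
"""
# Constructed weak variant (not from the page): password typed into the
# file by hand in cleartext, and local OS authentication switched off.
SAMPLE_WEAK_LISTENER_ORA = """\
PASSWORDS_LISTENER = oracle123
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""
# Copied from the lsnrctl status output above.
SAMPLE_STATUS = "Trace Level   off\nSecurity      ON: Local OS Authentication\nSNMP  OFF\n"

_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")


def _tokenize(text):
    """Drop '#' comments, then split into '(', ')', '=' and bare words."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return _TOKEN.findall(stripped)


def _add(node, key, value):
    # Keys are case-insensitive; a repeated key is collected into a list.
    key = key.upper()
    if key in node:
        if not isinstance(node[key], list):
            node[key] = [node[key]]
        node[key].append(value)
    else:
        node[key] = value


def parse_net_config(text):
    """Parse listener.ora text into nested dicts (groups) and strings."""
    toks = _tokenize(text)
    pos = 0

    def take(expected=None):
        nonlocal pos
        tok = toks[pos]  # IndexError on truncated input
        pos += 1
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok

    def parse_value():
        # Either a bare word or one or more "( KEY = value )" groups.
        if pos >= len(toks) or toks[pos] != "(":
            return take()
        node = {}
        while pos < len(toks) and toks[pos] == "(":
            take("(")
            key = take()
            take("=")
            _add(node, key, parse_value())
            take(")")
        return node

    root = {}
    while pos < len(toks):
        key = take()
        take("=")
        _add(root, key, parse_value())
    return root


def security_mode(status_text):
    """Return the 'Security' field of lsnrctl status output, or None."""
    m = re.search(r"^\s*Security\s+(.+?)\s*$", status_text, re.MULTILINE)
    return m.group(1) if m else None


def audit_listener(config, version_major):
    """Findings for PASSWORDS_<name> and LOCAL_OS_AUTHENTICATION_<name>."""
    findings = []
    for key, value in config.items():
        if key.startswith("PASSWORDS_"):
            name = key[len("PASSWORDS_"):]
            # change_password writes a 16-hex-digit value; anything else was
            # most likely typed into listener.ora by hand (heuristic).
            if not re.fullmatch(r"[0-9A-F]{16}", str(value)):
                findings.append(f"{name}: listener password stored in cleartext")
            if version_major >= 11:
                findings.append(f"{name}: listener password is deprecated on "
                                f"{version_major}g and is not the effective control")
        elif key.startswith("LOCAL_OS_AUTHENTICATION_"):
            name = key[len("LOCAL_OS_AUTHENTICATION_"):]
            if str(value).upper() == "OFF":
                findings.append(f"{name}: local OS authentication is OFF")
    return findings


if __name__ == "__main__":
    cfg = parse_net_config(SAMPLE_LISTENER_ORA)
    print(security_mode(SAMPLE_STATUS), audit_listener(cfg, 11))
```

Run it against a real file with parse_net_config(open(path).read()) and the major version from the lsnrctl banner; for the listener.ora above it reports no findings on 9i and only the deprecation finding on 11g, while the constructed weak file produces all three.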
4. Test: try to stop the password-protected listener
Because I have no 9i or 10g database here, the 9i result below is quoted from another blog:
[[email protected] ~]$ lsnrctl stop listener_demo92
LSNRCTL for Linux: Version 9.2.0.8.0 - Production on 26-JUN-2011 06:09:51
Copyright (c) 1991, 2006, Oracle Corporation. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
TNS-01169: The listener has not recognized the password --> error returned: password authentication is required
Below is the result on 11g:
[[email protected] admin]$ lsnrctl stop listener
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 24-MAY-2018 03:23:12
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
Summary: PASSWORDS_LISTENER can harden a 9i listener, but it is not an effective control on 10g or 11g; only 11g was tested here, where the parameter is deprecated and the local oracle user stopped the password-protected listener without being asked for the password. The hardening checklist keeps this item only so that other teams' database security scans pass; on 11g it is a box-ticking item rather than a real safeguard.
A more detailed article is available at: https://blog.csdn.net/qq_34556414/article/details/81286831