|
ORACLE SECURITY THROUGH THE LISTENER
The Oracle TNS listener is a process based on the server that provides network
connection to clients, application servers and other databases to an oracle
database.
The listener is very much vulnerable to hackers. If there is no password set on
the LISTENER, someone who knows just a hostname and the default port number
which is 1521 can easily have control over the database. Such a person can
easily stop the listener, set a password and prevent owners of the database to
control the listener. He can also steal detailed information on the listener,
database as well as application configurations by writing trace and log files
that are accessible to the owner of tnslnr.
So without a password set on the listener, any person through the command line
can query the listener using the commands below
LSNRCTL.>STATUS
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Produ
ction
Start Date 09-APR-2008 01:37:37
Uptime 0 days 7 hr. 26 min. 50 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\U1\network\admin\listener.ora
Listener Log File C:\U1\network\log\listener.log
Listener Trace File C:\U1\network\trace\listener.trc
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcons)(PORT=1521)))
Services Summary...
Service "DESAQ.ORCONS" has 1 instance(s).
Instance "desaq", status READY, has 1 handler(s) for this service...
Service "DESAQXDB.ORCONS" has 1 instance(s).
Instance "desaq", status READY, has 1 handler(s) for this service...
Service "DESAQ_XPT.ORCONS" has 1 instance(s).
Instance "desaq", status READY, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
|
From the above information, the needed information is shown directly, the port
number 1521 is shown as well as the HOST. Since the trace level is OFF, He can
decide to set TRACE LEVEL ON to enable him write trace and log files from the
listener.
To set TRACE LEVEL ON use the command below
LSNRCTL>TRACE 1
LSNRCTL> trace 1
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Opened trace file: C:\U1\network\trace\listener.trc
The command completed successfully |
To observe the current services being run on the database, the hacker can query
the
listener's services as shown below
LSNRCTL> services
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Services Summary...
Service "ASAREQUAYSON.6RC_GH" has 1 instance(s).
Instance "asarequa", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:8 refused:0 state:ready
LOCAL SERVER
"D000" established:69 refused:0 current:24 max:1002 state:ready
DISPATCHER
(ADDRESS=(PROTOCOL=tcp)(HOST=desicons)(PORT=1069))
Service "ASAREQUAYSON_XPT.6RC_GH" has 1 instance(s).
Instance "asarequa", status READY, has 2 handler(s) for this service...
Handler(s):
"DEDICATED" established:8 refused:0 state:ready
LOCAL SERVER
"D000" established:69 refused:0 current:24 max:1002 state:ready
DISPATCHER
(ADDRESS=(PROTOCOL=tcp)(HOST=desicons)(PORT=1069))
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
The command completed successfully
LSNRCTL> |
HOW CAN THE DBA PREVENT OTHERS FROM GETTING ACCESS TO THE DATABASE
1.
BY SETTING ADMIN_RESTRICTION PARAMETER
Set ADMIN_RESTRICTIONS in Listener.ora to stop all SET commands from being
executed.
How is this setting going to help you?
By setting the ADMIN_RESTRICTIONS_ to ON in the listener.ora file. Consequently;
hackers cannot execute SET commands both remotely and locally.
Try to do this configuration manually in the listener.ora file.
LISTENER.ORA
ADMIN_RESTRICTIONS_ = ON
After you have made such changes, restart the listener using the RELOAD command
in LSNRCTL for this change to be effected.
2.
BY SETTING PASSWORD ON THE LISTENER
Why should you set a password on the listener?
To enforce security on the database, you need to set a password on the listener.
Use the LSNRCTL to set the password instead of the listener.ora .The reason is
that, setting password in the listener.ora will expose the password in raw text
format without encryption whereas the LSNRCTL will encrypt it.
Password can be set on the LISTENER AS FOLLOWS
LSNRCTL> set current_listener
Current Listener is LISTENER
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File
C:\APP\oracle\product\10.2.0\db_1\network\admin\listen
er.ora
Old Parameter File C:\APP\oracle\product\10.2.0\db_1\network\admin\listener.ba
k
The command completed successfully
LSNRCTL> |
Environment:
Operating System: Windows
Database: Oracle 10g R2
|
