1. Set Listener Password [recommended]
LSNRCTL> set current_listener
LSNRCTL> change_password
LSNRCTL> set password
LSNRCTL> save_config
2. Turn On Logging [recommended]
LSNRCTL> set current_listener
LSNRCTL> set password
LSNRCTL> set log_directory
LSNRCTL> set log_file
LSNRCTL> set log_status on
LSNRCTL> save_config
3. Set ADMIN_RESTRICTIONS [recommended]
add "ADMIN_RESTRICTIONS_
4. Apply Listener Patches [recommended]
5. Block SQL*Net on Firewalls [recommended]
6. Secure the $TNS_ADMIN Directory [recommended]
7. Remove Unused Services [recommended]
8. Setup Valid Node Checking [optional]
$ORACLE_HOME/network/admin/sqlnet.ora in Oracle 9i
$ORACLE_HOME/network/admin/protocol.ora in Oracle 8i/8
add
tcp.validnode_checking = yes
tcp.invited_nodes = (x.x.x.x | name, x.x.x.x | name)
tcp.excluded_nodes=( x.x.x.x | name, x.x.x.x | name)
Use either invited_nodes or excluded_nodes, but not both. No wildcards or subnets are allowed.
9. Monitor the Logfile [optional]
on your own.
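A check for the step 8 rules, as an added example (not from the original post or the referenced guide): it reads sqlnet.ora/protocol.ora text and reports when both node lists are set or when an entry is a wildcard, subnet or partial address. The function names, the sample file content and the choice of "*" and "?" as wildcard characters are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample that breaks the step 8 rules: both lists set, subnet and wildcard entries.
SAMPLE = """\
tcp.validnode_checking = yes
tcp.invited_nodes = (10.1.1.5, appsrv01, 10.1.2.0/24)
tcp.excluded_nodes=(192.168.*)
"""

PARAM_RE = re.compile(r"^\s*(tcp\.\w+)\s*=\s*(.*?)\s*$", re.I)  # one parameter per line assumed

def parse_params(text):
    """Map lowercased tcp.* parameter names to their raw values."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])  # ignore # comments
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def bad_node(node):
    """Return why an entry is not a single host; None (implicitly) if acceptable."""
    if any(c in node for c in "*?"):  # assumed wildcard characters
        return "wildcard"
    if "/" in node:
        return "subnet"
    if re.fullmatch(r"[\d.]+", node):  # numeric entries must be a full IPv4 address
        try:
            ipaddress.IPv4Address(node)
        except ValueError:
            return "partial address"

def check_valid_node_config(text):
    """Return findings; an empty list means the step 8 rules hold."""
    p = parse_params(text)
    findings = []
    if p.get("tcp.validnode_checking", "").lower() != "yes":
        findings.append("tcp.validnode_checking is not yes")
    lists = [k for k in ("tcp.invited_nodes", "tcp.excluded_nodes") if k in p]
    if len(lists) != 1:
        findings.append("set exactly one of invited_nodes or excluded_nodes")
    for key in lists:
        for node in p[key].strip("() ").split(","):
            reason = bad_node(node.strip())
            if reason:
                findings.append(f"{key}: {node.strip()} ({reason})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_valid_node_config(SAMPLE)))
```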
Some steps may require reloading or restarting the listener. You can read the full guide at
ref: http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf