Saturday, June 7, 2008

ORACLE SECURITY THROUGH THE LISTENER

The Oracle TNS listener is a server-side process that provides network connections to an Oracle database for clients, application servers and other databases. The listener is a prime target for attackers. If no password is set on the LISTENER, anyone who knows just the hostname and the default port number, 1521, can easily gain control over the database. Such a person can stop the listener, set a password of their own and lock the database owners out of listener administration. They can also harvest detailed information about the listener, the database and the application configuration by having the listener write trace and log files, which are readable by the owner of the tnslsnr process. So, without a password set on the listener, anyone can query it from the command line using the commands below.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
Start Date                09-APR-2008 01:37:37
Uptime                    0 days 7 hr. 26 min. 50 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   C:\U1\network\admin\listener.ora
Listener Log File         C:\U1\network\log\listener.log
Listener Trace File       C:\U1\network\trace\listener.trc
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcons)(PORT=1521)))
Services Summary...
Service "DESAQ.ORCONS" has 1 instance(s).
  Instance "desaq", status READY, has 1 handler(s) for this service...
Service "DESAQXDB.ORCONS" has 1 instance(s).
  Instance "desaq", status READY, has 1 handler(s) for this service...
Service "DESAQ_XPT.ORCONS" has 1 instance(s).
  Instance "desaq", status READY, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>

The output above hands over exactly what is needed: the port number (1521) and the HOST are shown directly. Since the trace level is off, the attacker can set TRACE LEVEL ON, which makes the listener write trace and log files. To set the trace level on, use the command below:
LSNRCTL> trace 1
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Opened trace file: C:\U1\network\trace\listener.trc
The command completed successfully
To see which services the database is currently serving, the attacker can query the listener's services as shown below:
LSNRCTL> services
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Services Summary...
Service "ASAREQUAYSON.6RC_GH" has 1 instance(s).
  Instance "asarequa", status READY, has 2 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:8 refused:0 state:ready
         LOCAL SERVER
      "D000" established:69 refused:0 current:24 max:1002 state:ready
         DISPATCHER (ADDRESS=(PROTOCOL=tcp)(HOST=desicons)(PORT=1069))
Service "ASAREQUAYSON_XPT.6RC_GH" has 1 instance(s).
  Instance "asarequa", status READY, has 2 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:8 refused:0 state:ready
         LOCAL SERVER
      "D000" established:69 refused:0 current:24 max:1002 state:ready
         DISPATCHER (ADDRESS=(PROTOCOL=tcp)(HOST=desicons)(PORT=1069))
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
The command completed successfully
LSNRCTL>
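The listener log file named in the status output is also where a DBA can see who has been issuing administrative commands. The following Python script is an added example and is not part of the original post or of any Oracle tool: it scans listener.log-style lines, pulls out the command, originating host, user and return code, and flags administrative commands (stop, reload, trace, set, change_password, save_config) that did not come from a trusted host. The sample lines are constructed to follow the general shape of a listener administrative log entry (timestamp * CONNECT_DATA * command * return code) and are not real output; the hostnames, users and the trusted-host list are assumptions.

```python
import re

# lsnrctl commands that change or expose listener state; worth an alert when
# they arrive from an unexpected host. The selection is this example's choice.
ADMIN_COMMANDS = {"stop", "reload", "trace", "set", "change_password", "save_config"}

# Constructed sample (not real listener output). Shape assumed:
#   timestamp * (CONNECT_DATA=...) [* address] * command [* service] * return code
# Connection-establish lines carry no (COMMAND=...) field and are ignored.
SAMPLE_LOG = """\
09-APR-2008 09:01:12 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=orcons)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0
09-APR-2008 09:02:40 * (CONNECT_DATA=(SERVICE_NAME=DESAQ.ORCONS)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.23)(PORT=1034)) * establish * DESAQ.ORCONS * 0
09-APR-2008 09:03:05 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=workstation42)(USER=guest))(COMMAND=trace)(ARGUMENTS=64)(SERVICE=LISTENER)) * trace * 0
09-APR-2008 09:03:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=workstation42)(USER=guest))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)) * stop * 1189
09-APR-2008 09:10:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=orcons)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)) * reload * 0
"""

ADMIN_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*"
    r"\(COMMAND=(?P<cmd>[a-z_]+)\).* \* (?P<rc>\d+)$"
)
HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
USER_RE = re.compile(r"\(USER=([^)]*)\)")


def parse_admin_events(log_text):
    """Extract administrative command entries from listener.log text."""
    events = []
    for line in log_text.splitlines():
        m = ADMIN_LINE_RE.match(line)
        if not m:
            continue  # establish lines and anything else without COMMAND=
        host = HOST_RE.search(line)
        user = USER_RE.search(line)
        events.append({
            "time": m.group("ts"),
            "command": m.group("cmd"),
            "host": host.group(1).lower() if host else "",
            "user": user.group(1) if user else "",
            "rc": int(m.group("rc")),  # 0 means the listener accepted the command
        })
    return events


def find_suspicious(events, trusted_hosts):
    """Administrative commands from any host outside trusted_hosts, accepted or rejected."""
    trusted = {h.lower() for h in trusted_hosts}
    return [e for e in events
            if e["command"] in ADMIN_COMMANDS and e["host"] not in trusted]


def report(log_text, trusted_hosts):
    """One human-readable line per suspicious administrative command."""
    lines = []
    for e in find_suspicious(parse_admin_events(log_text), trusted_hosts):
        outcome = "ACCEPTED" if e["rc"] == 0 else f"rejected (rc={e['rc']})"
        lines.append(f"{e['time']} {e['command']:<15} from {e['user']}@{e['host']}: {outcome}")
    return lines


if __name__ == "__main__":
    # Only the database host itself is expected to administer this listener.
    for line in report(SAMPLE_LOG, {"orcons", "localhost"}):
        print(line)
```

Rejected commands are reported as well as accepted ones: a run of rejected stop or set commands from one host is the signal that someone is probing the listener, even when the password held.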
HOW CAN THE DBA PREVENT OTHERS FROM GETTING ACCESS TO THE DATABASE

1. BY SETTING THE ADMIN_RESTRICTIONS PARAMETER

Set ADMIN_RESTRICTIONS in listener.ora to stop all SET commands from being executed.

How is this setting going to help you?

By setting ADMIN_RESTRICTIONS_<listener_name> to ON in the listener.ora file (the suffix is the listener alias, so for the LISTENER shown above the entry is ADMIN_RESTRICTIONS_LISTENER = ON). Consequently, attackers cannot execute SET commands, either remotely or locally.

Make this change manually in the listener.ora file:

LISTENER.ORA
ADMIN_RESTRICTIONS_LISTENER = ON

After you have made the change, restart the listener using the RELOAD command in LSNRCTL for it to take effect.

2. BY SETTING A PASSWORD ON THE LISTENER

Why should you set a password on the listener?

To enforce security on the database, you need to set a password on the listener. Use LSNRCTL to set the password rather than editing listener.ora. The reason is that a password typed into listener.ora is stored as raw text without encryption, whereas LSNRCTL stores it encrypted. The password can be set on the LISTENER as follows:
LSNRCTL> set current_listener
Current Listener is LISTENER
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   C:\APP\oracle\product\10.2.0\db_1\network\admin\listener.ora
Old Parameter File        C:\APP\oracle\product\10.2.0\db_1\network\admin\listener.bak
The command completed successfully
LSNRCTL>
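Both hardening steps above leave their mark in listener.ora, so a DBA can audit a fleet of listeners from the files alone. The following Python script is an added example, not part of the original post or of any Oracle tool: it parses the top-level entries of a listener.ora, finds the listener aliases, and reports for each whether ADMIN_RESTRICTIONS_<alias> is ON and whether a PASSWORDS_<alias> entry exists and looks encrypted. The two sample files are constructed (hostnames and paths invented), and the rule that a password written by lsnrctl change_password appears as a 16-hex-digit token while anything else is treated as a cleartext password is an assumption of this example.

```python
import re

# A top-level listener.ora entry: KEY = value (value may continue on later lines).
ENTRY_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")
# Assumption of this example (not stated in the post): a password stored by
# `lsnrctl change_password` shows up as a 16-hex-digit token; anything else is
# treated as a cleartext password typed into the file by hand.
ENCRYPTED_RE = re.compile(r"^[0-9A-Fa-f]{16}$")

# Constructed sample: the unprotected state the post warns about (no
# ADMIN_RESTRICTIONS entry, password typed in cleartext).
WEAK_LISTENER_ORA = r"""
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcons)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\U1)
      (PROGRAM = extproc)
    )
  )
PASSWORDS_LISTENER = secret123
"""

# Constructed sample: the same listener after both hardening steps.
HARDENED_LISTENER_ORA = r"""
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcons)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = ON
# entry written by lsnrctl save_config (constructed comment line, placeholder token)
PASSWORDS_LISTENER = 0123456789ABCDEF
"""


def parse_listener_ora(text):
    """Return {KEY: raw value} for each top-level entry; '#' comments are dropped
    and nested (...) values spanning several lines are joined into one string."""
    entries, key, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if depth == 0 and m:
            if key is not None:
                entries[key] = " ".join(buf).strip()
            key, buf = m.group(1).upper(), [m.group(2)]
        elif key is not None:
            buf.append(line)
        depth += line.count("(") - line.count(")")
    if key is not None:
        entries[key] = " ".join(buf).strip()
    return entries


def listener_aliases(entries):
    """A listener alias is a top-level key whose value describes network ADDRESSes."""
    return [k for k, v in entries.items()
            if "ADDRESS" in v.upper() and not k.startswith("SID_LIST_")]


def audit(text):
    """Map each listener alias to its findings; an empty list means both controls are in place."""
    entries = parse_listener_ora(text)
    findings = {}
    for alias in listener_aliases(entries):
        problems = []
        if entries.get(f"ADMIN_RESTRICTIONS_{alias}", "").upper() != "ON":
            problems.append(f"ADMIN_RESTRICTIONS_{alias} is not ON: SET commands can alter the running listener")
        pw = entries.get(f"PASSWORDS_{alias}")
        if pw is None:
            problems.append(f"no PASSWORDS_{alias} entry: listener administration is unpassworded")
        else:
            # The entry may carry one or more values, possibly in parentheses; check each.
            values = [v.strip() for v in pw.strip("()").split(",") if v.strip()]
            if not all(ENCRYPTED_RE.match(v) for v in values):
                problems.append(f"PASSWORDS_{alias} holds a cleartext password: set it with lsnrctl change_password instead")
        findings[alias] = problems
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for alias, problems in audit(cfg).items():
            print(f"[{name}] {alias}: {'OK' if not problems else ''}")
            for p in problems:
                print(f"  - {p}")
```

Run it against the real listener.ora path reported by lsnrctl status (Listener Parameter File) after the RELOAD, and keep the backup file save_config leaves behind (listener.bak) out of any world-readable location, since it holds the previous configuration.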
