如果要灵活的实现限制IP访问ORACLE数据库,最好使用登陆触发器的方式来实现。
下面的方式对于限制单个IP地址访问ORACLE数据库比较方便,但是对于实现一个网段的IP访问数据库就有点繁琐了,
因为这种方法需要把IP地址一个一个的列出来。
通过在SQLNET.ORA中增加如下的语句即可实现IP的限制:
tcp.validnode_checking = yes //开启IP限制
tcp.invited_nodes=() //允许访问的IP列表,各IP之间用逗号分隔
tcp.excluded_nodes=() //限制访问的IP列表,各个IP之间用逗号分隔
本次测试的环境说明如下:
数据库服务器在我WINDOWS PC机器上,IP地址为10.223.18.116,监听端口为1521,实例名为yansp。
远程有2台AIX服务器10.192.39.72,10.192.39.76用作测试客户端。
看下面一个简单例子:
正常情况下10.192.39.72是可以正常访问数据库的,如下:
[oracle@sxffdb1 ~]$ export PS1="10.192.39.72 > "10.192.39.72 > sqlplusyansp/yansp@10.223.18.116/yansp
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:18:03 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select sysdate from dual;
SYSDATE
-------------------
2012-01-11 10:19:08
SQL>
修改sqlnet.ora 增加如下2行
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72,10.192.39.72)
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>type sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
SQLNET.EXPIRE_TIME=1
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72)
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>
重启启动监听器:
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:36
Copyright (c) 1991, 2005, Oracle. All rights reserved.
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
命令执行成功
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:40
Copyright (c) 1991, 2005, Oracle. All rights reserved.
启动tnslsnr: 请稍候...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
系统参数文件为C:\u01\oracle\product\10.2.0\db_1\network\admin\listener.ora
写入C:\u01\oracle\product\10.2.0\db_1\network\log\listener.log的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
LISTENER 的 STATUS
------------------------
别名 LISTENER
版本 TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Produ
ction
启动日期 11-1月 -2012 10:24:45
正常运行时间 0 天 0 小时 0 分 5 秒
跟踪级别 off
安全性 ON: Local OS Authentication
SNMP OFF
监听程序参数文件 C:\u01\oracle\product\10.2.0\db_1\network\admin\listen
er.ora
监听程序日志文件 C:\u01\oracle\product\10.2.0\db_1\network\log\listener
.log
监听端点概要...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
服务摘要..
服务 "auxdb" 包含 1 个例程。
例程 "auxdb", 状态 UNKNOWN, 包含此服务的 1 个处理程序...
命令执行成功
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>sqlplus / as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 1月 11 10:24:49 2012
Copyright (c) 1982, 2005, Oracle. All rights reserved.
连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> alter system register;
系统已更改。
SQL> exit
从 Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options 断开
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>
再次在10.192.39.72连接数据库就会报ORA-12537错误。
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:34:59 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
ERROR:
ORA-12537: TNS:connection closed
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
10.192.39.72 > oerr ora 12537
12537, 00000, "TNS:connection closed"
// *Cause: "End of file" condition has been reached; partner has disconnected.
// *Action: None needed; this is an information message.
10.192.39.72 >
而此时10.192.39.76还是可以登录数据库的:
[oracle@sxffdb2 ~]$ export PS1="10.192.39.76 > "
10.192.39.76 > sqlplusyansp/yansp@10.223.18.116/yansp
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:39:03 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select sysdate from dual;
SYSDATE
-------------------
2012-01-11 10:39:17
SQL>
如果将参数tcp.excluded_nodes=(10.192.39.72) 修改为 tcp.invited_nodes=(10.192.39.72) 那么只允许
10.192.39.72可以访问数据库。
修改SQLNET.ORA的内容如下:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
SQLNET.EXPIRE_TIME=1
tcp.validnode_checking = yes
tcp.invited_nodes=(10.192.39.72,10.223.18.116)
并且重启监听器。
注意:在使用参数invited_nodes的时候,一定要将数据库服务器的IP地址列入,否则启动监听器回报如下错误:
C:\Documents and Settings\shoupeng.yan>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:4
7:37
Copyright (c) 1991, 2005, Oracle. All rights reserved.
启动tnslsnr: 请稍候...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
系统参数文件为C:\u01\oracle\product\10.2.0\db_1\network\admin\listener.ora
写入C:\u01\oracle\product\10.2.0\db_1\network\log\listener.log的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
TNS-12537: TNS: 连接关闭
TNS-12560: TNS: 协议适配器错误
TNS-00507: 连接已关闭
现象将会是72可以正常连接数据库,76不可以连接数据库。
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:49:58 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:50:01 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
ERROR:
ORA-12537: TNS:connection closed
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
10.192.39.76 >
注意:如果同时制定了参数tcp.invited_nodes和参数tcp.excluded_nodes那么将优先使用参数tcp.invited_nodes。
扫一扫
9043
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
