通过监听设置实现登录控制

通过监听设置实现登录控制

作者:PrudentWoo  QQ:286507175

happy-wuweilong@hotmail.com

WebTitle: http://www.prudentwoo.com

   我们大家都知道一个问题，通常情况下，Oracle客户端只要获取了服务器端的监听信息就可以无止境的访问数据库了，尤其是很多DBA和系统管理员都喜欢将Oralce的sys和system等具有最高权限的用户的密码设置为非常简单，有的甚至就直接设置成’oracle’,’orcl’,’123456’,’password’等极不安全的密码，这就使得非法访问更加的便捷化。

如此便捷的访问必然会给数据库带来不必要的麻烦，那么难道就没有其它办法可以得以解决了吗，答案是否定的，肯定能解决，而且很简单，在今天我就把这个共享出来和大家一起分享这个小技巧，通过简单的监听设置，似的非法用户即使知道用户名和密码也无法访问数据库。

操作步骤:

1、 修改$ORACLE_HOME/network/admin/sqlnet.ora，添加限制参数。

2、 重启监听

3、 测试验证

一、 修改$ORACLE_HOME/network/admin/sqlnet.ora，添加限制参数。

[oracle@db01 ~]$ cd $ORACLE_HOME/network/admin

[oracle@db01 admin]$ ls

listener.ora  samples  shrept.lst  tnsnames.ora

[oracle@db01 admin]$ vi sqlnet.ora

TCP.VALIDNODE_CHECKING=yes             ---打开IP地址检查功能

TCP.INVITED_NODES=(172.168.9.8,172.168.9.1)  ---设置允许访问的ip地址，逗号分割

TCP.EXCLUDED_NODES=()                   ---禁止访问的IP地址，如空禁止所有

注意：TCP.INVITED.NODES与TCP.EXCLUDED_NODES参数都同时存在的情况下，以TCP.INVITED_NODES为主，不要禁止本机的IP地址。

二、 修改完成后，重启监听

 

[oracle@db01 admin]$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 21-NOV-2012 20:05:15

Copyright (c) 1991, 2005, Oracle.  All rights reserved.


Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.168.9.8)(PORT=1521)))

The command completed successfully


[oracle@db01 admin]$ lsnrctl start

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 21-NOV-2012 20:05:27

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting /DBSOFT/produce/10.2.0/db_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production

System parameter file is /DBSOFT/produce/10.2.0/db_1/network/admin/listener.ora

Log messages written to /DBSOFT/produce/10.2.0/db_1/network/log/listener.log

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.168.9.8)(PORT=1521)))

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))Connecting to 
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.168.9.8)(PORT=1521)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production

Start Date                21-NOV-2012 20:05:27

Uptime                    0 days 0 hr. 0 min. 0 sec

Trace Level               off

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /DBSOFT/produce/10.2.0/db_1/network/admin/listener.ora

Listener Log File         /DBSOFT/produce/10.2.0/db_1/network/log/listener.log

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.168.9.8)(PORT=1521)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))

Services Summary...

Service "PLSExtProc" has 1 instance(s).

  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...

Service "meizi" has 1 instance(s).

  Instance "meizi", status UNKNOWN, has 1 handler(s) for this service...

The command completed successfully

[oracle@db01 admin]$

 

三、 监听重启完毕，正式测试;

  首先我们通过信任列表里面的172.168.9.1和其本机172.168.9.8 进行测试：

C:\>ipconfig


Windows IP Configuration

Ethernet adapter VMware Network Adapter VMnet1:


   Connection-specific DNS Suffix  . :

   IPv4 Address. . . . . . . . . . . : 172.168.9.1

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :


C:\>sqlplus system/oracle@meizi

SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 11月 21 20:07:56 2012

Copyright (c) 1982, 2005, Oracle.  All rights reserved.


连接到:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL>


[oracle@db01 admin]$ ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:A0:BC:10  

          inet addr:172.168.9.8  Bcast:172.168.9.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fea0:bc10/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2053 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1856 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:207367 (202.5 KiB)  TX bytes:244432 (238.7 KiB)

          Interrupt:67 Base address:0x2024 


[oracle@db01 admin]$ sqlplus system/oracle@meizi

SQL*Plus: Release 10.2.0.1.0 - Production on Wed Nov 21 20:09:43 2012

Copyright (c) 1982, 2005, Oracle.  All rights reserved.


Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL>

由此可以见得，信任列表里面的是可以正常登录，那么我们再测试下信任列表之外的172.168.9.15这台机器是否能够登录到数据库，结果是不能登录。

*===============================================================                               

Welcome to Microsoft Telnet Server.                                                            

*===============================================================                               

C:\Documents and Settings\Administrator>ipconfig                                               

Windows IP Configuration

Ethernet adapter  本地连接:


   Connection-specific DNS Suffix  . :

   IP Address. . . . . . . . . . . . : 172.168.9.15

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 172.168.9.1


C:\Documents and Settings\Administrator>cd\

C:\>sqlplus system/oracle@meizi

SQL*Plus: Release 10.2.0.4.0 - Production on 星期三 11月 21 20:14:44 2012

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.

ERROR:

ORA-12537: TNS: 连接关闭


请输入用户名：system/oracle@meizi

ERROR:

ORA-12547： TNS： 连接丢失

SP2-0157：在3次尝试之后无法连接到ORACLE，退出SQL*Plus

C:>