Oracle Consulting Oracle Training Oracle Support Development
Home
Catalog
Oracle Books
SQL Server Books
IT Books
Job Interview Books
eBooks
Rampant Horse Books
911 Series
Pedagogue Books

Oracle Software
image
Write for Rampant
Publish with Rampant
Rampant News
Rampant Authors
Rampant Staff
 Phone
 800-766-1884
Oracle News
Oracle Forum
Oracle Tips
Articles by our Authors
Press Releases
SQL Server Books
image
image

Oracle 11g Books

Oracle tuning

Oracle training

Oracle support

Remote Oracle

STATSPACK Viewer

Privacy Policy

 

   
 

Oracle Tips by Burleson

Listener Security

redirect the processes, the listener process has to have some operating system level permission to do what it plans to do. The hackers use this capability of the listener to mount attacks.

Oracle MetaLink has examples of what types of attack are possible and what has been done to prevent them. The good news is that applying the listener patches for that particular attack can prevent all of these known potential attacks. 

For instance, one attack sends a large string to the listener to execute. Upon receiving the string, the listener can't handle the size of the data coming in and therefore errors out with a buffer overflow condition. The hacker exploits this to bring down the listener, to achieve what is known as a Denial of Service attack. After this vulnerability was discovered, Oracle immediately released a patch that prevented the listener from accepting strings of large size, foiling the attacker's strategy of making the buffer overflow.

Oracle makes known to the community the vulnerabilities and the solutions through an alert system. These alerts can be found at Oracle Technology Network's Security Alerts (http://otn.oracle.com/deploy/security/alerts.htm), for which you do not have to be an Oracle customer under support contract. A sample shot of the website is given in Figure 7.7.

Figure 7.7 Security Alerts in Oracle Technology Network Website

However, the patches are downloaded from Oracle MetaLink, for which you need to have a valid Oracle Support contract. Since these potential holes have been sealed by these patches, the problems will cease to exist simply by applying the patches.

For this reason, the security patches must be applied as soon as they are released. If you have applied them, then the vulnerabilities are no longer applicable. Therefore, this book does not discuss the details of a problem that no longer exists.  If you are still interested to know how

these vulnerabilities are manifested and resolved, you can visit the webpage to see the details.

We strongly advise you to apply these security patches, if not the regular patchsets, without testing.

Visit the Oracle security alerts website and apply the security-related patches as soon as they are available.

Listener Password

Most of the attacks in the listener are executed either by passing a malicious command to be executed in the operating system, or by modifying the listener settings. The former is handled by applying the security patches as suggested by the alerts. The latter can be handled by securing the listener itself.

Most of the settings in the listener can be set via the command line, from the LSNRCTL prompt. Hackers use this to pass a damaging command. For instance, the hacker may send the command STOP, to stop the listener process. Of course, this does not damage the database itself, but all the client connections subsequent to this operation will fail, same as in a Denial of Service attack. This is as bad as the database being down itself.

Another tactic hackers employ is using the SERVICES command that shows all the relevant information about the listener process, the database services it is listening for, the status of these services, etc. This information may be useful to launch future attacks and should not be shown in an unauthorized manner.

Both of these potential vulnerabilities can be resolved simply by placing a password for the listener. If a

password is set for the listener, any command other than START, STATUS and HELP will first require a correct password.

Setting a password for listener is the least security you should have for the listener. By default, it doesn't have any password and many DBAs simply do not create one. Part of the reason is the perceived complexity in specifying and using a password. Here is an explanation of setting the password of a listener.

When the listener is first created, there is no password. The password is set by the command from the lsnrctl prompt

LSNRCTL> change_password

This will prompt for the old and new passwords, and when entered, they are not displayed on the screen. When the listener is initially created, the password is not set, or null. So, just press the return key when prompted for the old password.

Once the passwords are changed, you have to supply the password before doing any administrative work, such as changing a parameter or stopping the listener. The password is set by the command SET PASSWORD <password>. For instance, to stop the listener, you would use the following commands in LSNRCTL utility, assuming the password is t0p53r3t.

LSNRCTL> set password
Password: Enter t0p53cr3t here; it will not be displayed.
The command completed successfully

 

LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=PROLIGENCE1)(PORT=1521)))
The command completed successfully
LSNRCTL>

This will make the work of the hacker impossible unless the password is known.



 


Download your Oracle scripts now:

www.oracle-script.com

The definitive Oracle Script collection for every Oracle professional DBA

 

Linux Oracle commands syntax poster

ION Oracle tuning software

Oracle data dictionary reference poster



Oracle Forum

BC Oracle consulting support training

BC remote Oracle DBA   

 

   

 Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks