Thursday, October 11, 2007

Oracle listener password

Ever been in a situation where your database listener has been shut down by an end user? Yes, that's right: the default database listener configuration in 9i comes *WITHOUT* a password, and any client or end user who obtains the listener name and a TNS entry (listener port and host name) can shut down the database server's listener from that client machine!!! All the places that I have worked so far had their database server listeners unsecured when I first checked them.

Quarterly database and apps CPU patches are recommended to fix security gaps and loopholes, but database listener security is often overlooked and is the easiest thing to break.

Problem

Database listeners are not always password protected. They are vulnerable to attack from any host in the network that has the TNS information of the target database and Oracle client software. The TNS connection information is already widely distributed to users, e.g. to run queries using TOAD or SQL*Navigator, so any user can easily *stop* database listeners, even inadvertently, thereby compromising new database connections.

Below is a simulation of how these listeners can be stopped from a client machine:

1) Obtain target database TNS connection descriptor
2) Put the connection descriptor in a client machine’s tnsnames.ora
3) Login to the client machine and issue ‘lsnrctl stop db listener name’


This stop command from the client machine will stop the database listener on the server.

Solution

Password protection is the solution to this problem. Passwords can be stored either encrypted or unencrypted. For maximum security the database listeners should be password protected with the encrypted form.

Implementation

Setting Encrypted Password

1) Login to each of the database instance server host as oracle owner
2) lsnrctl
3) LSNRCTL> set current_listener listener_name
4) LSNRCTL> change_password
Old password: Hit Enter key
New password: Type the new password
Reenter new password: Retype the new password
5) LSNRCTL> set password
Password: Enter the newly created password
6) LSNRCTL> save_config listener_name
This will create a new PASSWORDS_listener_name parameter in $TNS_ADMIN/listener.ora, and the password is stored encrypted in the file. The old file will be backed up with a listener.bak extension.
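As an added check (not from the original post): a small POSIX shell script that audits a listener.ora for the PASSWORDS_ entry that save_config writes and reports each named listener as having no password, an encrypted one, or one typed into the file in clear. The sample listener.ora is constructed inline, and the assumption that an encrypted value is 16 hex digits is mine, not something the post states.

```shell
#!/bin/sh
# Constructed sample listener.ora (not a real server's file) with three listeners:
#   LISTENER     - no PASSWORDS_ line, so any client with the TNS entry can stop it
#   LISTENER_DB1 - value as written by change_password + save_config (encrypted)
#   LISTENER_DB2 - password typed into the file by hand, i.e. stored in clear
SAMPLE_ORA=$(mktemp)
cat > "$SAMPLE_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1521)))

LISTENER_DB1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1522)))
PASSWORDS_LISTENER_DB1 = 3F2A9C71E4B8D056

LISTENER_DB2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1523)))
PASSWORDS_LISTENER_DB2 = (manager)
EOF

# Print "none", "encrypted" or "plaintext" for listener $2 in listener.ora $1.
# Assumption (mine): save_config stores the password as 16 hex digits; any
# other value is treated as a password someone typed into the file in clear.
listener_password_state() {
  value=$(grep -iE "^[[:space:]]*PASSWORDS_$2[[:space:]]*=" "$1" | head -n 1 |
          sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]()]//g')
  if [ -z "$value" ]; then
    echo none
  elif echo "$value" | grep -qE '^[0-9A-Fa-f]{16}$'; then
    echo encrypted
  else
    echo plaintext
  fi
}
# Audit the listeners named on the command line; print one line per listener
# and return 1 if any of them can still be stopped without a password.
audit_listeners() {
  ora_file=$1; shift
  rc=0
  for lsnr in "$@"; do
    state=$(listener_password_state "$ora_file" "$lsnr")
    printf '%-14s %s\n' "$lsnr" "$state"
    [ "$state" = none ] && rc=1
  done
  return $rc
}
audit_listeners "$SAMPLE_ORA" LISTENER LISTENER_DB1 LISTENER_DB2 || echo "unprotected listener found"
```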

Resetting the password if its forgotten

1) Login to the database instance server as oracle owner
2) kill -9 listener pid
3) Open the listener.ora and delete the PASSWORDS_listener_name line
4) lsnrctl
5) LSNRCTL> set current_listener listener name
6) LSNRCTL> start
7) LSNRCTL> change_password
Old password: Hit Enter key
New password: Type a new password
Reenter new password: Retype the new password
8) LSNRCTL> set password
Password: Enter the newly typed password again
9) LSNRCTL> save_config listener name

Changing an existing password

1) Login to the database instance server as oracle owner
2) kill -9 listener pid
3) lsnrctl
4) LSNRCTL> set current_listener listener name
5) LSNRCTL> start
6) LSNRCTL> change_password
Old password: Enter the old password
New password: Type a new password
Reenter new password: Retype the new password
7) LSNRCTL> set password
Password: Enter the new password again
8) LSNRCTL> save_config listener name

Listener administration with a password

start

Starting the listener does not require a password. A listener can be started in the conventional way without setting any password.

stop

Stopping the listener always requires a password.

1) lsnrctl
2) LSNRCTL>set password
Password: Enter the password
3) LSNRCTL> stop listener name

status

A password is also required for finding the status of a listener.

1) lsnrctl
2) LSNRCTL>set password
Password: Enter the password
3) LSNRCTL> status listener name

Testing

1) Obtain the database TNS descriptor information
2) Put the connection descriptor in a client machine’s tnsnames.ora
3) Login to the client machine and issue ‘lsnrctl stop db listener name’
The stop command will fail with the following message:

TNS-01169: The listener has not recognized the password

Uninstall (Status Quo)

1) Login to the database instance server as oracle owner
2) kill -9 listener pid
3) Open the listener.ora and delete the PASSWORDS_listener_name line
4) lsnrctl
5) LSNRCTL> set current_listener listener name
6) LSNRCTL> start

Caveats

1) A client that knows the password can still stop a listener or query its status by setting the password explicitly (set password) before issuing the command. Hence it's always recommended to choose a strong password and store it encrypted.
2) These steps describe the 9i listener. From 10g the listener uses local OS authentication by default (only the OS user that started the listener can administer it locally), and from 11g the listener password is deprecated in favour of it, so check the documentation for your version before relying on a password alone.
