In older versions of Oracle Database, such as Oracle 9i, one could stop a listener remotely. This was a serious security problem because all any client or end user needed was the listener name and a TNS entry (listener port and host name) to shut down the listener from that client machine. This could be prevented by securing the listener with a password. We published a blog post about this security issue a few years ago.
But this password feature has been deprecated since the Oracle Database 11g R2 release. This is not a security problem because the listener is now secured using local operating system authentication. Therefore, no client or end user can remotely shut down a database listener anymore. If one attempts to stop a database listener process from a remote machine, one receives the error "TNS-01189: The listener could not authenticate the user". A listener can only be stopped after logging into the database server that hosts the listener process (and connecting to the Oracle software owner account). This is similar to how Oracle does not allow remote connections to the built-in sys administrative database account.
Therefore, there has been no need to protect Oracle database listeners with passwords since the Oracle Database 11g R2 release.
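
One way to check this on a server: the script below scans a `listener.ora` for a leftover listener password or a setting that switches local operating system authentication off. It is an added example, not from the original post; the `PASSWORDS_<listener>` and `LOCAL_OS_AUTHENTICATION_<listener>` parameter names are not mentioned in the post, and the sample file is constructed.

```python
import re

# Constructed sample listener.ora (not from the original post); host names,
# listener names and the password hash are illustrative placeholders.
SAMPLE_LISTENER_ORA = """\
# listener.ora - constructed sample
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
LISTENER_OLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1522)))
PASSWORDS_LISTENER_OLD = (0123456789ABCDEF)
local_os_authentication_listener_old = off
"""

# A top-level parameter starts in column 0; continuation lines are indented
# or begin with "(" and therefore never match.
PARAM = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def audit_listener_ora(text):
    """Return sorted (listener, finding) pairs for settings that move a
    listener away from the default local OS authentication."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, keep indentation
        m = PARAM.match(line)
        if m:
            # Parameter names are case-insensitive, so normalise them.
            params[m.group(1).upper()] = m.group(2).strip()

    findings = []
    for name, value in params.items():
        if name.startswith("PASSWORDS_"):
            findings.append((name[len("PASSWORDS_"):],
                             "deprecated listener password still set"))
        elif name.startswith("LOCAL_OS_AUTHENTICATION_") and value.upper() == "OFF":
            findings.append((name[len("LOCAL_OS_AUTHENTICATION_"):],
                             "local OS authentication disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for listener, finding in audit_listener_ora(SAMPLE_LISTENER_ORA):
        print(f"{listener}: {finding}")
```
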