RE: Listener Vulnerabilities - how to address them

From: Tony Sequeira <tony_at_sequeira.org.uk>
Date: Wed, 09 Apr 2008 18:13:44 +0100
Message-Id: <1207761224.3029.32.camel@comet.sequestor.lan>


On Wed, 2008-04-09 at 12:52 -0400, Johnson, William L (TEIS) wrote:
> If I am not mistaken, you can still password protect your listener and
> then write a wrapper script around your listener commands that will
> permit you to stop and start the listener through batch processes. As
> long as you take the time to ensure the listener.ora file is only
> readable by the Oracle account - and no other accounts on the machine,
> you should be good to go.
>
> You can set the password for a listener command by picking up the
> password out of the listener.ora file.

Good point, but I believe the recommendation is that the password should be encrypted in the listener.ora file.

I'm not defending the 'why' of scripts to shut down the listener, this is a legacy thing, and we will be investigating its necessity.

So it looks like this is a valid concern for our databases, am looking forward to 'best practices' pointers.

We have considered using a 10g listener for every server (those that are compatible), as it appears that the 10g listener is the least vulnerable, and cannot be remotely managed unless local OS authentication is disabled.

Regards.

-- 
S. Anthony Sequeira
++
Too much is just enough.
		-- Mark Twain, on whiskey
++

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 09 2008 - 12:13:44 CDT
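
The checks discussed in this message (listener.ora readable only by its owner, the listener password stored encrypted rather than in clear text, local OS authentication left enabled) can be audited with a short script. This is an added example, not part of the original message; it assumes the `PASSWORDS_<listener>` and `LOCAL_OS_AUTHENTICATION_<listener>` parameter names, a listener called LISTENER unless another name is given, and that an encrypted password appears as 16 hex digits.

```shell
#!/bin/sh
# Added example: audit a listener.ora for the points raised in this thread.
# Assumption: an encrypted listener password is 16 hex digits (a heuristic).

# Print the last uncommented value of parameter $2 in file $1, whitespace removed.
param_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (toupper(k) == toupper(key)) {
                val = substr($0, index($0, "=") + 1); gsub(/[ \t\r]/, "", val)
            }
        }
        END { print val }' "$1"
}

# Print OK or a space-separated list of findings; returns 1 when there are findings.
audit_listener_ora() {
    f=$1; name=${2:-LISTENER}; findings=""
    [ -r "$f" ] || { echo "UNREADABLE"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        findings="$findings GROUP_OR_OTHER_ACCESS"
    pw=$(param_value "$f" "PASSWORDS_$name")
    if [ -z "$pw" ]; then
        # Tolerable only where local OS authentication (10g) guards the listener.
        findings="$findings NO_PASSWORD"
    elif ! printf '%s' "$pw" | grep -Eq '^[0-9A-Fa-f]{16}$'; then
        findings="$findings PLAINTEXT_PASSWORD"
    fi
    case $(param_value "$f" "LOCAL_OS_AUTHENTICATION_$name") in
        [Oo][Ff][Ff]) findings="$findings LOCAL_OS_AUTH_OFF" ;;
    esac
    [ -z "$findings" ] && { echo OK; return 0; }
    echo "${findings# }"; return 1
}

# Constructed sample: world-readable file, plaintext password, OS auth disabled.
demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/listener.XXXXXX") || return 2
    printf '%s\n' '# constructed sample' 'PASSWORDS_LISTENER = (s3cret)' \
        'LOCAL_OS_AUTHENTICATION_LISTENER = OFF' > "$tmp"
    chmod 644 "$tmp"
    audit_listener_ora "$tmp" || true
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then audit_listener_ora "$@"; else demo; fi
```

Run with the path to a listener.ora, and optionally the listener name, to audit a real file; with no arguments it audits the constructed sample.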