Oracle Listener Protection

Database listeners can be stopped remotely from any operating system account (not just oracle). To prevent this, all listeners on production machines MUST be password protected.

Configuration:

1. Do the following on a test system to obtain an encrypted password value:

LSNRCTL> SET SAVE_CONFIG_ON_STOP ON
LSNRCTL> CHANGE_PASSWORD
Old password: <enter>
New password: oracledba
Reenter the new password: oracledba
LSNRCTL> SET PASSWORD 
Password: oracledba
LSNRCTL> STOP

View your LISTENER.ORA file and write down the password value that Oracle added to it (PASSWORDS_LISTENER=...)

2. On your production systems, add the following two lines for all listeners listed in LISTENER.ORA:

PASSWORDS_lsnrname=<VALUE OBTAINED FROM STEP 1>
ADMIN_RESTRICTIONS_lsnrname=ON 

These parameters will allow you to start the listener (without a password). However, trying to stop it will require you to enter the password.

3. Lastly, protect your Oracle Net files at operating system level:

$ chmod ug=rw,o= listener.ora
$ chmod ug=rw,o=r sqlnet.ora tnsnames.ora
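
To confirm that steps 2 and 3 were applied on a production machine, the following check can be run against its listener.ora. It is an added example, not part of the original procedure: the function names, the sample listener names (LISTENER, LSNR2) and the placeholder password value are made up for illustration, and it assumes step 3 is meant to leave listener.ora with no access for "other".

```sh
#!/bin/sh
# Added example: check a listener.ora against steps 2 and 3.
# Usage: audit_listener_ora FILE LISTENER_NAME...
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
audit_listener_ora() {
    file=$1; shift
    findings=0
    [ -r "$file" ] || { echo "FAIL $file: not readable"; return 1; }
    for name in "$@"; do
        # Step 2: PASSWORDS_<name> must carry a non-empty value.
        if ! grep -Eiq "^[[:space:]]*PASSWORDS_${name}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
            echo "FAIL $name: PASSWORDS_$name is not set"
            findings=$((findings + 1))
        fi
        # Step 2: ADMIN_RESTRICTIONS_<name> must be ON.
        if ! grep -Eiq "^[[:space:]]*ADMIN_RESTRICTIONS_${name}[[:space:]]*=[[:space:]]*ON[[:space:]]*\$" "$file"; then
            echo "FAIL $name: ADMIN_RESTRICTIONS_$name is not ON"
            findings=$((findings + 1))
        fi
    done
    # Step 3 (assumption): the file holds the password value, so "other"
    # should have no access. Characters 8-10 of ls -l are the "other" bits.
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL $file: mode for other is '$other', expected '---'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from the page): LISTENER has both parameters,
# LSNR2 lacks ADMIN_RESTRICTIONS. The password value is a placeholder.
write_sample_listener_ora() {
    cat > "$1" <<'EOF'
PASSWORDS_LISTENER = 0123456789ABCDEF
ADMIN_RESTRICTIONS_LISTENER = ON
PASSWORDS_LSNR2 = 0123456789ABCDEF
# ADMIN_RESTRICTIONS_LSNR2 = ON
EOF
    chmod ug=rw,o= "$1"
}

# Run against a real file when arguments are given.
if [ $# -gt 0 ]; then audit_listener_ora "$@"; fi
```

Pass the path to listener.ora followed by every listener name defined in it; a non-zero exit status means at least one listener or the file mode needs attention.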