Oracle Listener Protection

Database listeners can be stopped remotely from any operating system account (not just oracle). To prevent this, all listeners on production machines MUST be password protected.

Configuration:

1. Do the following on a test system to obtain an encrypted password value:

LSNRCTL> SET SAVE_CONFIG_ON_STOP ON
LSNRCTL> CHANGE_PASSOWRD
Old password: <enter>
New password: oracledba
Reenter the new password: oracledba
LSNRCTL> SET PASSWORD 
Password: oracledba
LSNRCTL> STOP

Edit or view your LISTENER.ORA file and write down the password value that Oracle added to the listener.ora file (PASSWORDS_LISTENER=...)

2. On your production systems, add the following two lines for all listeners listed in LISTENER.ORA:

PASSWORDS_lsnrname=<VALUE OBTAINED FROM STEP 1>
ADMIN_RESTRICTIONS_lsnrname=ON 

These parameters will allow you to start the listener (without a password). However, trying to stop it will require you to enter the password.

3. Lastly, protect your Oracle Net files at operating system level:

$ chmod ug=rw listener.ora
$ chmod ug=rw,o=r sqlnet.ora tnsnames.ora

articles: