Oracle Listener Protection
Database listeners can be stopped remotely from any operating system account (not just oracle). To prevent this, all listeners on production machines MUST be password protected.
1. Do the following on a test system to obtain an encrypted password value:
LSNRCTL> SET SAVE_CONFIG_ON_STOP ON
LSNRCTL> CHANGE_PASSWORD
Old password: <enter>
New password: oracledba
Reenter the new password: oracledba
LSNRCTL> SET PASSWORD
Password: oracledba
LSNRCTL> STOP
Edit or view your LISTENER.ORA file and write down the password value that Oracle added to the listener.ora file (PASSWORDS_LISTENER=...)
2. On your production systems, add the following two lines for all listeners listed in LISTENER.ORA:
PASSWORDS_lsnrname=<VALUE OBTAINED FROM STEP 1>
ADMIN_RESTRICTIONS_lsnrname=ON
These parameters will allow you to start the listener (without a password). However, trying to stop it will require you to enter the password.
3. Lastly, protect your Oracle Net files at operating system level:
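# listener.ora holds the password value: owner and group read/write, nothing for others
$ chmod ug=rw,o= listener.ora
# sqlnet.ora and tnsnames.ora stay readable by other accounts
$ chmod ug=rw,o=r sqlnet.ora tnsnames.ora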
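
To verify step 2 across a whole LISTENER.ORA, the following added example (not part of the original page, and not Oracle code) parses the file and reports every listener that lacks PASSWORDS_<name> or ADMIN_RESTRICTIONS_<name>=ON. The function names and the sample file are constructed, and treating any top-level entry that contains an ADDRESS as a listener is an assumption.

```python
import re

# Constructed sample listener.ora: LISTENER is protected, LISTENER_HR is not.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
PASSWORDS_LISTENER = PLACEHOLDER_ENCRYPTED_VALUE
ADMIN_RESTRICTIONS_LISTENER = ON
LISTENER_HR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522)))
ADMIN_RESTRICTIONS_LISTENER_HR = OFF  # constructed weak setting
"""

def top_level_params(text):
    """Return {NAME: value} for each top-level NAME = value entry."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        # A new entry can only start when all parentheses are closed.
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:
            name, line = m.group(1).upper(), m.group(2)
            params[name] = ""
        if name is not None:
            params[name] += line
            depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """List listeners missing PASSWORDS_<name> or ADMIN_RESTRICTIONS_<name>=ON."""
    params = top_level_params(text)
    # Assumption: a listener is a top-level entry whose value holds an ADDRESS.
    listeners = [n for n, v in params.items()
                 if "ADDRESS" in v.upper() and not n.startswith("SID_LIST_")]
    findings = []
    for lsnr in listeners:
        if not params.get("PASSWORDS_" + lsnr):
            findings.append((lsnr, "no PASSWORDS_" + lsnr))
        if params.get("ADMIN_RESTRICTIONS_" + lsnr, "").upper() != "ON":
            findings.append((lsnr, "ADMIN_RESTRICTIONS_" + lsnr + " is not ON"))
    return findings

if __name__ == "__main__":
    for lsnr, problem in audit(SAMPLE):
        print(f"{lsnr}: {problem}")
```

On a real system, pass the contents of the production LISTENER.ORA to audit(); an empty result means every listener found carries both parameters.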