Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Possible Security Breach

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Sat, 28 Aug 2004 00:34:18 +1000
Message-ID: <412df507$0$18394$afc38c87@news.optusnet.com.au>


rc wrote:

> Hi
>
> We run oracle 8.7.1.4 on Solaris 8 Sparc
>
> I have noticed from our firewall log that our server is trying to
> connect to an IP address on the Internet on port 1521.

You know that port 1521 is the standard port for an Oracle listener, don't you?

> I have never allowed port 1521 in/out via the firewall

If the connection attempt is being made to the Internet, I suspect it's your Oracle configuration that needs looking at, not your firewall.  

> After further hunting, I have found that it is the pmon process that
> is initiating the syn packet. Obviously the pmon process is being told
> to do this by something else.

Er, paranoia is a useful quality in some situations. But it also helps to know something about Oracle so that you can sensibly distinguish between those occasions when there's a real problem and those where Oracle is just doing its normal stuff.

In 8i, we have automatic instance registration, whereby PMON every few minutes will attempt to make contact with a listener (usually, as mentioned, running on port 1521) in order to assure the listener that the instance is still running and to give it some load information.

That way, the listener is in a position to load-balance user requests appropriately in a cluster situation. Or to connect a user with confidence of success in a non-cluster situation.

What you are witnessing is, therefore, PMON's normal, hard-coded, behaviour. That it has maybe been directed to register with a listener outside your firewall is a configuration issue. Check tnsnames.ora and the init.ora parameter local_listener and maybe remote_listener too. The two parameters take values of tnsnames.ora aliases, which therefore resolve down to IP addresses and port numbers. If there is no explicit alias provided for either parameter, then the default behaviour is for PMON to register with a listener running on port 1521 on the local host. If the IP address to which registration is being directed is a definite no-no as far as you are concerned, the answer lies somewhere in those two files.

> Are there known holes in the version of Oracle we run, or can anyone point
> me in the direction to find out what is telling pmon to do this?
>
> Thanks

Are there known holes? Yes, but you've patched 8i as good as it's going to get.

Regards
HJR

Received on Fri Aug 27 2004 - 09:34:18 CDT
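The check HJR describes (resolve local_listener and remote_listener through tnsnames.ora, fall back to localhost:1521 when unset, and see whether any registration target is a host you did not intend) written out as a small audit script. This is an added example, not code from the original post; the init.ora and tnsnames.ora contents are constructed samples, 203.0.113.10 is a documentation address standing in for the unexpected Internet host, and the tnsnames.ora parser assumes the usual layout where each alias begins a line.

```python
import re

# Constructed sample configuration files, not taken from the original post.
INIT_ORA = "db_name = prod\nlocal_listener = LISTENER_PROD\nremote_listener = LISTENER_EXT\n"
TNSNAMES_ORA = """\
LISTENER_PROD =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.internal)(PORT = 1521))
LISTENER_EXT =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 203.0.113.10)(PORT = 1521)))
"""
# One ADDRESS clause, allowing one level of nested (KEY = value) pairs inside it.
ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=((?:[^()]|\([^()]*\))*)\)", re.I)

def parse_init(text):
    """key = value lines from an init.ora; keys lower-cased, '#' comments dropped."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            params[key.strip().lower()] = value.strip().strip("'\"")
    return params

def parse_tnsnames(text):
    """Alias -> descriptor text. Assumes each alias starts a line (normal tnsnames.ora layout)."""
    parts = re.split(r"^\s*([\w.]+)\s*=", text, flags=re.M)
    return {parts[i].upper(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def addresses(descriptor):
    """(host, port) pairs from every ADDRESS clause; a missing PORT defaults to 1521."""
    pairs = []
    for block in ADDRESS_RE.findall(descriptor):
        host = re.search(r"\(\s*HOST\s*=\s*([^)\s]+)", block, re.I)
        port = re.search(r"\(\s*PORT\s*=\s*(\d+)", block, re.I)
        if host:
            pairs.append((host.group(1), int(port.group(1)) if port else 1521))
    return pairs

def audit_registration(init_text, tns_text, trusted_hosts):
    """Resolve where PMON will register and flag any host outside trusted_hosts."""
    params, tns, findings = parse_init(init_text), parse_tnsnames(tns_text), []
    for param in ("local_listener", "remote_listener"):
        value = params.get(param, "")
        # The value may be a tnsnames alias or an inline descriptor; unset means localhost:1521.
        descriptor = value if value.startswith("(") else tns.get(value.upper(), "")
        targets = addresses(descriptor) if value else [("localhost", 1521)]
        if not targets:
            findings.append((param, value, None, "UNRESOLVED"))
        for host, port in targets:
            status = "ok" if host.lower() in trusted_hosts else "EXTERNAL"
            findings.append((param, host, port, status))
    return findings
```

Run it against the real files by reading them into the two text arguments; any EXTERNAL or UNRESOLVED finding is the entry to fix before touching the firewall.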
