
Home -> Community -> Usenet -> c.d.o.server -> Re: Listener Passwords, who uses them and why?

Re: Listener Passwords, who uses them and why?

From: Pete Finnigan <plsql_at_peterfinnigan.demon.co.uk>
Date: Fri, 5 Aug 2005 21:44:03 +0100
Message-ID: <9btTsLBT+88CRx8a@peterfinnigan.demon.co.uk>


Hi Dave,

You definitely need to set a listener password and also use ADMIN_RESTRICTIONS_{listenername} to prevent any dynamic changes being made to the listener parameters.

Quite simply, without a password you should be worried about more than just someone stopping the listener. There are many security issues with the listener that can allow a hacker to gain DBA privileges in the database or to own the server or to overwrite any file accessible to the owner of the listener process on the server.

On the failed_login_attempts profile parameter: I would recommend that it is set for all database users. You will need to define a suitable value for different groups of users such as DBAs, developers, normal application users, power users etc. If you do not set this parameter then you leave your database open to someone attempting dictionary or brute force attacks on your users' passwords.

There are some good Oracle security checklists on my Oracle security white papers page http://www.petefinnigan.com/orasec.htm that you might find useful.

kind regards

Pete

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Fri Aug 05 2005 - 15:44:03 CDT
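
An audit check for the two listener settings recommended in the message above, added here as an example and not part of the original post. It assumes the listener password is stored under `PASSWORDS_<listener>` in `listener.ora`; the function names and the sample file are constructed for illustration.

```python
import re

PARAM_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*)$")

def parse_listener_ora(text):
    """Return {NAME: value} for top-level listener.ora parameters."""
    params, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = PARAM_RE.match(line) if depth == 0 else None
        if m:                                  # new parameter at paren depth 0
            current = m.group(1).upper()
            params[current] = m.group(2)
        elif current:                          # continuation of a nested value
            params[current] += " " + line
        depth += line.count("(") - line.count(")")
    return params

def audit_listeners(text):
    """Map each listener name to its list of missing hardening settings."""
    params = parse_listener_ora(text)
    report = {}
    for name, value in params.items():
        # A listener definition is a top-level entry carrying an ADDRESS.
        if "(ADDRESS" not in value.upper().replace(" ", ""):
            continue
        missing = []
        if params.get("ADMIN_RESTRICTIONS_" + name, "").strip().upper() != "ON":
            missing.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
        if not params.get("PASSWORDS_" + name, "").strip("() \t"):
            missing.append("PASSWORDS_%s is not set" % name)
        report[name] = missing
    return report

# Constructed sample file: LISTENER is hardened, LISTENER_APP is not.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON
PASSWORDS_LISTENER = (0123456789ABCDEF)   # constructed placeholder hash
LISTENER_APP =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1522))
"""

if __name__ == "__main__":
    for listener, problems in audit_listeners(SAMPLE).items():
        print(listener, "OK" if not problems else "; ".join(problems))
```

Each listener is checked under its own name, so a second listener added later without its own `ADMIN_RESTRICTIONS_` and `PASSWORDS_` entries is reported even when the default one is hardened.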
