Re: SQL*NET/orasrv security problem

From: Clay Jackson <cjackso_at_uswnvg.com>
Date: 7 Apr 94 07:41:23 GMT
Message-ID: <29103_at_uswnvg.uswnvg.com>


Gunnar Orvarsson (gunnaro_at_hafro.is) wrote:
: This would be great, if we could allow connections from CERTAIN MACHINES
: MACHINES ONLY, i.e. those that are on our network or in our administrative
: domain. But unfortunately, this doesn't seem to be the way orasrv works.
: Allowing this kind of access to workstations on our network seems to enable
: users with the same login name on ANY machine on the Internet to connect to
: our database.

: So my question is:

: Does anyone know a way to make orasrv allow connections from certain machines
: only? Are there any ways at all to prevent logins from machines from the
: outside (and staying on the Internet)? Might there exist some public domain
: security packages to take care of this?

I like the firewall idea - that might be a bit of overkill (depends on your site). A couple of things we've done:

First, in our implementation of orasrv, even with REMOTE_OS_AUTHENT set TRUE, the user MUST have an entry in /etc/passwd on the SERVER machine. No entry, no connect allowed.

Second, we've taken to using "non-standard" tcp ports. Oracle assumes that orasrv is listening on port 1525. We use port 9182 (not really, but I'd rather not post which port we DO use - but it's NOT 1525). Then, only a client that knows the port number (or its alias) can even get THAT far (let alone past the first requirement).

Anyway - that seems to do it for us. Of course, our internal network is not externally well connected anyway (no direct Internet, for example).

--
Clay Jackson - N7QNM
US WEST NewVector Group Inc
Bellevue, WA
uunet!uswnvg!cjackso
Received on Thu Apr 07 1994 - 09:41:23 CEST

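The two controls in the reply (a server-side /etc/passwd entry for the asserted OS user, and a non-default listener port) combined with the source-host restriction the question asks for, as an added Python admission check that is not part of the original thread or of Oracle's orasrv; the port 9182, the 192.0.2.0/24 network and the passwd lines are constructed sample values.

```python
import ipaddress

# Constructed sample: a server-side /etc/passwd fragment, not a real system file.
PASSWD_SAMPLE = """\
root:x:0:0:root:/:/bin/sh
oracle:x:200:200:Oracle owner:/home/oracle:/bin/sh
gunnaro:x:1001:100:Gunnar:/home/gunnaro:/bin/csh
"""


def os_accounts(passwd_text):
    """Return the login names that have an entry in a passwd-format file."""
    names = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


class OrasrvPolicy:
    """Admission policy for an orasrv listener running with REMOTE_OS_AUTHENT=TRUE.

    The OS username is asserted by the client, so the passwd check (rule 1 in the
    reply) only rejects names unknown to the server; the source-network allow-list
    (what the question asked for) is what ties the login name to a machine in the
    administrative domain. The non-default port (rule 2) just hides the listener.
    """

    def __init__(self, passwd_text, listen_port, allowed_networks):
        self.accounts = os_accounts(passwd_text)
        self.listen_port = listen_port  # hypothetical value, 1525 is the default
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    def admit(self, src_ip, dst_port, os_user):
        """Return (accepted, reason) for one connection attempt."""
        if dst_port != self.listen_port:
            return False, "nothing listening on port %d" % dst_port
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.allowed):
            return False, "source %s outside administrative domain" % src_ip
        if os_user not in self.accounts:
            return False, "no /etc/passwd entry for %r on server" % os_user
        return True, "ok"


if __name__ == "__main__":
    pol = OrasrvPolicy(PASSWD_SAMPLE, 9182, ["192.0.2.0/24"])  # constructed values
    print(pol.admit("192.0.2.17", 9182, "gunnaro"))    # own network: accepted
    print(pol.admit("198.51.100.9", 9182, "gunnaro"))  # same login, foreign host
    print(pol.admit("192.0.2.17", 1525, "gunnaro"))    # default port, no listener
```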