Re: SQL*NET/orasrv security problem
Date: 7 Apr 94 07:41:23 GMT
Message-ID: <29103_at_uswnvg.uswnvg.com>
Gunnar Orvarsson (gunnaro_at_hafro.is) wrote:
: This would be great, if we could allow connections from CERTAIN MACHINES
: ONLY, i.e. those that are on our network or in our administrative
: domain. But unfortunately, this doesn't seem to be the way orasrv works.
: Allowing this kind of access to workstations on our network seems to enable
: users with the same login name on ANY machine on the Internet to connect to
: our database.
: Does anyone know a way to make orasrv allow connections from certain machines
: only? Are there any ways at all to prevent logins from machines from the
: outside (and staying on the Internet)? Might there exist some public domain
: security packages to take care of this?
I like the firewall idea - that might be a bit of overkill (depends on your site). A couple of things we've done:
First, in our implementation of orasrv, even with REMOTE_OS_AUTHENT set TRUE, the user MUST have an entry in /etc/passwd on the SERVER machine. No entry, no connect allowed.
Second, we've taken to using "non-standard" tcp ports. Oracle assumes that orasrv is listening on port 1525. We use port 9182 (not really, but I'd rather not post which port we DO use - but it's NOT 1525). Then, only a client that knows the port number (or its alias) can even get THAT far (let alone past the first requirement).
Anyway - that seems to do it for us. Of course, our internal network is not externally well connected anyway (no direct Internet, for example).
-- Clay Jackson - N7QNM US WEST NewVector Group Inc Bellevue, WA uunet!uswnvg!cjackso
Received on Thu Apr 07 1994 - 09:41:23 CEST