
Re: restricting listener access

From: Mark Bole <makbo_at_pacbell.net>
Date: Fri, 17 Sep 2004 19:09:01 GMT
Message-ID: <gDG2d.16907$QJ3.15936@newssvr21.news.prodigy.com>


FM wrote:

>
>
> Sybrand Bakker wrote:
>

>> On Fri, 17 Sep 2004 15:55:30 GMT, FM <fabrizio.magni_at_mycontinent.com>
>> wrote:
>>
>>
>>> Sometimes I miss the ironic side of a post...
>>> Are you serious?!?!?
>>
>>
>>
>> The obvious solution would be to reconfigure the listener and place a
>> password in listener.ora.
>> A solution you reject in your initial post.
>> If you reject sensible solutions you shouldn't be surprised someone is
>> trying to be funny.
>>
>>
>> -- 
>> Sybrand Bakker, Senior Oracle DBA

>
>
>
> I'm new to this newsgroup (or to newsgroups in general) so I wasn't sure
> if it was a serious reply or a joke.
>
> However I don't believe a password is a good solution because you would
> have to set it in your booting script.
>
> The password doesn't solve a couple of troubles I saw after system
> migration.
>
> Two days ago an old and forgotten system was shut down by a system
> administrator. On that system there was an old listener definition
> pointing to the migrated system (the ip was exchanged after migration).
> The boot-script shut down the production listener. It would have
> happened even with a password (if it is possible to pass a password via
> script).
>
> It was not the first time I saw a similar situation but they were
> errors. It could be done deliberately by a malicious attacker.
>
> I was simply asking if there is a better solution than a password or a
> firewall.
>
> Is there?
>

Pretty sure the password is only required to stop the listener or change the listener config, not start. So at the cost of just killing the listener process at server shutdown (instead of graceful stop), the password approach is still probably the best.

Of course, if you accidentally copy the same password to another machine, your problem could still happen.

My suggestion is more of a general admin practice, not Oracle-specific: namely, don't get too clever with swapping old and new IP addresses, hostnames, etc. If you are setting up new hardware, give it a new name and a new IP address and update your configs appropriately when you cut over.

--Mark Bole

Received on Fri Sep 17 2004 - 14:09:01 CDT
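An added example, not part of the original thread: a check for the situation FM describes, where a listener.ora left on another machine still names the production address. It flags listener entries whose HOST is not one of the local machine's own names or addresses; the sample file, host names and addresses are constructed.

```python
import re
import socket

# Constructed sample: a listener.ora left on a decommissioned host whose
# LISTENER entry still names the address now used by production.
SAMPLE_LISTENER_ORA = """\
# listener.ora on the old server (constructed)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.10)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER_LOCAL =
  (ADDRESS = (PROTOCOL = TCP)(HOST = OldBox)(PORT = 1522))
"""

def listener_hosts(text):
    """Map each top-level listener.ora entry to the HOST values it contains."""
    text = re.sub(r"(?m)#.*$", "", text)                      # drop comments
    parts = re.split(r"(?m)^([A-Za-z_][\w.]*)\s*=", text)     # names at column 0
    hosts = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        found = re.findall(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", body, re.I)
        if found:                                             # skip SID_LIST_* etc.
            hosts[name] = found
    return hosts

def local_identities():
    """Names and addresses this machine answers to, as far as the resolver knows."""
    names = {"localhost", "127.0.0.1", socket.gethostname(), socket.getfqdn()}
    try:
        names.update(socket.gethostbyname_ex(socket.gethostname())[2])
    except OSError:
        pass                                                  # resolver unavailable
    return names

def foreign_listeners(text, local):
    """Return (entry, host) pairs whose HOST is not one of the local identities."""
    local = {n.lower() for n in local}
    return [(name, h) for name, hs in listener_hosts(text).items()
            for h in hs if h.lower() not in local]

if __name__ == "__main__":
    for name, host in foreign_listeners(SAMPLE_LISTENER_ORA, local_identities()):
        print(f"{name}: HOST {host} is not an address of this machine")
```

Run against each server's listener.ora before and after a migration, any entry it reports is a definition that would let that machine's start or stop scripts act on a listener somewhere else.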
