Several ways to deal with Oracle database services security vulnerabilities

1. Ultra Search component: unknown vulnerabilities

1.1 The Ultra Search component is generally used to build search-engine functions. If it is not used, for example on an intranet site, uninstall the Ultra Search component by running the removal SQL script in SQL*Plus:

@$ORACLE_HOME/ultrasearch/admin/wk0deinst.sql

1.2 If the component is still in use, upgrading the Oracle version is recommended.

 

2. If you cannot upgrade, restrict access by source IP:

2.1 Configure an IP address whitelist or blacklist through the SQLNET.ORA file.

Oracle access whitelist configuration tutorial

To improve data security, we may want to restrict access to Oracle, allowing only certain IPs to connect to the database or denying certain IPs access to the database.

Of course iptables can also achieve this restriction, but considering that a sqlnet.ora restriction still takes effect if the listener port is changed, applies only to Oracle itself without being mixed up with restrictions on other ports, and does not need the root account, using the sqlnet.ora configuration file for access restrictions may be the better choice.

2.1.1 The sqlnet.ora configuration file

Enter $TNS_ADMIN (generally corresponding to a real path of the form /oracle/app/oracle/product/11.2.0/dbhome_1/network/admin). On a Windows server, locate the directory directly as shown in the figure below.

Check whether a sqlnet.ora file already exists there and whether the tcp.validnode_checking, tcp.invited_nodes and tcp.excluded_nodes entries have already been configured.

 

If the file exists and already has these entries, modify them in place; if the file exists but some of the entries are missing, append them at the end; if the file does not exist, create it.

Oracle does not include these entries by default, and neither does our setup, so as an example we create a new file and write the following:

 

tcp.validnode_checking=yes

tcp.invited_nodes=(192.168.220.128,127.0.0.1)

tcp.excluded_nodes=(192.168.220.1)

 

  1. 127.0.0.1 refers to the local server's IP; the server's own IP address can be used instead. Without a local address the listener does not work.
  2. tcp.validnode_checking: enables IP validity checking. This must be configured; without it the other two entries are useless.
  3. tcp.invited_nodes: the IP addresses allowed to connect to the database, multiple addresses separated by (half-width) commas. If this is enabled, a local address must be included, otherwise the listener cannot start.
     If you want to allow a network segment, you can try using % or ?. For the 192.168.220.128 above, you could write 192.168.220.% or 192.168.220.?
  4. tcp.excluded_nodes: the IP addresses denied connection to the database, multiple addresses separated by (half-width) commas. If the same IP also appears in tcp.invited_nodes, that IP is still allowed to access the database.

In fact, only one of tcp.invited_nodes and tcp.excluded_nodes needs to be configured. With only tcp.invited_nodes configured, it acts as a whitelist: every IP in the list is allowed to access the database, and every IP not in the list is denied.

With only tcp.excluded_nodes configured, every IP in the list is denied access to the database, and every IP not in the list is allowed.
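An added example, not part of the original post: a small Python checker that parses a sqlnet.ora fragment and applies the rules just described (the validnode switch, the invited list as a whitelist that also wins over the excluded list, the excluded list alone as a blacklist), with a lint for the two pitfalls above. The sample file is constructed; treating % and ? as "any characters" wildcards and the lack of CIDR support are assumptions.

```python
# Added example, not from the original post: offline evaluation of the
# sqlnet.ora node-checking settings described above for a client address.
from fnmatch import fnmatchcase

# Constructed sample; mirrors the post's snippet plus one wildcard entry.
SAMPLE_SQLNET_ORA = """
tcp.validnode_checking=yes
tcp.invited_nodes=(192.168.220.128,127.0.0.1,10.0.%)
tcp.excluded_nodes=(192.168.220.1)
"""

def parse_sqlnet(text):
    """Parse key=value lines; a (a,b,c) value becomes a list of strings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            conf[key.lower()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            conf[key.lower()] = value
    return conf

def _matches(ip, pattern):
    # Assumption: the % and ? segment wildcards from the post both mean
    # "any characters here"; map them to a glob star. No CIDR handling.
    return fnmatchcase(ip, pattern.replace("%", "*").replace("?", "*"))

def is_allowed(conf, client_ip):
    """True if the listener would accept client_ip under these settings."""
    if str(conf.get("tcp.validnode_checking", "no")).lower() != "yes":
        return True  # checking disabled: both lists are ignored
    invited = conf.get("tcp.invited_nodes", [])
    excluded = conf.get("tcp.excluded_nodes", [])
    if any(_matches(client_ip, p) for p in invited):
        return True  # invited list wins even if the IP is also excluded
    if invited:
        return False  # invited list present: everything else is denied
    return not any(_matches(client_ip, p) for p in excluded)

def lint(conf, local_ips=("127.0.0.1",)):
    """Warn about the two pitfalls the post calls out."""
    warnings = []
    checking = str(conf.get("tcp.validnode_checking", "no")).lower() == "yes"
    if not checking and ("tcp.invited_nodes" in conf or "tcp.excluded_nodes" in conf):
        warnings.append("node lists present but tcp.validnode_checking is not yes")
    invited = conf.get("tcp.invited_nodes", [])
    if invited and not any(_matches(ip, p) for ip in local_ips for p in invited):
        warnings.append("tcp.invited_nodes has no local address; listener may not start")
    return warnings
```

Run lint on the real file before `lsnrctl reload`, passing the server's own address in local_ips if that is what the invited list uses instead of 127.0.0.1.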

 

2.1.2 Reloading the configuration

If sqlnet.ora did not exist before, the listener needs to be restarted.

Execute the following commands directly in a CMD command window:

 

lsnrctl stop

lsnrctl start

If sqlnet.ora already existed, only the configuration needs to be reloaded:

 

lsnrctl reload

The difference between restart and reload is whether the listener is stopped completely: with stop/start, every currently connected session is forcibly disconnected, whereas reload does not disconnect existing sessions.

If there are many servers that need the same operation, put the restart commands into a .bat file and double-click it.

 

2.2 Use a logon trigger to prohibit specific IP addresses and users from logging in.

create or replace trigger logon_ip_control
after logon on database
declare
  -- Variables renamed so they do not shadow the built-in USER function;
  -- IP_ADDRESS can exceed 30 characters for IPv6, so the buffer is widened.
  v_user VARCHAR2(128);
  v_ip   VARCHAR2(64);
begin
  v_user := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip   := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  -- IP_ADDRESS is NULL for local (bequeath/IPC) connections, so the NOT IN
  -- test below only affects network logins; also, users holding the
  -- ADMINISTER DATABASE TRIGGER privilege (e.g. SYS) still log in when a
  -- logon trigger raises an error, so this does not replace sqlnet.ora checks.
  if v_user = 'EPAY_USER' then
    if v_ip not in ('192.168.219.20', '192.168.219.22') then
      raise_application_error(-20001,
        'User ' || v_user || ' is not allowed to connect from ' || v_ip);
    end if;
  end if;
end;
/

 


Reference sources

Black and white list: https://www.cnblogs.com/lsdb/p/7729434.html

Trigger: https://blog.csdn.net/dbanote/article/details/9231863


Origin: blog.csdn.net/jeansmy111/article/details/103819712