Solution Beacon Security Best Practice #9 - Restrict Network Access – Set Password on Database Listener
For Oracle database releases prior to 10g, it is very important
to set a password for the Oracle TNS listener, because any
computer can access (and administer) the database listener
remotely. For Oracle Database 10g Release 1 (and higher) the
default authentication mode is local OS authentication, which
requires the account executing the listener command to be a
member of the local ‘dba’ group. It is a best practice to always
place a password on the Oracle listener to prevent remote
configuration of the listener (regardless of the version).
Using the lsnrctl utility, the change_password command is used
to set the password for the first time, or to change an existing
password.
$ lsnrctl
LSNRCTL> change_password
Old password: <hit Enter if no prior password value>
New password: <new password value>
Reenter new password: <new password value>
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host>)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL>
The "Old password:" value should be left blank if the password
is being set for the first time. Once the new password is set,
the configuration should be saved using the save_config command.
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host>)(PORT=1521)))
Saved <listener name> configuration parameters.
Listener Parameter File <oracle home>/listener.ora
Old Parameter File <oracle home>/listener.bak
LSNRCTL>
Once the password is set, subsequent attempts to perform
privileged operations such as save_config and stop will fail
unless the password is first supplied in that lsnrctl session
using the set password command.
On another note, if the listener you are protecting does not
have the default name of LISTENER, you must do
set current <listener name>
before issuing the change_password command.
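
To confirm the result for every listener defined in a listener.ora, the following added example (not part of the original page) looks for the PASSWORDS_<listener name> line that save_config writes to the file. The sample file contents, the host name, the hash value and the LISTENER_APP listener name are constructed for illustration.

```python
import re

# Constructed sample listener.ora (not from the page); the hash is a placeholder.
# LISTENER has a saved password entry, LISTENER_APP (hypothetical name) does not.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))))
LISTENER_APP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1522)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
#----ADDED BY TNSLSNR (constructed timestamp)---
PASSWORDS_LISTENER = 0123456789ABCDEF
"""


def parse_top_level(text):
    """Return {NAME: value} for top-level 'NAME = value' entries."""
    entries, depth, name = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        # A new parameter can only start at column 0 outside any parentheses.
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            entries[name] = m.group(2)
        elif name:
            entries[name] += " " + line.strip()  # continuation line
        depth += line.count("(") - line.count(")")
    return entries


def audit(text):
    """Map each listener name to True when PASSWORDS_<name> has a value."""
    entries = parse_top_level(text)
    listeners = [n for n, v in entries.items()
                 if "ADDRESS" in v.upper()
                 and not n.startswith(("SID_LIST_", "PASSWORDS_"))]
    return {n: bool(entries.get("PASSWORDS_" + n, "").strip()) for n in listeners}


if __name__ == "__main__":
    for listener, has_pw in audit(SAMPLE_LISTENER_ORA).items():
        print(f"{listener}: {'password set' if has_pw else 'NO PASSWORD'}")
```

A listener reported without a password is one where change_password was never run, or was run without a following save_config.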