Does the listener also need to be secured? It does. By default, any user can operate or shut down the Oracle Listener through the lsnrctl tool without a password, and once it is shut down no new session can establish a connection. In Oracle 9i, the listener allows anyone to manage it remotely using lsnrctl, which makes it easy to damage the database.
1. Stop the listener without setting a password
[oracle@test ~]$ lsnrctl stop listener_demo92    --> Stop the listener; no password is required
LSNRCTL for Linux: Version 9.2.0.8.0 - Production on 26-JUN-2011 08:22:26
Copyright (c) 1991, 2006, Oracle Corporation. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
The command completed successfully
2. Restart the listener and set the password
[oracle@test ~]$ lsnrctl
LSNRCTL for Linux: Version 9.2.0.8.0 - Production on 26-JUN-2011 08:24:09
Copyright (c) 1991, 2006, Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener_demo92    --> Set the current listener
Current Listener is listener_demo92
LSNRCTL> start    --> Starting also requires no password; the detailed startup output is omitted
LSNRCTL> change_password    --> Use change_password to set the password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
Password changed for listener_demo92
The command completed successfully
LSNRCTL> save_config    --> Note that save_config fails here
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password    --> Enter the new password to verify
Password:
The command completed successfully
LSNRCTL> save_config    --> This time save_config succeeds
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
Saved listener_demo92 configuration parameters.
Listener Parameter File /oracle/92/network/admin/listener.ora
Old Parameter File /oracle/92/network/admin/listener.bak
The command completed successfully
--> After adding the password, a new record appears in the listener.ora file, namely the password option (note: even with password management in use, the listener can still be started without a password)
[oracle@test admin]$ more listener.ora
#----ADDED BY TNSLSNR 26-JUN-2011 05:12:48---
PASSWORDS_listener_demo92 =
#--------------------------------------------
3. Attempt to stop listener without using a password
[oracle@test ~]$ lsnrctl stop listener_demo92
LSNRCTL for Linux: Version 9.2.0.8.0 - Production on 26-JUN-2011 06:09:51
Copyright (c) 1991, 2006, Oracle Corporation. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
TNS-01169: The listener has not recognized the password    --> Error received; password authentication is required
4. Stop listener using a password
[oracle@test ~]$ lsnrctl
LSNRCTL> set current_listener listener_demo92
Current Listener is listener_demo92
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test)(PORT=1521)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
Linux Error: 111: Connection refused
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
Linux Error: 2: No such file or directory
5. Issues with save_config failure
--> In Oracle 9i, the save_config command fails:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=<port>)))
TNS-01169: The listener has not recognized the password
--> Use set password before save_config; the configuration is then saved successfully.
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
/* Oracle 10g does not have this problem, because it can use authentication based on the operating system. The listener checks whether the user is a member of the dba group and, if so, grants permission to change passwords, save configurations, stop listeners, and so on. */
6. Configure the listener.ora file by setting the ADMIN_RESTRICTIONS parameter
Parameter function:
After the ADMIN_RESTRICTIONS parameter is set in the listener.ora file, management commands can no longer change the listener while it is running: the set command becomes unavailable, whether it is executed locally on the server or remotely. From then on, the listener settings can only be changed by editing the listener.ora file manually, and the change takes effect only after the configuration is loaded again with the lsnrctl reload command or with lsnrctl stop/start.
Modification method:
Manually add the following line to the listener.ora file
ADMIN_RESTRICTIONS_<listener_name> = ON
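An added example, not part of the original article or of any Oracle tooling: a small Python audit that reads a listener.ora and reports, per listener, whether the PASSWORDS_, ADMIN_RESTRICTIONS_ and LOCAL_OS_AUTHENTICATION_ entries discussed on this page are present. The sample file, its placeholder hash and the function names are constructed for illustration, and treating any top-level entry that contains an ADDRESS as a listener definition is an assumption.

```python
import re

# Constructed listener.ora for illustration; the hash is a placeholder.
SAMPLE = """\
listener_demo92 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = test)(PORT = 1521)))
SID_LIST_listener_demo92 =
  (SID_LIST = (SID_DESC = (SID_NAME = demo92)))
#----ADDED BY TNSLSNR (constructed)---
PASSWORDS_listener_demo92 = 0123456789ABCDEF
ADMIN_RESTRICTIONS_listener_demo92 = ON
listener_open =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = test)(PORT = 1522)))
ADMIN_RESTRICTIONS_listener_open = off
"""

def top_level_params(text):
    """Map each NAME (upper-cased) assigned at parenthesis depth 0 to its value."""
    params, depth, name = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)", line) if depth == 0 else None
        if m:                                        # a new top-level parameter
            name, line = m.group(1).upper(), m.group(2)
            params[name] = ""
        if name:
            params[name] = (params[name] + " " + line).strip()
        depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """Report, per listener, the hardening settings present in listener.ora."""
    p = top_level_params(text)
    report = {}
    for name, value in p.items():
        # Assumption: a listener definition is a top-level entry with an ADDRESS.
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue
        report[name] = {
            "password_set": bool(p.get("PASSWORDS_" + name)),
            "admin_restrictions_on": p.get("ADMIN_RESTRICTIONS_" + name, "").upper() == "ON",
            "os_auth_disabled": p.get("LOCAL_OS_AUTHENTICATION_" + name, "").upper() == "OFF",
        }
    return report

if __name__ == "__main__":
    for listener, state in audit(SAMPLE).items():
        print(listener, state)
```

The report reflects only what is written in the file; a running listener keeps its old settings until the configuration is reloaded.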
Below is a supplement from other users:
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ecp-uc-db1)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ecp-uc-db1)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /opt/oracle/product/10.2.0/db_1/network/admin/listener.ora
Old Parameter File /opt/oracle/product/10.2.0/db_1/network/admin/listener.bak
The command completed successfully
[oracle@ecp-uc-db1 admin]$ cat listener.ora
#----ADDED BY TNSLSNR 10-JUN-2011 18:13:24---
PASSWORDS_LISTENER = 6D7AA003392C436A
#--------------------------------------------
Note: 10g needs the following added to the database (restart the listener):
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
1. Before adding LOCAL_OS_AUTHENTICATION_LISTENER = OFF
Security ON: Password or Local OS Authentication
2. After adding LOCAL_OS_AUTHENTICATION_LISTENER = OFF
Security ON: Password
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ecp-uc-db1)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ecp-uc-db1)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password 123456
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ecp-uc-db1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Start Date 10-JUN-2011 18:15:49
Uptime 0 days 0 hr. 1 min. 16 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File /opt/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /opt/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ECP-UC-DB1)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "ecp" has 1 instance(s).
Instance "ecp", status READY, has 1 handler(s) for this service...
Service "ecpXDB" has 1 instance(s).
Instance "ecp", status READY, has 1 handler(s) for this service...
Service "ecp_XPT" has 1 instance(s).
Instance "ecp", status READY, has 1 handler(s) for this service...
The command completed successfully