Oracle监听口令及监听器安全详解
很多Oracle用户都知道,Oracle的监听器一直存在着一个安全隐患,假如对此不设置安全措施,那么能够访问的用户就可以远程关闭监听器。
相关示例如下:
D:>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=eygle)))
命令执行成功
大家可以发现,此时缺省的监听器的日志还无法记录操作地址:
No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) 28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop) (ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0
有鉴于此,为了更好的保证监听器的安全,大家最好为监听设置密码:
[oracle@jumper log]$ lsnrctl LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17 Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved. Welcome to LSNRCTL, type "help" for information. LSNRCTL> set current_listener listener Current Listener is listener LSNRCTL> change_password Old password: New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Password changed for listener The command completed successfully LSNRCTL> set password Password: The command completed successfully LSNRCTL> save_config Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) Saved LISTENER configuration parameters. Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak The command completed successfully
在我们设置密码后,远程操作将会因缺失密码而出现失败:
D:>lsnrctl stop eygle LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11) (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))
TNS-01169: 监听程序尚未识别口令
注意:此时在服务器端或客户端,都需要我们通过密码来起停监听器:
LSNRCTL> set password Password: The command completed successfully LSNRCTL> stop Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) The command completed successfully LSNRCTL> start Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait... TNSLSNR for Linux: Version 9.2.0.4.0 - Production System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production Start Date 28-NOV-2007 10:22:23 Uptime 0 days 0 hr. 0 min. 0 sec Trace Level support Security ON SNMP OFF Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521))) Services Summary... Service "eygle" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... Service "julia" has 1 instance(s). Instance "eygle", status UNKNOWN, has 1 handler(s) for this service... The command completed successfully
另外,ADMIN_RESTRICTIONS参数也是一个重要的安全选项,大家可以在 listener.ora 文件中设置 ADMIN_RESTRICTIONS_ 为 ON,此后所有在运行时对监听器的修改都将会被阻止,所有对监听器的修改都必须通过手工修改listener.ora文件才能顺利完成。
-
Listener架构概述 Listener Listener.DrainType (Enum) Filter FilterChainMatch FilterChain Listener Listener proto { "name": "...", "address": "{...}", "filter_chains": [], "use_original_dst": "{...}
-
Server可以监听多个端口,每个端口都可以设置不同的协议处理方式,例如80端口处理http协议,9507端口处理TCP协议。SSL/TLS传输加密也可以只对特定的端口启用。 !> 例如主服务器是WebSocket或Http协议,新监听的TCP端口(listen的返回值,即Swoole\Server\Port,以下简称port)默认会继承主Server的协议设置。必须单独调用port对象的set方
-
主要内容:监听器的分类,监听对象创建和销毁的监听器,监听属性变更的监听器,监听 Session 中对象状态改变的监听器,注册监听器监听器 Listener 是一个实现特定接口的 Java 程序,这个程序专门用于监听另一个 Java 对象的方法调用或属性改变,当被监听对象发生上述事件后,监听器某个方法将立即自动执行。 监听器的相关概念: 事件:方法调用、属性改变、状态改变等。 事件源:被监听的对象( 例如:request、session、servletContext)。 监听器:用于监听事件源对象
-
性能测试就是以各种形式分析服务器响应,然后将其呈现给客户端。 当JMeter的采样器组件被执行时,监听器提供JMeter收集的关于那些测试用例的数据的图形表示。它便于用户在某些日志文件中以表格,图形,树或简单文本的形式查看采样器结果。 监听器可以在测试的任何地方进行调整,直接包括在测试计划下。JMeter提供了大约15个监听器,但主要使用的是表,树和图形。 以下是JMeter中所有监听器的列表:
-
{ "name": "...", "address": "...", "filters": [], "ssl_context": "{...}", "bind_to_port": "...", "use_proxy_proto": "...", "use_original_dst": "...", "per_connection_buffer_lim
-
Envoy配置顶层包含一个监听器列表。每个单独的监听器配置具有以下格式: v1 API参考 v2 API参考 统计 监听器 每个监听器都有一个以 listener.<address> 为根的统计树。统计如下: 名称 类型 描述 downstream_cx_total Counter 连接总数 downstream_cx_destroy Counter 销毁的连接总数 downstream_cx_a