• Oracle 找到引起账户锁定的IP


     

    在ORACLE数据库中,如果没有修改过FAILED_LOGIN_ATTEMPTS的话,默认10次尝试失败后就会锁住用户。此时再登录数据库,就会遇到ORA-28000: the account is locked

     

    SQL> SELECT * 
      2  FROM DBA_PROFILES
      3  WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS';
     
    PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
    ------------------------------ -------------------------------- -------- -----
    DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10
    MONITORING_PROFILE             FAILED_LOGIN_ATTEMPTS            PASSWORD UNLIMITED
     
    SQL>

     

    那么在数据库维护过程中,如果出现账号被锁定的情况,如何事后分析是那个IP或主机导致账号被锁定了呢?不同的情形有不同的分析方法,主要看是否开启了数据库审计功能

     

     

    开启了数据库审计

     

    如果开了审计功能的话,这个分析定位就非常简单容易。因为数据库的审计功能会记录这些信息到数据库当中。

     

    检查是否开启审计,主要查看audit_sys_operations参数是否为TRUE。

     

    SQL> show parameter audit
     
    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    audit_file_dest                      string      /u01/app/oracle/admin/gsp/adum
                                                     p
    audit_sys_operations                 boolean     TRUE
    audit_syslog_level                   string
    audit_trail                          string      DB_EXTENDED
    SQL> 

     

    如果开启了审计功能,通过下面SQL语句就能轻松找到引起账号锁定的主机(通过主机找到具体IP地址)

     

    ----RETURNCODE=1017 表示登录失败返回ORA-01017: invalid username/password; logon denied错误的会话信息。

     如果 audit_trail= DB

    SELECT USERNAME
           ,USERHOST
           ,TIMESTAMP
           ,RETURNCODE
    FROM dba_audit_session
    WHERE USERNAME='TEST'
        AND RETURNCODE='1017' 
    ORDER BY TIMESTAMP DESC;

     如果 audit_trail= OS

    grep 1017 $ORACLE_BASE/admin/$ORACLE_SID/adump/*2019053004*
    orcl_ora_20432_20190530040340560268143795.aud:SESSIONID:[8] "33072208" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47646))" DBID:[10] "1865135537" 
    orcl_ora_20434_20190530040337550602143795.aud:SESSIONID:[8] "33072205" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47643))" DBID:[10] "1865135537" 
    orcl_ora_20436_20190530040338555761143795.aud:SESSIONID:[8] "33072209" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47642))" DBID:[10] "1865135537" 
    orcl_ora_20438_20190530040343576957143795.aud:SESSIONID:[8] "33072206" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47641))" DBID:[10] "1865135537" 
    orcl_ora_20440_20190530040337545737143795.aud:SESSIONID:[8] "33072207" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47640))" DBID:[10] "1865135537" 
    orcl_ora_20442_20190530040337548685143795.aud:SESSIONID:[8] "33072210" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[4] "scott" USERHOST:[12] "app-01" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.4.15.148)(PORT=47639))" DBID:[10] "1865135537"

     

    数据库审计关闭

     

     如果数据库审计功能是关闭的情况下,那么能否定位、找到导致账号锁定的主机或IP地址呢? 如果出现账号被锁的情况,可以先查一下dba_users试图,看看账号是在什么时间点被锁定的。注意(有些版本有Bug,会出现LOCK_DATE不准确的情况。)

      

    SQL> ALTER SESSION SET NLS_DATE_FORMAT='YYYY-MM-DD HH24:MI:SS';
     Session altered.
    SQL> SELECT username, account_status,lock_date, PROFILE 
      2  FROM dba_users WHERE username='TEST';
     
    USERNAME          ACCOUNT_STATUS       LOCK_DATE         PROFILE
    ------------ ---------------------- ------------------- ----------
    TEST              LOCKED(TIMED)     2018-06-16 23:49:14 DEFAULT
     
    SQL> 

        

     

        网上有些文章信誓旦旦的宣称通过监听日志可以分析出哪些IP导致账号被锁定了,但是经过动手实验分析,发现通过监听日志文件根本无法定位引起账号锁定的IP地址,原因有两个:

     

    1、 无法通过监听日志判断登录会话是否出现ORA-01017错误,因为登录成功与登录失败遭遇ORA-01017错误的会话的监听日志信息是一样。无法区别!

     

    2、 即使账号锁定的时间能定位到秒,但是生产环境中,一秒内有大量的监听日志生成,根本无法定位是哪一个具体IP

     

    3、 登录失败的会话可能不是连续的。而是在一段时间内生成的。通过分析监听日志根本没有这个可能性!

     

    登陆失败或账户锁定 在Listener Log 和Alert Log 中都找不到相关信息。

    不过如果事前你定义了数据库触发器,那么就可以轻松定位到具体IP, 网友提供了一个触发器,如下所示:

     

    CREATE OR REPLACE TRIGGER sys.logon_denied_to_alert
      AFTER servererror ON DATABASE
    DECLARE
      message   VARCHAR2(168);
      ip        VARCHAR2(15);
      v_os_user VARCHAR2(80);
      v_module  VARCHAR2(50);
      v_action  VARCHAR2(50);
      v_pid     VARCHAR2(10);
      v_sid     NUMBER;
      v_program VARCHAR2(48);
      v_username VARCHAR2(32);
    BEGIN
      IF (ora_is_servererror(1017)) THEN
        -- get ip FOR remote connections :
        IF upper(sys_context('userenv', 'network_protocol')) = 'TCP' THEN
          ip := sys_context('userenv', 'ip_address');
        END IF;
        SELECT sid INTO v_sid FROM sys.v_$mystat WHERE rownum < 2;
        SELECT p.spid, v.program
          INTO v_pid, v_program
          FROM v$process p, v$session v
         WHERE p.addr = v.paddr
           AND v.sid = v_sid;
        v_os_user := sys_context('userenv', 'os_user');
        v_username := sys_context('userenv','authenticated_identity');
        dbms_application_info.read_module(v_module, v_action);
        message := to_char(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') ||
                   ' Password Erro: logon denied from ' || nvl(ip, 'localhost') || ' ' ||
                   v_pid || ' User:' || v_os_user || ' with ' || v_program || '' ||
                   v_module || ' ' || v_action||' dbuser:' || v_username;
        sys.dbms_system.ksdwrt(2, message);
      END IF;
    END;
    /

     

     

    在客户端使用SQL*Plus测试,模拟输入错误的密码登录数据库

     

     

    C:Users>sqlplus test/1234@myvm
     
    SQL*Plus: Release 11.2.0.1.0 Production on 星期日 6月 17 00:35:21 2018
     
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
     
    ERROR:
    ORA-01017: invalid username/password; logon denied

     

     

    此时,触发器捕获到这个错误,就会在告警日志中生成类似下面这样的错误日志信息:

     

     

    Sun Jun 17 08:01:44 2018

    2018-06-17 08:01:44 Password Erro: logon denied from 192.168.125.193 26639 User:KongLB with sqlplus.exe ��� sqlplus.exe  dbuser:test

     

    当然,如果你也可以改写该触发器,将捕获的相关信息写入数据库相关表。

     

    转自:https://www.cnblogs.com/kerrycode/p/9191983.html

     

  • 相关阅读:
    一个关于java线程的面试题
    【Feature】初探Feature
    Foreign Keys in the Entity Framework
    JS keycode
    SQLyog8.3 . 8.4 Enterprise/Ultimate crack
    Win7下使用toad连接oracle出现can't initialize OCI 1
    ADO 数据类型转换表
    简单Jscript(ASP)模版操作文件
    自适应宽度的左右结构DIV+CSS
    一个比较好用的 classic asp Jscript 框架 SmartAsp
  • 原文地址:https://www.cnblogs.com/plluoye/p/10951120.html
Copyright © 2020-2023  润新知