• Oracle listener protection


    Today is 2013-08-24; no, it has just passed midnight, so it should be 2013-08-25. Today a colleague of mine tried to harden the database listener and failed; then a buddy of mine ran the same experiment and it failed as well. So far I do not know why. I want to say to brother Xianwei: I am sorry, I did not set aside the time to work through that error with you, and I hope everyone will understand. I am writing this post to show how I did it, in the hope that it helps. Experts are welcome to offer their views and valuable advice; I, Xiaohai, will accept them calmly, patiently and humbly. I know that someone who will not humbly learn what he does not understand will in the end miss his chance at success. OK, here are my notes:


    Actually, I have never been in favor of setting a listener password, but this was probably done to satisfy the requirements of a security scan. Is the security scan necessarily right? For me, only after actually going through the experiment can I know the answer; I will not talk nonsense.
    Note (from the Oracle documentation):
    Ensure that the password has not been set in the listener.ora file. The local operating system authentication will secure the listener administration. The remote listener administration is disabled when the password has not been set. This prevents brute force attacks of the listener password.
     
    Remember that the listener password has been deprecated in this release, and will not be supported in the next release of Oracle Database.

    In other words, the vendor's position is the opposite of what the scanner asks for: with no password set, only the local OS user who owns the listener can administer it, and remote administration is off altogether. Setting a password (and, as below, turning LOCAL_OS_AUTHENTICATION_LISTENER off) re-enables remote administration protected by nothing but that password.

    OK, the steps are as follows:
    [oracle@oracle-one admin]$ lsnrctl start

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:21:12

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:21:12
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully

    OK, we can see that Security is currently Local OS Authentication. Now set a password, as follows:

    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:21:16

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> change_password
    Old password:
    New password:
    Reenter new password:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Password changed for listener
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Saved LISTENER configuration parameters.
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Old Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
    The command completed successfully
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    No changes to save for LISTENER.
    The command completed successfully
    LSNRCTL> exit
    [oracle@oracle-one admin]$ pwd
    /opt/app/oracle/product/11.2.0/dbhome_1/network/admin
    [oracle@oracle-one admin]$ vi listener.ora

    # listener.ora Network Configuration File: /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    # Generated by Oracle configuration tools.

    LISTENER =(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))))

    ADR_BASE_LISTENER = /opt/app/oracle

    #----ADDED BY TNSLSNR 25-AUG-2013 00:22:10---
    PASSWORDS_LISTENER = 555BD864D140F721
    #--------------------------------------------
    LOCAL_OS_AUTHENTICATION_LISTENER=OFF

    [oracle@oracle-one admin]$ lsnrctl stop

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:10

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    [oracle@oracle-one admin]$ lsnrctl start

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:15

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:23:15
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Password
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    [oracle@oracle-one admin]$


    OK, that's done: Security now shows ON: Password. Checking the status again, we find that a password is now required:
    [oracle@oracle-one admin]$ lsnrctl status

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:23:53

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    TNS-01169: The listener has not recognized the password

    OK, so I enter the password and then check the status, as follows:

    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:24:00

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:23:15
    Uptime                    0 days 0 hr. 1 min. 26 sec
    Trace Level               off
    Security                  ON: Password
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    Services Summary...
    Service "RHYS.ORACLE" has 1 instance(s).
      Instance "RHYS", status READY, has 1 handler(s) for this service...
    Service "RHYSXDB.ORACLE" has 1 instance(s).
      Instance "RHYS", status READY, has 1 handler(s) for this service...
    The command completed successfully
    LSNRCTL>
    At this point the operation is complete.

    OK, looking back at why it did not work for them, my guesses are:
    1) The password was set correctly, but OS authentication was not disabled (LOCAL_OS_AUTHENTICATION_LISTENER=OFF was never added to listener.ora). Reproduced as follows:
    [oracle@oracle-one admin]$ lsnrctl

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:28:04

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener listener
    Current Listener is listener
    LSNRCTL> start
    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     listener
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:28:20
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    LSNRCTL> change_password
    Old password:
    New password:
    Reenter new password:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Password changed for listener
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    Saved listener configuration parameters.
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Old Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
    The command completed successfully
    LSNRCTL> set password
    Password:
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    No changes to save for listener.
    The command completed successfully
    LSNRCTL> stop
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    LSNRCTL> start
    Starting /opt/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    System parameter file is /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Log messages written to /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     listener
    Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
    Start Date                25-AUG-2013 00:28:56
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Password or Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
    Listener Log File         /opt/app/oracle/diag/tnslsnr/oracle-one/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle-one)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    LSNRCTL> exit
    [oracle@oracle-one admin]$
    [oracle@oracle-one admin]$ lsnrctl stop

    LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-AUG-2013 00:30:17

    Copyright (c) 1991, 2009, Oracle.  All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-one)(PORT=1521)))
    The command completed successfully
    [oracle@oracle-one admin]$
    See: the listener can still be stopped directly, without a password. With a password set but LOCAL_OS_AUTHENTICATION_LISTENER left at its default, the status line reads "Password or Local OS Authentication": the local oracle user still passes on OS authentication alone, and the password only matters for remote administration. Only LOCAL_OS_AUTHENTICATION_LISTENER=OFF makes the password mandatory for local commands too, which is what the status line "ON: Password" above reflects.
    2) Wrong listener name. The password is stored per alias (PASSWORDS_<alias> in listener.ora), so the name given to set current_listener must match the alias that listener.ora actually defines.
    OK, that's it.
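As an added example (not from the original post), the shell check below reads a listener.ora offline and classifies it the same way the "Security" line of `lsnrctl status` does, which is the quickest way to tell the post's final state apart from the state suspected in guess 1). The three sample files are constructed here from the post's own listener.ora; the ADMIN_RESTRICTIONS_LISTENER parameter in the third sample goes beyond what the post sets.

```shell
#!/bin/sh
# Added example (not from the original post): an offline check that reads a
# listener.ora and reports which of the three administrative-security states
# seen in the post's "Security" status line the listener will start in.
#
#   local-os-auth              no PASSWORDS_<alias>       -> "ON: Local OS Authentication"
#   password-or-local-os-auth  password set, OS auth on   -> "ON: Password or Local OS Authentication"
#   password-only              password set, OS auth OFF  -> "ON: Password"
#
# It also reports ADMIN_RESTRICTIONS_<alias>, which blocks runtime "lsnrctl set"
# changes to listener parameters (default OFF). The sample files are constructed
# from the post's listener.ora.

# lsnr_param FILE ALIAS PARAM -> value of PARAM_ALIAS, comments and blanks removed
lsnr_param() {
    sed -e 's/#.*$//' "$1" \
        | tr -d ' \t' \
        | grep -i "^$3_$2=" \
        | head -n 1 \
        | cut -d= -f2-
}

# listener_security_mode FILE ALIAS -> one of the three states above
listener_security_mode() {
    pw=$(lsnr_param "$1" "$2" PASSWORDS)
    osauth=$(lsnr_param "$1" "$2" LOCAL_OS_AUTHENTICATION | tr '[:lower:]' '[:upper:]')
    if [ -z "$pw" ]; then
        echo local-os-auth
    elif [ "$osauth" = OFF ]; then
        echo password-only
    else
        echo password-or-local-os-auth
    fi
}

# listener_admin_restrictions FILE ALIAS -> ON or OFF (OFF when the parameter is absent)
listener_admin_restrictions() {
    v=$(lsnr_param "$1" "$2" ADMIN_RESTRICTIONS | tr '[:lower:]' '[:upper:]')
    if [ "$v" = ON ]; then echo ON; else echo OFF; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. stock file as generated by the Oracle configuration tools (before change_password)
cat > "$WORK/stock.ora" <<'EOF'
LISTENER =(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))))
ADR_BASE_LISTENER = /opt/app/oracle
EOF

# 2. after change_password + save_config only (the state suspected in guess 1)
cat > "$WORK/pw_osauth.ora" <<'EOF'
LISTENER =(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))))
ADR_BASE_LISTENER = /opt/app/oracle
#----ADDED BY TNSLSNR 25-AUG-2013 00:22:10---
PASSWORDS_LISTENER = 555BD864D140F721
#--------------------------------------------
EOF

# 3. password plus LOCAL_OS_AUTHENTICATION_LISTENER=OFF (the post's final state),
#    with ADMIN_RESTRICTIONS added on top (not in the post)
cat > "$WORK/pw_only.ora" <<'EOF'
LISTENER =(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-one)(PORT = 1521))))
ADR_BASE_LISTENER = /opt/app/oracle
PASSWORDS_LISTENER = 555BD864D140F721
LOCAL_OS_AUTHENTICATION_LISTENER = off
ADMIN_RESTRICTIONS_LISTENER = ON
EOF

for f in stock pw_osauth pw_only; do
    printf '%-10s security=%-26s admin_restrictions=%s\n' "$f" \
        "$(listener_security_mode "$WORK/$f.ora" LISTENER)" \
        "$(listener_admin_restrictions "$WORK/$f.ora" LISTENER)"
done
```

Point the two functions at $ORACLE_HOME/network/admin/listener.ora with the alias that file defines. A result of password-or-local-os-auth is exactly the situation in guess 1): the local oracle user can still run lsnrctl stop without a password. password-only is where the post's procedure ends up, and is also the state in which the listener becomes remotely administrable by anyone who can guess the password, which is why the Oracle note quoted above prefers no password at all.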

  • Original URL: https://www.cnblogs.com/suncoolcat/p/3281213.html