很多人都知道，Oracle的監(jiān)聽(tīng)器一直存在著一個(gè)安全隱患，假如不設(shè)置安全措施，那么能夠訪問(wèn)的用戶就可以遠(yuǎn)程關(guān)閉監(jiān)聽(tīng)器。

相關(guān)示例：

D:>lsnrctl stop eygle

LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:02:40

Copyright (c) 1991, 2006, Oracle. All rights reserved.

正在連接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521))

(CONNECT_DATA=(SERVICE_NAME=eygle)))

命令執(zhí)行成功

大家可以發(fā)現(xiàn)，此時(shí)缺省的監(jiān)聽(tīng)器的日志還無(wú)法記錄操作地址：

No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

28-NOV-2007 09:59:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)

(ARGUMENTS=64)(SERVICE=eygle)(VERSION=169870080)) * stop * 0

為了更好的保證監(jiān)聽(tīng)器的安全，大家最好為監(jiān)聽(tīng)設(shè)置密碼：

[oracle@jumper log]$ lsnrctl

LSNRCTL for Linux: Version 9.2.0.4.0 - Production on 28-NOV-2007 10:18:17

Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> change_password

Old password:

New password:

Reenter new password:

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

Password changed for listener

The command completed successfully

LSNRCTL> set password

Password:

The command completed successfully

LSNRCTL> save_config

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

Saved LISTENER configuration parameters.

Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora

Old Parameter File /opt/oracle/product/9.2.0/network/admin/listener.bak

The command completed successfully

在我們?cè)O(shè)置密碼后，遠(yuǎn)程操作將會(huì)因缺失密碼而出現(xiàn)失敗：

D:>lsnrctl stop eygle

LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 28-11月-2007 10:22:57

Copyright (c) 1991, 2006, Oracle. All rights reserved.

正在連接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)

(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=eygle)))

TNS-01169: 監(jiān)聽(tīng)程序尚未識(shí)別口令

注意：此時(shí)在服務(wù)器端或客戶端，都需要我們通過(guò)密碼來(lái)起停監(jiān)聽(tīng)器：

LSNRCTL> set password

Password:

The command completed successfully

LSNRCTL> stop

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

The command completed successfully

LSNRCTL> start

Starting /opt/oracle/product/9.2.0/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 9.2.0.4.0 - Production

System parameter file is /opt/oracle/product/9.2.0/network/admin/listener.ora

Log messages written to /opt/oracle/product/9.2.0/network/log/listener.log

Trace information written to /opt/oracle/product/9.2.0/network/trace/listener.trc

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.33.11)(PORT=1521)))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for Linux: Version 9.2.0.4.0 - Production

Start Date 28-NOV-2007 10:22:23

Uptime 0 days 0 hr. 0 min. 0 sec

Trace Level support

Security ON

SNMP OFF

Listener Parameter File /opt/oracle/product/9.2.0/network/admin/listener.ora

Listener Log File /opt/oracle/product/9.2.0/network/log/listener.log

Listener Trace File /opt/oracle/product/9.2.0/network/trace/listener.trc

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.33.11)(PORT=1521)))

Services Summary...

Service "eygle" has 1 instance(s).

Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...

Service "julia" has 1 instance(s).

Instance "eygle", status UNKNOWN, has 1 handler(s) for this service...

The command completed successfully

另外，ADMIN_RESTRICTIONS參數(shù)也是一個(gè)重要的安全選項(xiàng)，大家可以在 listener.ora 文件中設(shè)置 ADMIN_RESTRICTIONS_ 為 ON，此后所有在運(yùn)行時(shí)對(duì)監(jiān)聽(tīng)器的修改都將會(huì)被阻止，所有對(duì)監(jiān)聽(tīng)器的修改都必須通過(guò)手工修改listener.ora文件才能順利完成。

更多信息請(qǐng)查看IT技術(shù)專欄