SecuringtheListenerObjectivesAftercompletingthislesson,youshouldbeabletodothefollowing:DescribehowtolimittheprivilegesofthelistenerAdministerthelistenersecurelyAnalyzelistenerlogfilesListenerSecurity:ChecklistRestricttheprivilegesofthelistener.Secureadministrationby:ProtectingthelistenerwithapasswordforremoteadministrationUsingSSLwhenadministeringthelistenerProtectagainstdenial-of-serviceattacks.Monitorlisteneractivity.RestrictingthePrivilegesoftheListenerRestricttheprivilegesofaseparatelistenerprocess.Asampleconfigurationis:EXTPROC_LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))SID_LIST_EXTPROC_LISTENER=(SID_LIST=(SID_DESC=(SID_NAME=plsextproc)(ORACLE_HOME= /u1/app/oracle/product/10.1.0/db_1)(PROGRAM=extproc)))(hidden)UsetheCREATE

LIBRARY

PrivilegeSparinglyExternalprocedures:AreexecutedfromalibraryRunwiththeprivilegesofthelistenerBydefault,thelistenerhasthewriteprivilegeto:DatabasefilesThememoryspaceoftheinstanceToavoidmisuseofthisprivilege:UseitonlywhenneededLimittheprivilegesofthelistenerPasswordProtecttheListenerEstablishapasswordfortheOraclelistenertopreventunauthorizedlisteneradministration.FromtheListenerControlutility,issuethefollowingcommand:LSNRCTL>CHANGE_PASSWORDOldpassword:lsnrc80Newpassword:lsnrc90Reenternewpassword:lsnrc90LSNRCTL>SETPASSWORDPassword:ThecommandcompletedsuccessfullyLSNRCTL>SAVE_CONFIGThecommandcompletedsuccessfullyPreventingOnlineAdministration

oftheListenerListenerconfigurationcannotbechangedonline.Tochangetheconfiguration,youmust:MakethechangesintheLISTENER.ORAfileReloadtheconfigurationIntheLISTENER.ORAfile,enterthefollowing:Thisconfigurationrequirestheadministratortohave:WriteprivilegesontheLISTENER.ORAfileADMIN_RESTRICTIONS_LISTENER=ONAdministeringtheListenerUsing

TCP/IPwithSSLUseTCP/IPwithSSLwhenadministeringoveraninsecurenetwork.MaketheTCPSprotocolthefirstentryintheaddresslist.Example(LISTENER.ORAfileconfiguredforSSL):LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=)(PORT=8281)))...INBOUND_CONNECT_TIMEOUTProtectthelistenerfromdenial-of-serviceattackswiththefollowingnetworkparameters:SQLNET.INBOUND_CONNECT_TIMEOUTINBOUND_CONNECT_TIMEOUT_listener_name

Theseparameters:SetthetimeallowedforaconnectiontocompleteauthenticationLogfailureswithsourceIPaddresses(hidden)SettingListenerLoggingParametersIntheLISTENER.ORAfile:LOG_DIRECTORY_listener_nameLOG_FILE_listener_nameWithOracleNetManager:WiththeSETcommandintheListenerControlutility:LOG_DIRECTORYLOG_FILE(hidden)AnalyzingListenerLogFilesThelistenerlogcontainsthefollowinginformation:Listenerlogaudits:ClientconnectionrequestListenerControlutilitycommandsListenerserviceregistrationevents:service_registerservice_updateservice_diedListenerdirecthand-offinformation(hidden)ListenerLogConnect:Examples24-APR-200518:02:51*(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=EDRSR3P1)(USER=oracle)))*(ADDRESS=(PROTOCOL=tcp)(HOST=03)(PORT=56688))*establish*orcl*0...24-APR-200518:03:05*(CONNECT_DATA=(SERVICE_NAME=mydb)(CID=(PROGRAM=sqlplus)(HOST=EDRSR3P1)(USER=oracle)))*(ADDRESS=(PROTOCOL=tcp)(HOST=03)(PORT=1067))*establish*mydb*12514TNS-12514:TNS:listenerdoesnotcurrentlyknowofservicerequestedinconnectdescriptor...ListenerLogCommand:ExamplesTNSLSNRforLinux:Version.0......Systemparameterfileis......Startedwithpid=2280Listeningon:......23-APR-200511:52:02*...*status*0...23-APR-200512:35:48*...*reload*0...Nolongerlisteningon:...