oracle listener (and other tcp port) security

DECORSE Olivier
Occasional Advisor

oracle listener (and other tcp port) security

Hi all.

I'm trying to secure an HP-UX 10.20 machine, to deny access to different applications. I've read that FTP, telnet (and co.) are easy to secure, because they're run with inetd (configure /var/adm/inetd.sec), but I also want to secure other TCP ports, like the Oracle listener port (1526), the SNMP port, and particular application ports.
So my questions are:
1) Can the Oracle listener also be easily configured, with a simple file that lists the hosts that are allowed/denied? I don't want to install and configure Kerberos, SSL or other software.
2) Is there a generic way (tools?) to secure ports that are not managed with inetd?

Thanks a lot for all responses!!
Bill McNAMARA_1
Honored Contributor

Re: oracle listener (and other tcp port) security

They must be defined in /etc/services too.

Bill
It works for me (tm)
Alexander M. Ermes
Honored Contributor

Re: oracle listener (and other tcp port) security

Hi there.
Listener port must be defined in /etc/services on a unix system.
Here is a sample / extract from a listener.ora:
Start of sample

--------------------------------------------
#
# Installation Generated Net8 Configuration
# Version Date: Jun-17-97
# Filename: Listener.ora
#
LSN_P022 =
  (ADDRESS_LIST =
    (ADDRESS= (PROTOCOL= IPC)(KEY= P022))
    (ADDRESS= (PROTOCOL= IPC)(KEY= P022.domain))
    (ADDRESS= (PROTOCOL= TCP)(Host= xxx.xxx.xxx.xxx)(Port= xxxx))
  )
SID_LIST_LSN_P022 =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME= P022.domain)
      (ORACLE_HOME= /u001/app/oracle/product/8.0.5)
      (SID_NAME = P022)
    )
  )
STARTUP_WAIT_TIME_LSN_P022 = 0
CONNECT_TIMEOUT_LSN_P022= 10
TRACE_LEVEL_LSN_P022 = OFF
----------------------------------------
end of sample
This file can be created with the network assistant.
Rgds
Alexander M. Ermes

.. and all these memories are going to vanish like tears in the rain! final words from Rutger Hauer in "Blade Runner"
DECORSE Olivier
Occasional Advisor

Re: oracle listener (and other tcp port) security

Do you mean that other application ports just have to be inserted in /etc/services, so that they can be managed with inetd, and so secured with inetd.sec!!!???

I've just tried adding them to /etc/services and it's not working any better.

I should point out that these applications (Oracle listener and co.) have their own daemon, and are not launched by inetd!!!

Any other solution?
DECORSE Olivier
Occasional Advisor

Re: oracle listener (and other tcp port) security

Thank you for your response, Bill & Alexander, but I think I didn't really understand everything, so I have more questions:
1) The /etc/services must contain something like this!?
oracle 1526/tcp # Oracle listener connect.

2) In your listener.ora, Alexander, what tells Oracle that the listener must be secured? I think that the IP address (x.x.x.x) is the address of your local host? Or maybe the Oracle connections are made with inetd, which is not what I want: on my machine, the listener is an independent daemon!!

Thanks in advance for your response!!
Olivier.
Christopher Caldwell
Honored Contributor

Re: oracle listener (and other tcp port) security

TNS listener doesn't use inetd so it isn't affected by inetd.conf or inetd.sec.

You'd hope that SQLNet would have this built in, but I haven't seen it. (Frankly, I was surprised there was even a security section in the Oracle Networking book ;-) ).

Use something like IPFilter/9000
https://software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B9901AA&date=

to provide the IP/host based network security.

There are some other packages out there that might work as well - you might want to check out ipchains.

DECORSE Olivier
Occasional Advisor

Re: oracle listener (and other tcp port) security

Thank you, Christopher. ipfilter or tcpwrapper seem to solve my problem, except that they only run on HP-UX 11.00 and 11.11!!!
Any other solution, or am I wrong about this information!!??

Thanks a lot!
Christopher Caldwell
Honored Contributor
Solution

Re: oracle listener (and other tcp port) security

Try

http://coombs.anu.edu.au/~avalon/ip-filter.html

http://freshmeat.net/projects/ipchains/

for ip based filters you can compile yourself (you'll probably want to know a bit about compiling and porting).


Try

ftp://ftp.porcupine.org/pub/security/index.html

for tcp_wrappers.
harry d brown jr
Honored Contributor

Re: oracle listener (and other tcp port) security

Olivier,

Is this server on the internet or on some untrusted network? If so, may I suggest you simply put a router in front of it and manage the ports that way.


live free or die
harry
Live Free or Die
Craig Rants
Honored Contributor

Re: oracle listener (and other tcp port) security

I agree with Christopher that the best way to protect the listener is with packet filtering. I would recommend that you use it anyway. It is a good troubleshooting tool even if you don't specify any denials. The line to protect the listener would look like:

pass in quick proto tcp from 10.15.2.0/16 to 10.15.1.2/32 port = 1526 keep state group 200

In this example you would allow listener access from 10.15.2 subnet to your oracle box ip 10.15.1.2.

It takes a while to learn packet filtering, but if I had one security tool to use, this would be it.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
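To see how the rule above behaves before putting it on a box, here is an added example (not from the thread or from the IPFilter project) that evaluates a tiny subset of ipf rule syntax with IPFilter's ordering semantics: the last matching rule wins, a matching `quick` rule ends evaluation, and a packet that matches no rule is passed, which is why the ruleset below adds an explicit `block in all` ahead of the listener rule. The `RULESET`, the hosts and the port are constructed from the values in the post; `keep state`, `group` and `log` are accepted but not modelled. One thing the evaluator makes visible: `10.15.2.0/16` is the network `10.15.0.0/16`, so the rule as written admits every host in 10.15.x.x, not only the 10.15.2.x subnet; use `/24` if that is the intent.

```python
"""Evaluate IPFilter-style 'pass'/'block' rules against sample TCP connections.

Added example, not code from the forum thread or from IPFilter. Supports only:
  pass|block in|out [quick] [log] [proto P] [from NET|any] [to NET|any] [port = N]
plus the bare 'all' keyword. 'keep state' and 'group N' are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    quick: bool                    # stop evaluating on match
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port, None = any

    def matches(self, direction, proto, src_ip, dst_ip, dport):
        return (self.direction == direction
                and self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))


def _net(token):
    # strict=False mirrors ipf: host bits under the mask are simply dropped,
    # so "10.15.2.0/16" becomes 10.15.0.0/16.
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    t = line.split()
    action, direction = t[0], t[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    proto = t[t.index("proto") + 1] if "proto" in t else "any"
    src = _net(t[t.index("from") + 1]) if "from" in t else ANY
    dst = _net(t[t.index("to") + 1]) if "to" in t else ANY
    dport = None
    if "port" in t:
        i = t.index("port")
        if t[i + 1] != "=":
            raise ValueError("only 'port = N' is supported")
        dport = int(t[i + 2])
    return Rule(action, direction, "quick" in t, proto, src, dst, dport)


def decide(rules, direction, proto, src_ip, dst_ip, dport):
    """IPFilter ordering: last match wins unless a 'quick' rule matches first;
    no match at all means the packet is passed."""
    decision = "pass"
    for r in rules:
        if r.matches(direction, proto, src_ip, dst_ip, dport):
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed ruleset: default deny, then the listener rule from the post.
RULESET = [parse_rule(l) for l in """
block in all
pass in quick proto tcp from 10.15.2.0/16 to 10.15.1.2/32 port = 1526 keep state group 200
""".strip().splitlines()]


def listener_decision(src_ip, dport=1526, dst_ip="10.15.1.2"):
    """Decision for an inbound TCP connection to the Oracle box."""
    return decide(RULESET, "in", "tcp", src_ip, dst_ip, dport)


if __name__ == "__main__":
    for src, port in [("10.15.2.7", 1526), ("10.15.200.7", 1526),
                      ("192.168.1.9", 1526), ("10.15.2.7", 22)]:
        print(f"{src:>14} -> 10.15.1.2:{port}  {listener_decision(src, port)}")
```

The second line of the demo output is the caveat: a host in 10.15.200.0/24 is passed by the `/16` rule exactly as a host in 10.15.2.0/24 is.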
Wodisch
Honored Contributor

Re: oracle listener (and other tcp port) security

Hello,

there is an Oracle product for encryption of the communication between Net8-Listener and the Net8-Client!

And Oracle does NOT need any entries in "/etc/services" (since most DBAs use port-numbers, not service-names).

HTH,
Wodisch
Steven Sim Kok Leong
Honored Contributor

Re: oracle listener (and other tcp port) security

Hi,

One area you should not overlook is host-based security for the oracle listener.

lsnrctl and tnslsnr are used to launch the Oracle listener. However, the default permissions for both executables are -rwxr-x--x which implies executable by everyone.

Even with the executable bit set, a normal user cannot start up the listener. However, any user can shut down the listener easily by executing:

# $ORACLE_HOME/bin/lsnrctl stop

You will need to restrict executable permissions to these executables in order to prevent this from happening.

Hope this helps. Regards.

Steven Sim Kok Leong
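The check and the fix described in the reply above, as an added example that is not the poster's own script: it audits a directory for regular files that "other" may execute and clears the world bits, leaving owner and group permissions untouched (751 becomes 750). The sample tree of `lsnrctl`, `tnslsnr` and `sqlplus` with the stated default modes is constructed in a temporary directory; on a real system you would point `audit_dir()` at `$ORACLE_HOME/bin` and make sure the group on those files is the DBA group so that the DBA can still run them.

```python
"""Find and harden world-executable files in a directory.

Added example, not from the forum post. The Oracle binaries and their modes
below are constructed sample data matching the -rwxr-x--x (751) default
mentioned in the thread.
"""
import os
import stat
import tempfile


def world_executable(mode):
    """True if the 'other' execute bit is set."""
    return bool(mode & stat.S_IXOTH)


def hardened_mode(mode):
    """Drop all 'other' bits; owner and group keep what they had (751 -> 750)."""
    return mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)


def audit_dir(path):
    """Return {filename: permission bits} for regular files 'other' can execute."""
    findings = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode) and world_executable(st.st_mode):
            findings[name] = stat.S_IMODE(st.st_mode)
    return findings


def harden_dir(path, names):
    """chmod each named file to its hardened mode; return {name: (old, new)}."""
    changed = {}
    for name in names:
        full = os.path.join(path, name)
        old = stat.S_IMODE(os.lstat(full).st_mode)
        new = hardened_mode(old)
        os.chmod(full, new)
        changed[name] = (old, new)
    return changed


def demo():
    """Build a constructed $ORACLE_HOME/bin stand-in, audit, harden, re-audit."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in [("lsnrctl", 0o751), ("tnslsnr", 0o751), ("sqlplus", 0o750)]:
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")   # placeholder content, constructed
            os.chmod(p, mode)
        before = audit_dir(d)
        harden_dir(d, before)
        after = audit_dir(d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, mode in before.items():
        print(f"{name}: {oct(mode)} is world-executable -> {oct(hardened_mode(mode))}")
    print("remaining findings after hardening:", after)
```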