Oracle: using sqlnet.ora or a trigger to restrict/allow a given IP or IP range access to a specified user


Learned from: http://blog.itpub.net/28602568/viewspace-2092858/

Notes:
 Anyone who has worked with MySQL knows that it can restrict a user's access by IP or IP range. In Oracle, by default, any host that knows the account and password can log on as that DB user.
  So how does Oracle restrict or allow access by IP, at the database level and for a single user?
  1. Whole database level: edit $ORACLE_HOME/network/admin/sqlnet.ora to restrict/allow IPs;  --> cannot target an IP range.
  2. Single user: use a trigger to restrict/allow a given IP or IP range;                 --> in testing this did not work at the whole-DB level (AFTER LOGON ON DATABASE): the logon only shows a warning.


1. sqlnet.ora
[oracle@10.240.1.7 admin]$ cat sqlnet.ora
tcp.validnode_checking = yes                       # must be set to yes, otherwise the lists below are not enforced
tcp.invited_nodes=(10.240.1.8,10.240.1.7)          # IPs allowed to connect
#tcp.excluded_nodes=(10.240.1.8,10.240.1.7)        # IPs denied
Notes:
9i introduced these parameters (--> releases before 9i edit protocol.ora instead):
TCP.EXCLUDED_NODES    : the list of IP addresses denied access to the database.
TCP.INVITED_NODES     : the list of IP addresses allowed to access the database; when an address appears in both this list and TCP.EXCLUDED_NODES, TCP.INVITED_NODES takes precedence.
TCP.VALIDNODE_CHECKING: enables checking of the two lists above.

Quick demonstration:
[oracle@10.240.1.8 ~]$ sqlplus lottery/lottery@10.240.1.7/test 
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:15 2016 
Copyright (c) 1982, 2013, Oracle.  All rights reserved. 
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 
[oracle@10.240.1.9 ~]$  sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:40 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-12547: TNS:lost contact
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[oracle@10.240.1.9 ~]$ 

2. Trigger
--> Trigger that blocks the 10.240.1.% subnet from logging on as the LOTTERY user
CREATE OR REPLACE TRIGGER DISABLELOGIN
    AFTER LOGON ON LOTTERY.SCHEMA   -- the form is USERNAME.SCHEMA; with plain DATABASE the RAISE_APPLICATION_ERROR part has no effect
BEGIN
   IF ORA_CLIENT_IP_ADDRESS LIKE '10.240.1.%' THEN
      RAISE_APPLICATION_ERROR(-20001, 'USER '||ORA_LOGIN_USER||' IS NOT ALLOWED TO CONNECT FROM '||ORA_CLIENT_IP_ADDRESS);
   END IF;
END;
/
-- SYS.SCHEMA cannot be used as the target: ORA-30510: system triggers cannot be defined on the schema of SYS user
-- To block specific IPs instead of a subnet: ORA_CLIENT_IP_ADDRESS IN ('10.240.1.7','10.240.1.8')

Quick demonstration:
[oracle@10.240.1.7 ~]$ sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.7
ORA-06512: at line 3
[oracle@10.240.1.7 admin]$

[oracle@10.240.1.8 ~]$ sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.8
ORA-06512: at line 3
[oracle@10.240.1.8 ~]$

[oracle@10.240.2.8 ~]$  sqlplus lottery/lottery@10.240.1.7/test 
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:23:33 2016 
Copyright (c) 1982, 2013, Oracle.  All rights reserved. 
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 
SQL> SELECT * FROM DBA_TRIGGERS WHERE trigger_name='DISABLELOGIN' ;
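An allow-list variant of the trigger above, added here as an example and not part of the original post: only the listed subnet and hosts may log on as LOTTERY, local sessions (where ORA_CLIENT_IP_ADDRESS is NULL) are decided explicitly, and every denied attempt is recorded. The subnet 10.240.1.0/24, the host 10.240.2.8, the table and procedure names are assumptions; run it as a DBA user other than SYS.

```sql
-- Audit table for denied logons (assumed name, created in the DBA's schema).
CREATE TABLE lottery_logon_denied (
  denied_at   TIMESTAMP     DEFAULT SYSTIMESTAMP,
  login_user  VARCHAR2(128),
  client_ip   VARCHAR2(45),
  client_host VARCHAR2(256)
);

-- Autonomous transaction so the audit row stays committed even though the
-- trigger then raises an error that aborts the logon.
CREATE OR REPLACE PROCEDURE log_denied_logon(p_user VARCHAR2, p_ip VARCHAR2, p_host VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO lottery_logon_denied (login_user, client_ip, client_host)
  VALUES (p_user, p_ip, p_host);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER lottery_allowlist
  AFTER LOGON ON LOTTERY.SCHEMA
DECLARE
  v_ip    VARCHAR2(45) := ORA_CLIENT_IP_ADDRESS;
  v_allow BOOLEAN      := FALSE;
BEGIN
  -- Local bequeath/IPC sessions carry no client IP (NULL). In the block-list
  -- trigger above, NULL LIKE '...' evaluates to NULL, so such sessions are
  -- never blocked; here the NULL case is decided on purpose (assumption: local is trusted).
  IF v_ip IS NULL THEN
    v_allow := TRUE;
  -- Anchored regex for exactly four octets, so '10.240.10.5' cannot slip through.
  ELSIF REGEXP_LIKE(v_ip, '^10\.240\.1\.[0-9]{1,3}$') THEN
    v_allow := TRUE;
  ELSIF v_ip IN ('10.240.2.8') THEN           -- individual hosts outside the subnet
    v_allow := TRUE;
  END IF;

  IF NOT v_allow THEN
    log_denied_logon(ORA_LOGIN_USER, v_ip, SYS_CONTEXT('USERENV', 'HOST'));
    -- Accounts holding ADMINISTER DATABASE TRIGGER still log on when a LOGON
    -- trigger raises, so this does not replace sqlnet.ora for such accounts.
    RAISE_APPLICATION_ERROR(-20002,
      'USER ' || ORA_LOGIN_USER || ' IS NOT ALLOWED TO CONNECT FROM ' || v_ip);
  END IF;
END;
/

-- Review denied attempts (run as the same DBA user that owns the table).
SELECT denied_at, login_user, client_ip, client_host
  FROM lottery_logon_denied
 ORDER BY denied_at DESC;
```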

 

