Setting an Oracle Listener Password


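The Oracle listener is the entry point through which external applications connect to Oracle, and it is managed with the lsnrctl utility that Oracle provides. By default, the tnslsnr process listening on port 1521 has no password protection. This may be a security risk: the listener could be administered remotely, which can lead to the database being compromised.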

Changing the listener password
If no password was set before, it is empty by default
[oracle@test152 ~]$ lsnrctl

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 03-Jun-2020 10:54:45

Copyright (c) 1991, 2013, Oracle. All rights reserved.

Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:

start stop status
services version reload
save_config trace spawn
change_password quit exit
set* show*

LSNRCTL> change_password
#No password was set before, so just press Enter
Old password:
#Enter the new password
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
#Saving at this point fails
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password
#You need to authenticate again first
LSNRCTL> set password
Password:
The command completed successfully
#Only now does the save succeed; save_config has to be run twice
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Old Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
The command completed successfully

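Note 1: In Oracle 11g, even when the listener is password-protected, lsnrctl status listener_name can still be run on the server itself unless the following is added to listener.ora: LOCAL_OS_AUTHENTICATION_LISTENER = OFF. The default is ON.

Note 2: Setting the ADMIN_RESTRICTIONS parameter in listener.ora (usually not added)
What the parameter does:
Once the ADMIN_RESTRICTIONS parameter is set in listener.ora, no administrative commands may be executed while the listener is running, and the set command becomes unavailable, whether locally on the server or remotely. Listener settings can then be changed only by manually editing listener.ora, and for a change to take effect the listener configuration must be loaded again with lsnrctl reload or lsnrctl stop/start.
How to set it:
Manually add a line like the following to listener.ora: ADMIN_RESTRICTIONS_<listener name> = ON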

Setting the listener password
LSNRCTL> set password
Password:
The command completed successfully
After setting it, you must save the configuration for it to take effect. This is important.
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Saved LISTENER configuration parameters.

A new line is appended to the end of the listener file
[oracle@test152 ]$ cat listener.ora
...
#Added earlier
LOCAL_OS_AUTHENTICATION_LISTENER = OFF

#----ADDED BY TNSLSNR 04-3月 -2020 16:23:16---
PASSWORDS_LISTENER = C7AD988BC0D7DB0A
#----------------------------------------------
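
An added example, not part of the original page: a shell function that checks a listener.ora for the three settings discussed above (PASSWORDS_<name>, LOCAL_OS_AUTHENTICATION_<name>, ADMIN_RESTRICTIONS_<name>). The function name audit_listener_ora, the sample files and the placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a listener.ora for the
# settings discussed above. Returns 0 only if the listener has a password
# and local OS authentication is OFF.
audit_listener_ora() {
    file=$1; name=${2:-LISTENER}; rc=0
    # Print the value of the last uncommented "KEY = value" line; names are
    # compared case-insensitively.
    get_param() {
        awk -F= -v key="$1" '
            /^[ \t]*#/ { next }
            { k = $1; gsub(/[ \t\r]/, "", k)
              if (toupper(k) == toupper(key)) {
                  v = $2; gsub(/[ \t\r]/, "", v); val = toupper(v) } }
            END { print val }' "$file"
    }
    pw=$(get_param "PASSWORDS_$name")
    osauth=$(get_param "LOCAL_OS_AUTHENTICATION_$name")
    admin=$(get_param "ADMIN_RESTRICTIONS_$name")
    if [ -n "$pw" ]; then echo "OK   PASSWORDS_$name is set"
    else echo "WARN PASSWORDS_$name not set: listener has no password"; rc=1; fi
    if [ "$osauth" = "OFF" ]; then echo "OK   LOCAL_OS_AUTHENTICATION_$name = OFF"
    else echo "WARN LOCAL_OS_AUTHENTICATION_$name not OFF: local lsnrctl skips the password"; rc=1; fi
    # The page treats ADMIN_RESTRICTIONS as optional: report it, do not fail.
    if [ "$admin" = "ON" ]; then echo "OK   ADMIN_RESTRICTIONS_$name = ON"
    else echo "INFO ADMIN_RESTRICTIONS_$name not ON: runtime set commands allowed"; fi
    return $rc
}

# Constructed sample files; the hash is a placeholder, not a real value.
sample_dir=$(mktemp -d)
cat > "$sample_dir/hardened.ora" <<'EOF'
LISTENER = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example)(PORT=1521)))
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
PASSWORDS_LISTENER = 0000000000000000
EOF
cat > "$sample_dir/rolled_back.ora" <<'EOF'
LISTENER = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example)(PORT=1521)))
#PASSWORDS_LISTENER = 0000000000000000
EOF
audit_listener_ora "$sample_dir/hardened.ora" || true
audit_listener_ora "$sample_dir/rolled_back.ora" || true
```

The second sample has its password line commented out, so the function reports the listener as unprotected.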

Querying the listener status
Without entering the password, you cannot query, stop or start the listener
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password

#Enter the password set above
LSNRCTL> set password
#Enter the password
Password:
The command completed successfully
#Now the listener status can be queried normally, and the listener can be stopped and started
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 03-Jun-2020 15:37:09
Uptime 439 days 3 hr. 18 min. 4 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File /u01/app/oracle/product/11.2.0/db_home1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/test152 /listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
Services Summary...
Service "testdb" has 1 instance(s).
Instance "testdb", status READY, has 1 handler(s) for this service...
Service "testdb1" has 1 instance(s).
.
.
.
Instance "testdbdg1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>


How to roll back?

A. You remember the original listener password
[oracle@test152 ~]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 03-Jun-2020 10:54:45
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.

LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Password changed for LISTENER
The command completed successfully

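B. You do not remember the original password
1. Run ps -ef|grep lsnr to find the sid of the current listener process
2. kill that process
3. Go to the $ORACLE_HOME/network/admin directory and open listener.ora. Near the bottom there is a line holding the encrypted password record; put a # in front of it to comment it out. Note: back up the file before modifying it.
4. Start the listener again; a password is no longer required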

