Oracle™ Listener Security
The Oracle listener is extremely vulnerable to attack unless it has been properly configured. A Nessus scan will reveal any Oracle listeners running on your servers, including the version and the port number (even if it isn't 1521). Once the server and port number are known, anyone with a local copy of the Oracle lsnrctl program can connect to it using the "set current_listener" command. The following example shows the information obtained from an lsnrctl session.
$ lsnrctl
LSNRCTL for Solaris: Version 10.1.0.5.0 - Production on 01-JUN-2006 11:26:18
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Solaris: Version 10.1.0.5.0 - Production
Start Date 26-MAY-2006 14:21:15
Uptime 5 days 21 hr. 5 min. 8 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/oracle/product/infrastructure/network/admin/listener.ora
Listener Log File /opt/oracle/product/infrastructure/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "localhost" has 1 instance(s).
Instance "localdb", status READY, has 3 handler(s) for this service...
The command completed successfully
LSNRCTL> set current_listener 192.168.1.101
Current Listener is 192.168.1.101
LSNRCTL> version
Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=hostname))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.101)(PORT=1521)))
(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=14B88C7949AD-03F5-E044-0003BA02B186)
(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hostname)(PORT=1521)))))
The command completed successfully
LSNRCTL> services
Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=hostname))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.101)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> status
Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=hostname))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.101)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias listener
Version TNSLSNR for Solaris: Version 9.0.1.4.0 - Production
Start Date 10-MAR-2006 15:28:03
Uptime 82 days 18 hr. 59 min. 34 sec
Trace Level off
Security ON
SNMP OFF
Listener Parameter File /opt/oracle/product/ias902/network/admin/listener.ora
Listener Log File /opt/oracle/product/ias902/network/log/listener.log
(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=14B88C7949AD-03F5-E044-0003BA02B186)
(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))))
The command completed successfully
In the example, the local host did not have a password set, so the intruder was able to obtain the instance names of the databases running on the server and to learn that extproc is enabled, which makes the server vulnerable to operating system commands embedded in stored procedures. The remote host had a password in place, so the attacker was not able to discover instance names, but was still able to obtain some information (listener version, parameter and log file paths, and the endpoint description).
The configuration settings for the listener are stored in $TNS_ADMIN/listener.ora. The default location of this file is $ORACLE_HOME/network/admin/listener.ora. If you used the installer or database creation assistant to build your database, you may have created a listener.ora file, or you may choose to customize the file located in $ORACLE_HOME/network/admin/samples/listener.ora. The listener.ora file should be carefully edited to implement all of the recommended security features.
- The single most important step in protecting the listener is to password protect it. This is done by connecting to lsnrctl:
LSNRCTL> change_password
Old password: (enter a carriage return)
New password: (enter new password)
Re-enter new password: (enter new password)
LSNRCTL> set password
Password: (enter password)
The command completed successfully
LSNRCTL> save_config
The command completed successfully
Using the change_password command in combination with set password and save_config encrypts the password and saves the encrypted value in listener.ora.
Password protection helps, but a remote user could attempt a brute-force attack using a password dictionary. Be sure to monitor the listener log for messages about failed attempts, which look like this:
01-JUN-2006 00:34:09 * services * 1169
TNS-01169: The listener has not recognized the password
- Further restrict remote administration by adding the following line to the listener.ora file:
ADMIN_RESTRICTIONS_LISTENER=ON
This only takes effect if the listener is called LISTENER. If the listener has been given a different name, replace LISTENER in the parameter name with the listener's actual name. Restricting administration limits the damage if someone guesses your listener password, because it prevents them from stopping the listener or changing the listener configuration remotely (changes must then be made by editing listener.ora on the server).
- Next, prevent the listener from reading or writing files on the database server by removing references to extproc from listener.ora. If the execution of operating system commands from a stored procedure is a requirement, create a special listener process that runs as an unprivileged user. If it runs as the oracle user, all files owned by the oracle user are at risk.
EXTPROC_LISTENER=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/u1/app/oracle/9.0)
      (PROGRAM=extproc)))
- Use SSL when administering the listener, by making the TCPS protocol the first entry in the address list as follows:
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcps)(HOST=ed-pdsun1.us.oracle.com)(PORT=8281))))
- Enable TCP valid node checking by editing protocol.ora (sqlnet.ora on older versions) to include the following, so that only the listed client addresses may connect to the listener:
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (comma-separated list of permitted IP addresses)
- If Oracle Advanced Security has been installed, enable network encryption to prevent packets from being compromised.
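As an added example (not part of this page and not Oracle's own tooling), the following Python script checks a listener.ora against the recommendations above and counts the TNS-01169 password rejections in a listener.log written in the "timestamp * command * code" form shown earlier. It assumes that save_config stores the password as a PASSWORDS_<listener> entry, uses constructed sample input, and does not cover valid node checking or Advanced Security, which live outside listener.ora.

```python
import re
from collections import Counter

# Constructed listener.ora (not from any real host): a listener named LISTENER
# with an extproc endpoint and none of the hardening entries recommended above.
LISTENER_ORA = """\
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=dbhost.example.com)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC))))
SID_LIST_LISTENER=(SID_LIST=(SID_DESC=(SID_NAME=PLSExtProc)(PROGRAM=extproc)))
"""
# Constructed listener.log excerpt in the "timestamp * command * code" form shown
# above: three rejected commands within one minute, then a clean status call.
LISTENER_LOG = """\
01-JUN-2006 00:34:09 * services * 1169
TNS-01169: The listener has not recognized the password
01-JUN-2006 00:34:10 * status * 1169
TNS-01169: The listener has not recognized the password
01-JUN-2006 00:34:41 * stop * 1169
TNS-01169: The listener has not recognized the password
01-JUN-2006 00:35:02 * status * 0
"""
TOP_LEVEL_KEY = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=", re.M)
META_PREFIXES = ("SID_LIST_", "PASSWORDS_", "ADMIN_RESTRICTIONS_")  # not listener names

def audit_listener_ora(text):
    """Return one finding per hardening step from the list above that is missing."""
    findings, keys = [], list(TOP_LEVEL_KEY.finditer(text))
    for i, m in enumerate(keys):
        name = m.group(1)
        if name.startswith(META_PREFIXES):
            continue
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        block = text[m.start():end]  # this listener's own definition
        if not re.search(rf"^PASSWORDS_{name}\s*=", text, re.M):
            findings.append(f"{name}: no password set (change_password / set password / save_config)")
        if not re.search(rf"^ADMIN_RESTRICTIONS_{name}\s*=\s*ON\b", text, re.M | re.I):
            findings.append(f"{name}: ADMIN_RESTRICTIONS_{name}=ON is missing")
        proto = re.search(r"\(PROTOCOL\s*=\s*(\w+)\)", block, re.I)  # first endpoint listed
        if proto and proto.group(1).lower() != "tcps":
            findings.append(f"{name}: first endpoint is {proto.group(1)}, not tcps")
    if re.search(r"extproc", text, re.I):
        findings.append("extproc is referenced: remove it or move it to an unprivileged listener")
    return findings

REJECTED = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}):\d{2} \* \w+ \* 1169$")

def rejected_passwords_per_minute(log):
    """Count TNS-01169 (password not recognized) events per minute; a burst suggests guessing."""
    return Counter(m.group(1) for line in log.splitlines() if (m := REJECTED.match(line)))
```

Run it against the real files with `audit_listener_ora(open(path).read())`; a minute with many rejections is the pattern to alert on.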
Links to more information about listener security
Oracle Database Listener Security Guide - Integrigy