Oracle Listener Poisoning: the COST Fix

Posted by ZQqzz on 2021-02-03

Description

Oracle Database Server contains an implementation flaw that allows an attacker to poison the data handled by the remote "TNS Listener" component. By exploiting it, an attacker can redirect data from the database server's legitimate "TNS Listener" component to a system under the attacker's control, gaining control over the database instance served by that remote component and enabling attacker-in-the-middle attacks between the component and the legitimate database, session hijacking, or denial of service. This post blocks the listener poisoning vulnerability by restricting listener registration with COST (Class of Secure Transport).

Note: this document applies to single-instance or RAC databases from version 10.2.0.3 to 11.2.0.3.

For 11204 (11.2.0.4) databases, refer to Doc ID 1600630.1; see the section at the bottom of this document.

Preparation

Critical patch check

Confirm that patch 12880299 is present.

Create the wallet

On node 1, as the oracle user:

mkdir /oracle/grid/crs_1/network/admin/cost

$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

The password is set to uni09net.

orapki wallet remove -trusted_cert_all -wallet /oracle/grid/crs_1/network/admin/cost

(This step can be skipped; its purpose is to delete everything already in the cost wallet.)

Add node 1 to the wallet:

orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650

$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
PKI-02003: Unable to load the wallet at: /oracle/grid/crs_1/network/admin/cost
[oracle@apple1 ~]$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

(The first attempt failed to open the wallet with PKI-02003; the same command was rerun and succeeded.)

Display the contents of the cost wallet:

orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary

$ orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Requested Certificates:
User Certificates:
Subject:        CN=secure_register
Trusted Certificates:
Subject:        CN=secure_register

Copy the wallet file to node 2 under the oracle user (create the directory there in advance):

scp /oracle/grid/crs_1/network/admin/cost/ewallet.p12 apple2:/oracle/grid/crs_1/network/admin/cost

As the oracle user, create the sso file on both nodes:

orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login

$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Change the permissions

chmod 640 cwallet.sso

-rw-r-----. 1 oracle oinstall 2485 Aug  2 09:09 cwallet.sso
-rw-------. 1 oracle oinstall 2408 Aug  2 09:07 ewallet.p12

Edit listener.ora and add the following content.

Note: do this on all nodes, in the listener.ora under GI_HOME.

WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)

#### one line per SCAN listener; with several SCAN listeners keep adding lines as below
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

(Leave the SECURE_REGISTER lines commented out for now; they are uncommented in a later step, once the TCPS endpoint and the wallet are in place.)

Configure the scan_listener

$ srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521

srvctl modify scan_listener -p TCP:1521/TCPS:1523   (as the grid user)

srvctl stop scan_listener
srvctl start scan_listener

srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523

Edit the sqlnet.ora file

As the oracle user on both nodes:

vi $ORACLE_HOME/network/admin/sqlnet.ora  ## create the file if it does not exist

Add the following:

WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )

After adding this, restart the databases on both nodes.

Modify the remote_listener parameter

Original:

SQL> show parameter remote_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      apple-scan:1521

After modification:

alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.240.195)(PORT=1523)))' scope=both sid='*';

SQL> show parameter remote

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_dependencies_mode             string      TIMESTAMP
remote_listener                      string      (ADDRESS_LIST=(ADDRESS=(PROTOC
                                                 OL=TCPS)(HOST=192.168.240.195)
                                                 (PORT=1523)))

Now uncomment the SECURE_REGISTER line (remove the leading #) in listener.ora under grid on both nodes, so that it reads as follows, then restart the SCAN listener:

SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)

[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener

Test results

Test 1: set the remote_listener parameter of another RAC database to the following (192.168.240.195 is the SCAN IP):

alter system set remote_listener ='192.168.240.195:1521';

The listener log then shows the following, which confirms that the other RAC database was prevented from registering with the listener:

Tue Jul 31 13:12:45 2018
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:13:45 2018
31-JUL-2018 13:13:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39 2018
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
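A defender will want to confirm from listener.log that COST is actually refusing plaintext registrations, rather than reading the log by eye. The following Python parser is an added example, not part of the original post; it runs over a constructed excerpt modelled on the lines above (the final return-code-0 line is constructed to show an accepted registration for contrast) and counts accepted registrations against TNS-01194 rejections.

```python
import re

# Constructed listener.log excerpt modelled on the lines in this post; the last line
# is a constructed successful registration (return code 0) for contrast.
SAMPLE_LISTENER_LOG = """\
Tue Jul 31 13:12:45 2018
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39 2018
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:15:02 * service_register_NSGR * 0
"""

# "<dd-MON-yyyy hh:mm:ss> * service_register[_NSGR] * <return code>"
_REG_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (service_register\w*) \* (\d+)\s*$")
# "TNS-nnnnn: message" line that the listener writes after a failed command
_ERR_RE = re.compile(r"^(TNS-\d{5}): (.*\S)\s*$")


def parse_registrations(log_text):
    """Collect every service registration attempt with its return code; a TNS-
    error line directly after a failed attempt is attached to it as the reason."""
    events = []
    for line in log_text.splitlines():
        m = _REG_RE.match(line)
        if m:
            events.append({"time": m.group(1), "op": m.group(2),
                           "rc": int(m.group(3)), "error": None})
            continue
        e = _ERR_RE.match(line)
        if e and events and events[-1]["rc"] != 0 and events[-1]["error"] is None:
            events[-1]["error"] = f"{e.group(1)}: {e.group(2)}"
    return events


def summarize(events):
    """Count accepted (rc 0) and rejected attempts; with COST enforced, a
    registration arriving over plain TCP is refused with 1194 (TNS-01194)."""
    summary = {"accepted": 0, "rejected": 0, "insecure_transport": 0}
    for ev in events:
        if ev["rc"] == 0:
            summary["accepted"] += 1
        else:
            summary["rejected"] += 1
            if ev["rc"] == 1194:
                summary["insecure_transport"] += 1
    return summary
```

A non-zero "rejected" count with "insecure_transport" equal to zero would point at a different failure than COST, so both numbers are worth alerting on separately.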

 

Test 2:

C:\Users\think>sqlplus system/oracle@192.168.240.195:1521/prod

SQL*Plus: Release 11.2.0.4.0 Production on 星期二 7月 31 13:32:14 2018

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

連線到:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL> exit

Listener configuration

Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.

Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., if your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)

LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )

SECURE_REGISTER_LISTENER_PROD = (TCP)   ## this is the single-instance form

The database must be using the TCP protocol to register with the listener. Check the value of the startup parameter local_listener to confirm.

Important for grid installations: The grid agent uses the IPC protocol to contact and manage the listener so both IPC and TCP must be enabled in this step.

For a grid environment use the following value:   ### this is the RAC listener form

SECURE_REGISTER_LISTENER_PROD = (IPC,TCP)
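Because the SECURE_REGISTER lines are first added commented out and only enabled in a later step, and because the grid form must include IPC, a mistyped or still-commented line silently leaves registration unrestricted. The following Python check is an added example, not code from this post or from Oracle; it parses a constructed listener.ora fragment and reports every listener whose COST restriction is missing, commented out, or different from the expected transport set (IPC,TCPS for the SCAN listeners above, TCP for single instance, IPC,TCP for a grid listener without a wallet).

```python
import re

# Constructed listener.ora fragment modelled on the RAC configuration in this post:
# SCAN2 is still commented out and SCAN3 lacks IPC, so both should be reported.
SAMPLE_LISTENER_ORA = """\
WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (TCPS)
"""

# An optionally commented-out "SECURE_REGISTER_<listener> = (proto, ...)" line.
_SECURE_RE = re.compile(r"^\s*(#?)\s*SECURE_REGISTER_(\w+)\s*=\s*\(([^)]*)\)", re.M)


def parse_secure_register(text):
    """Return {LISTENER_NAME: (is_commented_out, {protocols})} for each COST line."""
    found = {}
    for m in _SECURE_RE.finditer(text):
        protocols = {p.strip().upper() for p in m.group(3).split(",") if p.strip()}
        found[m.group(2).upper()] = (m.group(1) == "#", protocols)
    return found


def check_cost_config(text, expected):
    """expected maps listener name -> transports allowed to register, e.g. {"IPC", "TCPS"}
    for a SCAN listener under grid or {"TCP"} for single instance. Returns findings."""
    findings = []
    # A TCPS restriction only works if the listener can open the COST wallet.
    needs_wallet = any("TCPS" in want for want in expected.values())
    if needs_wallet and not re.search(r"^\s*WALLET_LOCATION\s*=", text, re.M):
        findings.append("WALLET_LOCATION missing: TCPS registration needs the COST wallet")
    entries = parse_secure_register(text)
    for name, want in expected.items():
        entry = entries.get(name.upper())
        if entry is None:
            findings.append(f"{name}: no SECURE_REGISTER_{name} line, registration is unrestricted")
            continue
        commented, have = entry
        if commented:
            findings.append(f"{name}: SECURE_REGISTER_{name} is still commented out")
        if have != set(want):
            findings.append(f"{name}: allows {sorted(have)}, expected {sorted(want)}")
    return findings
```

Run it against the real file on every node after the uncomment step; an empty result list is the expected outcome.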

 

 

Rollback (to undo the changes above):

1 alter system set remote_listener='apple-scan:1521' sid='*';
2 rm -rf /oracle/grid/crs_1/network/admin/cost   (both nodes)
3 comment out the lines added to /oracle/grid/crs_1/network/admin/listener.ora   (both nodes)
4 comment out the lines added to $ORACLE_HOME/network/admin/sqlnet.ora   (both nodes, then restart the databases)
5 as the grid user, reconfigure the scan_listener:

srvctl modify scan_listener -p TCP:1521
srvctl stop scan_listener
srvctl start scan_listener

Regarding the fix for listener poisoning on 11204 (11.2.0.4):

VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
     OFF/0 - Disable VNCR
     ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
     SUBNET/2 - All machines in the subnet are allowed registration.

The default is ON in 12c and OFF in 11204.

Add the parameter to listener.ora and restart the listener:

VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON


From "ITPUB Blog", link: http://blog.itpub.net/69993859/viewspace-2755785/. Please cite the source when reprinting; otherwise legal liability will be pursued.
