The Oracle listener is the entry point through which external applications connect to the database, and it is managed with the lsnrctl utility that ships with Oracle. By default tnslsnr listens on port 1521 with no password protection. That is a security risk: a listener that accepts administration commands without authentication can be reconfigured or stopped by whoever reaches it, which can end in a compromised database. (On 11g, local OS authentication is on by default and already refuses remote administration; what the password adds is control over who may administer the listener locally, see Note 1 below.)
Changing the listener password
If no password has been set before, the old password is empty.
[oracle@test152 ~]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 03-Jun-2020 10:54:45
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start stop status
services version reload
save_config trace spawn
change_password quit exit
set* show*
LSNRCTL> change_password
# No password was set before, so press Enter at the old-password prompt
Old password:
# Enter the new password, then repeat it
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
# Saving fails at this point: this lsnrctl session has not yet authenticated with the new password
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password
# Authenticate the session with the new password first
LSNRCTL> set password
Password:
The command completed successfully
# Now the save succeeds. save_config is not really run "twice": it only works once set password has authenticated the session
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.xx.xx)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Old Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.bak
The command completed successfully
Note 1: On Oracle 11g, even after a listener password is set, lsnrctl status listener_name run on the database server itself still works without the password, because local OS authentication is on by default and trusts the operating system user that started the listener. To make the password mandatory locally as well, add LOCAL_OS_AUTHENTICATION_LISTENER = OFF to listener.ora (the default is ON).
Note 2: The ADMIN_RESTRICTIONS parameter in listener.ora, which this guide does not set by default
What it does:
With ADMIN_RESTRICTIONS set, the running listener refuses runtime modification of its parameters: the set commands are rejected whether they are issued locally on the server or remotely. Listener settings can then only be changed by editing listener.ora by hand, and the edit takes effect only after lsnrctl reload or an lsnrctl stop followed by lsnrctl start.
How to set it:
Add the following line to listener.ora by hand: ADMIN_RESTRICTIONS_<listener name> = ON
Setting the listener password (set password does not create a password; it supplies the one chosen with change_password to the current lsnrctl session)
LSNRCTL> set password
Password:
The command completed successfully
After that you must save_config, otherwise the password is never written to listener.ora and is lost at the next listener start (important):
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Saved LISTENER configuration parameters.
listener.ora now ends with the following added lines:
[oracle@test152 ]$ cat listener.ora
...
# added by hand beforehand (see Note 1)
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
#----ADDED BY TNSLSNR 04-Mar-2020 16:23:16---
PASSWORDS_LISTENER = C7AD988BC0D7DB0A
#----------------------------------------------
Checking the listener status
Without the password the listener can neither be queried nor stopped or started:
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
TNS-01169: The listener has not recognized the password
# Supply the password set above
LSNRCTL> set password
# Enter the password
Password:
The command completed successfully
# The status can now be queried, and the listener can be stopped and started
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 03-Jun-2020 15:37:09
Uptime 439 days 3 hr. 18 min. 4 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File /u01/app/oracle/product/11.2.0/db_home1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/test152/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.xx.xx)(PORT=1521)))
Services Summary...
Service "testdb" has 1 instance(s).
Instance "testdb", status READY, has 1 handler(s) for this service...
Service "testdb1" has 1 instance(s).
...
Instance "testdbdg1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
How to roll back?
A. You remember the current listener password: use change_password, then set password with the new value and save_config exactly as in the first section, so that listener.ora is updated; otherwise the old PASSWORDS_ line is read again at the next listener start.
[oracle@test152 ~]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 03-Jun-2020 10:54:45
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
Password changed for LISTENER
The command completed successfully
B. You do not remember the password
1. ps -ef | grep lsnr to find the PID of the tnslsnr process (lsnrctl stop would itself ask for the password).
2. kill that PID. Established database sessions are served by their own server processes and survive this; only new connections fail until the listener is back.
3. Go to $ORACLE_HOME/network/admin, open listener.ora, and put a # in front of the PASSWORDS_<listener name> line that holds the password hash, so that it is commented out. Back the file up first.
4. Start the listener again with lsnrctl start; it no longer asks for a password.
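As an added example (not part of the original post, and not an Oracle tool), the following shell script covers two things from this page: an audit of listener.ora for the three parameters discussed under Note 1, Note 2 and the "Setting the listener password" section, and step 3 of rollback B (back the file up, then comment out the PASSWORDS_<name> line). It assumes a POSIX shell with awk, and it writes a constructed sample listener.ora into a temporary directory instead of touching $ORACLE_HOME/network/admin. The function names listener_param, audit_listener_ora, disable_listener_password, tnslsnr_pids and write_demo_listener_ora are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): audit a listener.ora for
# PASSWORDS_<name>, LOCAL_OS_AUTHENTICATION_<name> and ADMIN_RESTRICTIONS_<name>,
# and perform the "forgot the password" rollback edit (backup, then comment
# out PASSWORDS_<name>). The sample file below is constructed for the demo.

# Print the value of parameter NAME from FILE (case-insensitive key match,
# commented-out lines ignored). Prints nothing if the parameter is absent.
listener_param() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (toupper(key) == toupper(name)) {
                val = substr(line, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# Report the three parameters for listener NAME in FILE. Exit status 0 only
# when a password hash is stored; the other two lines are informational.
audit_listener_ora() {
    pw=$(listener_param "$1" "PASSWORDS_$2")
    osauth=$(listener_param "$1" "LOCAL_OS_AUTHENTICATION_$2")
    restrict=$(listener_param "$1" "ADMIN_RESTRICTIONS_$2")
    if [ -n "$pw" ]; then
        echo "PASSWORDS_$2: set (hash stored in listener.ora)"
    else
        echo "PASSWORDS_$2: NOT SET (listener administration is unauthenticated)"
    fi
    echo "LOCAL_OS_AUTHENTICATION_$2: ${osauth:-ON (default)}"
    echo "ADMIN_RESTRICTIONS_$2: ${restrict:-OFF (default)}"
    [ -n "$pw" ]
}

# Rollback step 3: save a timestamped backup, then comment out the active
# PASSWORDS_<name> line. Exit 0 if a line was commented out, 1 if there was
# no active password line (the file is left untouched in that case).
disable_listener_password() {
    [ -n "$(listener_param "$1" "PASSWORDS_$2")" ] || return 1
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak" || return 1
    tmp=$(mktemp) || return 1
    awk -v name="PASSWORDS_$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line
            sub(/[ \t]*=.*/, "", key)
            if (substr(line, 1, 1) != "#" && toupper(key) == toupper(name))
                print "#" $0                         # keep the hash, disabled
            else
                print
        }' "$1" > "$tmp" && cat "$tmp" > "$1"        # keep inode and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Rollback steps 1 and 2: PIDs of running tnslsnr processes. Nothing is
# killed here; the operator decides: kill "$(tnslsnr_pids)"
tnslsnr_pids() {
    ps -eo pid=,comm= | awk '$2 == "tnslsnr" { print $1 }'
}

# Constructed sample listener.ora in DIR, mirroring the file shown above
# (the hash is the one printed on this page, not a live credential).
write_demo_listener_ora() {
    cat > "$1/listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.xx.xx)(PORT = 1521))
    )
  )
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
#----ADDED BY TNSLSNR 04-Mar-2020 16:23:16---
PASSWORDS_LISTENER = C7AD988BC0D7DB0A
#----------------------------------------------
EOF
}

# Demo: audit, roll the password back, audit again.
demo_dir=$(mktemp -d)
write_demo_listener_ora "$demo_dir"
audit_listener_ora "$demo_dir/listener.ora" LISTENER || true
disable_listener_password "$demo_dir/listener.ora" LISTENER && echo "PASSWORDS_LISTENER commented out, backup written"
audit_listener_ora "$demo_dir/listener.ora" LISTENER || echo "listener is no longer password-protected"
```

On a real host, run audit_listener_ora against $ORACLE_HOME/network/admin/listener.ora before and after the change_password / save_config sequence, and use disable_listener_password only between killing tnslsnr and lsnrctl start, as in rollback B. The audit reads the file only; it does not talk to the running listener, so a password changed but never saved with save_config will show as NOT SET.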