RE: lsnrctl passwords
- From: "Blanchard William" <William.Blanchard@xxxxxxxxxx>
- To: "Bradd Piontek" <piontekdd@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
- Date: Fri, 11 Apr 2008 11:14:44 -0500
We tried scripting the startup but it doesn't accept the password. We
can set it interactively but that is very labor intensive.

lsnrctl << EOF
set password <password>
set current_listener <sid>
start
EOF

________________________________
From: Bradd Piontek [mailto:piontekdd@xxxxxxxxx]
Sent: Friday, April 11, 2008 11:10 AM
To: Blanchard William
Subject: Re: lsnrctl passwords
As I understand, many attacks can come from within. This isn't about
being on the internet or internal. It is a simple mechanism to keep your
listener secure. Any user in your enterprise with the lsnrctl executable
could stop the listener remotely with a password in place.

I don't see how startup scripts are affected. You don't need a password
to start a listener. Stopping the listener requires one.

$ORACLE_HOME/bin/lsnrctl <<EOF
set password PASSWORDHASHHERE
stop
EOF

On Fri, Apr 11, 2008 at 11:00 AM, Blanchard William
<William.Blanchard@xxxxxxxxxx> wrote:
Wouldn't they need access to your network in order to access the
listener? I know that you can set up a similar entry in a listener.ora
and remotely access the listener (I did this to prove it) but I was
behind the firewall. I tried from home but wasn't able to access the
listener using the same technique.
Another question is that in 9i you can't do a save_config and
have to enter the password interactively in order to use the listener.
So, after a cold backup and a server restart, someone would have to
manually restart every listener.
Has anyone figured out how to script this? We tried but weren't
able to figure out how to script the password entry so that our startup
scripts would work with a password protected listener.
William
________________________________
From: Andrew Kerber [mailto:andrew.kerber@xxxxxxxxx]
Sent: Friday, April 11, 2008 10:44 AM
To: Blanchard William
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: lsnrctl passwords
Several things they could do: for one, they could turn off
logging when you need it. They could also turn on logging, fill up the
drive that the log file is on, and stop your listener; they could shut
down the listener so no one could connect. All of these could be
accidental or on purpose, but a password makes it harder to do either
way. Also, most Sarbanes-Oxley compliance checklists require it.
It is a pain to deal with even so.
On Fri, Apr 11, 2008 at 10:09 AM, Blanchard William
<William.Blanchard@xxxxxxxxxx> wrote:
Is anyone out there using lsnrctl passwords? If so,
why? I realize that there are vulnerabilities but if they're able to
get at the network, why would they waste their time on the listener?
William
--
Andrew W. Kerber
'If at first you dont succeed, dont take up skydiving.'
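
Added example (not part of the thread, not Oracle's code): a stop wrapper in the style of the heredoc scripts quoted above that keeps the value given to `set password` out of the script, refuses to run if the file holding it is accessible to group or others, and passes it to lsnrctl on stdin rather than in the process arguments. The function name `stop_listener`, the `LSNRCTL` override and the separate password file are assumptions.

```shell
#!/bin/sh
# Added example: scripted stop of a password-protected listener.
# Hypothetical names: stop_listener, LSNRCTL, and the password file itself.

# Path to lsnrctl; overridable so the wrapper can be exercised without Oracle.
LSNRCTL="${LSNRCTL:-${ORACLE_HOME:-/nonexistent}/bin/lsnrctl}"

# stop_listener <listener_name> <password_file>
# Returns 0 on success, 2 on bad input, 3 if the password file is too open.
stop_listener() {
    name=$1
    pwfile=$2

    [ -n "$name" ] && [ -f "$pwfile" ] || return 2

    # The name is pasted into lsnrctl input, so allow only plain identifiers.
    case $name in
        *[!A-Za-z0-9_]*) return 2 ;;
    esac

    # Columns 5-10 of "ls -l" are the group and other permission bits.
    perms=$(ls -ld "$pwfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing: $pwfile is accessible to group or others" >&2
        return 3
    fi

    # Use the first line of the file as the value for "set password".
    IFS= read -r pw < "$pwfile" || [ -n "$pw" ] || return 2
    [ -n "$pw" ] || return 2

    # A here-document goes to lsnrctl on stdin, so the value is not
    # visible in the process list the way a command-line argument would be.
    "$LSNRCTL" <<EOF
set current_listener $name
set password $pw
stop
EOF
}

# Example call (constructed path): stop_listener LISTENER /home/oracle/.lsnr_pw
```

The same permission check applies to any script that embeds the value directly, as the `stop` script in the thread does.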