Re: Question re security

  • From: Nuno Souto <dbvision@xxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 17 Jan 2014 17:59:56 +1100

Sorry if I wasn't very clear.

1521 is the default Oracle listener port since the deluge. Using that port is an open avenue for any hacker worth his/her salt to run a sniffer in a Linux node to get all Oracle pwds. First thing I do in any site I run is change the port to something else - which is NOT disclosed other than through tnsnames. Uh-huh, not with this mob. 1521 is "the recommended port" and that is what must be used.
REALLY?

This mob also wanted the listener to ASK for a password on first connection.
Nothing to do with adding a password to start/stop/control the listener.

Clearly they read somewhere the listener can "be protected by password".
Which in their two-cell brain immediately means:

"one must enter a password to access Oracle listener from client w/s, in order for it to be secure".

#facepalm...

--
Cheers
Nuno Souto
dbvision@xxxxxxxxxxxx


On 17/01/2014 4:11 AM, mohammed bhatti wrote:
I'm fairly certain that these guidelines are taken from the DISA STIG. I haven't seen a commercial version of the database STIG but I do recall in the pre-11g DISA STIG the listener required a password to be set. Also, the listener pre-11g had to be started under its own dedicated account and not the account that owns the Oracle software. None of these is now required in the 11g STIG.

--
//www.freelists.org/webpage/oracle-l