I wasn’t aware exactly how old that book was, obviously It has plenty of
information that will always be relevant.
I was referring to 11g because it’s the most recent version with relatively
well known security vulnerabilities (Poison comes to mind, but that may not
be the most severe or easiest to exploit).
Do I think 12c is more secure? Yes. Do I trust its security enough to
expose it directly? No.
Thanks,
Andy
On Fri, 5 Apr 2019 at 20:06, Reen, Elizabeth <elizabeth.reen@xxxxxxxx>
wrote:
True, but there is no sense making it easier for them.
Liz
*From:* [External] oracle-l-bounce@xxxxxxxxxxxxx <
oracle-l-bounce@xxxxxxxxxxxxx> *On Behalf Of *[External] Andy Sayer
*Sent:* Friday, April 05, 2019 1:41 PM
*To:* bdbafh@xxxxxxxxx
*Cc:* Bill Ferguson <wbfergus@xxxxxxxxx>; oracle-l <oracle-l@xxxxxxxxxxxxx>;
watt0012@xxxxxxx
*Subject:* Re: Question regarding Oracle listener port change
Using a non-default listener port offers the same additional security as
installing your front door slightly to the right of your porch.
Back in 11g times, the listener had some very critical security
vulnerabilities so maybe it was worthwhile advise back then - but it wasn’t
exactly going to prevent anything other than a very lazy attack.
My 2c,
Andy
On Fri, 5 Apr 2019 at 18:30, Paul Drake <bdbafh@xxxxxxxxx> wrote:
Bill,
Ah.
Perhaps if a consultant issued the edict?
How about an oldie but goodie?
(Blows dust off a copy fetched from the office bookshelf)
SANS Step-by-Step series
Oracle Security step by step v 2.0
Pete Finnegan
SANS Press 2004
Phase 5 - Networking.
Action 5.1.6
"Avoid running the listener on the normal (tcp) ports of 1521 or 1526."
CIS has a controls doc for Oracle databases including versions 11gR2 and
12c. Apparently changing the port number from default is not mentioned.
They're more on board with making certain that admin commands occur over
IPC and not remote tcp in the clear.
Perhaps NIST does as well. Nope. They refer to the CIS document.
Something to chew upon.
Paul
On Fri, Apr 5, 2019, 10:36 AM Andy Wattenhofer <watt0012@xxxxxxx> wrote:
That's not a problem that is unique to government, in my experience. It
seems to be more a function of size and bureaucracy. In some cases I would
even say that private sector is worse, given the profit motive and the fact
that security doesn't deliver profit.
Andy
On Fri, Apr 5, 2019 at 9:02 AM Bill Ferguson <wbfergus@xxxxxxxxx> wrote:
I tried using a different port roughly 10 years back, and the rest of my
organization really got their feathers ruffled. and I finally had to switch
it back to 1521. The overwhelming majority of "DBA's" within my Federal
Government organization, don't know anything about Oracle, like most of
their software, and install everything with the defaults. I've tried
getting the higher level "management" to issue a few basic security
mandates about changing the ports, not installing with (or at least
de-activating) default settings, etc., and it just falls on deaf ears. When
I try doing a mass email to alert the other Oracle "DBA's", I'd usually get
an official slap on the wrist and told to quit rocking the boat.
Anyway, I think this is a huge part of the problem with security of
Government databases. The people that brown-nosed their way into the
positions where they can dictate the policy and direction of the
organization have absolutely no idea of what they placed in charge of, and
what would be the most common-sense way of approaching the issue. But it is
partly because of these security failures that I never mention which
Department or Agency I work for. It could possibly open us up to a more
concentrated attack, and I also do not want any of opinions to be
considered as indicative of the official position or opinion of the group I
work for (big legal headaches there).
bill Ferguson
On Thu, Mar 28, 2019 at 5:48 PM DRCDBA (Gmail) <drcdba@xxxxxxxxx> wrote:
Personally I don't keep any database - internal or external facing - on
port 1521. Just don't like default settings I guess!
On Mar 28, 2019, at 5:12 PM, Mark W. Farnham <mwf@xxxxxxxx> wrote:
I’m just curious.
Doesn’t everyone with a public network wan change the 1521 port and put a
honey pot on 1521 to absorb attack vectors?
Do folks actually leave it as 1521 for systems that allow
off-closed-campus access?
mwf
*From:* oracle-l-bounce@xxxxxxxxxxxxx [
mailto:oracle-l-bounce@xxxxxxxxxxxxx ;<oracle-l-bounce@xxxxxxxxxxxxx>] *On
Behalf Of *Rakesh Ra
*Sent:* Wednesday, March 27, 2019 9:18 AM
*To:* Shane Borden
*Cc:* Oracle-L Freelists
*Subject:* Re: Question regarding Oracle listener port change
Hi All,
Just to keep you all updated, the reason for port 1521 working was , we
had teleran software installed which was internally swapping the port from
1521 to 1621. Below is the snippet from teleran logs.
managettds.log:03/23/2019 20:05:19:589 TT03235 <INFO> (genericdb)
Connecting to Knowledge Base: jdbc:oracle:thin:@//xxxxx-scan:1521/<SID>
managettds.log:03/23/2019 20:05:29:312 TT00712 <INFO> (ttsystem) Swapping
Oracle port from 1521 to 1621
Regards,
Rakesh RA
On Tue, Mar 26, 2019 at 5:32 PM Shane Borden <sborden76@xxxxxxxxx> wrote:
Did you change the ports on both the scan and the local listener? Update
the database parameters and re-register?
Shane Borden
sborden76@xxxxxxxxx
Sent from my iPhone
On Mar 26, 2019, at 7:50 AM, Rakesh Ra <rakeshra.tr@xxxxxxxxx> wrote:<https://urldefense.proofpoint.com/v2/url?u=http-3A__11.2.0.4&d=DwQFaQ&c=j-EkbjBYwkAB4f8ZbVn1Fw&r=yWMFosURAngbt8VLeJtKLVJGefQxustAZ9UxecV7xpc&m=czIaBKk274PoSNtvtXWN0bq3d9_rHAmiURVcu11xwIY&s=G9eqlm-mB-fu9lzMsWLTYz1XmR8nS3UXM-jEbd124Oc&e=>
Hi All,
We have full rack exadata server X5 version with 11.2.0.4
version DB running on it.. We changed the port number of scan and local
listener from 1521 to 1621.
I tried connecting to the database remotely using scan and defaultservice with port 1521 , connection is going through. I also tried
connecting to the database using scan and default service using 1621 port
as well. With that also I am able to connect. Should I ideally get my
connection request with port 1521 rejected with some TNS errors?? Or is
this is expected??
Regards,
Rakesh RA
--
-- Bill Ferguson
