Skip to main content
ExLibris
  • Subscribe by RSS
    • Back
    Voyager
    Ex Libris Knowledge Center

    Restricting the Oracle® Listener by IP Address

    1. Last updated
    2. Save as PDF
    • Product: Voyager
    • Product Version: All
    • Relevant for Installation Type: Dedicated-Direct; Direct; Local; Total Care

    Problem symptoms

    • Remote user can obtain sensitive information about the system, such as product version numbers and the physical installation path.
    • Any user who can send packets to the listener port on the server has the potential to exploit this vulnerability.

    Cause

    Listener is unrestricted.

    Resolution

    Oracle customers can help protect against unauthorized access by ensuring that the Oracle Listener is running as a low, privileged user account. Where possible, customers should limit access to their Oracle Listener to trusted users, hosts, and networks.

    Ex Libris suggests using firewall or router ACLs (access control lists) to restrict connections to the TCP port used by Oracle Listeners.

    Further protection can be acheived by setting TCP valid node checking. See Additional Information for solution steps by version, and if additional questions or assistance needed, open a Case with Ex Libris Customer Support.

    Additional Information

    1. Log into the server as "oracle"
    2. Open the following file in a text editor: $ORA_NET/sqlnet.ora (environment variable $ORA_NET contains path to file)
    3. Add the following two lines to the end of this file, replacing "[allowed IP's]" with a comma delimited list of permitted IP addresses:

    tcp.validnode_checking = yes
    tcp.invited_nodes = ( 127.0.0.1, [allowed IP's] )

    1. Restart the listener (path may vary and version number - 12.1.0.2 in the example below) may change:

    $ORACLE_HOME/bin/lsnrctl stop
    $ORACLE_HOME/bin/lsnrctl start

    • Article last edited: 16-Oct-2018