Restricting the Oracle® Listener by IP Address
- Product: Voyager
- Product Version: All
- Relevant for Installation Type: Dedicated-Direct; Direct; Local; Total Care
Problem symptoms
- Remote user can obtain sensitive information about the system, such as product version numbers and the physical installation path.
- Any user who can send packets to the listener port on the server has the potential to exploit this vulnerability.
Cause
Listener is unrestricted.
Resolution
Oracle customers can help protect against unauthorized access by ensuring that the Oracle Listener runs as a low-privileged user account. Where possible, customers should limit access to their Oracle Listener to trusted users, hosts, and networks.
Ex Libris suggests using firewall or router ACLs (access control lists) to restrict connections to the TCP port used by Oracle Listeners.
Further protection can be achieved by enabling TCP valid node checking. See Additional Information for solution steps by version; if you have additional questions or need assistance, open a Case with Ex Libris Customer Support.
Additional Information
- Log into the server as "oracle".
- Open the following file in a text editor (the environment variable $ORA_NET contains the path to the file):
$ORA_NET/sqlnet.ora
- Add the following two lines to the end of this file, replacing "[allowed IP's]" with a comma-delimited list of permitted IP addresses:
tcp.validnode_checking = yes
tcp.invited_nodes = ( 127.0.0.1, [allowed IP's] )
- Restart the listener so it re-reads sqlnet.ora (the path may vary, and the version number, 12.1.0.2 in this example, may differ):
$ORACLE_HOME/bin/lsnrctl stop
$ORACLE_HOME/bin/lsnrctl start
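The following is an added example, not part of the Ex Libris article and not Oracle's tooling: a small Python helper that builds the two sqlnet.ora lines from a list of permitted addresses, always keeps 127.0.0.1 in the invited list, rejects anything that is not a literal IP address, drops any earlier tcp.validnode_checking / tcp.invited_nodes / tcp.excluded_nodes lines so re-running it does not stack duplicates, and reports whether a given sqlnet.ora already restricts the listener. The sample sqlnet.ora text and the addresses 10.1.2.3 / 10.1.2.4 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample sqlnet.ora content (not taken from any real system).
SAMPLE_SQLNET_ORA = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SQLNET.EXPIRE_TIME = 10
"""

LOOPBACK = "127.0.0.1"

# Matches the three valid-node-checking parameters, case-insensitively.
VALIDNODE_RE = re.compile(
    r"^\s*tcp\.(validnode_checking|invited_nodes|excluded_nodes)\s*=",
    re.IGNORECASE,
)


def validate_addresses(addresses):
    """Return a de-duplicated list of addresses with the loopback first.

    Raises ValueError for anything that is not a literal IPv4/IPv6 address,
    so a typo cannot silently lock the wrong hosts in or out.
    """
    seen = []
    for addr in [LOOPBACK, *addresses]:
        addr = addr.strip()
        ipaddress.ip_address(addr)  # raises ValueError on junk such as "10.0.0"
        if addr not in seen:
            seen.append(addr)
    return seen


def render_valid_node_lines(addresses):
    """Build the two lines the article tells you to append to sqlnet.ora."""
    invited = validate_addresses(addresses)
    return [
        "tcp.validnode_checking = yes",
        "tcp.invited_nodes = ( " + ", ".join(invited) + " )",
    ]


def apply_valid_node_checking(sqlnet_text, addresses):
    """Return new sqlnet.ora text with valid node checking enabled.

    Earlier valid-node lines are removed first, so applying this twice
    yields the same file as applying it once (idempotent).
    """
    kept = [ln for ln in sqlnet_text.splitlines() if not VALIDNODE_RE.match(ln)]
    kept.extend(render_valid_node_lines(addresses))
    return "\n".join(kept) + "\n"


def is_restricted(sqlnet_text):
    """True if checking is switched on and at least one invited node is named."""
    checking = False
    invited = False
    for ln in sqlnet_text.splitlines():
        m = VALIDNODE_RE.match(ln)
        if not m:
            continue
        key = m.group(1).lower()
        value = ln.split("=", 1)[1].strip()
        if key == "validnode_checking" and value.lower() == "yes":
            checking = True
        if key == "invited_nodes" and value.strip("() ").strip():
            invited = True
    return checking and invited


if __name__ == "__main__":
    updated = apply_valid_node_checking(SAMPLE_SQLNET_ORA, ["10.1.2.3", "10.1.2.4"])
    print(updated)
    print("restricted:", is_restricted(updated))
```

Two caveats worth checking before you restart the listener: the invited list is a complete allow-list, so the server's own non-loopback address (and any application or backup host that connects over the network) must be in it or those connections will be refused; and because the listener reads sqlnet.ora only at start, the lsnrctl stop/start from the article is what actually puts the restriction into effect.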
- Article last edited: 16-Oct-2018