Ex Libris Knowledge Center

Restricting the Oracle® Listener by IP Address

  • Article Type: General
  • Product: Voyager
  • Product Version: All
  • Relevant for Installation Type: Dedicated-Direct; Direct; Local; Total Care

Problem symptoms
* A remote user can obtain sensitive information about the system, such as product version numbers and the physical installation path.
* Any user who can send packets to the listener port on the server has the potential to exploit this vulnerability.

Cause
Listener is unrestricted.

Resolution
Oracle customers can help protect against unauthorized access by ensuring that the Oracle Listener is running as a low-privileged user account. Where possible, customers should limit access to their Oracle Listener to trusted users, hosts, and networks.

Ex Libris suggests using firewall or router ACLs (access control lists) to restrict connections to the TCP port used by Oracle Listeners.

Further protection can be achieved by setting TCP valid node checking. See Additional Information for solution steps by version. If you have additional questions or need assistance, open a Case with Ex Libris Customer Support.

Additional Information

1. Log into the server as "oracle"
2. Open the following file in a text editor: $ORA_NET/sqlnet.ora (the environment variable $ORA_NET contains the path to the file)
3. Add the following two lines to the end of this file. Replace "[allowed IP's]" with a comma-delimited list of permitted IP addresses:
tcp.validnode_checking = yes
tcp.invited_nodes = ( 127.0.0.1, [allowed IP's] )
4. Restart the listener, e.g.:
/oracle/app/oracle/product/8.0.5/bin/lsnrctl stop
/oracle/app/oracle/product/8.0.5/bin/lsnrctl start
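
An added example (not Ex Libris or Oracle code): a shell check to run after step 3 that confirms sqlnet.ora enables valid node checking and that the "[allowed IP's]" placeholder was actually replaced. It assumes each parameter sits on a single line, as in the two lines above; the function names and the 10.0.0.5 address are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit sqlnet.ora for the two settings from step 3.

# Print a parameter's value with spaces and parentheses removed.
# Names are matched case-insensitively; '#' comments are ignored.
get_param() {   # $1 = file, $2 = parameter name
    sed -e 's/#.*$//' "$1" | awk -F= -v want="$2" '
        { name = $1; gsub(/[ \t]/, "", name) }
        tolower(name) == tolower(want) {
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t()]/, "", val)
            found = val
        }
        END { print found }'
}

# Return 0 only if node checking is on and the invited list is usable.
check_sqlnet() {
    file=$1
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    checking=$(get_param "$file" tcp.validnode_checking | tr 'A-Z' 'a-z')
    nodes=$(get_param "$file" tcp.invited_nodes)
    if [ "$checking" != "yes" ]; then
        echo "FAIL: tcp.validnode_checking is not set to yes"; return 1
    fi
    if [ -z "$nodes" ]; then
        echo "FAIL: tcp.invited_nodes is missing or empty"; return 1
    fi
    case "$nodes" in
        *\[*) echo "FAIL: placeholder left in tcp.invited_nodes"; return 1 ;;
    esac
    case ",$nodes," in
        *,127.0.0.1,*) ;;
        *) echo "WARN: 127.0.0.1 is not in tcp.invited_nodes" ;;
    esac
    echo "OK: listener restricted to $nodes"
}

# Constructed sample file; 10.0.0.5 is a made-up address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sqlnet.ora (constructed sample)
tcp.validnode_checking = yes
tcp.invited_nodes = ( 127.0.0.1, 10.0.0.5 )
EOF
check_sqlnet "$sample"
rm -f "$sample"
```

On the server, call check_sqlnet "$ORA_NET/sqlnet.ora" before restarting the listener in step 4.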

Category: Oracle


  • Article last edited: 11/9/2015