cracking oracle?
I've been tasked with securing an 8.1.7 server and I'd like to know whether anybody already has a list of exploits. I'm concerned with both local exploits (like someone breaking into a unix dba account and doing a "connect internal") and remote exploits (like sqlnet denial of service).
In this particular installation, there will be only one or two oracle user accounts, and all other users will be fetching read-only data via a web server. The web pages will be generated by mod_plsql. Fortunately, the machine will not be on the public Internet, but the customer is still security-conscious.
I am aware of the following:
Just to make things interesting, we do NOT have a license for the Advanced Security Option. However, the customer is not really concerned about data encryption (I think they should be, but it's not my call).
It seems like there should be an Oracle technical bulletin somewhere that at least lists relatively simple steps like closing up all the default passwords--I couldn't find one on Metalink. But I'd like to go somewhat beyond closing the obvious gaping holes.
Ideas? Comments?
Thanks
Bill Pribyl
--
http://www.datacraft.com/ http://plnet.org/
Author: Bill Pribyl
INET: bill_at_datacraft.com
Received on Tue Feb 20 2001 - 11:57:34 CST