RE: lsnrctl passwords
Date: Fri, 11 Apr 2008 11:33:29 -0600
Message-ID: <2BC7419BF42B0146A7BB8C52A236313D02F1CBCD@E03-GOA-EXCH-66.goa.ds.gov.ab.ca>
That works??!!?
I don't see how the 'set log_status off' and 'trace off' AFTER the "set password x" and "start" commands would make any difference. I have my doubts, but I'll have to try that in our own environment when I have a chance....
If that works over here, many thanks, Mark!!
Ben
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Powell, Mark D
Sent: Friday, April 11, 2008 11:17 AM
To: oracle-l_at_freelists.org
Subject: RE: lsnrctl passwords
This works for us. Make sure you did not use a UNIX meta-character in the password.
$OH/bin/lsnrctl <<EOFlsnr
set password x
start
set log_status off
trace off
exit
EOFlsnr
exit
- Mark D Powell --
Phone (313) 592-5148
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Blanchard William
Sent: Friday, April 11, 2008 12:15 PM
To: Bradd Piontek; oracle-l_at_freelists.org
Subject: RE: lsnrctl passwords
We tried scripting the startup but it doesn't accept the password. We can set it interactively but that is very labor intensive.
lsnrctl << EOF
set password <password>
set current_listener <sid>
start
EOF
From: Bradd Piontek [mailto:piontekdd_at_gmail.com]
Sent: Friday, April 11, 2008 11:10 AM
To: Blanchard William
Subject: Re: lsnrctl passwords
As I understand, many attacks can come from within. This isn't about being on the internet or internal. It is a simple mechanism to keep your listener secure. Any user in your enterprise with the lsnrctl executable could stop the listener remotely with a password in place.
I don't see how startup scripts are affected. You don't need a password to start a listener. Stopping the listener requires one.
$ORACLE_HOME/bin/lsnrctl <<EOF
set password PASSWORDHASHHERE
stop
EOF
On Fri, Apr 11, 2008 at 11:00 AM, Blanchard William <William.Blanchard_at_kohler.com> wrote:
Wouldn't they need access to your network in order to access the listener? I know that you can set up a similar entry in a listener.ora and remotely access the listener (I did this to prove it) but I was behind the firewall. I tried from home but wasn't able to access the listener using the same technique.
Another question is that in 9i you can't do a save_config and have to enter the password interactively in order to use the listener. So, after a cold backup and a server restart, someone would have to manually restart every listener.
Has anyone figured out how to script this? We tried but weren't able to figure out how to script the password entry so that our startup scripts would work with a password protected listener.
William
From: Andrew Kerber [mailto:andrew.kerber_at_gmail.com]
Sent: Friday, April 11, 2008 10:44 AM
To: Blanchard William
Cc: oracle-l_at_freelists.org
Subject: Re: lsnrctl passwords
Several things they could do, for one they could turn off logging when you need it. They could also turn on logging, fill up the drive that the log file is on, and stop your listener, they could shut down the listener so no one could connect. All of these could be accidental or on purpose, but a password makes it harder to do either way. Also, most Sarbanes-Oxley compliance checklists require it.
It is a pain to deal with even so.
On Fri, Apr 11, 2008 at 10:09 AM, Blanchard William <William.Blanchard_at_kohler.com> wrote:
Is anyone out there using lsnrctl passwords? If so, why? I realize that there are vulnerabilities but if they're able to get at the network, why would they waste their time on the listener?
William
-- Andrew W. Kerber 'If at first you dont succeed, dont take up skydiving.'
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Apr 11 2008 - 12:33:29 CDT
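
Added example, not code from any poster in this thread: the thread's scripts type the password into an unquoted here-document, where the shell expands `$`, backquotes and backslashes before lsnrctl reads the line, which is the meta-character problem Mark's reply warns about. The sketch below reads the password from a private file and emits it byte for byte on the command stream. The function names and the password-file path are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and the password-file path are hypothetical.

# pwfile_ok FILE: true only for a regular file with no group/other access
# bits (mode 600 or 400), so other local users cannot read the password.
pwfile_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# listener_cmds PWFILE ACTION: print the command stream for lsnrctl's stdin,
# in the same order as the "set password x / start" script quoted above.
listener_cmds() {
    pwfile_ok "$1" || { echo "refusing $1: not a private regular file" >&2; return 1; }
    IFS= read -r pw < "$1" || :           # a missing final newline is fine
    [ -n "$pw" ] || return 1              # empty password file: give up
    # printf %s copies the password unchanged; nothing in it is expanded,
    # and it travels on stdin rather than on a command line.
    printf 'set password %s\n%s\nexit\n' "$pw" "$2"
}

# For contrast: a password typed into an unquoted here-document. The shell
# expands $dor (unset, so empty) before the text reaches any program.
naive_cmds() {
    cat <<EOF
set password Tr0ub$dor
start
exit
EOF
}

# Typical use on the database host (path is an assumption):
#   listener_cmds "$HOME/.lsnr_pw" start | "$ORACLE_HOME/bin/lsnrctl"
```

Quoting the delimiter (`<<'EOF'`) also stops the expansion, but leaves the password stored in the script itself.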