Home -> Mailing Lists -> Oracle-L -> RE: lsnrctl passwords

RE: lsnrctl passwords

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Mon, 14 Apr 2008 09:15:38 -0400
Message-ID: <D1DC33E67722D54A93F05F702C99E2A90234C48A@usahm208.amer.corp.eds.com> 





This is just the script we use.  We see no need to log so we shut it off
logging each time we restart the listener.  You can always turn logging
and trace on when needed.  In 10 years we have rarely needed to do so.
 



    
  
  •   Mark D Powell -- 
Phone (313) 592-5148 

 



    






        From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Ben Wittmeier

	Sent: Friday, April 11, 2008 1:33 PM
	To: Powell, Mark D; oracle-l_at_freelists.org
	Subject: RE: lsnrctl passwords
	
	
	That works??!!?
	 
	I don't see how the 'set log_status off' and 'trace off' AFTER


the "set password x" and "start" commands would make any difference.  I
have my doubts, but I'll have to try that in our own environment when I
have a chance....
         

	If that works over here, many thanks, Mark!!
	Ben



________________________________


	From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Powell, Mark D
	Sent: Friday, April 11, 2008 11:17 AM
	To: oracle-l_at_freelists.org
	Subject: RE: lsnrctl passwords
	
	
	This works for us.  Make sure you did not use a UNIX


meta-character in the password.
         

	$OH/bin/lsnrctl <<EOFlsnr
	set password x
	start
	set log_status off
	trace off
	exit
	EOFlsnr
	exit
	
	-- Mark D Powell -- 
	Phone (313) 592-5148 
	 




________________________________


		From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Blanchard William
		Sent: Friday, April 11, 2008 12:15 PM
		To: Bradd Piontek; oracle-l_at_freelists.org
		Subject: RE: lsnrctl passwords
		
		

		We tried scripting the startup but it doesn't accept the


password.  We can set it interactively but that is very labor intensive.




                lsnrctl << EOF



                set password <password>



                set current_listener <sid>



                start



                EOF







		From: Bradd Piontek [mailto:piontekdd_at_gmail.com] 
		Sent: Friday, April 11, 2008 11:10 AM
		To: Blanchard William
		Subject: Re: lsnrctl passwords
		
		
		As I understand, many attacks can come from within. This


isn't about being on the internet or internal. It is a simple mechanism
to keep your listener secure. Any user in your enterprise with the
lsnrctl executable could stop the listener remotely with a password in
place.
                


                I don't see how startup scripts are affected. You don't
need a password to start a listener. Stopping the listener requires one.
                

		$ORACLE_HOME/bin/lsnrctl <<EOF
		   set password PASSWORDHASHHERE
		   stop
		EOF
		
		
		
		On Fri, Apr 11, 2008 at 11:00 AM, Blanchard William


<William.Blanchard_at_kohler.com> wrote:
                



                        Wouldn't they need access to your network in
order to access the listener? I know that you can set up a similar entry
in a listener.ora and remotely access the listener (I did this to prove
it) but I was behind the firewall. I tried from home but wasn't able to
access the listener using the same technique. 



                        Another question is that in 9i you can't do a
save_config and have to enter the password interactively in order to use
the listener. So, after a cold backup and a server restart, someone
would have to manually restart every listener. 



                        Has anyone figured out how to script this? We
tried but weren't able to figure out how to script the password entry so
that our startup scripts would work with a password protected listener.

                         



                        William






			From: Andrew Kerber
[mailto:andrew.kerber_at_gmail.com] 
			Sent: Friday, April 11, 2008 10:44 AM
			To: Blanchard William
			Cc: oracle-l_at_freelists.org
			Subject: Re: lsnrctl passwords
			
			
			Several things they could do, for one they could


turn off logging when you need it.  They could also turn on logging,
fille up the drive that the log file is on, and stop your listener, they
could shut down the listener so no one could connect.  ALl of these
could be accidental or on purpose, but a password makes it harder to do
either way.  Also, most Sarbanes-Oxley compliance checklists require it.
                        


                        It is a pain to deal with even so.
                        
                        


                        On Fri, Apr 11, 2008 at 10:09 AM, Blanchard
William <William.Blanchard_at_kohler.com> wrote:
                        



                                Is anyone out there using lsnrctl


passwords?  If so, why?  I realize that there are vulnerabilities but if
they're able to get at the network, why would they waste their time on
the listner?
                                 
                                
                                 


                                William


                        
                        

			-- 
			Andrew W. Kerber
			
			'If at first you dont succeed, dont take up


skydiving.' 


         



        This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager. This message contains confidential information and
is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.
        



--
http://www.freelists.org/webpage/oracle-l


Received on Mon Apr 14 2008 - 08:15:38 CDT












Original text of this message