一、背景:

2020年伊始,我们的工作中多了一个词"护网行动",之前闻所未闻;这是一个从国家层面提出的安全概念,目的是为了保障信息安全。各个组织机构会定期组织安防演练。咱们数据库层面为了应对这次安防演练也提出了自己的思想,数据库白名单策略限制非法设备对数据库进行访问。这是这次配置监听白名单的整个背景。

二、技术策略:

编辑sqlnet.ora文件

#开启ip限制功能

1tcp.validnode_checking=yes

#允许访问数据库的IP地址列表,多个IP地址使用逗号分开

1tcp.invited_nodes=(192.168.1.5,192.168.1.6,10.10.10.2)

#禁止访问数据库的IP地址列表,多个IP地址使用逗号分开

1tcp.excluded_nodes=(192.168.1.1,10.10.10.1)

注:

1、需要重启监听器生效。

2、这个方式只是适合TCP协议,适用于9i以上版本。在9i之前的版本使用文件protocol.ora。

3、第二行和第三行任写一行即可,如果tcp.invited_nodes与tcp.excluded_nodes都存在,以tcp.invited_nodes为主。

4、不要禁止服务器本机的IP地址,否则通过lsnrctl将不能启动或停止监听,因为该过程监听程序会通过本机的IP访问监听器。

三、操作步骤

3.1 从监听日志中获取层级访问的设备地址:

1234567grepHOSTlistener.log|awk-F'HOST=''{print$3}'|awk'{print$1}'|awk-F')''{print$1}'|grep-vjdbc|sort|uniq|wc-l&&grepHOSTlistener.log|awk-F'HOST=''{print$3}'|awk'{print$1}'|awk-F')''{print$1}'|grep-vjdbc|sort|uniq5192.168.1.1192.168.1.2192.168.1.3192.168.1.4192.168.1.71

3.2 地址格式化

12tr-s"\n"","<ip.txt;echo192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.71

3.3 编辑sqlnet.ora

123[oracle@TestDB/u01/app/oracle/product/11.2.0/db_1/network/admin]$catsqlnet.oratcp.validnode_checking=yestcp.invited_nodes=(192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.71)

3.4 关闭监听

12345[oracle@TestDB/u01/app/oracle/product/11.2.0/db_1/network/admin]$lsnrctlstopLSNRCTLforLinux:Version11.2.0.4.0-Productionon28-JUL-202019:30:20Copyright(c)1991,2013,Oracle.Allrightsreserved.Connectingto(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=TestDB)(PORT=1521)))Thecommandcompletedsuccessfully

3.5 重新启动监听

1234567891011121314151617181920212223242526[oracle@TestDB/u01/app/oracle/product/11.2.0/db_1/network/admin]$lsnrctlstartLSNRCTLforLinux:Version11.2.0.4.0-Productionon28-JUL-202019:30:25Copyright(c)1991,2013,Oracle.Allrightsreserved.Starting/u01/app/oracle/product/11.2.0/db_1/bin/tnslsnr:pleasewait...TNSLSNRforLinux:Version11.2.0.4.0-ProductionSystemparameterfileis/u01/app/oracle/product/11.2.0/db_1/network/admin/listener.oraLogmessageswrittento/u01/app/oracle/diag/tnslsnr/TestDB/listener/alert/log.xmlListeningon:(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=TestDB)(PORT=1521)))Listeningon:(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))Connectingto(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=TestDB)(PORT=1521)))STATUSoftheLISTENER------------------------AliasLISTENERVersionTNSLSNRforLinux:Version11.2.0.4.0-ProductionStartDate28-JUL-202019:30:25Uptime0days0hr.0min.0secTraceLeveloffSecurityON:LocalOSAuthenticationSNMPOFFListenerParameterFile/u01/app/oracle/product/11.2.0/db_1/network/admin/listener.oraListenerLogFile/u01/app/oracle/diag/tnslsnr/TestDB/listener/alert/log.xmlListeningEndpointsSummary...(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=TestDB)(PORT=1521)))(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))ThelistenersupportsnoservicesThecommandcompletedsuccessfully

3.6 手工注册监听

12345678910111213141516171819202122232425262728293031[oracle@TestDB/u01/app/oracle/product/11.2.0/db_1/network/admin]$sqlplus/assysdbaSQL*Plus:Release11.2.0.4.0ProductiononTueJul2819:30:292020Copyright(c)1982,2013,Oracle.Allrightsreserved.Connectedto:OracleDatabase11gEnterpriseEditionRelease11.2.0.4.0-64bitProductionWiththePartitioning,OLAP,DataMiningandRealApplicationTestingoptionsSQL>altersystemregister;Systemaltered.SQL>!lsnrctlstatusLSNRCTLforLinux:Version11.2.0.4.0-Productionon28-JUL-202019:30:36Copyright(c)1991,2013,Oracle.Allrightsreserved.Connectingto(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=TestDB)(PORT=1521)))STATUSoftheLISTENER------------------------AliasLISTENERVersionTNSLSNRforLinux:Version11.2.0.4.0-ProductionStartDate28-JUL-202019:30:25Uptime0days0hr.0min.11secTraceLeveloffSecurityON:LocalOSAuthenticationSNMPOFFListenerParameterFile/u01/app/oracle/product/11.2.0/db_1/network/admin/listener.oraListenerLogFile/u01/app/oracle/diag/tnslsnr/TestDB/listener/alert/log.xmlListeningEndpointsSummary...(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=TestDB)(PORT=1521)))(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))ServicesSummary...Service"ORCL"has1instance(s).Instance"ORCL1",statusREADY,has1handler(s)forthisservice...Service"ORCL1XDB"has1instance(s).Thecommandcompletedsuccessfully

原文链接:http://blog.itpub.net/20674423/viewspace-2707617/