Blocking Oracle Access by IP Address
The topics covered in listener security management are straightforward, but there are special sqlnet.ora tricks for blocking access by IP address.
Blocking Oracle Access by IP Address
Now comes the fun part: keeping people out of your database! While IP-based blocking is not as suitable as a full firewall, you are able to block clients based on their IP address or hostname.
The secret lies in the SQLNET.ORA file. This file can be found in your $ORACLE_HOME/network/admin directory along with your tnsnames.ora and listener.ora. Open it up and insert the following line:
tcp.validnode_checking = yes
This turns on the hostname/IP checking for your listeners. After this, you can supply lists of nodes to enable/disable, as such:
tcp.invited_nodes = (hostname1, hostname2)
tcp.excluded_nodes = (192.168.10.3)
Note that if you only specify invited nodes, all others will be excluded, so there is really no reason to do both. The same goes for excluded nodes: exclude a list of clients, invite all others.
Even though this will not protect you against advanced attacks (IP and hostname are easy to spoof) it still serves as a deterrent against hacking attempts.
Here are some rules for entering invited/excluded nodes:
- You cannot use wildcards in your specifications.
- You must put all invited nodes in one line; likewise for excluded nodes.
- You should always enter localhost as an invited node.
Once you have set up your rules and enabled valid node checking, you must restart your listeners to reap the benefits. Here is an example:
- PayrollDB is a database server, accessed by Payroll
- SalesDB is a database server, accessed by Sales
- SApp1, SApp2, and SApp3 are application servers using the SalesDB
- PApp1, PApp2, and PApp3 are application servers using the PayrollDB
The sqlnet.ora on PayrollDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, PayrollDB, PApp1, PApp2, PApp3)
The sqlnet.ora on SalesDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, SalesDB, SApp1, SApp2, SApp3)
Once this has been done, restart the listener. (You did follow the first part of this article and password protect it, didn’t you?)
$ lsnrctl
LSNRCTL> set password
Password: <the password you chose>
The command completed successfully
LSNRCTL> stop
The command completed successfully
LSNRCTL> start
Now PApp1, PApp2, and PApp3 can access PayrollDB but not SalesDB; the same goes for the Sales application servers’ access to PayrollDB.