禁止特定IP访问Oracle数据库
通过使用数据库服务器端的sqlnet.ora文件可以实现禁止指定IP主机访问数据库的功能,这对于提升数据库的安全性有很大的帮助,与此同时,这个技术为我们管理和约束数据库访问控制提供了有效的手段。下面是实现这个目的的具体步骤仅供参考:
1.默认的服务器端sqlnet.ora文件的内容:
这里我们以Oracle 10.2.0.3版本为例进行简述,先来看一下当前sqlnet.ora文件内容:
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
2.确认客户端的IP地址:
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 9.123.112.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 9.123.112.1
3.在客户端分别使用tnsping命令和sqlplus命令来验证数据库的连通性:
C:\Documents and Settings\Administrator>tnsping irmdb
TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2
010 11:05:09
Copyright (c) 1997, 2006, Oracle. All rights reserved.
Used parameter files:
C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
(HOST = 9.123.112.34)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = irmdb)))
OK (20 msec)
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:05:12 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn irmadmin/passw0rd@irmdb
Connected.
到这里说明在客户端两种方式都证明的数据库的可连通性。
4.限制客户端IP地址9.123.112.16对当前irmdb数据库的访问:
我们只需要在服务器端的sqlnet.ora文件中添加下面的内容即可。
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
tcp.validnode_checking=yes
tcp.invited_nodes=(9.123.112.34)
tcp.excluded_nodes=(9.123.112.16)
第一行的含义:开启IP限制功能;
第二行的含义:允许访问数据库的IP地址列表,多个IP地址使用逗号分开,此例中我们写入数据库服务器的IP地址;
第三行的含义:禁止访问数据库的IP地址列表,多个IP地址使用逗号分开,此处我们写入欲限制的IP地址9.123.112.16。
5.重新启服务器端listener后生效(这里也可以通过lsnrctl reload方式实现):
C:\Documents and Settings\Administrator>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:07
:48
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
The command completed successfully
C:\Documents and Settings\Administrator>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:07
:52
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Production
System parameter file is C:\oracle\product\10.2.0\db_1\network\admin\listener.or
a
Log messages written to C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Produ
ction
Start Date 06-APR-2010 11:07:53
Uptime 0 days 0 hr. 0 min. 2 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\oracle\product\10.2.0\db_1\network\admin\listener.o
ra
Listener Log File C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:07:57 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn / as sysdba;
Connected.
SQL> alter system register;
System altered.
SQL> quit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Pr
oduction
With the Partitioning, OLAP and Data Mining options
C:\Documents and Settings\Administrator>lsnrctl status
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:08
:05
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Produ
ction
Start Date 06-APR-2010 11:07:53
Uptime 0 days 0 hr. 0 min. 12 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\oracle\product\10.2.0\db_1\network\admin\listener.o
ra
Listener Log File C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "irmdb" has 1 instance(s).
Instance "irmdb", status READY, has 1 handler(s) for this service...
Service "irmdb_XPT" has 1 instance(s).
Instance "irmdb", status READY, has 1 handler(s) for this service...
The command completed successfully
6.在客户端(9.123.112.16)分别再次使用tnsping命令和sqlplus命令来验证数据库的连通性:
C:\Documents and Settings\Administrator>tnsping irmdb
TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2
010 11:09:20
Copyright (c) 1997, 2006, Oracle. All rights reserved.
Used parameter files:
C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
(HOST = 9.123.112.34)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = irmdb)))
TNS-12537: TNS:connection closed
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:09:23 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn irmadmin/passw0rd@irmdb
ERROR:
ORA-12537: TNS:connection closed
到这里我们就可以证明,通过修改sqlnet.ora的方法,我们实现了限制指定机器IP访问数据库的功能。
最后需要特别注意的是tcp.invited_nodes允许列表的优先级要高于tcp.excluded_nodes受限IP列表。也就是说如果同一个IP地址如果同时出现在两个列表里的话,那么这个IP地址还是可以访问对应的数据库的。
1.默认的服务器端sqlnet.ora文件的内容:
这里我们以Oracle 10.2.0.3版本为例进行简述,先来看一下当前sqlnet.ora文件内容:
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
2.确认客户端的IP地址:
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 9.123.112.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 9.123.112.1
3.在客户端分别使用tnsping命令和sqlplus命令来验证数据库的连通性:
C:\Documents and Settings\Administrator>tnsping irmdb
TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2
010 11:05:09
Copyright (c) 1997, 2006, Oracle. All rights reserved.
Used parameter files:
C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
(HOST = 9.123.112.34)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = irmdb)))
OK (20 msec)
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:05:12 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn irmadmin/passw0rd@irmdb
Connected.
到这里说明在客户端两种方式都证明的数据库的可连通性。
4.限制客户端IP地址9.123.112.16对当前irmdb数据库的访问:
我们只需要在服务器端的sqlnet.ora文件中添加下面的内容即可。
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
tcp.validnode_checking=yes
tcp.invited_nodes=(9.123.112.34)
tcp.excluded_nodes=(9.123.112.16)
第一行的含义:开启IP限制功能;
第二行的含义:允许访问数据库的IP地址列表,多个IP地址使用逗号分开,此例中我们写入数据库服务器的IP地址;
第三行的含义:禁止访问数据库的IP地址列表,多个IP地址使用逗号分开,此处我们写入欲限制的IP地址9.123.112.16。
5.重新启服务器端listener后生效(这里也可以通过lsnrctl reload方式实现):
C:\Documents and Settings\Administrator>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:07
:48
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
The command completed successfully
C:\Documents and Settings\Administrator>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:07
:52
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Production
System parameter file is C:\oracle\product\10.2.0\db_1\network\admin\listener.or
a
Log messages written to C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Produ
ction
Start Date 06-APR-2010 11:07:53
Uptime 0 days 0 hr. 0 min. 2 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\oracle\product\10.2.0\db_1\network\admin\listener.o
ra
Listener Log File C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:07:57 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn / as sysdba;
Connected.
SQL> alter system register;
System altered.
SQL> quit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Pr
oduction
With the Partitioning, OLAP and Data Mining options
C:\Documents and Settings\Administrator>lsnrctl status
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2010 11:08
:05
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR
T=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Produ
ction
Start Date 06-APR-2010 11:07:53
Uptime 0 days 0 hr. 0 min. 12 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\oracle\product\10.2.0\db_1\network\admin\listener.o
ra
Listener Log File C:\oracle\product\10.2.0\db_1\network\log\listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "irmdb" has 1 instance(s).
Instance "irmdb", status READY, has 1 handler(s) for this service...
Service "irmdb_XPT" has 1 instance(s).
Instance "irmdb", status READY, has 1 handler(s) for this service...
The command completed successfully
6.在客户端(9.123.112.16)分别再次使用tnsping命令和sqlplus命令来验证数据库的连通性:
C:\Documents and Settings\Administrator>tnsping irmdb
TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 06-APR-2
010 11:09:20
Copyright (c) 1997, 2006, Oracle. All rights reserved.
Used parameter files:
C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
(HOST = 9.123.112.34)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = irmdb)))
TNS-12537: TNS:connection closed
C:\Documents and Settings\Administrator>sqlplus /nolog
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 6 11:09:23 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
SQL> conn irmadmin/passw0rd@irmdb
ERROR:
ORA-12537: TNS:connection closed
到这里我们就可以证明,通过修改sqlnet.ora的方法,我们实现了限制指定机器IP访问数据库的功能。
最后需要特别注意的是tcp.invited_nodes允许列表的优先级要高于tcp.excluded_nodes受限IP列表。也就是说如果同一个IP地址如果同时出现在两个列表里的话,那么这个IP地址还是可以访问对应的数据库的。
来源:OralanDBA.CN 作者:AlanSawyer 原文地址:http://www.oralandba.cn/a/zuiaiOracle/Oraclebizhibihui/2010/0406/772.html
