
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A useful post on c.d.o.s about ADMIN_RESTRICTIONS_{listener_name}



I saw a useful post to the comp.databases.oracle.server newsgroup the other day entitled "restrict remote listener administration", where the poster said he had found a way to prevent remote administration of the listener and also remote shutdown of the listener. His suggestion was that instead of using a password for the listener (which he had problems with, as it meant changes to the shutdown scripts) he would set the parameter:

ADMIN_RESTRICTIONS_{listener_name}=ON

He wrongly thought that this alone would prevent remote shutdown, as a poster informed him:

"admin_restrictions parameter does not prevent from remote shutdown.
It just prevents from modifying the listener.ora file with listener set command."


This parameter is still very useful. I added the following text to the thread:

"You should still set the ADMIN_RESTRICTIONS_{LISTENER_NAME} parameter as
it prevents listener settings being changed via the listener control
utility. You should also still set a listener password of course. If
listener parameters can be set remotely (or even from inside an
organisation) then it can be possible to use listener commands to hack
the server it runs on. Remember that there are no password management
features for the listener password so the password can be brute forced
so setting ADMIN_RESTRICTIONS provides a valid extra defence.

Set both this parameter and the password."


This is a very useful parameter for security, as it prevents changes to the listener configuration with the listener control utility. This parameter should be set, as should a password.
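
One way to check both settings for every listener defined in a listener.ora file, as an added example that is not part of the original post or the newsgroup thread. The sample file is constructed, the function names are hypothetical, and PASSWORDS_{listener_name} is used as the listener.ora parameter that holds the listener password, which the post itself does not name.

```python
import re

# Constructed sample listener.ora: one listener lacks a password, the other lacks ADMIN_RESTRICTIONS.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON

LISTENER_APPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522)))
SID_LIST_LISTENER_APPS = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
PASSWORDS_LISTENER_APPS = (0123456789ABCDEF)
"""

def top_level_params(text):
    """Return {NAME: value} for assignments that start in column 0 outside any parentheses."""
    params, depth, key, buf = {}, 0, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:                                         # a new top-level parameter starts here
            key, buf = m.group(1).upper(), []
            params[key] = buf
            line = m.group(2)
        if key is not None:
            buf.append(line.strip())                  # indented lines continue the current value
        depth += line.count("(") - line.count(")")
    return {k: "".join(v) for k, v in params.items()}

def audit(text):
    """Map each listener name to its findings; an empty list means both controls are set."""
    p = top_level_params(text)
    # Assumption: a top-level entry whose value contains an (ADDRESS ...) clause defines a listener.
    listeners = [k for k, v in p.items() if re.search(r"\(\s*ADDRESS\b", v, re.I)]
    report = {}
    for name in listeners:
        findings = []
        if p.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() != "ON":
            findings.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
        if not p.get("PASSWORDS_" + name, "").strip("() "):
            findings.append("PASSWORDS_%s is not set" % name)
        report[name] = findings
    return report

if __name__ == "__main__":
    for listener, findings in audit(SAMPLE).items():
        print(listener, "->", findings or "OK")
```

The check reads only the file on disk, so a listener that was started before the file was edited still needs a reload for the settings to take effect.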