Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "New Online Oracle Security PUBLIC Training Dates Including USA Time Zones"] [Next entry: "Oracle Security 12cR2 and Oracle Security Training Dates"]

Oracle 12cR2 Security - Listener Port



I downloaded Oracle 12cR2 from Oracle when it became available in March and installed a legacy SE2 database and also a single PDB multitenant database and started some investigations to discover and look at the new security features added in Oracle 12cR2 and also more importantly to investigate the subtle changes made to the database that affect Oracle security and also the bigger non-security changes added to Oracle 12cR2 that could have a security angle.

I have made a lot of notes and I will make some blog posts around some of the new security features / changes in 12cR2 as time allows. The last few weeks have been extremely busy due to client work, teaching training classes, product development on PFCLScan and also company year end so blogging has taken a back seat for a few weeks.

I wanted to make this first post on Oracle 12cR2 Security a simple and short one about the fact that when you install 12cR2 and choose to have a sample database the installer now did not choose by default the port 1521 for the listener and instead in my case it chose 1539 - well, at least in my case. This is not massively different from 1521 but it was nice to see that Oracle did not choose 1521 as its default. I checked with netstat and nothing else was using 1521 to force it to use 1539 instead. I did not find any documentation (yet) that states that Oracle use 1539 instead and a search of Google shows one post from 2016 where someone with 12.1 had Oracle change the port to 1539.

So I decided on Friday evening to try this again and installed a new Oracle Linux 7.3 VM and then installed Oracle 12cR2 SE2 database (My company is a Silver partner currently so we are limited to SE and SE2 at this time). I used the same settings as I did in March and chose defaults except to choose SE2 and also to choose non-CDB. Everything ran correctly except the necta failed and I looked at the logs and it claimed that port 1521 was in use - This was not true and I checked with netstat. So i clicked try again and it succeeded so the choice of port 1521 / 1539 could be related to the fact that necta failed and not a better security setting. The install in March did not fail in nectar and 1539 was also used as i noted it but have now deleted the VM so cannot look further into the install logs.

After the installation completed the listener is not running:

No Listener running after 12cR2 install


Then I changed the current_listener to LISTENER and then started the listener BUT no services; this is to be expected as the auto registration works only in 1521. Here is the listener running but no services:

No Listener services after start of listener


The listener is up and running so lets add the local_listener database parameter and then register the services and see what happens:

Add the local_listener


Finally we can now get into the database via the listener:

The listener has services


In summary, its a good thing that Oracle chose a non 1521 port for my listener; whether its intended as a new security feature I am not yet certain as I need to install the database software again as there is no evidence that i can find that this is normal as the installer said necta failed and then allowed me to try again. Irrespective of this you should not run your database on 1521 as its not just a known default but some things work because of 1521; i.e. alter system register; or connect to the listener and not set the current_listener if the listener is running on port 1521.

As an aside the default port of 5500 for the database manager website is still used and the XDB service is also still enabled by default in 12cR2!!

Changing the port will not stop any determined person as a port scanner would find the database listener anyway but its a default and defaults sometimes make it easier for a script kiddie type attacker who doesn't "know"