Securing Oracle Listener
When an Oracle database is deployed on an internet-facing host, you can use Oracle's built-in valid node checking to restrict the listener to a list of known client addresses. In this case I didn't want to set up complex firewall rules or use an SSH tunnel.
Add the following settings to $TNS_ADMIN/sqlnet.ora on the database host (the listener reads this file, not only clients) and list all allowed IPs in tcp.invited_nodes. tcp.nodelay only disables Nagle buffering and is unrelated to access control; the two lines below it are the relevant ones. The addresses here are placeholders (octets above 255 are not valid), real entries must be valid IPv4 addresses or resolvable host names, and 127.0.0.1 has to stay on the list so that local TCP clients are still admitted:

tcp.nodelay = yes
tcp.validnode_checking = yes
tcp.invited_nodes = (127.0.0.1, 123.45.167.289, 123.45.167.290)
Restart the listener:
oracle:~ $ lsnrctl stop && lsnrctl start
Valid node checking works above the socket layer: the listener still binds port 1521 on the public address, completes the TCP handshake with any peer and only then closes connections from addresses that are not invited. netstat therefore still shows the listener open to any source:
root:~ # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 123.45.167.289:1521     0.0.0.0:*               LISTEN      1001       18401      5319/tnslsnr
tcp        0      0 123.45.167.289:22       0.0.0.0:*               LISTEN      0          6881       3316/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          7049       3403/master
udp6       0      0 ::1:23824               :::*                                1001       18904      5503/ora_pmon_RCAT
udp6       0      0 :::27665                :::*                                1001       20679      5531/ora_mmon_RCAT
udp6       0      0 :::47978                :::*                                1001       21789      5751/ora_mmon_AOC
udp6       0      0 ::1:23157               :::*                                1001       20226      5722/ora_pmon_AOC
The pmon and mmon background processes also open UDP sockets, and these are outside the listener's valid node checking. The pmon sockets bound to ::1 are reachable only from the host itself, but the mmon sockets bound to ::: listen on every interface. To protect them I use a simple ip6tables rule that drops UDP packets received on the outside interface eth0:

root:~ # ip6tables -A INPUT -i eth0 -p udp -j DROP
root:~ # ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp      eth0   *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Three caveats before copying this rule. A blanket UDP drop with no conntrack exception also discards replies to the host's own outgoing IPv6 UDP traffic (DNS and NTP, if they run over IPv6), so accept ESTABLISHED,RELATED ahead of it or match the drop on the ports you actually want closed. On Linux a socket bound to :: also receives IPv4 traffic unless net.ipv6.bindv6only=1, and IPv4 packets are filtered by iptables, not ip6tables, so the same rule is needed on the IPv4 side. Finally, rules added this way are gone after a reboot unless saved with the distribution's persistence mechanism.
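To check both halves of the setup above without touching a live system, here is a small audit script. It is an added example, not code from the original post: audit_sqlnet() validates a sqlnet.ora fragment (valid node checking on, a usable invited list, syntactically valid IPv4 entries, a loopback entry kept) and exposed_sockets() reads netstat -tulpen output and lists every socket reachable from outside the host, calling out wildcard IPv6 binds that also receive IPv4. The two sample inputs are constructed (the addresses are the placeholders used in the post), and the script uses only sh and awk.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the two artefacts the
# procedure relies on. Sample inputs below are constructed; the addresses are
# the placeholder values from the post, re-entered here.

SQLNET_SAMPLE='tcp.nodelay = yes
tcp.validnode_checking = yes
tcp.invited_nodes = (127.0.0.1, 123.45.167.289, 123.45.167.290)'

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 123.45.167.289:1521     0.0.0.0:*               LISTEN      1001       18401      5319/tnslsnr
tcp        0      0 123.45.167.289:22       0.0.0.0:*               LISTEN      0          6881       3316/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          7049       3403/master
udp6       0      0 ::1:23824               :::*                                1001       18904      5503/ora_pmon_RCAT
udp6       0      0 :::27665                :::*                                1001       20679      5531/ora_mmon_RCAT
udp6       0      0 :::47978                :::*                                1001       21789      5751/ora_mmon_AOC
udp6       0      0 ::1:23157               :::*                                1001       20226      5722/ora_pmon_AOC'

# audit_sqlnet "<sqlnet.ora text>": prints one line per problem and returns
# non-zero if any was found. Checks: validnode checking is on, an invited or
# excluded list exists, every numeric entry is a real IPv4 address, and the
# invited list keeps a loopback entry so local TCP clients are not locked out.
audit_sqlnet() {
    printf '%s\n' "$1" | awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function valid_ipv4(a,   p, n, i) {
        n = split(a, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ { next }                      # comment line
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "tcp.validnode_checking") checking = tolower(val)
        if (key == "tcp.invited_nodes")      invited  = val
        if (key == "tcp.excluded_nodes")     excluded = val
    }
    END {
        bad = 0
        if (checking != "yes") { print "tcp.validnode_checking is not yes"; bad++ }
        if (invited == "" && excluded == "") { print "neither tcp.invited_nodes nor tcp.excluded_nodes is set"; bad++ }
        gsub(/[()]/, "", invited)
        n = split(invited, node, ",")
        loop = 0
        for (i = 1; i <= n; i++) {
            node[i] = trim(node[i])
            if (node[i] == "127.0.0.1" || node[i] == "::1" || node[i] == "localhost") loop = 1
            if (node[i] ~ /^[0-9.]+$/ && !valid_ipv4(node[i])) { print "invalid IPv4 address: " node[i]; bad++ }
        }
        if (invited != "" && !loop) { print "tcp.invited_nodes has no loopback entry; local TCP clients will be rejected"; bad++ }
        exit (bad > 0)
    }'
}

# exposed_sockets "<netstat -tulpen output>": prints proto, local address,
# program and why it is reachable, for every listening socket not bound to
# loopback. A wildcard IPv6 bind (::) is called out because on Linux it also
# receives IPv4 traffic unless net.ipv6.bindv6only=1, and that traffic is
# filtered by iptables rather than ip6tables.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
    $1 !~ /^(tcp|udp)6?$/ { next }           # skip header lines and prompts
    {
        laddr = $4
        addr = substr(laddr, 1, match(laddr, /:[0-9]+$/) - 1)   # strip the port
        if (addr ~ /^127\./ || addr == "::1") next
        if (addr == "0.0.0.0")    why = "all IPv4 interfaces"
        else if (addr == "::")    why = "all interfaces, dual-stack (IPv4 too unless bindv6only=1)"
        else                      why = "public address"
        print $1, laddr, $NF, why
    }'
}

echo "== sqlnet.ora audit =="
audit_sqlnet "$SQLNET_SAMPLE" || echo "(problems found)"
echo "== sockets reachable from outside =="
exposed_sockets "$NETSTAT_SAMPLE"
```

Run as-is, the sqlnet.ora audit flags the two placeholder addresses, and the socket report lists the listener, sshd and the two mmon sockets bound to :::, while the Postfix master and pmon sockets on loopback are omitted. Feed it the real files with audit_sqlnet "$(cat $TNS_ADMIN/sqlnet.ora)" and exposed_sockets "$(netstat -tulpen)".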
