Mailinglist Archive: opensuse-security (274 mails)
| < Previous | Next > |
Re: [suse-oracle] Security Configuration - Oracle & Apache
- From: Barry Johnson <BarryJJ@xxxxxxxxxxxxx>
- Date: Wed, 20 Aug 2003 01:23:55 -0400
- Message-id: <200308200123.55951.BarryJJ@xxxxxxxxxxxxx>
On Tuesday 19 August 2003 18:50, c g wrote:
> ...
> 1. Oracle 9i 9.2.0.1.0 Enterprise Database (with networking to clients)
> 2. Oracle 9i 9.2.0.1.0 Database Client (with networking)
Be sure to use Oracle's Advanced Security option for the SQL*Net ... errr,
Net8 ... errr, 9i Net traffic. This is an Extra Cost Option. But without it
the Oracle traffic is a clear text protocol. If you don't believe me, feel
free to load up GPLed Ethereal and its TNS sniffing (TNS = Transparent
Network Substrate, the "technical" temr for Oracle's protocl) and let us know
what you see :-))
Something else you will discover is that Oracle's Listener port - 1521 by
default - is pretty benign. The client uses it to find the server and a data
base thereon. Then the server dynamically assigns a port# (above the magic
"1023" threshold) for that client's session and sends it back to the client.
The client then, in turn, calls back on that port# to establish its
connection with desired data base. This makes it difficult, for example, to
do much in the way of filtering with IPTables unless you try to do something
dynamically.
That port# will be shared with other clients if you are connection to a
Multi-Threaded Server (MTS) Dispatcher. And if you can identify that port#
through some other means (hint: nmap), then you could actually use a
connection descriptor that takes you directly to the Dispatcher, avoiding the
Listener altogether ... at least I was able to do that when I tried it on 8i!
For the other case, you could also try identifying someone else's Dedicated
Server port# and try connecting to that. Hopefully the results of that in 9i
are the same as what I found in 8i ;-)
Barry J.
> ...
> 1. Oracle 9i 9.2.0.1.0 Enterprise Database (with networking to clients)
> 2. Oracle 9i 9.2.0.1.0 Database Client (with networking)
Be sure to use Oracle's Advanced Security option for the SQL*Net ... errr,
Net8 ... errr, 9i Net traffic. This is an Extra Cost Option. But without it
the Oracle traffic is a clear text protocol. If you don't believe me, feel
free to load up GPLed Ethereal and its TNS sniffing (TNS = Transparent
Network Substrate, the "technical" temr for Oracle's protocl) and let us know
what you see :-))
Something else you will discover is that Oracle's Listener port - 1521 by
default - is pretty benign. The client uses it to find the server and a data
base thereon. Then the server dynamically assigns a port# (above the magic
"1023" threshold) for that client's session and sends it back to the client.
The client then, in turn, calls back on that port# to establish its
connection with desired data base. This makes it difficult, for example, to
do much in the way of filtering with IPTables unless you try to do something
dynamically.
That port# will be shared with other clients if you are connection to a
Multi-Threaded Server (MTS) Dispatcher. And if you can identify that port#
through some other means (hint: nmap), then you could actually use a
connection descriptor that takes you directly to the Dispatcher, avoiding the
Listener altogether ... at least I was able to do that when I tried it on 8i!
For the other case, you could also try identifying someone else's Dedicated
Server port# and try connecting to that. Hopefully the results of that in 9i
are the same as what I found in 8i ;-)
Barry J.
| < Previous | Next > |