Security Configuration - Oracle & Apache

I will be installing several systems with i386 SUSE Linux 8.2. I would like to install the systems in as secure a fashion as possible. I was thinking this would be done by installing the systems with only the necessary services required for their mission operation. I have 3 configurations I would like to manage (all with the graphics packages installed):

1. Oracle 9i 9.2.0.1.0 Enterprise Database (with networking to clients)
2. Oracle 9i 9.2.0.1.0 Database Client (with networking)
3. Apache (plus PHP4, SSL, and SHTTP)

My worry is that in reducing services I might remove a package from that set that is essential to the function of a configuration (i.e. the removal of "cron" or another service that Oracle may need to perform its activities). What better place to ask than a SUSE SECURITY/ORACLE user group, eh...

I guess what I'm asking for is a separate list of installed rpms for each configuration that would yield as high a security level as possible under i386 SUSE Linux 8.2. I figure the Oracle Server and client might be pretty much the same.

THANKS for any help you might offer on the topic and related issues.

Sg

also... PLEASE throw in any comments you might have about the use of APACHE 1.3.x vs. 2.x

(this message has been posted to both the Security and Oracle mailings)

On Tuesday 19 August 2003 18:50, c g wrote:
... 1. Oracle 9i 9.2.0.1.0 Enterprise Database (with networking to clients) 2. Oracle 9i 9.2.0.1.0 Database Client (with networking)
Be sure to use Oracle's Advanced Security option for the SQL*Net ... errr, Net8 ... errr, 9i Net traffic. This is an Extra Cost Option. But without it the Oracle traffic is a clear text protocol. If you don't believe me, feel free to load up GPLed Ethereal and its TNS sniffing (TNS = Transparent Network Substrate, the "technical" term for Oracle's protocol) and let us know what you see :-))

Something else you will discover is that Oracle's Listener port - 1521 by default - is pretty benign. The client uses it to find the server and a database thereon. Then the server dynamically assigns a port# (above the magic "1023" threshold) for that client's session and sends it back to the client. The client then, in turn, calls back on that port# to establish its connection with the desired database. This makes it difficult, for example, to do much in the way of filtering with IPTables unless you try to do something dynamically.

That port# will be shared with other clients if you are connecting to a Multi-Threaded Server (MTS) Dispatcher. And if you can identify that port# through some other means (hint: nmap), then you could actually use a connection descriptor that takes you directly to the Dispatcher, avoiding the Listener altogether ... at least I was able to do that when I tried it on 8i! For the other case, you could also try identifying someone else's Dedicated Server port# and try connecting to that. Hopefully the results of that in 9i are the same as what I found in 8i ;-)

Barry J.
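The two points in the reply above (the connect descriptor travels in clear text, and the Listener hands the client a second, dynamically chosen port that a static packet filter cannot know in advance) can be seen by decoding the TNS framing the way a sniffer does. The following is an added example written for this page, not code from the thread, from Oracle or from Ethereal. It assumes the commonly documented TNS layout (8-byte header: length, packet checksum, type, flags, header checksum; CONNECT carries the descriptor length/offset at packet bytes 24..27; REDIRECT carries a 2-byte length followed by an `(ADDRESS=...)` string). Every packet, host address and port below is constructed in the script, not captured from a real server, and the `RedirectTracker` class is a hypothetical stand-in for the "something dynamic" a filter would have to do: it only lets a client reach a high port after it has seen the Listener redirect that client there.

```python
"""Decode TNS CONNECT/REDIRECT packets and track redirected ports (added example)."""
import re
import struct

# TNS packet types decoded by this example (assumed, commonly documented values).
TNS_CONNECT = 1
TNS_REDIRECT = 5

LISTENER_PORT = 1521
CONNECT_DATA_OFFSET = 58  # 8-byte header + 50 bytes of fixed CONNECT fields (assumed layout)


def build_connect(descriptor: str) -> bytes:
    """Construct a CONNECT packet carrying the given connect descriptor (sample data)."""
    data = descriptor.encode("ascii")
    fixed = struct.pack(
        ">HHHHHHHHHHI",
        0x0138, 0x012C,           # protocol version, lowest compatible version
        0x0000, 2048, 32767,      # service options, SDU, TDU
        0x4F98, 0x0000, 0x0001,   # NT protocol characteristics, max packets, "1 in hardware"
        len(data), CONNECT_DATA_OFFSET, 0x0800,  # connect data length, offset, max receivable
    )
    fixed += b"\x00" * (CONNECT_DATA_OFFSET - 8 - len(fixed))  # flags, trace ids, padding
    body = fixed + data
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_CONNECT, 0, 0) + body


def build_redirect(address: str) -> bytes:
    """Construct the REDIRECT the Listener sends to hand the client its session port."""
    data = address.encode("ascii")
    body = struct.pack(">H", len(data)) + data
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REDIRECT, 0, 0) + body


def parse_tns(packet: bytes) -> dict:
    """Decode the 8-byte TNS header plus the payload of CONNECT and REDIRECT packets."""
    if len(packet) < 8:
        raise ValueError("short packet")
    length, _chk, ptype, _flags, _hchk = struct.unpack(">HHBBH", packet[:8])
    if length != len(packet):
        raise ValueError("TNS length field does not match packet size")
    info = {"type": ptype}
    if ptype == TNS_CONNECT:
        cd_len, cd_off = struct.unpack(">HH", packet[24:28])
        # Nothing protects this: service name, program, OS user are readable as-is.
        info["connect_data"] = packet[cd_off:cd_off + cd_len].decode("ascii", "replace")
    elif ptype == TNS_REDIRECT:
        (rd_len,) = struct.unpack(">H", packet[8:10])
        info["redirect_data"] = packet[10:10 + rd_len].decode("ascii", "replace")
    return info


def address_of(descriptor: str):
    """Return (host, port) from an (ADDRESS=...) or (DESCRIPTION=...) string."""
    host = re.search(r"\(HOST=([^)]+)\)", descriptor)
    port = re.search(r"\(PORT=(\d+)\)", descriptor)
    if not host or not port:
        raise ValueError("no HOST/PORT in descriptor")
    return host.group(1), int(port.group(1))


class RedirectTracker:
    """Hypothetical dynamic filter: permit a high port only after a REDIRECT named it."""

    def __init__(self):
        self.allowed = set()  # (client_ip, server_ip, port)

    def observe_from_listener(self, server_ip: str, client_ip: str, packet: bytes):
        info = parse_tns(packet)
        if info["type"] == TNS_REDIRECT:
            host, port = address_of(info["redirect_data"])
            self.allowed.add((client_ip, host, port))

    def permit(self, client_ip: str, server_ip: str, port: int) -> bool:
        if port == LISTENER_PORT:
            return True  # the static rule a firewall can always carry
        return (client_ip, server_ip, port) in self.allowed


def demo():
    """One constructed session: CONNECT to the Listener, REDIRECT to a high port."""
    connect = build_connect(
        "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521))"
        "(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=scott))))"
    )
    redirect = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=33021))")
    seen = parse_tns(connect)["connect_data"]  # what a sniffer reads off the wire
    tracker = RedirectTracker()
    blocked_before = tracker.permit("10.0.0.7", "10.0.0.5", 33021)
    tracker.observe_from_listener("10.0.0.5", "10.0.0.7", redirect)
    allowed_after = tracker.permit("10.0.0.7", "10.0.0.5", 33021)
    return seen, blocked_before, allowed_after


if __name__ == "__main__":
    descriptor, before, after = demo()
    print("clear-text connect data:", descriptor)
    print("port 33021 permitted before redirect:", before, "after:", after)
```

Run it as-is to see the descriptor printed in full and the high port go from denied to permitted only once the redirect has been observed; without Advanced Security the same `(USER=...)` and `(SERVICE_NAME=...)` fields, and every SQL statement in the DATA packets that follow, are just as readable on a real capture.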
Participants (2): Barry Johnson, c g