Oracle Security and Auditing - Part 1: Securing Listener through a Password

by Arup Nanda

The Oracle listener is an indispensable component of the Oracle network architecture, and it is the target of the majority of hacker attacks. Most attacks on the listener start either by passing it a malicious command to be executed in the operating system or by modifying the listener settings. The former is handled by applying the security patches recommended in Oracle's security alerts. The latter can be handled by securing the listener itself with a strong password. In part one of this series, you will learn how to secure the listener effectively using the simple mechanism of a password, along with the related issues and their solutions.

Setting the Password

Setting a password for the listener is the minimum security you should maintain for it. By default it has no password, and many DBAs simply never create one. Part of the reason is the perceived complexity of specifying and using a password. This lesson will hopefully dispel that myth.

Most of the listener's settings can be changed from the command line, at the LSNRCTL prompt. Hackers use this to pass a damaging command. For instance, a hacker may send the command STOP to stop the listener process. This does not damage the database itself, but every client connection attempted after that operation will fail, exactly as in a Denial of Service attack. This is as bad as the database being down.

Another tactic hackers employ is the SERVICES command, which shows all the relevant information about the process: the database services it is listening for, the status of these services, and so on. This information may be useful for launching future attacks and should be seen only by authorized personnel.

Both of these potential vulnerabilities can be resolved simply by setting a password for the listener. If a password is set, you must supply the correct password for any command other than START, STATUS and HELP.

When the listener is first created, there is no password. The password is set with the following command at the LSNRCTL prompt:

LSNRCTL> change_password

This prompts for the old and new passwords; as you type them, they are not displayed on the screen. When the listener is initially created, the password is unset (null), so just press the return key when prompted for the old password.

Once the password is changed, you have to supply it before doing any administrative work such as changing a parameter or stopping the listener. The password is supplied with the command SET PASSWORD <password>. For instance, to stop the listener, you would use the following commands in the LSNRCTL utility, assuming the password is t0p53cr3t:

LSNRCTL> set password
Password: Enter t0p53cr3t here; it will not be displayed.
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=PROLIGENCE1)
(PORT=1521)))
The command completed successfully
LSNRCTL>

This makes the hacker's work impossible unless the password is known.

The password feature in listener control is a little cumbersome to understand. In this section, we will explain some of its idiosyncrasies and how to resolve them.

Entering Passwords

The password can be set either with the command CHANGE_PASSWORD or through a parameter in the listener.ora file. We saw how to do it with the command earlier. If the password is changed that way, it should not also be specified in the listener.ora file, and it is not displayed anywhere. When supplying the password in the listener control utility, you must enter it at the password prompt as shown above. You cannot specify the password on one line as shown below:

LSNRCTL> set password t0p53cr3t
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
TNS-01169: The listener has not recognized the password
LSNRCTL>

The password has to be entered at the prompt, as follows:

LSNRCTL> set password
Password: Enter t0p53cr3t here; it will not be displayed.
The command completed successfully
LSNRCTL> stop

The other method of setting the password is through the parameter file. In the file listener.ora, place the following line:

passwords_listener = t0p53cr3t

To specify passwords for other listeners, append the listener name to the word passwords as above; for example

passwords_listener1 = t0p53cr3t

sets the password for listener1. When the password is set this way, it must be supplied on one line, such as:

LSNRCTL> set password t0p53cr3t

The other method, getting a prompt and entering the password without it being displayed, will not work.

However, when the password is explicitly specified in the parameter file, an attempt to change it will never succeed:

LSNRCTL> set password manager1
The command completed successfully
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DBDEV1)
(PORT=1526)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DBDEV1)
(PORT=1526)))
TNS-01169: The listener has not recognized the password
LSNRCTL>

Regardless of how you enter the password, on a single line or at the prompt, the change will not succeed. To change the password, you have to remove the passwords_listener line from the file listener.ora and then change the password.

Encrypted Passwords

The other option for specifying the listener's password is to record it in encrypted form in the parameter file. This is done by having the listener record its configuration changes automatically in the parameter file, as described below:

LSNRCTL> set save_config_on_stop on
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
LISTENER parameter "save_config_on_stop" set to ON
The command completed successfully
LSNRCTL> set password t0p53cr3t
The command completed successfully
LSNRCTL>

These commands instruct the listener to save its configuration to the parameter file when it is stopped, as specified by the command set save_config_on_stop on. This places the following lines in the file listener.ora:

#----ADDED BY TNSLSNR 05-JUL-2003 00:12:48---
SAVE_CONFIG_ON_STOP_LISTENER = ON
#--------------------------------------------

#----ADDED BY TNSLSNR 05-JUL-2003 00:13:49---
PASSWORDS_LISTENER = 8D5438362F7F2951
#--------------------------------------------

Note how the password has been recorded in the file, but in encrypted form.

In this setup, where the encrypted password is present in the parameter file, setting a password behaves exactly as in the case where no password is specified in the parameter file: you enter it at the prompt, not on one line.

Similarly, you can change the password with the change_password command; there is no need to remove the line from the parameter file first.

How to Check If the Password is Set

From the listener control prompt, issue the command STATUS. If the Security setting is shown as ON, then a password is set for the listener. This is shown below; the relevant line is the Security entry in the output.

LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ANANDA)(
PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
Start Date                05-JUL-2003 15:23:19
Uptime                    0 days 6 hr. 24 min. 56 sec
Trace Level               off
Security                  ON
SNMP                      OFF
Listener Parameter File   d:\ora9\network\admin\listener.ora
Listener Log File         d:\ora9\network\log\listener.log
Services Summary...
  ANANDA                has 1 service handler(s)
  ANANDA                has 2 service handler(s)
  ANANDA                has 2 service handler(s)
The command completed successfully
LSNRCTL>
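The checks described in the Encrypted Passwords section and in this one can be scripted for a routine audit. The following is an added example written for this article, not the author's or Oracle's own tooling: it classifies the PASSWORDS_<listener> entry in a listener.ora as absent, cleartext or encrypted, and reads the Security line from saved lsnrctl status output. It assumes the encrypted form is a 16-digit hexadecimal string, as in the sample above (a heuristic: a cleartext password that happens to have that shape would be misreported).

```shell
#!/bin/sh
# Added audit helper (not from the original article).
# Assumption: the encrypted value written by SAVE_CONFIG_ON_STOP is 16 hex
# digits, matching the article's sample 8D5438362F7F2951.

# Usage: listener_password_state <listener.ora> <listener name>
# Prints one of: none, cleartext, encrypted
listener_password_state() {
    ora_file=$1; name=$2
    # Match "passwords_<name> = value" case-insensitively; comment lines start
    # with '#' and therefore never match the anchored pattern.
    value=$(grep -i "^[[:space:]]*passwords_${name}[[:space:]]*=" "$ora_file" \
            | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo none
    elif printf '%s\n' "$value" | grep -Eq '^[0-9A-Fa-f]{16}$'; then
        echo encrypted
    else
        echo cleartext
    fi
}

# Usage: listener_security_setting <file holding "lsnrctl status" output>
# Prints the value of the Security line (ON or OFF).
listener_security_setting() {
    sed -n 's/^Security[[:space:]]*//p' "$1" | head -n 1
}

# Constructed sample inputs so the script runs stand-alone.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/listener.ora" <<'EOF'
# constructed sample listener.ora
passwords_listener1 = t0p53cr3t
#----ADDED BY TNSLSNR 05-JUL-2003 00:13:49---
PASSWORDS_LISTENER = 8D5438362F7F2951
#--------------------------------------------
EOF
cat > "$tmpdir/status.txt" <<'EOF'
Trace Level               off
Security                  ON
SNMP                      OFF
EOF

listener_password_state "$tmpdir/listener.ora" listener     # prints encrypted
listener_password_state "$tmpdir/listener.ora" listener1    # prints cleartext
listener_password_state "$tmpdir/listener.ora" listener2    # prints none
listener_security_setting "$tmpdir/status.txt"              # prints ON
```

On a real system, point the first function at $ORACLE_HOME/network/admin/listener.ora and feed the second the output of lsnrctl status; a cleartext result or Security OFF is the finding to act on.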

--

Arup Nanda is the recipient of the coveted DBA of the Year 2003 award by Oracle. This award is among the most highly respected in the database industry, and each year only one of more than a quarter million Oracle professionals is honored with this distinction. A decade of experience as a DBA has made Arup an expert in many Oracle areas including Oracle Design, Security, Performance Tuning and Backup & Recovery. He is the President of Proligence, a New York area-based company providing specialized Oracle services.


Contributors : Arup Nanda
Last modified 2006-01-05 10:29 AM