Tuesday, September 05, 2006

TNS Security

I recently went through a semi-audit where the main focal point was TNS listener security. Although the TNS listener is more secure in Oracle 10g than in previous releases, it is still a good idea to implement some security measures to protect your database. Here are a few of the steps that I have taken to secure my TNS listeners:

1. Password Protect - This one is a given. You should always protect the listener with a password.

2. Listener.ora logging - I set logging on the listener so that each connection attempt is logged. This is a good way to see who is trying to access your database. The only issue with logging is that the log file keeps growing, so at some point you must create a new listener log, either by hand or with a scheduled job, or the file will become too large. Automating the log switch is easy, but remember that you need to stop the listener before you can alter the log file. On a Windows server, you can use a batch script similar to the following (the ping command just pauses the script for a few seconds, which gives the listener service a chance to stop):

change_log.bat:
@echo off
REM Stop the listener first; the log file cannot be renamed while the listener holds it open.
lsnrctl stop
REM Crude sleep of roughly 10 seconds so the listener service has time to stop.
ping -n 11 localhost >nul
echo Change log...
REM Build yymmdd from %date%; assumes the "ddd mm/dd/yyyy" format of a US-locale Windows server.
set yymmdd=%date:~12,2%%date:~4,2%%date:~7,2%
REM <listener log directory> is a placeholder for your listener log path; ren keeps the file in the same directory.
ren "<listener log directory>\listener.log" listener-%yymmdd%.log
lsnrctl start
lsnrctl reload

The above script simply renames your log file; when the listener is restarted, it creates a new log file. You may also wish to copy the archived log file to another location to free up some space in the TNS log directory.
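Rotating the log is only half the value of step 2; the other half is actually reading it. As an added example (not from the original post, and not an Oracle tool), the Python script below parses lines in the 10g listener.log layout, where fields are separated by " * " and the last field is the TNS return code, and summarises connection attempts per client host, failed connections, and any listener control commands such as stop or status. The log lines embedded in it are constructed samples; the hostnames, addresses and user names are made up.

```python
"""Summarise an Oracle listener.log: who connects, what fails, and who
issues listener control commands.

SAMPLE_LOG is a constructed imitation of the 10g listener.log layout
(fields separated by " * ", last field is the TNS return code); it was
not captured from a real server.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
05-SEP-2006 09:12:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus.exe)(HOST=WS01)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=3301)) * establish * orcl * 0
05-SEP-2006 09:12:44 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=toad.exe)(HOST=LAPTOP7)(USER=unknown))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=4411)) * establish * orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
05-SEP-2006 09:13:02 * status * 0
05-SEP-2006 09:13:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.99)(USER=unknown))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869824)) * stop * 1169
TNS-01169: The listener has not recognized the password
05-SEP-2006 09:14:10 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus.exe)(HOST=WS01)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=3302)) * establish * orcl * 0
"""

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")


def parse_listener_log(text):
    """Return a list of event dicts.

    A line starting with 'TNS-' is the error text for the event on the
    preceding line and is attached to that event rather than kept separate.
    """
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TNS-"):
            if events:
                events[-1]["error"] = line
            continue
        fields = line.split(" * ")
        if len(fields) < 3:
            continue  # banner or other non-event text; ignore
        try:
            rc = int(fields[-1])
        except ValueError:
            continue
        ev = {"time": fields[0], "rc": rc, "error": None}
        if len(fields) == 6:
            # Connection request: CONNECT_DATA, ADDRESS, action, service, rc.
            # The client's network address is the HOST inside ADDRESS.
            m = HOST_RE.search(fields[2])
            ev.update(kind="connect", host=m.group(1) if m else "?",
                      action=fields[3], service=fields[4])
        elif len(fields) == 3:
            # Listener control command issued locally: command, rc.
            ev.update(kind="admin", host="local", command=fields[1])
        else:
            # Listener control command whose CONNECT_DATA names the caller.
            m = HOST_RE.search(fields[1])
            ev.update(kind="admin", host=m.group(1) if m else "?",
                      command=fields[-2])
        events.append(ev)
    return events


def summarise(events):
    """Group events the way an auditor wants to see them."""
    connects = [e for e in events if e["kind"] == "connect"]
    admin = [e for e in events if e["kind"] == "admin"]
    return {
        "connections_by_host": Counter(e["host"] for e in connects),
        "failed_connections": [e for e in connects if e["rc"] != 0],
        "admin_attempts": admin,
        "failed_admin": [e for e in admin if e["rc"] != 0],
    }


if __name__ == "__main__":
    report = summarise(parse_listener_log(SAMPLE_LOG))
    print("connections per host:", dict(report["connections_by_host"]))
    for e in report["failed_connections"]:
        print("failed connect", e["time"], e["host"], e["rc"], e["error"])
    for e in report["admin_attempts"]:
        print("listener command", e["time"], e["host"], e["command"], e["rc"], e["error"])
```

Run it against a real file by replacing SAMPLE_LOG with the contents of a rotated listener-yymmdd.log. A non-zero return code on a command event, such as the TNS-01169 password failure in the sample, is exactly the kind of line that justifies step 1; a burst of failed connects from one host is worth a closer look even when the listener itself is behaving.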

3. Use the ADMIN_RESTRICTIONS_listener-name=ON listener.ora parameter. This will disable any remote LSNRCTL access.
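To show how steps 1 to 3 fit together in one file, here is an added example listener.ora for a listener named LISTENER. It is not the post's own configuration; the hostname, port and log directory are placeholders, and the PASSWORDS_LISTENER line is shown only to mark where lsnrctl writes the encrypted password, not as a value to type in.

```text
# listener.ora (added example; host, port and paths are placeholders)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )

# Step 1 - password. Do not put a clear-text value here. Run lsnrctl,
# then CHANGE_PASSWORD followed by SAVE_CONFIG; the listener writes the
# entry below itself, in encrypted form.
PASSWORDS_LISTENER = <written by SAVE_CONFIG>

# Step 2 - logging. One line per connection attempt and per control command.
LOG_DIRECTORY_LISTENER = <ORACLE_HOME>\network\log
LOG_FILE_LISTENER = listener.log
LOGGING_LISTENER = ON

# Step 3 - no runtime SET commands, local or remote. Any change now has to
# be made in this file and picked up with lsnrctl RELOAD.
ADMIN_RESTRICTIONS_LISTENER = ON
```

Two points worth knowing when you combine these settings. First, ADMIN_RESTRICTIONS blocks the SET family of commands (including SET LOG_FILE and SET LOG_STATUS) but not RELOAD, STOP or START, which is why the rename-on-stop script above still works and why switching the log name at runtime does not. Second, in 10g the listener also honours LOCAL_OS_AUTHENTICATION_listener-name, which defaults to ON: a local OS user in the listener owner's group is not prompted for the password, while remote callers are. That is what lets a scheduled batch job run lsnrctl stop without an interactive password, and it means the password mainly protects against remote administration, so the server's OS accounts still matter.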

Hopefully, with these settings in place alongside the server's own security, the Oracle database TNS listener should be secure.

If anyone has another means of protecting the TNS listener which should be used by default, please let me know. I am always looking for better ways to secure Oracle.
