读书人
栏目

怎么禁止特定IP访问Oracle数据库

发布时间: 2012-09-02 21:00:34 作者: rapoo

如何禁止特定IP访问Oracle数据库

  通过使用数据库服务器端的sqlnet.ora文件可以实现禁止指定IP主机访问数据库的功能,这对于提升数据库的安全性有很大的帮助,与此同时,这个技术为我们管理和约束数据库访问控制提供了有效的手段。下面是实现这个目的的具体步骤仅供参考:

  1.默认的服务器端sqlnet.ora文件的内容:

  这里我们以Oracle10.2.0.3版本为例进行简述,先来看一下当前sqlnet.ora文件内容:

?

  #?This?file?is?actually?generated?by?netca.?But?if?customers?choose?to?
  #?install?"Software?Only",?this?file?wont?exist?and?without?the?native?
  #?authentication,?they?will?not?be?able?to?connect?to?the?database?on?NT.?
  SQLNET.AUTHENTICATION_SERVICES?=?(NTS)

?

  2.确认客户端的IP地址:

?

  C:\Documents?and?Settings\Administrator>ipconfig?
  WindowsIP?Configuration?
  Ethernet?adapter?Local?Area?Connection?2:?
  Media?State?.?.?.?.?.?.?.?.?.?.?.?:?Media?disconnected?
  Ethernet?adapter?Local?Area?Connection:?
  Connection-specific?DNS?Suffix?.?:?
  IP?Address.?.?.?.?.?.?.?.?.?.?.?.?:?9.123.112.16?
  Subnet?Mask?.?.?.?.?.?.?.?.?.?.?.?:?255.255.255.0?
  Default?Gateway?.?.?.?.?.?.?.?.?.?:?9.123.112.1

?

  3.在客户端分别使用tnsping命令和sqlplus命令来验证数据库的连通性:

?

?  C:\Documents?and?Settings\Administrator>tnsping?irmdb?
  TNS?Ping?Utility?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?on?06-APR-2010?11:05:09?
  Copyright?(c)?1997,?2006,?Oracle.?All?rights?reserved.?
  Used?parameter?files:?
  C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora?
  Used?TNSNAMES?adapter?to?resolve?the?alias?
  Attempting?to?contact?(DESCRIPTION?=?(ADDRESS_LIST?=?(ADDRESS?=?(PROTOCOL?=?TCP)?
  (HOST?=?9.123.112.34)(PORT?=?1521)))?(CONNECT_DATA?=?(SERVICE_NAME?=?irmdb)))
  OK?(20?msec)?
  C:\Documents?and?Settings\Administrator>sqlplus?/nolog?
  SQL*Plus:?Release?10.2.0.3.0?-?Production?on?Tue?Apr?6?11:05:12?2010?
  Copyright?(c)?1982,?2006,?Oracle.?All?Rights?Reserved.?
  Connected.

?

  到这里说明在客户端两种方式都证明的数据库的可连通性。

  4.限制客户端IP地址9.123.112.16对当前irmdb数据库的访问:

  我们只需要在服务器端的sqlnet.ora文件中添加下面的内容即可。

?

  #?This?file?is?actually?generated?by?netca.?But?if?customers?choose?to?
  #?install?"Software?Only",?this?file?wont?exist?and?without?the?native?
  #?authentication,?they?will?not?be?able?to?connect?to?the?database?on?NT.?
  SQLNET.AUTHENTICATION_SERVICES?=?(NTS)?
  tcp.validnode_checking=yes?
  tcp.invited_nodes=(9.123.112.34)?
  tcp.excluded_nodes=(9.123.112.16)

?

  第一行的含义:开启IP限制功能;

  第二行的含义:允许访问数据库的IP地址列表,多个IP地址使用逗号分开,此例中我们写入数据库服务器的IP地址;

  第三行的含义:禁止访问数据库的IP地址列表,多个IP地址使用逗号分开,此处我们写入欲限制的IP地址9.123.112.16。

  5.重新启服务器端listener后生效(这里也可以通过lsnrctl reload方式实现):

?

  C:\Documents?and?Settings\Administrator>lsnrctl?stop?
  LSNRCTL?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?on?06-APR-2010?11:07:48
  Copyright?(c)?1991,?2006,?Oracle.?All?rights?reserved.?
  Connecting?to?(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR?
  T=1521)))?
  The?command?completed?successfully?
  C:\Documents?and?Settings\Administrator>lsnrctl?start?
  LSNRCTL?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?on?06-APR-2010?11:07:52
  Copyright?(c)?1991,?2006,?Oracle.?All?rights?reserved.?
  Starting?tnslsnr:?please?wait...?
  TNSLSNR?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?
  System?parameter?file?is?C:\oracle\product\10.2.0\db_1\network\admin\listener.ora?
  Log?messages?written?to?C:\oracle\product\10.2.0\db_1\network\log\listener.log?
  Listening?on:?(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(POR?
  T=1521)))?
  Connecting?to?(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(POR?
  T=1521)))?
  STATUS?of?the?LISTENER?
  ------------------------?
  Alias?LISTENER?
  Version?TNSLSNR?for?32-bit?Windows:?Version?10.2.0.3.0?-?Produ?
  ction?
  Start?Date?06-APR-2010?11:07:53?
  Uptime?0?days?0?hr.?0?min.?2?sec?
  Trace?Level?off?
  Security?ON:?Local?OS?Authentication?
  SNMP?OFF?
  Listener?Parameter?File?C:\oracle\product\10.2.0\db_1\network\admin\listener.o?
  ra?
  Listener?Log?File?C:\oracle\product\10.2.0\db_1\network\log\listener.log?
  Listening?Endpoints?Summary...?
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))?
  Services?Summary...?
  Service?"PLSExtProc"?has?1?instance(s).?
  Instance?"PLSExtProc",?status?UNKNOWN,?has?1?handler(s)?for?this?service...?
  The?command?completed?successfully?
  C:\Documents?and?Settings\Administrator>sqlplus?/nolog?
  SQL*Plus:?Release?10.2.0.3.0?-?Production?on?Tue?Apr?6?11:07:57?2010?
  Copyright?(c)?1982,?2006,?Oracle.?All?Rights?Reserved.?
  SQL>?conn?/?as?sysdba;?
  Connected.?
  SQL>?alter?system?register;?
  System?altered.?
  SQL>?quit?
  Disconnected?from?Oracle?Database?10g?Enterprise?Edition?Release?10.2.0.3.0?-?Pr?
  oduction?
  With?the?Partitioning,?OLAP?and?Data?Mining?options?
  C:\Documents?and?Settings\Administrator>lsnrctl?status?
  LSNRCTL?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?on?06-APR-2010?11:08:05
  Copyright?(c)?1991,?2006,?Oracle.?All?rights?reserved.?
  Connecting?to?(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))?
  STATUS?of?the?LISTENER?
  ------------------------?
  Alias?LISTENER?
  Version?TNSLSNR?for?32-bit?Windows:?Version?10.2.0.3.0?-?Produ?
  ction?
  Start?Date?06-APR-2010?11:07:53?
  Uptime?0?days?0?hr.?0?min.?12?sec?
  Trace?Level?off?
  Security?ON:?Local?OS?Authentication?
  SNMP?OFF?
  Listener?Parameter?File?C:\oracle\product\10.2.0\db_1\network\admin\listener.ora?
  Listener?Log?File?C:\oracle\product\10.2.0\db_1\network\log\listener.log?
  Listening?Endpoints?Summary...?
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rmesvr34.cn.ibm.com)(PORT=1521)))?
  Services?Summary...?
  Service?"PLSExtProc"?has?1?instance(s).?
  Instance?"PLSExtProc",?status?UNKNOWN,?has?1?handler(s)?for?this?service...?
  Service?"irmdb"?has?1?instance(s).?
  Instance?"irmdb",?status?READY,?has?1?handler(s)?for?this?service...?
  Service?"irmdb_XPT"?has?1?instance(s).?
  Instance?"irmdb",?status?READY,?has?1?handler(s)?for?this?service...?
  The?command?completed?successfully

?

  6.在客户端(9.123.112.16)分别再次使用tnsping命令和sqlplus命令来验证数据库的连通性:

?

  C:\Documents?and?Settings\Administrator>tnsping?irmdb?
  TNS?Ping?Utility?for?32-bit?Windows:?Version?10.2.0.3.0?-?Production?on?06-APR-2010?11:09:20?
  Copyright?(c)?1997,?2006,?Oracle.?All?rights?reserved.?
  Used?parameter?files:?
  C:\oracle\product\10.2.0\db_1\network\admin\sqlnet.ora?
  Used?TNSNAMES?adapter?to?resolve?the?alias?
  Attempting?to?contact?(DESCRIPTION?=?(ADDRESS_LIST?=?(ADDRESS?=?(PROTOCOL?=?TCP)?
  (HOST?=?9.123.112.34)(PORT?=?1521)))?(CONNECT_DATA?=?(SERVICE_NAME?=?irmdb)))
  TNS-12537:?TNS:connection?closed?
  C:\Documents?and?Settings\Administrator>sqlplus?/nolog?
  SQL*Plus:?Release?10.2.0.3.0?-?Production?on?Tue?Apr?6?11:09:23?2010?
  Copyright?(c)?1982,?2006,?Oracle.?All?Rights?Reserved.?
  ERROR:?
  ORA-12537:?TNS:connection?closed

?

  到这里我们就可以证明,通过修改sqlnet.ora的方法,我们实现了限制指定机器IP访问数据库的功能。

  最后需要特别注意的是tcp.invited_nodes允许列表的优先级要高于tcp.excluded_nodes受限IP列表。也就是说如果同一个IP地址如果同时出现在两个列表里的话,那么这个IP地址还是可以访问对应的数据库的。

读书人网 >其他数据库

热点推荐

触屏版 | 电脑版

读书人网 m.reader8.net