Now comes the fun part: keeping people out of your database! While IP-based blocking is not as suitable as a full firewall, you are able to block clients based on their IP address or hostname.
The secret lies in the SQLNET.ORA file. This file can be found in your $ORACLE_HOME/network/admin directory along with your tnsnames.ora and listener.ora. Open it up and insert the following line:
tcp.validnode_checking = yes
This turns on the hostname/IP checking for your listeners. After this, you can supply lists of nodes to enable/disable, as such:
tcp.invited_nodes = (hostname1, hostname2)
tcp.excluded_nodes = (172.16.1.3)
Note that if you only specify invited nodes, all others will be excluded, so there is really no reason to do both. The same goes for excluded nodes: exclude a list of clients, invite all others.
Even though this will not protect you against advanced attacks (IP and hostname are easy to spoof) it still serves as a deterrent against hacking attempts.
Here are some rules for entering invited/excluded nodes:
- You cannot use wildcards in your specifications.
- You must put all invited nodes in one line; likewise for excluded nodes.
- You should always enter localhost as an invited node.
PayrollDB is a database server, accessed by Payroll
BankingDB is a database server, accessed by Banking
BApp1, BApp2, andBApp3 are application servers using the BankingDB
PApp1, PApp2, and PApp3 are application servers using the PayrollDB
The sqlnet.ora on PayrollDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, PayrollDB, PApp1, PApp2, PApp3)
The sqlnet.ora on SalesDB would look like this:
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost, BankingDB, BApp1, BApp2, BApp3)
$ lsnrctl
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
The command completed successfully
LSNRCTL> start
Now PApp1, PApp2, and PApp3 can access PayrollDB but not BankingDB; the same goes for the Banking application servers' access to PayrollDB.
