Archive for the 'Security' Category

04 Oct 07

Put a password to that Listener

The Oracle listener can be the target of attacks from someone willing to take control of the database.

Putting a password on the listener is easy, so let's get to it.

Open a console:

C:\>LSNRCTL

LSNRCTL>status

If you see some instances described, this is your current listener. The default name is LISTENER and a potential hacker is well aware of that.

It’s good to create the listener with a different name.

If you don't know your listener's name, go to the Services panel and look for OracleListenerSomelistenername. Your listener name is Somelistenername.

LSNRCTL>change_password Somelistenername

old password: there was nothing, so we just press Enter.

new password: Agoodpassword

retype new password: Agoodpassword

LSNRCTL>save_config

The save_config command adds the password, encrypted, to the listener.ora file located in ORACLE_HOME\NETWORK\Admin.

If that command hasn't been run, no password has been added.

Tips, courtesy of caffeine-addict who should recognize himself if he walks by

10 Aug 06

Check your user passwords

A good tool for checking your users' passwords is the one developed by Red Database Security.

It’s called checkpwd.

Download it from their website.

On the command line simply type:

C:\>checkpwd [oradba_user]/[password]@[tns entry] [your_password_file_location.txt]

On Oracle 8i it's easy, but now with Oracle 10g, to connect as SYSDBA we have to specify, for example in SQL*Plus:

SQL>conn sys/[password] as sysdba

This is apparently not taken into account yet, and checkpwd fails to recognize the connect string with the extra words "as sysdba".

27 Jul 06

Consider using profiles for managing passwords… But not only!

When working with Oracle, we quickly realise we have different user types, with different needs and different privileges coming with them.

The DBA will want to change DBA and developer passwords more often than normal users' passwords, and normal users' passwords more often than connection users' passwords. Connection users are the ones used for application connectivity, batch jobs, this kind of stuff.

Now managing those passwords is a nightmare. When prompted to change passwords, users might reuse the same password out of laziness. Or sometimes simply have no password at all and just use the username as the password, or username123, which is just the same.

The profiles in Oracle help manage that.

I’ve created 2 profiles:

1) The connect_users with light privileges

Change password every 3 months

Is not allowed to use the same password before having had 3 different passwords

2) The normal users. People connecting to all sorts of applications and inputting data all day long.

Change password every 2 months

Are not allowed to use the same password before having had 5 different passwords

Max sessions 8. We use some apps that open 2 sessions per open window. I force them to use only 4 windows max. (And I still wonder how they can manage 4 at a time…)

3) DBAs and developers

Change password every month. Seriously, we have trained brains able to remember dozens of complex passwords of minimum 10 digits.

Are not allowed to use the same password before having had 10 different passwords.

Why so many different passwords? Well, since it expires every month, a user would be able to reuse an old one in just 5 months compared to 10 months for a normal user. Doesn't make sense, does it?
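The three profiles described above, written as Oracle CREATE PROFILE statements. This is an added example, not the post's own scripts; the profile names, the user names and the "both limits must be integers" caveat are assumptions on my side, the limits themselves are the ones listed in the post.

```sql
-- Added example: Oracle profiles for the three user types above.
-- Password limits are in days. Profile and user names are assumed.

-- 1) connection users: new password every 3 months, last 3 passwords blocked.
-- PASSWORD_REUSE_TIME must also be an integer: if it stays UNLIMITED while
-- PASSWORD_REUSE_MAX is set, Oracle forbids reusing a password ever.
CREATE PROFILE connect_users LIMIT
  PASSWORD_LIFE_TIME   90
  PASSWORD_REUSE_MAX   3
  PASSWORD_REUSE_TIME  1;

-- 2) normal users: every 2 months, last 5 passwords blocked, 8 sessions max.
CREATE PROFILE normal_users LIMIT
  PASSWORD_LIFE_TIME   60
  PASSWORD_REUSE_MAX   5
  PASSWORD_REUSE_TIME  1
  SESSIONS_PER_USER    8;

-- 3) DBAs and developers: every month, last 10 passwords blocked.
CREATE PROFILE dba_dev LIMIT
  PASSWORD_LIFE_TIME   30
  PASSWORD_REUSE_MAX   10
  PASSWORD_REUSE_TIME  1;

-- SESSIONS_PER_USER is a resource limit and is only enforced when the
-- RESOURCE_LIMIT parameter is TRUE (it is FALSE by default in 10g);
-- the PASSWORD_* limits are enforced regardless of that parameter.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Attach the profiles to users (names assumed for the example).
ALTER USER app_batch PROFILE connect_users;
ALTER USER jsmith    PROFILE normal_users;
ALTER USER dba_anne  PROFILE dba_dev;

-- Check what is actually in force for the three profiles.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile IN ('CONNECT_USERS', 'NORMAL_USERS', 'DBA_DEV')
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX',
                         'PASSWORD_REUSE_TIME', 'SESSIONS_PER_USER')
 ORDER BY profile, resource_name;

-- Who will be forced to change a password within the next week.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE expiry_date < SYSDATE + 7
 ORDER BY expiry_date;
```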

There's something missing in this profile thing… the password complexity. It usually forces users to have at least a number and at least a capital letter in their password. This is just plain crap. I can make a password like Passw0rd and pass the complexity check. Why bother…

Instead, I take time to train my users. I've found I get much better results by advocating security rather than forcing it. What is seen as a hassle can be turned into an effort to keep the bad hacker, the bad employee, the competitor from stealing our work.

You see, the reason users can't be asked to change a password is that they don't have a clue!

Answer the questions!

1) Why?

Why me?

Ask them. They’ll answer:

Who’s gonna steal my data?

I have nothing valuable.

The underlying question is how could anyone make money with my data anyway? It's worthless. Therefore, the hacker is a myth.

That is usually what you hear at the beginning of the training. Then you bring in the slide with the common questions. They are usually impressed that it could be guessed :o) The reason is not you, nor your data. It's your computer, for spamming. To turn your Oracle database into a gigantic spamming machine. Since it does not concern only Oracle, I like to stress the fact that very often it's the computer which is hacked, not the user in particular.

I explain the reasons too. Spamming. IRC channels selling hacked computers with admin rights and passwords. Here is the business model popping up! Making the thing real. Touchable.

2) Who?

It doesn’t need to be fully detailed.

I explain about the script kiddies. I explain how easy it is to hack by downloading ready-to-use scripts from the internet. People not having a clue about what they are doing, but harming innocent DBAs anyway!

3) How?

I explain the use of security-flaw databases, the automatic bots looking for their targets on the web. The password dictionaries. How common they are.

You've just thought of an easy-to-remember password? The hacker did that years before you even started thinking about it.

Defend yourself

Here we are. The enemy has a face. It can be identified by the user. Now that you have an enemy and a reason for his acts, you can start defending yourself.

A good password has to be complex. <– That is a tricky word. The second you turn your back on it, it kicks you in the face. Simply put, complex for a DBA is really not the same as complex for a user.

Here are some samples of complex passwords for a user:

a1b2c3d4

!@#$%^&* (This one is the worst. It gives a feeling of security where there is none. If you feel secure, you care less.)

John1978

Here are some samples of complex passwords for DBAs:

M02nA2s+3re

B5H-cl1ck-r4t

3le|<+R0n-C0nFuZi0n

Make sure your users understand what complexity means for you.

How to choose a good password.

Here are my rules:

1) Change your password creation method from one to another.

You like to replace some letters with numbers that look like them? Don't do it for the next letter.

2) You like to modify words with numbers or do some design (_|_)?

Find another way, by concatenating substrings of different words, or mixing them up together.

Make a sentence and take 3 letters of each word. Modify them with caps, special characters and numbers.

3) Make it long. At least 8 for users. At least 10 for DBAs and administrators.

4) Add some numbers, letters, characters totally unrelated to any rule. Coming out of nowhere. :-)Or/cl3(-:

If you do all that, you'll have an easy-to-remember password that is hard to break too.

And finding a password can become fun instead of a hassle.

Not as fun as playing WoW or enjoying yourself with your girlfriend. But as fun as something can be in the workplace.

21 Jul 06

Make Oracle work with a local username on Windows

People working on a Windows domain get used to having their username/password everywhere they go.

And the reflex when installing Oracle on a Windows server might be to prepare a user on the domain for Oracle. Or worse, use a domain-administrator-privileged user to install Oracle. Well, it's not the best idea.

It's best to create a local user. Call that user oracle to keep things simple and assign it to your ORA_DBA group.

The ORA_DBA group is a local user group, by the way.

This user will need local administrator privileges too, in order to be able to install Oracle.

Also, go to Control Panel > Administration > Local Security Policy > Local Policies > User Rights Assignment > Log on as a batch job.

Add your new Oracle user to the “Log on as a batch job” list. This is required for backups.

Why use a local oracle user?

With Oracle 10g, a DBA avoids a lot of problems by using a local user at backup time.

You will avoid remote connections to your database using tools like MMC.

It makes hacking your server a little less easy.

Watch out

Since the Oracle server is using a local user, all the domain security policies applied through the Windows domain directory won't apply to a local user.

All the domain security policies must be applied locally.