Book Image

Oracle 11g Anti-hacker's Cookbook

By : Adrian Neagu
Book Image

Oracle 11g Anti-hacker's Cookbook

By: Adrian Neagu

Overview of this book

For almost all organizations, data security is a matter of prestige and credibility. The Oracle Database is one of the most rich in features and probably the most used Database in a variety of industries where security is essential. To ensure security of data both in transit and on the disk, Oracle has implemented the security technologies to achieve a reliable and solid system. In Oracle 11g Anti-Hacker's Cookbook, you will learn about the most important solutions that can be used for better database security."Oracle 11g Anti-hacker's Cookbook" covers all the important security measures and includes various tips and tricks to protect your Oracle Database."Oracle 11g Anti-hacker's Cookbook" uses real-world scenarios to show you how to secure the Oracle Database server from different perspectives and against different attack scenarios. Almost every chapter has a possible threads section, which describes the major dangers that can be confronted. The initial chapters cover how to defend the operating system, the network, the data and the users. The defense scenarios are linked and designed to prevent these attacks. The later chapters cover Oracle Vault, Oracle VPD, Oracle Labels, and Oracle Audit. Finally, in the Appendices, the book demonstrates how to perform a security assessment against the operating system and the database, and how to use a DAM tool for monitoring.
Table of Contents (16 chapters)
Oracle 11g Anti-hacker's Cookbook
Credits
Foreword
About the Author
About the Reviewers
www.PacktPub.com
Preface
Index

Using TCP wrappers to allow and deny remote connections


By using TCP wrappers you can control the accepting or denying of incoming connections from specified servers and networks. You may use this capability to protect your network in conjunction with a firewall. In the following recipe, we will allow connections opened through ssh only from the nodeorcl5 host and deny from all others by using TCP wrappers.

Getting ready

All steps will be performed on nodeorcl1 as root.

How to do it...

TCP wrappers at host level are controlled by two files located in the /etc directory called hosts.allow and hosts.deny.

  1. First we will start to deny all incoming connections from all hosts using all services by adding the following line into /etc/hosts.deny:

    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    ALL:ALL
    ................................................................
    
  2. In this moment if we try to establish a connection from nodeorcl5 it will be denied:

    [oraclient@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
    ssh_exchange_identification: Connection closed by remote host
    
    [oraclient@nodeorcl5 .ssh]$ ssh -l oracle nodeorcl1
    oracle@nodeorcl1's password:
    Last login: Sun Aug 12 19:47:21 2012 from nodeorcl5
    [oracle@nodeorcl1 ~]$
    
  3. To allow incoming connections only with ssh include the following in /etc/hosts.allow:

    #
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd: nodeorcl5
    ……………………………………………………………………………………
    

How it works...

All changes to hosts.deny and hosts.allow takes immediately in effect; hosts.allow has precedence over the hosts.deny file.

The format for rules is composed by a service or daemon, and host name or IP address. In our examples, we denied all services from all hosts and allowed only ssh connections from nodeorcl5.

There is more...

You can set rules for an entire network as follows:

Sshd :10.241.132.0/225.255.255.0

Exceptions can be set by using the EXCEPT clause:

Sshd : ALL EXCEPT 10.241.132.122