Chinaunix首页 | 论坛 | 博客
  • 博客访问: 523903
  • 博文数量: 235
  • 博客积分: 1209
  • 博客等级: 少尉
  • 技术积分: 1417
  • 用 户 组: 普通用户
  • 注册时间: 2011-11-19 19:59
文章分类

全部博文(235)

文章存档

2012年(107)

2011年(128)

分类:

2012-01-12 20:57:34

原文地址:限制IP访问ORACLE数据库 作者:TOMSYAN


如果要灵活的实现限制IP访问ORACLE数据库,最好使用登陆触发器的方式来实现。
下面的方式对于限制单个IP地址访问ORACLE数据库比较方便,但是对于实现一个网段的IP访问数据库就有点繁琐了,
因为这种方法需要把IP地址一个一个的列出来。
 
通过在SQLNET.ORA中增加如下的语句即可实现IP的限制:
 
tcp.validnode_checking = yes //开启IP限制
tcp.invited_nodes=() //允许访问的IP列表,各IP之间用逗号分隔
tcp.excluded_nodes=() //限制访问的IP列表,各个IP之间用逗号分隔
 
本次测试的环境说明如下:
 
数据库服务器在我WINDOWS PC机器上,IP地址为10.223.18.116,监听端口为1521,实例名为yansp。
远程有2台AIX服务器10.192.39.72,10.192.39.76用作测试客户端。

看下面一个简单例子:

正常情况下10.192.39.72是可以正常访问数据库的,如下:
 
[oracle@sxffdb1 ~]$ export PS1="10.192.39.72 > "
10.192.39.72 > sqlplus
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:18:03 2012
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select sysdate from dual;
SYSDATE
-------------------
2012-01-11 10:19:08
SQL>
 

修改sqlnet.ora 增加如下2行
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72,10.192.39.72)

C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>type sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
SQLNET.EXPIRE_TIME=1
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72)
 
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>

重启启动监听器:

C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:36
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
命令执行成功
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:40
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
启动tnslsnr: 请稍候...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
系统参数文件为C:\u01\oracle\product\10.2.0\db_1\network\admin\listener.ora
写入C:\u01\oracle\product\10.2.0\db_1\network\log\listener.log的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
LISTENER 的 STATUS
------------------------
别名                      LISTENER
版本                      TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Produ
ction
启动日期                  11-1月 -2012 10:24:45
正常运行时间              0 天 0 小时 0 分 5 秒
跟踪级别                  off
安全性                    ON: Local OS Authentication
SNMP                      OFF
监听程序参数文件          C:\u01\oracle\product\10.2.0\db_1\network\admin\listen
er.ora
监听程序日志文件          C:\u01\oracle\product\10.2.0\db_1\network\log\listener
.log
监听端点概要...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
服务摘要..
服务 "auxdb" 包含 1 个例程。
  例程 "auxdb", 状态 UNKNOWN, 包含此服务的 1 个处理程序...
命令执行成功
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>sqlplus / as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 1月 11 10:24:49 2012
Copyright (c) 1982, 2005, Oracle.  All rights reserved.

连接到:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> alter system register;
系统已更改。
SQL> exit
从 Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options 断开
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>

再次在10.192.39.72连接数据库就会报ORA-12537错误。
 
10.192.39.72 > sqlplus
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:34:59 2012
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
ERROR:
ORA-12537: TNS:connection closed

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
10.192.39.72 > oerr ora 12537
12537, 00000, "TNS:connection closed"
// *Cause: "End of file" condition has been reached; partner has disconnected.
// *Action: None needed; this is an information message.
10.192.39.72 >
 

而此时10.192.39.76还是可以登录数据库的:
[oracle@sxffdb2 ~]$ export PS1="10.192.39.76 > "
10.192.39.76 > sqlplus
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:39:03 2012
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select sysdate from dual;
SYSDATE
-------------------
2012-01-11 10:39:17
SQL>
 
 
如果将参数tcp.excluded_nodes=(10.192.39.72) 修改为 tcp.invited_nodes=(10.192.39.72) 那么只允许
10.192.39.72可以访问数据库。
修改SQLNET.ORA的内容如下:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
SQLNET.EXPIRE_TIME=1
tcp.validnode_checking = yes
tcp.invited_nodes=(10.192.39.72,10.223.18.116)
 
并且重启监听器。

注意:在使用参数invited_nodes的时候,一定要将数据库服务器的IP地址列入,否则启动监听器回报如下错误:
C:\Documents and Settings\shoupeng.yan>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:4
7:37
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
启动tnslsnr: 请稍候...
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
系统参数文件为C:\u01\oracle\product\10.2.0\db_1\network\admin\listener.ora
写入C:\u01\oracle\product\10.2.0\db_1\network\log\listener.log的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
TNS-12537: TNS: 连接关闭
 TNS-12560: TNS: 协议适配器错误
  TNS-00507: 连接已关闭

现象将会是72可以正常连接数据库,76不可以连接数据库。
10.192.39.72 > sqlplus
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:49:58 2012
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
 

10.192.39.76 > sqlplus
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:50:01 2012
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
ERROR:
ORA-12537: TNS:connection closed

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
10.192.39.76 >
 

注意:如果同时制定了参数tcp.invited_nodes和参数tcp.excluded_nodes那么将优先使用参数tcp.invited_nodes。
 
 
 

 
阅读(645) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~