一、背景:
2023年伊始,我們的工作中多了乙個詞"護網行動",之前聞所未聞;這是乙個從國家層面提出的安全概念,目的是為了保障資訊保安。各個組織機構會定期組織安防演練。咱們資料庫層面為了應對這次安防演練也提出了自己的思想,資料庫白名單策略限制非法裝置對資料庫進行訪問。這是這次配置監聽白名單的整個背景。
#開啟ip限制功能
tcp.validnode_checking=yes#允許訪問資料庫的ip位址列表,多個ip位址使用逗號分開
tcp.invited_nodes=(192.168.1.5,192.168.1.6,10.10.10.2)#禁止訪問資料庫的ip位址列表,多個ip位址使用逗號分開
tcp.excluded_nodes=(192.168.1.1,10.10.10.1)grep host listener.log |awk -f 'host=' '' |awk '' |awk -f ')' '' |grep -v jdbc|sort|uniq |wc -l && grep host listener.log |awk -f 'host=' '' |awk '' |awk -f ')' '' |grep -v jdbc|sort|uniq
5192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.71
tr -s "\n" "," 3.3 編輯sqlnet.ora
tcp.validnode_checking=yes
tcp.invited_nodes=(192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.71)
3.4 關閉監聽
lsnrctl for linux: version 11.2.0.4.0 - production on 28-jul-2020 19:30:20
connecting to (description=(address=(protocol=tcp)(host=testdb)(port=1521)))
the command completed successfully
3.5 重新啟動監聽
lsnrctl for linux: version 11.2.0.4.0 - production on 28-jul-2020 19:30:25
tnslsnr for linux: version 11.2.0.4.0 - production
listening on: (description=(address=(protocol=tcp)(host=testdb)(port=1521)))
listening on: (description=(address=(protocol=ipc)(key=extproc1521)))
connecting to (description=(address=(protocol=tcp)(host=testdb)(port=1521)))
status of the listener
------------------------
alias listener
version tnslsnr for linux: version 11.2.0.4.0 - production
start date 28-jul-2020 19:30:25
uptime 0 days 0 hr. 0 min. 0 sec
trace level off
security on: local os authentication
snmp off
listening endpoints summary...
(description=(address=(protocol=tcp)(host=testdb)(port=1521)))
(description=(address=(protocol=ipc)(key=extproc1521)))
the listener supports no services
the command completed successfully
3.6 手工註冊監聽
sql*plus: release 11.2.0.4.0 production on tue jul 28 19:30:29 2020
connected to:
oracle database 11g enterprise edition release 11.2.0.4.0 - 64bit production
sql> alter system register;
system altered.
sql> !lsnrctl status
lsnrctl for linux: version 11.2.0.4.0 - production on 28-jul-2020 19:30:36
connecting to (description=(address=(protocol=tcp)(host=testdb)(port=1521)))
status of the listener
------------------------
alias listener
version tnslsnr for linux: version 11.2.0.4.0 - production
start date 28-jul-2020 19:30:25
uptime 0 days 0 hr. 0 min. 11 sec
trace level off
security on: local os authentication
snmp off
listening endpoints summary...
(description=(address=(protocol=tcp)(host=testdb)(port=1521)))
(description=(address=(protocol=ipc)(key=extproc1521)))
services summary...
service "orcl" has 1 instance(s).
instance "orcl1", status ready, has 1 handler(s) for this service...
service "orcl1xdb" has 1 instance(s).
the command completed successfully
iptables 配置白名單
編輯iptables配置檔案,將檔案內容更改為如下,則具備了ip位址白名單功能 vim etc sysconfig iptables filter input accept 0 0 forward accept 0 0 output accept 0 0 n whitelist a whitelis...
Redis資料庫如何設定白名單?
為了redis資料庫的安全穩定,在開始使用redis例項前,需要將訪問資料庫的ip位址或者ip段新增到目標例項的白名單中。正確使用白名單可以讓redis得到高階別的訪問安全保護,建議定期維護白名單。白名單功能需要特定版本核心的支援,若例項的核心版本不滿足條件,在設定白名單時會出現提示資訊,此時將小版...
Confluence 6 配置白名單
confluence 管理員可以通過新增 urls 到白名單選擇出入的鏈結和使用 rss 巨集,html 包含巨集和小工具中的內容。如果乙個內容被新增到 confluence 系統中,但是這個 urls 不在允許的鏈結列表中的話,系統將會顯示乙個錯誤資訊,並提示使用者將這個 url 新增到白名單中。...