[转帖]Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指
发布时间:2020-12-12 13:02:20 所属栏目:百科 来源:网络整理
导读:Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户 原创?Oracle?作者:maohaiqing0304?时间:2016-05-03 17:05:46? ? 17297? ? 0 ? 链接: http://blog.itpub.net/28602568/viewspace-2092858/ 标题:Oracle 使用sqlnet.ora/trigger限制/允许某
Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户原创?Oracle?作者:maohaiqing0304?时间:2016-05-03 17:05:46??17297??0 ?链接: http://blog.itpub.net/28602568/viewspace-2092858/ 标题:Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户? 作者: lōττéry?版权所有[文章允许转载,但必须以链接方式注明源地址,否则追究法律责任.]? 注释: ?接触MySQL的朋友想必都知道mysql可针对指定IP/IP段来限制用户的访问,在Oracle数据库中默认有账号密码访问主机的权限的IP都可登陆该DB用户; ? 那么,Oracle 如何实现针对DB、单个用户来限制/允许IP访问呢? ? 1、整个DB层:可设置$ORACLE_HOME/network/admin/sqlnet.ora文件,限制/允许IP访问; ?-->不可针对IP段.. ? 2、单个用户:可通过trigger触发器限制/允许某IP或IP段访问; ? ? ? ? ? ? ? ??-->实验不可对整个DB层 (AFTER LOGON ON database)登陆提示告警.. ? ? 一、sqlnet.ora ? [ [email?protected] admin]$? cat sqlnet.ora tcp.validnode_checking = yes ? ? ? ? ? ? ? ? ? ? ? #需要设置成yes,方可激活生效? ? ? ? ? ? ? ?? tcp.invited_nodes=(10.240.1.8,10.240.1.7) ? ? ?#允许访问的IP #tcp.excluded_nodes=(10.240.1.8,10.240.1.7) #不允许访问的IP? 注释: 在9i提供了几个参数:-->9i以前版本更改protocol.ora文件... TCP.EXCLUDED_NODES ? ?:设置禁止访问数据库的IP地址列表。 TCP.INVITED_NODES ? ? :设置允许访问数据库的IP地址列表,当这个参数和TCP.EXCLUDED_NODES设置的地址相同的时候将覆盖TCP.EXCLUDED_NODES设置。 TCP.VALIDNODE_CHECKING:检测上述参数的设置。? ? 简单演示: [ [email?protected] 10.240.1.8?~]$ sqlplus lottery/ [email?protected]/test? SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:15 2016? Copyright (c) 1982,2013,Oracle.? All rights reserved.? Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production With the Partitioning,OLAP,Data Mining and Real Application Testing options SQL>? [ [email?protected] 10.240.1.9?~]$? sqlplus lottery/ [email?protected]/test SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:40 2016 Copyright (c) 1982,Oracle.? All rights reserved. ERROR: ORA-12547: TNS:lost contact ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts,exiting SQL*Plus [ [email?protected]?~]$? 二、触发器 -->TRIGGER限制10.240.1.%网段访问lottery用户 CREATE OR REPLACE TRIGGER DISABLELOGIN ? ??? AFTER LOGON ON LOTTERY.SCHEMA? -->使用方式为USERNAME.SCHEMA,若直接写database,RAISE_APPLICATION_ERROR部分不起作用.. BEGIN?????????????????????????????????????????????????????????????????????? ?? IF ORA_CLIENT_IP_ADDRESS LIKE (‘10.240.1.%‘) THEN???? ? ?RAISE_APPLICATION_ERROR(-20001,‘USER ‘||ORA_LOGIN_USER||‘ IS NOT ALLOWED TO CONNECT FROM ‘||ORA_CLIENT_IP_ADDRESS); ?? END IF; END; --不能指定sys.schema,会报《ORA-30510: 系统触发器不能在 SYS 用户方案中定义》 --限制某IP ?ORA_CLIENT_IP_ADDRESS IN (‘10.240.1.7‘,‘10.240.1.8‘) ? 简单演示: [ [email?protected] 10.240.1.7?~]$ sqlplus lottery/ [email?protected]/test SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016 Copyright (c) 1982,Oracle.? All rights reserved. ERROR: ORA-00604: error occurred at recursive SQL level 1 ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.7 ORA-06512: at line 3 [ [email?protected]?admin]$ ? [ [email?protected] 10.240.1.8 ~]$ sqlplus lottery/ [email?protected]/test SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016 Copyright (c) 1982,Oracle.? All rights reserved. ERROR: ORA-00604: error occurred at recursive SQL level 1 ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.8 ORA-06512: at line 3 [ [email?protected]?~]$ ? [ [email?protected] 10.240.2.8 ?~]$? sqlplus lottery/ [email?protected]/test? SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:23:33 2016? Copyright (c) 1982,Oracle.? All rights reserved.? Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production With the Partitioning,Data Mining and Real Application Testing options SQL>? SQL> SELECT?*?FROM?DBA_TRIGGERS?WHERE?trigger_name=‘DISABLELOGIN‘?;
(编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
.png)
