Multi-Byte Characters in Oracle Passwords:
Oracle 11g supports multi-byte characters in Oracle passwords without quoting. If you are using the SQL*Plus CONNECT command or entering the password at the SQL*Plus password prompt, then characters such as $, _, and # can also be included in a password without quoting. The use of multi-byte characters and special characters within your applications must be carefully tested to ensure that they are supported.
Logon Delays:
A hacker may attempt a brute force hack to break into your Oracle Database. In this case they try repeated logons to the database using some form of word list. Oracle 11g includes a logon delay that takes effect after the third failed password entry attempt. This makes brute force hacking more difficult. After the third failed logon attempt, Oracle incrementally delays subsequent logon or password prompts, up to a maximum of 10 seconds. No delay occurs if the logon is successful.
Configuring Actions:
Oracle 11g also lets you configure how the database reacts to bad network packets and repeated failed authentication attempts, and whether the release banner is sent to a client when it connects. These behaviours are controlled by the following new initialization parameters.
sec_protocol_error_further_action:
- The sec_protocol_error_further_action parameter defines the action that should take place in the event that a bad packet is received from a remote system.
- The sec_protocol_error_further_action parameter can be set to the following options.
CONTINUE: Do not disconnect the client session. This is the default setting.
DROP: Drop the client connection after a specific number of bad packets. This option takes an integer argument that defines the number of bad packets that are acceptable.
DELAY: Delay accepting client requests after a bad packet is received. This option takes an integer argument that defines the delay time in seconds.
- Below is an example of setting this parameter. The parameter sec_protocol_error_further_action is not a dynamic parameter, so you need to use the scope=spfile setting and the new value takes effect at the next instance restart.
ALTER SYSTEM SET sec_protocol_error_further_action='DROP' scope=spfile;
sec_protocol_error_trace_action:
- The sec_protocol_error_trace_action parameter is dynamic.
- The sec_protocol_error_trace_action parameter defines the level of tracing that should occur when bad packets are received.
- The sec_protocol_error_trace_action parameter can be set to the following values.
NONE: No logging occurs.
TRACE: A trace file is generated when bad packets are received. This is the default setting.
LOG: A small logging message is entered in the database alert log.
ALERT: An alert message is sent to the DBA via OEM.
ALTER SYSTEM SET sec_protocol_error_trace_action='LOG';
sec_max_failed_login_attempts:
- The sec_max_failed_login_attempts parameter controls the number of authentication attempts that a given client connection can make on the server before the client process is dropped.
- The default value of sec_max_failed_login_attempts is 10.
- The sec_max_failed_login_attempts parameter is not dynamic.
ALTER SYSTEM SET sec_max_failed_login_attempts=5 scope=spfile;
sec_return_server_release_banner:
- The sec_return_server_release_banner parameter indicates whether the full server banner will be returned to a client connection.
- Not returning the banner will make hacking a database more difficult, since the user will not know which version of the database they are trying to hack.
- The default value of sec_return_server_release_banner is FALSE. This means only the generic version number of Oracle is shown to the user. However, if you set it to TRUE then Oracle will show full version details to the user, including its release number.
- sec_return_server_release_banner is a dynamic parameter.
ALTER SYSTEM SET sec_return_server_release_banner=TRUE scope=spfile;
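The following script is an added example, not part of the original article, that puts the four parameters above together as one hardening step and then reads back what the instance actually has in effect. The integer arguments (3 bad packets, 3 failed logins) are constructed sample values; the '(DROP,3)' form follows the (DROP,integer) syntax given in the Oracle initialization parameter reference, so check it against the reference for your own release before use.

```sql
-- Added example (not from the original article): harden the 11g
-- protocol-error, failed-login and banner parameters in one pass.

-- Disconnect a client after 3 bad packets (sample count, constructed).
-- Not dynamic per the article: written to the spfile, effective at restart.
ALTER SYSTEM SET sec_protocol_error_further_action='(DROP,3)' SCOPE=SPFILE;

-- Record each bad packet in the alert log so it can be monitored.
-- Dynamic per the article: SCOPE=BOTH changes the running instance
-- and the spfile.
ALTER SYSTEM SET sec_protocol_error_trace_action='LOG' SCOPE=BOTH;

-- Drop the client process after 3 failed authentication attempts on
-- one connection (sample count, constructed; default is 10).
ALTER SYSTEM SET sec_max_failed_login_attempts=3 SCOPE=SPFILE;

-- Keep the default: send only the generic version, not the full
-- release banner, so a connecting client learns less about the server.
ALTER SYSTEM SET sec_return_server_release_banner=FALSE SCOPE=BOTH;

-- Verify: current value, whether it is still the default, and whether
-- it can be changed without a restart. The underscore in 'sec_' is a
-- LIKE wildcard, so it is escaped to match the literal prefix only.
SELECT name,
       value,
       isdefault,
       issys_modifiable
  FROM v$parameter
 WHERE name LIKE 'sec\_%' ESCAPE '\'
 ORDER BY name;
```

Run the SELECT once before the changes and once after the restart: a row whose ISSYS_MODIFIABLE is FALSE will still show its old VALUE until the instance is bounced, which is the quickest way to confirm which of these settings are really live.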