Oracle Database11g 增加了一組新參數以加強資料庫的預設安全性。這些參數是系統範圍的靜态參數。
(1)使用區分大小寫的密碼以加強安全性
新參數SEC_CASE_SENSITIVE_LOGON使您可以設定區分大小寫的使用者密碼。Oracle 建議保留預設設定TRUE。将此參數設定為FALSE 可指定不區分大小寫的密碼以實作向後相容性。
ALTER SYSTEM SETSEC_CASE_SENSITIVE_LOGON = FALSE
注:禁用區分大小寫會使密碼在強力攻擊面前變得更脆弱。
(2)防止拒絕服務(DoS) 攻擊
SEC_PROTOCOL_ERROR_FURTHER_ACTION參數:指定了要對客戶機連接配接執行的操作:繼續、斷開連接配接或延遲接受請求。
SEC_PROTOCOL_ERROR_TRACE_ACTION參數:指定了監視操作:NONE、TRACE、LOG 或ALERT。
(3)防止強力攻擊
新的初始化參數SEC_MAX_FAILED_LOGIN_ATTEMPTS的預設設定為10,表示在連接配接嘗試達到指定次數後會自動斷開連接配接。即使未啟用密碼概要檔案,也會強制實施此參數。
此參數可以防止程式連接配接到資料庫,然後成百上千次地嘗試密碼以通過驗證。
SEC_PROTOCOL_ERROR_FURTHER_ACTION
SEC_PROTOCOL_ERROR_FURTHER_ACTION specifies the further execution of a server
process when receiving bad packets from a possibly malicious client.
Values:
■ CONTINUE
The server process continues execution. The database server may be subject to a
Denial of Service (DoS) if bad packets cont inue to be sent by a malicious client.
■ (DELAY,integer)
The client experiences a delay of integer seconds before the server process accepts
the next request from the same client co nnection. Malicious cl ients are prevented
from excessive consumption of server resources while legitimate clients experience
a degradation in performance but can continue to function.
■ (DROP, integer)
The server forcefully terminates the client connection after integer cumulative bad
packets. The server protects itself at the ex pense of the client (for example, a client
transaction may be lost). The client may reconnect and attempt the same
operation.
Property Description
Parameter type Integer
Default value 10
Modifiable No
Range of values 1 to unlimited
Basic No
Parameter type String
Syntax SEC_PROTOCOL_ERROR_FURTHER_ACTION = { CONTINUE |
(DELAY,integer) | (DROP, integer) }
Default value CONTINUE
Modifiable ALTER SESSION , ALTER SYSTEM
SEC_PROTOCOL_ERROR_TRACE_ACTION
1-154 Oracle Database Reference
SEC_PROTOCOL_ERROR_TRACE_ACTION specifies the action th at the database should
take when bad packets are received from a possibly malicious client.
■ NONE
The database server ignores the bad packets and does not generate any trace files
or log messages.
■ TRACE
A detailed trace file is generated when bad packets are received, which can be
used to debug any problems in client/server communication.
■ LOG
A minimal log message is printed in the alert logfile and in the server trace file. A
minimal amount of disk space is used.
■ ALERT
An alert message is sent to a DBA or monitoring console.