Database Blacklist
Unexpected connections may show up in your listener log; we can make a blacklist to explicitly block those clients.
It takes two steps to achieve this.
1. Exclude Clients in SQLNET.ORA
We should exclude the clients at the Oracle network level, where the check is enforced by the listener.
[oracle@test ~]$ cd $ORACLE_HOME/network/admin
[oracle@test admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.EXCLUDED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
TCP.VALIDNODE_CHECKING must be YES, and TCP.EXCLUDED_NODES accepts any of the following:
- Specific IP address
- IPv4 address with a wildcard
- Hostname
- CIDR notation for IPv4 and IPv6
RAC DB
For RAC databases, we should exclude the clients at the grid level, in the sqlnet.ora of the Grid Infrastructure home.
[grid@primary01 ~]$ cd $ORACLE_HOME/network/admin
[grid@primary01 admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.EXCLUDED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
2. Restart Listener
For the settings to take effect immediately, we should restart the listener.
[oracle@test admin]$ lsnrctl stop; lsnrctl start
RAC DB
For RAC databases, we should restart the listener with srvctl.
[grid@primary01 admin]$ srvctl stop listener; srvctl start listener; srvctl status listener
Listener LISTENER is enabled
Listener LISTENER is running on node(s): primary01,primary02
From now on, the listener checks the source of every incoming connection before the database session is established.
In contrast to a blacklist, we can also make a whitelist to accept only permitted database connections.