Skip to content
Home » Oracle Database » How to Make a BlackList for DB Connection

How to Make a BlackList for DB Connection

Database Blacklist

Unexpected connections may be seen in your listener log, we can make a blacklist to explicitly block those clients.

We take 2 steps to achieve our goal.

1. Exclude Clients in SQLNET.ORA

We should exclude clients from connection at Oracle network level, which works with the listener.

[oracle@test ~]$ cd $ORACLE_HOME/network/admin
[oracle@test admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.EXCLUDED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)

TCP.VALIDNODE_CHECKING must be YES and the parameter of TCP.EXCLUDED_NODES accepts any of the followings:

  • Specific IP address
  • IPV4 with wild card
  • Hostname
  • CIDR notation for IPV4 and IPV6

RAC DB

For RAC databases, we should exclude them at grid level.

[grid@primary01 ~]$ cd $ORACLE_HOME/network/admin
[grid@primary01 admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.EXCLUDED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)

2. Restart Listener

To take settings effect immediately, we should restart listener.

[oracle@test admin]$ lsnrctl stop; lsnrctl start

RAC DB

For RAC databases, we should restart the listener by srvctl.

[grid@primary01 admin]$ srvctl stop listener; srvctl start listener; srvctl status listener
Listener LISTENER is enabled
Listener LISTENER is running on node(s): primary01,primary02

From now on, the listener inspects every source before establishing the database connection.

In contrast to blacklist, we can make a whitelist to accept only allowable database connections.

Leave a Reply

Your email address will not be published. Required fields are marked *