Database Whitelist
If only a few clients use the database, we can create a whitelist that explicitly accepts those clients.
We take 2 steps to achieve our goal.
1. Add Clients in SQLNET.ORA
We should add the clients that are allowed to connect at the Oracle network level, which works with the listener.
[oracle@test ~]$ cd $ORACLE_HOME/network/admin
[oracle@test admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
TCP.VALIDNODE_CHECKING must be YES, and TCP.INVITED_NODES accepts any of the following:
- Specific IP address
- IPv4 address with a wildcard
- Hostname
- CIDR notation for IPv4 and IPv6
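As a check before restarting the listener, the following Python sketch parses the two parameters above and approximates which client addresses would be accepted. It is an added example, not code from the original article or from Oracle. The function names, the `hosts` lookup table and the sample text are assumptions, and it handles single-line parameters only.

```python
import ipaddress
import re

# Constructed sample mirroring the sqlnet.ora entries shown above.
SAMPLE = """
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
"""

def parse_sqlnet(text):
    """Return (checking_enabled, invited_entries) from sqlnet.ora text."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    enabled = params.get("TCP.VALIDNODE_CHECKING", "NO").upper() == "YES"
    raw = params.get("TCP.INVITED_NODES", "").strip("() ")
    return enabled, [e.strip() for e in raw.split(",") if e.strip()]

def classify(entry):
    """Label an entry with one of the four forms the parameter accepts."""
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
        return "cidr"
    if "*" in entry:
        return "wildcard"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        return "hostname"

def is_invited(client_ip, text, hosts=None):
    """Approximate the check; hosts is an assumed hostname-to-IP table."""
    enabled, entries = parse_sqlnet(text)
    if not enabled:
        return True  # without VALIDNODE_CHECKING=YES the list is not enforced
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        kind = classify(entry)
        if kind == "cidr" and addr in ipaddress.ip_network(entry, strict=False):
            return True
        if kind == "wildcard":
            pattern = re.escape(entry).replace(r"\*", "[0-9.]+")
            if re.fullmatch(pattern, client_ip):
                return True
        if kind == "ip" and addr == ipaddress.ip_address(entry):
            return True
        if kind == "hostname" and (hosts or {}).get(entry) == client_ip:
            return True
    return False
```

Running `is_invited` against the addresses of known application servers before the restart shows which of them the new list would lock out.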
RAC DB
For RAC databases, we should add them at the grid level.
[grid@primary01 ~]$ cd $ORACLE_HOME/network/admin
[grid@primary01 admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
2. Restart Listener
To make the settings take effect immediately, we should restart the listener.
[oracle@test admin]$ lsnrctl stop; lsnrctl start
RAC DB
For RAC databases, we should restart the listener with srvctl.
[grid@primary01 admin]$ srvctl stop listener; srvctl start listener; srvctl status listener
Listener LISTENER is enabled
Listener LISTENER is running on node(s): primary01,primary02
From now on, the listener inspects every source before establishing the database connection.
In contrast to a whitelist, we can also make a blacklist to block unwanted database connections.
pl sql not log in
You may check whether Oracle client has been installed or not, since the Oracle client is the base of any connection tools. Oracle instant client is recommended.