允许某IP或IP段访问指定用户

原创 Oracle 作者：maohaiqing0304 时间：2016-05-03 17:05:46 17297 0

链接： http://blog.itpub.net/28602568/viewspace-2092858/

标题：Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户

注释：

接触MysqL的朋友想必都知道MysqL可针对指定IP/IP段来限制用户的访问，在Oracle数据库中默认有账号密码访问主机的权限的IP都可登陆该DB用户；

那么,Oracle 如何实现针对DB、单个用户来限制/允许IP访问呢？

1、整个DB层：可设置$ORACLE_HOME/network/admin/sqlnet.ora文件，限制/允许IP访问； -->不可针对IP段..

2、单个用户：可通过trigger触发器限制/允许某IP或IP段访问； -->实验不可对整个DB层 (AFTER logoN ON database)登陆提示告警..

一、sqlnet.ora

[ [email protected] admin]$ cat sqlnet.ora

tcp.validnode_checking = yes #需要设置成yes，方可激活生效

tcp.invited_nodes=(10.240.1.8,10.240.1.7) #允许访问的IP
#tcp.excluded_nodes=(10.240.1.8,10.240.1.7) #不允许访问的IP

注释：

在9i提供了几个参数：-->9i以前版本更改protocol.ora文件...

TCP.EXCLUDED_NODES ：设置禁止访问数据库的IP地址列表。

TCP.INVITED_NODES ：设置允许访问数据库的IP地址列表，当这个参数和TCP.EXCLUDED_NODES设置的地址相同的时候将覆盖TCP.EXCLUDED_NODES设置。

TCP.VALIDNODE_CHECKING：检测上述参数的设置。

简单演示：

[ [email protected] 10.240.1.8 ~]$ sqlplus lottery/ [email protected]/test

sql*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:15 2016
Copyright (c) 1982,2013,Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning,OLAP,Data Mining and Real Application Testing options

sql>

[ [email protected] 10.240.1.9 ~]$ sqlplus lottery/ [email protected]/test

sql*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:40 2016
Copyright (c) 1982,Oracle. All rights reserved.
ERROR:
ORA-12547: TNS:lost contact
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts,exiting sql*Plus
[ [email protected] ~]$

二、触发器

-->TRIGGER限制10.240.1.%网段访问lottery用户

CREATE OR REPLACE TRIGGER DISABLELOGIN

AFTER logoN ON LOTTERY.SCHEMA -->使用方式为USERNAME.SCHEMA，若直接写database，RAISE_APPLICATION_ERROR部分不起作用..

BEGIN

IF ORA_CLIENT_IP_ADDRESS LIKE (‘10.240.1.%‘) THEN

RAISE_APPLICATION_ERROR(-20001,‘USER ‘||ORA_LOGIN_USER||‘ IS NOT ALLOWED TO CONNECT FROM ‘||ORA_CLIENT_IP_ADDRESS);

END IF;

END;

--不能指定sys.schema，会报《ORA-30510: 系统触发器不能在 SYS 用户方案中定义》

--限制某IP ORA_CLIENT_IP_ADDRESS IN (‘10.240.1.7‘,‘10.240.1.8‘)

简单演示：

[ [email protected] 10.240.1.7 ~]$ sqlplus lottery/ [email protected]/test
sql*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982,Oracle. All rights reserved.
ERROR:
ORA-00604: error occurred at recursive sql level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.7
ORA-06512: at line 3
[ [email protected] admin]$

[ [email protected] 10.240.1.8 ~]$ sqlplus lottery/ [email protected]/test
sql*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982,Oracle. All rights reserved.
ERROR:
ORA-00604: error occurred at recursive sql level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.8
ORA-06512: at line 3
[ [email protected] ~]$

[ [email protected] 10.240.2.8 ~]$ sqlplus lottery/ [email protected]/test

sql*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:23:33 2016
Copyright (c) 1982,Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning,Data Mining and Real Application Testing options
sql>

sql> SELECT * FROM DBA_TRIGGERS WHERE trigger_name=‘DISABLELOGIN‘ ;

【源于本人笔记】若有书写错误，表达错误，请指正...

@H_301_234@

[转帖]Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户

Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户

猜你在找的Oracle相关文章