Change_DefaultListenerPort

We are migrating a 9i DB on AIX to an 11g DB on (VMware/RHEL).

Currently we use 1521 for all database connections.

Does it make any sense to change the default listener port to something else to make things more secure? Isn't this security using obscurity?

There will be a firewall installed too.

Would it involve a lot of work if we decide to change the port?
sam15 asked:

Chakravarthi Ayyala (Database Administrator) commented:
One can change the default port easily. Once you decide the port and after your networking team opens the port, you can change the same in your listener.ora and start your listener.
0
sam15 (Author) commented:
So shall I do that later on, after the initial install and default configuration?

What port do you normally switch to? Does it really provide extra security?
0
Chakravarthi Ayyala (Database Administrator) commented:
You can do that later after the install.

What port do you normally switch to?
  => I used between 1522-1525, as we set a standard of having a particular port for a particular environment, viz. 1522 for QA, 1523 for Staging, etc.

Does it really provide extra security?
  => "In addition to password protection, MOS Note:340009.1 suggests changing the TNS listener default port from 1521 to a different port. This will certainly help prevent generic attacks where worms are specifically targeting port 1521, but will only cause a minor delay for a targeted hack where open ports are scanned."
  => Ref.: http://www.oracle-base.com/articles/misc/BasicSecurityMeasuresForOracle.php
0

OP_Zaharin commented:
"Does it make any sense to change the default listener port to something else to make things more secure? Isn't this security using obscurity?"
- If security is your concern, there are checklists for securing your database at the following links that you can go through:
http://docs.oracle.com/cd/B28359_01/server.111/b28337/toc.htm
http://www.securedba.com/securedba/2007/12/hardening-the-o.html

"There will be a firewall installed too."
- Just add that port to your firewall policy.

"Would it involve a lot of work if we decide to change the port?"
- I would suggest doing it during the installation itself, as it will handle all the necessary config for the new port.
0
ytarkan commented:
Changing the port is very easy: you just change the port number in the file listener.ora on the server and restart the listener process (lsnrctl stop & lsnrctl start on the OS command line), that's all. You need to set the same port number in the clients' tnsnames.ora files to be able to connect, indeed.

BUT this does not bring serious security; this kind of obscurity is not an obstacle even for a lamer. I recommend you use the original ports. However, there are other options to add a bit to the security level. For example, you can set up a honeypot machine to confuse the attacker. On the other hand, tnslistener is quite secure; if you configure your FW to allow only 1521, you don't have to worry much about its security.
0

David (Senior Oracle Database Administrator) commented:
Sam, what's most time consuming, IMO, is pushing the new port info out to your clients if you're on a two-tier system.  Each user requires a modified TNSNAMES.ora file.
0
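As an added example (not code from any poster in this thread), this Python sketch covers the client-side step ytarkan and David describe: it reads a tnsnames.ora and lists the aliases that still dial a database host on a port other than the one its listener now uses. The aliases, hostnames, and function names are hypothetical, and the ports follow the 1522/1523 per-environment convention mentioned above.

```python
import re

# Constructed client tnsnames.ora; aliases and hostnames are hypothetical.
SAMPLE = """\
QA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbqa.example.com)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = qa)))
# entry still on the old default port
STAGE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbstg.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = stg)))
REPORTS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbstg.example.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = DBQA.example.com)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = rpt)))
"""

ADDRESS = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)", re.I)
HOST = re.compile(r"\(\s*HOST\s*=\s*([^()\s]+)\s*\)", re.I)
PORT = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.I)

def parse_tnsnames(text):
    """Return {ALIAS: [(host, port), ...]} by tracking parenthesis depth."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    entries, depth, head, body = {}, 0, [], []
    for ch in text:
        if ch == "(":
            depth += 1
        (body if depth else head).append(ch)     # depth 0 text is the alias
        if ch == ")" and depth:
            depth -= 1
            if depth == 0:                       # one top-level entry is complete
                alias = "".join(head).strip().rstrip("=").strip().upper()
                addrs = [(HOST.search(a).group(1).lower(), int(PORT.search(a).group(1)))
                         for a in ADDRESS.findall("".join(body))
                         if HOST.search(a) and PORT.search(a)]
                entries.setdefault(alias, []).extend(addrs)
                head, body = [], []
    return entries

def stale_addresses(text, expected_ports):
    """List (alias, host, port) where a known host is dialled on the wrong port."""
    return sorted((alias, host, port)
                  for alias, addrs in parse_tnsnames(text).items()
                  for host, port in addrs
                  if host in expected_ports and port != expected_ports[host])
```

Calling `stale_addresses(SAMPLE, {"dbqa.example.com": 1522, "dbstg.example.com": 1523})` reports the STAGE and REPORTS entries, which are the ones a client rollout would still need to touch.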