• Status: Solved

Change_DefaultListenerPort

We are migrating a 9i DB on AIX to an 11g DB on (VMware/RHEL).

Currently we use 1521 for all database connections.

Does it make any sense to change the default listener port to something else to make things more secure? Is this not security using obscurity?

There will be a firewall installed too.

Would it involve a lot of work if we decide to change the port?
Asked by: sam15
 
Chakravarthi Ayyala, Database Administrator, Commented:
One can change the default port easily. Once you decide the port and after your networking team opens the port, you can change the same in your listener.ora and start your listener.
 
sam15 (Author) Commented:
So shall I do that later on, after the initial install and default configuration?

What port do you normally switch to? Does it really provide extra security?
 
Chakravarthi Ayyala, Database Administrator, Commented:
You can do that later after the install.

What port do you normally switch to?
  => I used between 1522-1525, as we set a standard of having a particular port for a particular environment, viz. 1522 for QA, 1523 for Staging, etc.

Does it really provide extra security?
  => "In addition to password protection, MOS Note:340009.1 suggests changing the TNS listener default port from 1521 to a different port. This will certainly help prevent generic attacks where worms are specifically targeting port 1521, but will only cause a minor delay for a targeted hack where open ports are scanned."
  => Ref.: http://www.oracle-base.com/articles/misc/BasicSecurityMeasuresForOracle.php

 
OP_Zaharin Commented:
"Does it make any sense to change the default listener port to something else to make things more secure? Is this not security using obscurity?"
- If security is your concern, there is a checklist for securing your database at the following links that you can go through:
http://docs.oracle.com/cd/B28359_01/server.111/b28337/toc.htm
http://www.securedba.com/securedba/2007/12/hardening-the-o.html

"There will be a firewall installed too."
- Just add that port to your firewall policy.

"Would it involve a lot of work if we decide to change the port?"
- I would suggest doing it during the installation itself, as it will handle all the necessary config for the new port.

 


 
ytarkan Commented:
Changing the port is very easy: you just change the port number in the file listener.ora on the server and restart the listener process (lsnrctl stop & lsnrctl start on the OS command line), that's all. You need to set the same port number in the clients' tnsnames.ora file to be able to connect, indeed.

BUT this does not bring serious security; this kind of obscurity is not an obstacle even for a lamer. I recommend you use the original ports. However, there are other options to add a bit to the security level. For example, you can set up a honeypot machine to confuse the attacker. On the other hand, tnslistener is quite secure; if you configure your FW to allow only 1521, you don't have to worry much about its security.
 
David, Senior Oracle Database Administrator, Commented:
Sam, what's most time consuming, IMO, is pushing the new port info out to your clients if you're on a two-tier system.  Each user requires a modified TNSNAMES.ora file.
Question has a verified solution.
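
The answers above describe changing the port in listener.ora and then pushing the same port to every client's tnsnames.ora. The following check for aliases left on the old port is an added example, not code from the thread or from Oracle. The sample files, host name and aliases are constructed, and it assumes every alias in the file targets this one listener, so only port numbers are compared.

```python
import re

# Constructed samples (hypothetical host/aliases): listener moved to 1522, one alias not updated.
LISTENER_ORA = """
LISTENER = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost01)(PORT = 1522)))
"""
TNSNAMES_ORA = """
# client copy, only partly updated
QA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost01)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = qa)))
REPORTS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost01)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = rpt)))
"""
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.IGNORECASE)

def strip_comments(text):
    # Both .ora files allow '#' comments; a commented-out address must not count.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def split_entries(text):
    """Return {ALIAS: body} for each top-level 'ALIAS = ( ... )' entry."""
    text = strip_comments(text)
    entries, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r"[()]|([\w.\-]+)\s*=", text):
        tok = m.group(0)
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth == 0 and name:      # outermost paren closed: entry complete
                entries[name], name = text[start:m.end()], None
        elif depth == 0:                 # 'NAME =' outside any paren starts an entry
            name, start = m.group(1).upper(), m.end()
    return entries

def stale_aliases(listener_text, tns_text):
    """Map alias -> ports it uses that no listener address is bound to."""
    listening = {int(p) for p in PORT_RE.findall(strip_comments(listener_text))}
    stale = {}
    for alias, body in split_entries(tns_text).items():
        unknown = {int(p) for p in PORT_RE.findall(body)} - listening
        if unknown:
            stale[alias] = sorted(unknown)
    return stale
```

Calling `stale_aliases(LISTENER_ORA, TNSNAMES_ORA)` on the constructed samples reports the `REPORTS` alias, which still points at 1521.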
