To reduce the computing power needed for a brute-force attack, an attacker will aim for a comprehensive and
targeted dictionary to supply likely passwords. This approach is discussed in the next chapter.
Note
The immediate answer is to ensure the use of complex passwords and reasonably regular expiry on all accounts,
especially privileged ones. Let's consider the situation where all accounts are subject to the user profile controls, such
as password complexity and regular expiration. Is it still possible for an attacker to brute-force their way into an Oracle
database? Unfortunately it is, mainly due to the lack of security controls for the most privileged account guaranteed
to be present and open—SYS.
Attacking the SYS Account
The only account that is sure to be present and unlocked is the SYS account. Therefore one would hope that Oracle
would by default spend the most effort securing this account. Unfortunately, the opposite is the case. SYS is completely
immune to the basic password controls listed below, which apply to all users not managed through the password file,
i.e., the low-privileged, less-important accounts (http://bit.ly/16kgKV3).
FAILED_LOGIN_ATTEMPTS
PASSWORD_LIFE_TIME
PASSWORD_GRACE_TIME
PASSWORD_REUSE_TIME
PASSWORD_REUSE_MAX
PASSWORD_LOCK_TIME
PASSWORD_VERIFY_FUNCTION
Additionally, there is no failed-logon delay throttling for the SYS account, whereas lower-privileged accounts do have
this delay, which makes a basic remote brute-force logon infeasible. The lack of this delay has been raised with Oracle
directly by the author on multiple occasions, and Oracle has implemented that recommendation in 12c, as we
shall see later. First, let's demonstrate the missing SYS delay throttling in 11g:
[oracle@orlin dbs]$ while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl_plug as sysdba;sleep 0;done;
ERROR:
ORA-01017: invalid username/password; logon denied
.... 8< .....snip
no failed logon delay for SYS account
[oracle@orlin dbs]$ while true;do sqlplus -S -L system/wrongpw@orlin:1521/orcl_plug;sleep 0;done;
ERROR:
ORA-01017: invalid username/password; logon denied
.... 8< ....snip
failed logon delay starts for non-SYS account
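Because neither the profile limits nor the logon delay protect SYS, spotting a brute-force run against it has to come from the audit trail: connections made with the SYSDBA privilege are always recorded in the OS audit trail (the .aud files in the adump directory), including failed ones. The script below is an added example, not code from the book; it parses records in the style of that trail and flags any client user with many failed SYSDBA connects inside a short window. The record layout is an assumption modelled on 11g output, and the sample records are constructed, so check the field names against your own adump files before relying on it.

```python
import re
from datetime import datetime, timedelta

# Assumed layout of one OS audit trail record: a timestamp line followed by
# "NAME:[len] 'value'" lines. Verify against real adump output before use.
RECORD_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})", re.M)
FIELD_RE = re.compile(r"^([A-Z ]+?)\s*:\[\d+\] '([^']*)'", re.M)

def parse_audit(text):
    """Split an audit trail into records: dicts of fields plus a TIMESTAMP."""
    records = []
    chunks = RECORD_RE.split(text)[1:]          # [ts1, body1, ts2, body2, ...]
    for ts, body in zip(chunks[::2], chunks[1::2]):
        rec = {k.strip(): v for k, v in FIELD_RE.findall(body)}
        rec["TIMESTAMP"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records

def sysdba_failures(records, window=timedelta(seconds=60), threshold=5):
    """Return {client_user: peak} for clients whose failed SYSDBA/SYSOPER
    connects reach `threshold` within any sliding `window`."""
    per_client = {}
    for r in records:
        # A failed connect carries the ORA error number, e.g. STATUS '1017'.
        if (r.get("ACTION") == "CONNECT" and r.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")
                and r.get("STATUS") != "0"):
            per_client.setdefault(r.get("CLIENT USER", "?"), []).append(r["TIMESTAMP"])
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

def _rec(ts, user, priv, client, status):
    """Build one constructed record in the assumed layout (sample data only)."""
    return (f"{ts} +00:00\nLENGTH : '150'\nACTION :[7] 'CONNECT'\n"
            f"DATABASE USER:[{len(user)}] '{user}'\nPRIVILEGE :[{len(priv)}] '{priv}'\n"
            f"CLIENT USER:[{len(client)}] '{client}'\nSTATUS:[{len(status)}] '{status}'\n\n")

# Constructed sample: six failed SYSDBA connects from 'oracle' within seconds
# (what the sqlplus loop above produces), one success, one failure from 'bob'.
SAMPLE_AUDIT = "".join(
    [_rec(f"Thu Mar 07 10:00:{i:02d} 2013", "SYS", "SYSDBA", "oracle", "1017") for i in range(6)]
    + [_rec("Thu Mar 07 10:01:30 2013", "SYS", "SYSDBA", "oracle", "0"),
       _rec("Thu Mar 07 10:05:00 2013", "SYS", "SYSDBA", "bob", "1017")])

if __name__ == "__main__":
    print(sysdba_failures(parse_audit(SAMPLE_AUDIT)))   # {'oracle': 6}
```

Point `parse_audit` at the concatenated contents of the adump directory and lower `window`/`threshold` to suit your environment; 12c's delay for SYS does not remove the need for this check on 11g.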