USERNAME
------------------------------------------------
DBLINK_ACCOUNT
C##GASP
8<-- snip
SYS
55 rows selected.
As soon as the statement is executed, the session is killed; re-running the same query over the link now fails because the target account has been locked:
SQL> /
select username from all_users@TEST_LINK
*
ERROR at line 1:
ORA-28000: the account is locked
ORA-02063: preceding line from TEST_LINK
An important additional consideration for this DB link blocker is that an attacker could turn it into a denial of service: by attempting connections over a database link to every account in the target database, they would cause each of those accounts to be locked. This would not work for password-file managed users, as they cannot be locked, but it would still lock the application accounts, which is a partial DoS. If this is a concern, the account-locking SQL can be replaced with an 'ALTER USER' password change to a password known only to the account owner: the unauthorized DB link, which still holds the old credential, is blocked, while the account owner can still connect.
The script above is simplified as a PoC so that you can understand and use it. Care should be taken with hard-coded passwords, and the concept should be tested thoroughly before it is applied in production. One simplification is to run the script as '/ as SYSDBA', i.e. with OS authentication, so that no password needs to be stored in it at all. This native IPS PoC can be extended to block many other unwanted connection types, with the decision to kill a connection based on the content of the audit trail, which records the session's actual actions. Native IPS of this kind is a very powerful concept and is likely to be expanded upon. The underlying principle of the PoC is that monitoring and securing Oracle can be done more effectively from the host Unix OS; this will be a recurring theme throughout the following chapters.
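The host-side blocker sketched above, written out as an added example rather than the book's own PoC script: it reads an audit-trail extract, picks out the sessions that arrived over a database link, skips a whitelist of legitimate link accounts and the password-file managed users that cannot be locked, and emits either the ACCOUNT LOCK statement the PoC uses or the password-rotation alternative suggested for the DoS case. The DBLINK_INFO marker in COMMENT_TEXT, the whitelist, the password-file user list and the sample extract are all assumptions constructed for the example; the generated SQL is only printed unless APPLY=1, in which case it is piped into sqlplus with OS authentication.

```shell
#!/bin/sh
# Host-side DB link blocker: an added example, not the book's own PoC script.
# It reads an extract of the audit trail (USERNAME|COMMENT_TEXT per line),
# picks out sessions that arrived over a database link, and emits the
# ALTER USER statements that block them. The DBLINK_INFO marker in
# COMMENT_TEXT, the whitelist and the password-file user list are assumptions.

# Accounts that are legitimately used as DB link targets (assumed whitelist).
ALLOWED_LINK_USERS="DBLINK_ACCOUNT"
# Password-file managed users cannot be locked out this way; never touch them.
PWFILE_USERS="SYS SYSBACKUP SYSDG SYSKM"

# Constructed sample extract, shaped like DBA_AUDIT_SESSION rows.
SAMPLE_AUDIT='DBLINK_ACCOUNT|Authenticated by: DATABASE; DBLINK_INFO: (SOURCE_GLOBAL_NAME=ORCL.EXAMPLE,DBLINK_NAME=TEST_LINK,SOURCE_AUDIT_SESSIONID=1001)
C##GASP|Authenticated by: DATABASE; DBLINK_INFO: (SOURCE_GLOBAL_NAME=ORCL.EXAMPLE,DBLINK_NAME=TEST_LINK,SOURCE_AUDIT_SESSIONID=1002)
SYS|Authenticated by: DATABASE; DBLINK_INFO: (SOURCE_GLOBAL_NAME=ORCL.EXAMPLE,DBLINK_NAME=TEST_LINK,SOURCE_AUDIT_SESSIONID=1003)
APPUSER|Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=49152))'

# in_list WORD "A B C": succeeds when WORD is one of the listed words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# dblink_offenders: reads the extract on stdin, prints one username per line
# for sessions that came in over a link and are neither whitelisted nor
# password-file managed.
dblink_offenders() {
    while IFS='|' read -r user comment; do
        case "$comment" in
            *DBLINK_INFO:*) ;;
            *) continue ;;
        esac
        in_list "$user" "$ALLOWED_LINK_USERS" && continue
        in_list "$user" "$PWFILE_USERS" && continue
        echo "$user"
    done
}

# response_sql USER MODE [NEWPASS]: the blocking statement for one account.
#   lock   - ALTER USER ... ACCOUNT LOCK, what the PoC does (DoS-able)
#   rotate - change the password instead, so the link's stored credential
#            stops working while the owner, told the new one, still connects
response_sql() {
    case "$2" in
        lock)   printf 'ALTER USER "%s" ACCOUNT LOCK;\n' "$1" ;;
        rotate) printf 'ALTER USER "%s" IDENTIFIED BY "%s";\n' "$1" "$3" ;;
        *)      echo "response_sql: unknown mode '$2'" >&2; return 1 ;;
    esac
}

# build_script MODE [NEWPASS]: extract on stdin -> full response script.
build_script() {
    dblink_offenders | while read -r u; do
        response_sql "$u" "$1" "$2" || return 1
    done
}

# Top level: generate the response for the sample extract. With APPLY=1 it
# is piped into sqlplus using OS authentication (no password in the script);
# otherwise it is only printed, which is the safe default for a dry run.
MODE=${MODE:-lock}
NEWPASS=${NEWPASS:-"Rotate-Me-$$"}
SQL=$(printf '%s\n' "$SAMPLE_AUDIT" | build_script "$MODE" "$NEWPASS")
if [ "${APPLY:-0}" = 1 ] && [ -n "$SQL" ]; then
    printf '%s\n' "$SQL" | sqlplus -s '/ as sysdba'
else
    printf '%s\n' "$SQL"
fi
```

On a real host the sample extract would be replaced by the output of a query against the audit trail run from cron as the Oracle OS user, and MODE=rotate would be chosen where locking could be abused for a DoS; in the sample only C##GASP is acted on, because DBLINK_ACCOUNT is whitelisted, SYS is password-file managed and APPUSER did not arrive over a link.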