--------
LOCKED
SQL> CONNECT ctxsys/impossible_to_crack_incorrectly_encoded_password
ERROR:
ORA-01017: invalid username/password; logon denied
No matter which approach you prefer, you may always audit failed connect attempts by
setting AUDIT_TRAIL=DB and enabling auditing for connect failures with AUDIT CONNECT WHENEVER
NOT SUCCESSFUL. The following query will then yield failed connect attempts:
SQL> SELECT username, os_username, userhost, terminal, timestamp, returncode
FROM dba_audit_trail
WHERE action_name='LOGON'
AND returncode!=0;
USERNAME OS_USERNAME USERHOST TERMINAL TIMESTAMP RETURNCODE
-------- ----------------- ------------------- --------- -------------- ----------
CTXSYS DBSERVER\ndebes WORKGROUP\DBSERVER DBSERVER 28.09.07 20:22 1017
MDSYS DBSERVER\ndebes WORKGROUP\DBSERVER DBSERVER 28.09.07 20:37 28000
In the context of security, it is worth mentioning that Oracle10g databases, which were
created based on a seed database such as General Purpose or Transaction Processing with DBCA,
contain a new undocumented profile called MONITORING_PROFILE, which is assigned to the user
DBSNMP. This profile allows an unlimited number of failed login attempts, whereas the standard
profile DEFAULT, which also exists in Oracle9i and prior releases, allows ten failed login attempts
in Oracle10g before locking an account.
SQL> SELECT profile, limit FROM dba_profiles
WHERE resource_name='FAILED_LOGIN_ATTEMPTS';
PROFILE LIMIT
------------------------------ ----------------------------------------
DEFAULT 10
MONITORING_PROFILE UNLIMITED
This setting makes the account DBSNMP a likely target for password-cracking routines. This
vulnerability does not apply to databases that were created manually or using Custom Database
in DBCA.
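The auditing setup and the profile check described above can be combined into one defender-side script. The following Oracle SQL is an added example, not code from the book: it enables auditing of failed connections, aggregates recent failures per account and origin host from dba_audit_trail, joins them to dba_users and dba_profiles to show whether the attacked account is ever locked, and finally brings MONITORING_PROFILE in line with DEFAULT. It assumes AUDIT_TRAIL=DB has already been set and the instance restarted (it is a static parameter), that the session holds AUDIT SYSTEM, ALTER PROFILE and SELECT on the DBA views, and that the 24-hour window and the threshold of five failures are site-specific choices.

```sql
-- Added example, not from the book. Assumes AUDIT_TRAIL=DB is already in
-- effect and that the session may audit, query DBA views and alter profiles.

-- 1. Record every unsuccessful connection attempt (as described on the page).
AUDIT CONNECT WHENEVER NOT SUCCESSFUL;

-- 2. Failed logons in the last 24 hours, grouped by target account and
--    originating host. 1017 (invalid username/password) and 28000 (account
--    locked) are the two return codes visible in the page's sample output.
SELECT a.username,
       a.userhost,
       COUNT(*)                                                 AS failures,
       SUM(CASE WHEN a.returncode = 1017  THEN 1 ELSE 0 END)    AS bad_password,
       SUM(CASE WHEN a.returncode = 28000 THEN 1 ELSE 0 END)    AS locked_out,
       MIN(a.timestamp)                                         AS first_seen,
       MAX(a.timestamp)                                         AS last_seen
FROM   dba_audit_trail a
WHERE  a.action_name = 'LOGON'
AND    a.returncode != 0
AND    a.timestamp  >= SYSDATE - 1          -- window is an assumption; tune per site
GROUP  BY a.username, a.userhost
HAVING COUNT(*) >= 5                        -- threshold is an assumption; tune per site
ORDER  BY failures DESC;

-- 3. Which of the attacked accounts belong to a profile that never locks them?
--    A LIMIT of 'DEFAULT' means the value is inherited from the DEFAULT profile;
--    'UNLIMITED' is the MONITORING_PROFILE case discussed on the page.
SELECT DISTINCT a.username,
       u.profile,
       p.limit                                                  AS failed_login_attempts,
       u.account_status
FROM   dba_audit_trail a
JOIN   dba_users    u ON u.username = a.username
JOIN   dba_profiles p ON p.profile = u.profile
                     AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
WHERE  a.action_name = 'LOGON'
AND    a.returncode != 0
AND    a.timestamp  >= SYSDATE - 1
ORDER  BY a.username;

-- 4. Mitigation: give MONITORING_PROFILE the same lock-out behaviour as
--    DEFAULT (ten attempts, per the page). Applies to subsequent logons only.
ALTER PROFILE monitoring_profile LIMIT FAILED_LOGIN_ATTEMPTS 10;
```

Run steps 2 and 3 from a scheduled job or a monitoring view rather than by hand, and treat a rising count of return code 1017 against a single account from one host as the signal to investigate. Once MONITORING_PROFILE locks accounts, the agent that connects as DBSNMP will itself be locked out after ten bad attempts, so a 28000 return code for DBSNMP should be followed up rather than silently unlocked.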
ALTER USER and Unencrypted Passwords
In case you are concerned about sending unencrypted passwords across a network—after all
this is one of the reasons why telnet and ftp have been abandoned in favor of secure shell
(SSH)—you should be aware of the fact that ALTER USER IDENTIFIED BY does just that, unless
your site has licensed and installed the Advanced Security Option, which encrypts all Oracle
Net traffic. It's fairly easy to demonstrate this, since the undocumented Oracle Net trace file
format contains an ASCII dump of the network packets transmitted by a database client when
the highest trace level, SUPPORT, is enabled. After setting the following parameters in sqlnet.ora
on a Windows client system, trace files will be written to C:\temp: