Oracle Security by Connection and Login Restrictions

The recommendations below implement proper authentication mechanisms and password policies in Oracle 11g. Applying them deters brute-force attacks and improves Oracle security.

FAILED_LOGIN_ATTEMPTS Setting

The FAILED_LOGIN_ATTEMPTS setting specifies how many consecutive failed login attempts are permitted before the database locks the user's account. This setting mitigates brute-force login attacks.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 5;

PASSWORD_LOCK_TIME Setting

The PASSWORD_LOCK_TIME setting specifies the number of days an account remains locked after the permitted number of failed login attempts has been exceeded.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 1;

PASSWORD_LIFE_TIME Setting

The PASSWORD_LIFE_TIME setting determines the number of days a password may be used before the user is required to change it. This setting deters brute-force attacks and improves Oracle security.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;

PASSWORD_REUSE_MAX Setting

The PASSWORD_REUSE_MAX setting specifies the number of password changes required before the current password can be reused. This helps prevent social-engineering and brute-force password-based attacks.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 20;

PASSWORD_REUSE_TIME Setting

The PASSWORD_REUSE_TIME setting specifies the number of days that must pass before a password can be reused. This setting deters brute-force attacks and improves Oracle security. PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are enforced together: a password can only be reused once both limits are satisfied, and leaving both at UNLIMITED disables the reuse check entirely.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 365;

PASSWORD_GRACE_TIME Setting

The PASSWORD_GRACE_TIME setting specifies the number of days, after the password's lifetime has elapsed, during which the user may still log in (with a warning) and must change the password before it expires.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_GRACE_TIME 5;

Limiting EXTERNAL user login

A user whose password is set to EXTERNAL is authenticated by the operating system rather than by the database and receives full database authorization on connection. Allowing remote OS authentication means that anyone who controls a matching OS account on a remote machine can connect as that database user without presenting a database password. The fix is to find externally authenticated users and give each one a database password.
Solution:
SQL> SELECT USERNAME FROM DBA_USERS WHERE AUTHENTICATION_TYPE='EXTERNAL';
SQL> ALTER USER username IDENTIFIED BY password;

PASSWORD_VERIFY_FUNCTION Setting

The PASSWORD_VERIFY_FUNCTION setting names a PL/SQL function that is called whenever a user's password is set or changed, and that enforces the organization's password complexity requirements.
Solution:
Create a password verification function that enforces the organization's password requirements, then assign it to the profile with the PASSWORD_VERIFY_FUNCTION limit.

SESSIONS_PER_USER Setting

The SESSIONS_PER_USER setting specifies the maximum number of sessions a single user may have open simultaneously. Restricting it helps prevent memory exhaustion and intentional denial-of-service. Unlike the password limits above, SESSIONS_PER_USER is a resource limit and is only enforced when the RESOURCE_LIMIT initialization parameter is TRUE.
Solution:
SQL> ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;
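The following is an added example, not part of the original post, that puts the recommendations above together: a password verification function of the kind the PASSWORD_VERIFY_FUNCTION section asks for, a single ALTER PROFILE that applies every limit from this page, and two queries that confirm the result. The function name org_verify_function, its thresholds (12 characters, three character classes, at least three changed positions) and the short list of rejected common passwords are this example's own choices, not values from the page; adjust them to your policy. Run it as SYS, because in Oracle 11g the verification function must be owned by SYS.

```sql
-- Added example (not from the original post). Run as SYS: in Oracle 11g the
-- password verification function must be owned by SYS.
-- org_verify_function and its thresholds are this example's assumptions.
CREATE OR REPLACE FUNCTION org_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
  n_digits  PLS_INTEGER;
  n_letters PLS_INTEGER;
  n_special PLS_INTEGER;
  n_diff    PLS_INTEGER;
BEGIN
  -- Minimum length.
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;

  -- Must not contain the username, in any letter case.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;

  -- Reject a few well-known defaults (constructed list; extend for your environment).
  IF LOWER(password) IN ('welcome1', 'oracle', 'password', 'database1', 'manager') THEN
    raise_application_error(-20003, 'Password is too common');
  END IF;

  -- Count character classes. LENGTH('') is NULL in Oracle, hence the NVL.
  n_digits  := NVL(LENGTH(REGEXP_REPLACE(password, '[^0-9]', '')), 0);
  n_letters := NVL(LENGTH(REGEXP_REPLACE(password, '[^A-Za-z]', '')), 0);
  n_special := NVL(LENGTH(REGEXP_REPLACE(password, '[A-Za-z0-9]', '')), 0);
  IF n_digits = 0 OR n_letters = 0 OR n_special = 0 THEN
    raise_application_error(-20004, 'Password needs letters, digits and a special character');
  END IF;

  -- old_password is only supplied when a user changes their own password with
  -- ALTER USER ... IDENTIFIED BY new REPLACE old; otherwise it is NULL.
  IF old_password IS NOT NULL THEN
    n_diff := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        n_diff := n_diff + 1;
      END IF;
    END LOOP;
    IF n_diff < 3 THEN
      raise_application_error(-20005, 'Password must differ from the old one in at least 3 positions');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Apply every limit from this page and the verify function in one statement.
-- PASSWORD_LOCK_TIME and PASSWORD_GRACE_TIME are in days (fractions are
-- accepted, e.g. 1/24 for one hour).
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_MAX       20
  PASSWORD_REUSE_TIME      365
  PASSWORD_GRACE_TIME      5
  SESSIONS_PER_USER        10
  PASSWORD_VERIFY_FUNCTION org_verify_function;

-- Resource limits such as SESSIONS_PER_USER are only enforced when this is
-- TRUE; password limits are always enforced.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = BOTH;

-- Check 1: the DEFAULT profile now carries the intended values.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND (resource_type = 'PASSWORD' OR resource_name = 'SESSIONS_PER_USER')
 ORDER BY resource_type, resource_name;

-- Check 2: open accounts on any profile that still has no lockout threshold,
-- no password lifetime or no verify function. Users on a non-DEFAULT profile
-- are not covered by the ALTER PROFILE DEFAULT statements above.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                           'PASSWORD_VERIFY_FUNCTION')
   AND p.limit IN ('UNLIMITED', 'NULL')
   AND u.account_status = 'OPEN'
 ORDER BY u.username, p.resource_name;
```

The second check matters because every statement on this page alters only the DEFAULT profile; an account attached to a custom profile whose limits were left at UNLIMITED (or whose PASSWORD_VERIFY_FUNCTION is still the string NULL in DBA_PROFILES) is not hardened by them and shows up in that result set.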
