The recommendations below implement a proper authentication mechanism and password policies in Oracle 11g. Applying them will deter brute-force attacks and improve Oracle security.
The FAILED_LOGIN_ATTEMPTS setting specifies how many failed login attempts are permitted before the system locks the user's account. This setting is used to mitigate brute-force login attacks.
SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 5;
The PASSWORD_LOCK_TIME setting specifies the number of days an account stays locked after the set number of failed login attempts has occurred, before it is unlocked automatically.
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 1;
The PASSWORD_LIFE_TIME setting determines the number of days a user password may be used before the user is required to change it. This setting will deter brute-force attacks and improve Oracle security.
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;
The PASSWORD_REUSE_MAX setting specifies the number of password changes required before the current password can be reused. This will prevent social-engineering and brute-force password-based attacks.
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 20;
The PASSWORD_REUSE_TIME setting specifies the number of days that must pass before a password can be reused. This setting will prevent brute-force attacks and improve Oracle security.
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 365;
The PASSWORD_GRACE_TIME setting specifies the number of days a user has to change his or her password after it has expired, before the account is locked.
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_GRACE_TIME 5;
Limiting EXTERNAL user login
The password='EXTERNAL' setting specifies whether a user can be authenticated by a remote OS and gain access to the database with full authorization. Allowing remote OS authentication can potentially allow users who are privileged on the remote OS to connect as authenticated database users. List such accounts and switch them to database passwords:
SQL> SELECT USERNAME FROM DBA_USERS WHERE AUTHENTICATION_TYPE='EXTERNAL';
SQL> ALTER USER username IDENTIFIED BY password;
The PASSWORD_VERIFY_FUNCTION setting names a PL/SQL function that enforces the password requirements whenever a user password is changed.
Create a password verification function that implements the password requirements of the organization, then assign it to the profile with ALTER PROFILE ... LIMIT PASSWORD_VERIFY_FUNCTION.
The SESSIONS_PER_USER setting specifies the maximum number of sessions a user is allowed to have open simultaneously. Restricting SESSIONS_PER_USER can help prevent memory exhaustion or intentional Denial-of-Service attacks.
SQL> ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;