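Category archive: Oracle Listener
ORA-01034 ORA-27101 failure analysis
A customer's database returned ORA-01034 and ORA-27101 when accessed through the listener and could not be used normally: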
SQL> conn app/xxxxx@192.168.129.145/orcl
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Process ID: 0
Session ID: 0 Serial number: 0
SQL> conn app/xxxxx
Connected.
The database status and tnsping both check out as normal:
SQL> select open_mode from v$database;
OPEN_MODE
--------------------
READ WRITE
SQL> !tnsping orcl
TNS Ping Utility for Linux: Version 11.2.0.4.0 - Production on 18-OCT-2020 22:11:49
Copyright (c) 1997, 2013, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.129.1) (PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
OK (0 msec)
A ping between the hosts is also normal:
[XIFENFEI@DB1 trace]$ ping 192.168.129.1
PING 192.168.129.1 (192.168.129.1) 56(84) bytes of data.
64 bytes from 192.168.129.1: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 192.168.129.1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 192.168.129.1: icmp_seq=3 ttl=64 time=0.034 ms
^C
--- 192.168.129.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2318ms
rtt min/avg/max/mdev = 0.025/0.030/0.034/0.006 ms
Check the database and listener configuration:
[XIFENFEI@DB1 trace]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Sun Oct 18 22:13:50 2020
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show parameter name;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
cell_offloadgroup_name string
db_file_name_convert string
db_name string orcl
db_unique_name string orcl
global_names boolean FALSE
instance_name string oracle
lock_name_space string
log_file_name_convert string
processor_group_name string
service_names string orcl
SQL>
SQL>
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[XIFENFEI@DB1 trace]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 18-OCT-2020 22:15:16
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 18-OCT-2020 22:05:04
Uptime 0 days 0 hr. 10 min. 12 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /usr/local/oracle/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /usr/local/oracle/diag/tnslsnr/DB1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.129.1)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
[XIFENFEI@DB1 trace]$ cat /usr/local/oracle/product/11.2.0/db_1/network/admin/listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = orcl)
(ORACLE_HOME = /usr/local/oracle/product/11.2.0/db_1)
(GLOBAL_DBNAME= orcl)
)
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /usr/local/oracle/product/11.2.0/db_1)
(PROGRAM = extproc)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP) (HOST = 192.168.129.1) (PORT = 1521))
)
)
ADR_BASE_LISTENER = /usr/local/oracle
[XIFENFEI@DB1 trace]$
[XIFENFEI@DB1 trace]$
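Here we can see that the database configuration and the listener configuration do not match (instance_name is oracle, while the static SID_NAME in listener.ora is orcl), so it needs to be adjusted.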
[XIFENFEI@DB1 admin]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Sun Oct 18 22:21:16 2020
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> conn app/xxxxx@192.168.129.145/orcl
Connected.
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[XIFENFEI@DB1 admin]$
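Fixing the CVE-2012-1675 vulnerability with VNCR
As security receives more attention, many organizations are being required to remediate the TNS Listener remote data poisoning vulnerability (CVE-2012-1675), and it is rated high severity.

For versions earlier than 11.2.0.4, especially in RAC environments, remediating this issue is relatively troublesome: it has to be done by configuring an Oracle wallet, the configuration is fairly complex, and the instance must be restarted, so the impact is considerable. For details see: Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1). For single-instance environments, refer directly to the earlier article: Oracle Database Server 'TNS Listener' remote data poisoning vulnerability (CVE-2012-1675): solution. Starting with 11.2.0.4, Oracle introduced the new Valid Node Checking For Registration (VNCR) feature, with which this vulnerability can be fixed through simple configuration.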
Add the following to the listener.ora file (as the grid/oracle user)
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(hisdb1,hisdb2)
Restart the listener
LSNRCTL> set current_listener listener_name
LSNRCTL> stop
LSNRCTL> start
Verify that it has taken effect
1. Attempt a remote registration from a remote machine
alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.115.15)(PORT=1521))' scope=memory;
2. Watch the listener log

Entries like these prove that it has taken effect.
Additional notes
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR. With VNCR disabled, services that register are not checked.
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register. With VNCR enabled, by default only services on the local machine's own IPs may register with this listener; other servers that need to register can be added through the REGISTRATION_INVITED_NODES parameter.
SUBNET/2 - All machines in the subnet are allowed registration. Servers within the specified subnet can register.
REGISTRATION_INVITED_NODES_listener-name
Controls which nodes are allowed to connect for registration; they can be specified by IP address, host name or network segment.
Values are valid IPs, valid hosts, a subnet using CIDR notation (for ip4/6), or wildcard (*) for ipv4.
For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)
Note that when an INVITED list is set, it will automatically include the machine's local IP in the list. There is no need to include it.
-- Difference between 11.2.0.4 and 12c
On a 12.1 RAC database, the listener parameter VALID_NODE_CHECKING_REGISTRATION_listener_name defaults to SUBNET / 2, meaning that all machines in the subnet are allowed to register. So 12c by default does not resolve the CVE-2012-1675 vulnerability.
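An added example, not from the original post or from Oracle: Python that reads the VNCR parameters described in the notes above from a listener.ora text and reports, per listener, the effective mode and any invited entries that cover more than one host. The function name `vncr_posture`, the listener names passed in and the sample text are assumptions for illustration.

```python
import re

# Value aliases listed in the notes above: OFF/0, ON/1/LOCAL, SUBNET/2.
MODES = {"OFF": "OFF", "0": "OFF", "ON": "LOCAL", "1": "LOCAL",
         "LOCAL": "LOCAL", "SUBNET": "SUBNET", "2": "SUBNET"}
PARAM = re.compile(
    r"^\s*(VALID_NODE_CHECKING_REGISTRATION|REGISTRATION_INVITED_NODES)"
    r"_(\w+)\s*=\s*(\([^)]*\)|\S+)", re.I | re.M)

def vncr_posture(listener_ora, listeners, default_mode="LOCAL"):
    """Per-listener VNCR report. default_mode is the release default used
    when the parameter is absent: LOCAL on 11.2.0.4, SUBNET on 12.1 RAC."""
    text = re.sub(r"#.*", "", listener_ora)           # strip comments
    seen = {}
    for key, name, value in PARAM.findall(text):
        seen.setdefault(name.upper(), {})[key.upper()] = value.strip()
    report = {}
    for name in listeners:
        params = seen.get(name.upper(), {})
        raw = params.get("VALID_NODE_CHECKING_REGISTRATION")
        mode = MODES.get(raw.upper(), "INVALID") if raw else default_mode
        nodes = params.get("REGISTRATION_INVITED_NODES", "").strip("()")
        invited = [n.strip() for n in nodes.split(",") if n.strip()]
        findings = []
        if raw is None:
            findings.append("VNCR not set explicitly; release default applies")
        if mode == "OFF":
            findings.append("VNCR disabled: registrations are not checked")
        elif mode == "SUBNET":
            findings.append("whole subnet may register services")
        elif mode == "INVALID":
            findings.append("unrecognized VNCR value: " + raw)
        findings += ["broad invited entry: " + n for n in invited
                     if "*" in n or "/" in n]          # wildcard or CIDR
        report[name] = {"mode": mode, "explicit": raw is not None,
                        "invited": invited, "findings": findings}
    return report

# Constructed sample: the three lines from the post plus one wildcard entry.
SAMPLE = """\
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1 = ON   # scan listener
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(hisdb1, hisdb2, 127.42.5.*)
"""

if __name__ == "__main__":
    for name, info in vncr_posture(SAMPLE, ["LISTENER", "LISTENER_SCAN1"]).items():
        print(name, info)
```

Pass `default_mode="SUBNET"` when auditing a 12.1 RAC listener.ora so that a missing parameter is reported as subnet-wide registration.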
Reference documents
Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
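Oracle Database Server 'TNS Listener' remote data poisoning vulnerability (CVE-2012-1675): solution
According to the official Oracle MOS description, this issue requires both applying a patch and changing the configuration. This article mainly provides the solution for the Oracle Database Server 'TNS Listener' remote data poisoning vulnerability (CVE-2012-1675) on a single-instance database. The reference document is Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1); because the document itself is rather long-winded, it is briefly summarized here:
Database version requirements
The installation must include patch 12880299. Minimum version requirements (any version higher than the following is sufficient):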

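Use the $ORACLE_HOME/OPatch/opatch lsinventory command to obtain the version information; a version greater than or equal to those in the document above is sufficient. For the specific version mapping, see: database patch mapping
listener.ora file configuration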
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521))
# Commented out: IPC is generally not used; the vast majority of applications connect to the database over TCP
#      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
ADR_BASE_LISTENER = /home/u01/app/oracle
# Add this parameter
SECURE_REGISTER_LISTENER = (TCP)
Restart the listener
lsnrctl stop
lsnrctl start
Verify that the configuration has taken effect
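1. Check the database listener log:
$ORACLE_BASE/diag/tnslsnr/hostname/listener/trace/listener.log
2. Find another database server (single-instance environment) on the LAN and log in to its database:
sqlplus / as sysdba
show parameter remote_listener; -- record this value (usually empty)
alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=ip)(PORT=1521))' scope=memory;
Replace ip with the address of the database server whose listener was modified above.
3. Check the listener log again; records similar to the following appear (you can also run alter system register in the database and observe):
02-NOV-2018 20:37:53 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
02-NOV-2018 20:37:56 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
After observing for a while, this shows that our listener configuration has taken effect: the database rejects the remote listener registration, and the vulnerability is fixed.
If no similar records appear, check whether the database version and patches meet the requirements and whether the listener.ora parameters are configured correctly.
4. Restore the remote_listener parameter to its previous value:
sqlplus / as sysdba
alter system set remote_listener='value recorded in step 2' scope=memory;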
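An added example, not part of the original post: Python that parses the service_register records shown in step 3 and confirms that registration attempts made after the test began were rejected with 1194. The first sample line (an accepted registration before the test), the test start time and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

EVENT = re.compile(
    r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (service_register\w*) \* "
    r"(?:(\S+) \* )?(\d+)\s*$")
TNS = re.compile(r"^\s*(TNS-\d{5}): (.*)$")

def registration_events(log_text):
    """Parse service_register* records and attach the TNS- line that follows."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts, kind, service, code = m.groups()
            events.append({"time": datetime.strptime(ts, "%d-%b-%Y %H:%M:%S"),
                           "kind": kind, "service": service,
                           "code": int(code), "error": None})
            continue
        t = TNS.match(line)
        if t and events and events[-1]["code"] and events[-1]["error"] is None:
            events[-1]["error"] = t.group(1)
    return events

def verify_cost(log_text, since):
    """Summarize registration attempts logged at or after `since`.
    1194 rejections mean the restriction is active; accepted registrations
    (code 0) in the same window are returned for review."""
    window = [e for e in registration_events(log_text) if e["time"] >= since]
    codes = Counter(e["code"] for e in window)
    return {"attempts": len(window), "rejected_1194": codes[1194],
            "accepted": [e for e in window if e["code"] == 0],
            "effective": codes[1194] > 0}

# Constructed sample: the first line is invented, the rest mirror step 3.
SAMPLE_LOG = """\
02-NOV-2018 20:30:01 * service_register * orcl * 0
02-NOV-2018 20:37:53 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
02-NOV-2018 20:37:56 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
"""
TEST_START = datetime(2018, 11, 2, 20, 37, 0)   # constructed test start time

if __name__ == "__main__":
    print(verify_cost(SAMPLE_LOG, TEST_START))
```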
For RAC environments the configuration is more complex; refer to the MOS document: Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1)


