Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


sec_return_server_release_banner Secure by Default?

Hello World,

Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog.
http://www.scmagazineus.com/scawards2010-finalists/section/1309/

Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security.
http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html
Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured environments, though IMO this is icing on the cake currently, as there are still default scott/tigers, open firewall 1521 ports and… even in high security environments… Aurora bugs to fix first… But it is interesting and got me reading about Oracle security configurations in general, when I came across this statement:
“The default value of sec_return_server_release_banner is TRUE” at this URL.
http://www.articles.freemegazone.com/oracle-11g-password-features.php?ref=3

Default to secure…? Doesn’t sound right .. better check this to make sure …

SQL> sho parameter sec_return_server_release_banner;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
sec_return_server_release_banner     boolean     FALSE
--
--that looks more like what I was expecting... so..
--
SQL> alter system set sec_return_server_release_banner=TRUE scope=spfile;
System altered.

Then have to reboot of course.

Don gets it right with a nice summary of 11g security params here:
http://www.dba-oracle.com/t_11g_new_hacking_prevention.htm

Ok so the release banner is actually insecure by default but on the positive side the additional secure config params in 11g are an improvement…but these are all still icing on the cake which is currently sitting on a Java Jelly.

Talking of release banners, Slavik has observed that Oracle sends a RESEND after every connection attempt, perhaps in an attempt to interfere with version identification. Will have a look at this later.
http://www.slaviks-blog.com/2010/03/07/oracle-tns-resend-packet/

I note there is an Oracle Security event in Manchester on the 11th March, though check first on the business/technical balance.
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=103823&src=6808550&src=6808550&Act=23

Have a good week and keep safe and secure.

Cheers,
Paul
