Showing posts with label oracle security. Show all posts

Monday, January 09, 2012

Securing Oracle Database server using IPTables in Linux

Linux can help administrators create a strong firewall with the powerful, kernel-based netfilter/iptables software. As demonstrated below, iptables can create general or specific packet filters to allow or deny traffic. This enables administrators to protect their servers from a wide variety of hazards, including service attacks and hack attempts. As always, the best way to learn is to get your hands dirty and experiment with iptables on a testing machine.

This article is an example of how you can secure an Oracle Database server using iptables in Linux: only the monitoring hosts, the trusted administration VLAN and the application VMs get through, and every other new TCP connection is dropped.

Edit the iptables file from the /etc/sysconfig directory:

[root]# vi /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Nagios Server for real time alerts : 192.168.0.99
# Zabbix Server for historic perf. data : 192.168.0.98
# Trusted VLAN for SSH and SFTP traffic : 192.168.4.0
# Trusted IP's from untrusted VLAN : 192.168.16.xx

# Local connections (sqlplus, listener, agents on the box) and replies to the
# server's own outbound traffic; without these the catch-all below breaks them
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rule to enable PING from selected IP's (ping is ICMP echo, not TCP)
-A INPUT -p icmp --icmp-type echo-request -s 192.168.0.99 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s 192.168.0.98 -j ACCEPT

# Rule to enable monitoring from selected IP's (NRPE on 5666, Zabbix agent on 10050)
-A INPUT -m state --state NEW -m tcp -s 192.168.0.99 -p tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.0.98 -p tcp --dport 10050 -j ACCEPT

# Rule to enable SSH / SFTP from Trusted VLAN
# (SFTP runs inside SSH on port 22; the FTP ports 20/21 are not needed and stay closed)
-A INPUT -m state --state NEW -m tcp -s 192.168.4.0/24 -p tcp --dport 22 -j ACCEPT

# Rule to enable the Oracle listener port for IP's of Application VM's
-A INPUT -m state --state NEW -m tcp -s 192.168.16.20 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.21 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.22 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.23 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.24 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.25 -p tcp --dport 1521 -j ACCEPT

# Catch All Rule: every other new TCP connection is dropped
# (UDP and other protocols are not covered here and fall through to the INPUT policy)
-A INPUT -m state --state NEW -m tcp -p tcp -j DROP
COMMIT

Restart the iptables service to load the new rules:

[root]# service iptables restart
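Before relying on the ruleset, it is worth checking what it actually admits. The script below is an added example, not part of the original post: a first-match simulator for the INPUT chain that parses a constructed, trimmed copy of the file above (one source per group, same format) and returns the verdict for a given source, protocol and port. The interface name eth0 and the chain policy are assumptions taken from the file's own ":INPUT ACCEPT" line.

```python
import ipaddress
# Constructed ruleset (same format as the post's file, trimmed to one source per group)
RULES = """
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -s 192.168.0.99 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -s 192.168.0.99 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -s 192.168.4.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -s 192.168.16.20 --dport 1521 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j DROP
"""
# iptables option -> (field, converter); '-m state' / '-m tcp' only load match modules
OPTS = {
    "-s": ("src", lambda a: ipaddress.ip_network(a, strict=False)),
    "-p": ("proto", str), "--dport": ("dport", int), "-i": ("iface", str),
    "--state": ("states", lambda a: set(a.split(","))), "-j": ("target", str),
}

def parse_rule(line):
    """One '-A INPUT ...' line -> dict of match criteria and target, else None."""
    toks = line.split()
    if toks[:2] != ["-A", "INPUT"]:
        return None
    rule = {}
    for opt, arg in zip(toks[2:], toks[3:]):
        if opt in OPTS:
            field, conv = OPTS[opt]
            rule[field] = conv(arg)
    return rule

def matches(rule, pkt):
    """True when every criterion the rule specifies fits the packet."""
    return (rule.get("iface") in (None, pkt["iface"])
            and (rule.get("src") is None or pkt["src"] in rule["src"])
            and rule.get("proto") in (None, pkt["proto"])
            and rule.get("dport") in (None, pkt["dport"])
            and (rule.get("states") is None or pkt["state"] in rule["states"]))

def verdict(rules_text, src, proto, dport=None, state="NEW", iface="eth0"):
    """First-match walk of the INPUT chain; unmatched packets get the chain policy."""
    pkt = {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport,
           "state": state, "iface": iface}
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith(":INPUT"):          # ':INPUT ACCEPT [0:0]' sets the policy
            policy = line.split()[1]
        rule = parse_rule(line)
        if rule and matches(rule, pkt):
            return rule["target"]
    return policy
```

Running verdict for a UDP packet from an unknown host shows the catch-all only drops new TCP; anything else falls through to the ACCEPT policy, so set the policy to DROP or add a final unconditional DROP if that is not what you want.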

And you are good to go!

Cheers!
Harish.