Password-related parameters and notes

SEC_MAX_FAILED_LOGIN_ATTEMPTS specifies the number of authentication attempts that can be made by a client on a connection to the server process. After the specified number of failure attempts, the connection will be automatically dropped by the server process.

 

 


SEC_PROTOCOL_ERROR_FURTHER_ACTION specifies the further execution of a server process when receiving bad packets from a possibly malicious client.

CONTINUE

The server process continues execution. The database server may be subject to a Denial of Service (DoS) if bad packets continue to be sent by a malicious client.

(DELAY,integer)

The client experiences a delay of integer seconds before the server process accepts the next request from the same client connection. Malicious clients are prevented from excessive consumption of server resources while legitimate clients experience a degradation in performance but can continue to function.

(DROP,integer)

The server forcefully terminates the client connection after integer cumulative bad packets. The server protects itself at the expense of the client (for example, a client transaction may be lost). The client may reconnect and attempt the same operation.

 


SEC_CASE_SENSITIVE_LOGON enables or disables password case sensitivity in the database. (Whether passwords are case sensitive; the default is true.)

 

 

 

FAILED_LOGIN_ATTEMPTS (the default is 10; after more than 10 failed attempts the user is locked)

ALTER PROFILE app_user LIMIT
   FAILED_LOGIN_ATTEMPTS 5
   PASSWORD_LOCK_TIME 1;

This statement causes any user account to which the app_user profile is assigned to become locked for one day after five consecutive unsuccessful login attempts.

ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 100; -- change the default of 10 attempts to 100

 

PASSWORD_LIFE_TIME (the default is 180 days; after 180 days the user is prompted to change the password)

ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

select * from dba_profiles where profile='DEFAULT' and RESOURCE_NAME like 'PASSWORD%'; -- verification SQL


Delayed verification after a wrong password

ALTER SYSTEM SET EVENT = "28401 TRACE NAME CONTEXT FOREVER, LEVEL 1" SCOPE = SPFILE (disables the delay)

ALTER SYSTEM SET EVENT = "28401 TRACE NAME CONTEXT OFF, LEVEL 1" SCOPE = SPFILE (enables the delay)


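The REMOTE_LOGIN_PASSWORDFILE parameter can take three values: EXCLUSIVE (default), NONE and SHARED

EXCLUSIVE

Allows clients to log in to the database instance with SYSDBA or SYSOPER privileges to perform database administration;

Allows granting and revoking the SYSDBA and SYSOPER privileges.

NONE

Prohibits clients from logging in to the database instance with SYSDBA or SYSOPER privileges to perform database administration;

Prohibits granting and revoking the SYSDBA and SYSOPER privileges.

SHARED

Allows clients to log in to the database instance with SYSDBA or SYSOPER privileges to perform database administration;

Prohibits granting and revoking the SYSDBA and SYSOPER privileges.


Both SYSDBA and SYSOPER can run startup and shutdown; the difference is that SYSDBA shows SYS, while SYSOPER shows PUBLIC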




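Difference between SEC_MAX_FAILED_LOGIN_ATTEMPTS and FAILED_LOGIN_ATTEMPTS
alter system set SEC_MAX_FAILED_LOGIN_ATTEMPTS=1 scope=spfile; -- static parameter, takes effect after an instance restart
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 10;
Log in once with a wrong password: is the user locked? No, it is not locked.

alter system set SEC_MAX_FAILED_LOGIN_ATTEMPTS=10 scope=spfile; -- static parameter, takes effect after an instance restart
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 1;
Log in once with a wrong password: is the user locked? Yes, it is locked.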
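
An added audit query, not part of the original notes: it lists open accounts whose effective FAILED_LOGIN_ATTEMPTS or PASSWORD_LIFE_TIME is weaker than the defaults quoted above (10 attempts, 180 days), resolving limits inherited from the DEFAULT profile, and then shows the instance parameters discussed here. Using those defaults as the baseline is an assumption; substitute your own policy values.

```sql
-- Added audit example (not from the original notes). Needs SELECT on
-- DBA_USERS, DBA_PROFILES and V$PARAMETER.
-- Assumed baseline: the defaults quoted in the notes (10 attempts, 180 days).

-- 1. Open accounts whose effective password limits are weaker than the baseline.
--    A limit of 'DEFAULT' means "inherit from the DEFAULT profile", so it is
--    resolved before comparing.
WITH eff AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_limit
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = p.resource_name
   WHERE p.resource_type = 'PASSWORD'
     AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME')
)
SELECT u.username, u.profile, e.resource_name, e.effective_limit
  FROM dba_users u
  JOIN eff e ON e.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND CASE
         -- Check the text value first so TO_NUMBER never sees 'UNLIMITED'.
         WHEN e.effective_limit = 'UNLIMITED' THEN 1
         WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS'
              AND TO_NUMBER(e.effective_limit) > 10 THEN 1
         WHEN e.resource_name = 'PASSWORD_LIFE_TIME'
              AND TO_NUMBER(e.effective_limit) > 180 THEN 1
         ELSE 0
       END = 1
 ORDER BY u.username, e.resource_name;

-- 2. Instance-level settings covered in these notes. ISDEFAULT = 'FALSE'
--    marks values that were changed; the EVENT row reveals whether event
--    28401 (wrong-password delay) has been set in the running instance.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('sec_max_failed_login_attempts',
                'sec_protocol_error_further_action',
                'sec_case_sensitive_logon',
                'remote_login_passwordfile',
                'event')
 ORDER BY name;
```

After the two DEFAULT-profile changes shown earlier in these notes (FAILED_LOGIN_ATTEMPTS 100, PASSWORD_LIFE_TIME UNLIMITED), the first query returns every open account that uses or inherits from the DEFAULT profile.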
