Oracle 11g中为了防止暴力破解数据库中用户的密码,提供了一种常见手段:延长失败尝试响应。
这种手段的策略是:在连续使用错误密码反复尝试登录时,从第四次错误尝试开始,每次增加1秒的延迟,最长延迟目前是10秒。
使用这种手段可以相对比较有效的防治用户密码的暴力破解(能够使用到这种手段的前提是FAILED_LOGIN_ATTEMPTS参数设置的足够大或无限大,否则用户密码超过10次的错误尝试之后该用户将被锁定,参考《【故障】“ORACLE用户被锁定”故障处理和分析》http://space.itpub.net/519536/viewspace-608769)。
模拟一下这个暴力破解秘密的过程(为了简便,使用同一个错误密码进行尝试)。
1.修改用户错误密码尝试次数为无限次
sys@11gR2> alter profile default limit failed_login_attempts unlimited;
Profile altered.
2.前三次错误密码尝试
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m0.126s
user 0m0.020s
sys 0m0.020s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m0.123s
user 0m0.000s
sys 0m0.044s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m0.126s
user 0m0.020s
sys 0m0.028s
可见,在前三次错误密码尝试过程中,系统响应是没有延迟的。
3.继续使用错误密码进行尝试,体验每次1秒的时间累加延迟
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m1.132s
user 0m0.004s
sys 0m0.036s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m2.128s
user 0m0.028s
sys 0m0.024s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m3.130s
user 0m0.024s
sys 0m0.024s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m4.127s
user 0m0.012s
sys 0m0.028s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m5.135s
user 0m0.004s
sys 0m0.032s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m6.129s
user 0m0.000s
sys 0m0.040s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m7.126s
user 0m0.000s
sys 0m0.044s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m8.141s
user 0m0.004s
sys 0m0.036s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m9.133s
user 0m0.012s
sys 0m0.028s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m10.128s
user 0m0.024s
sys 0m0.012s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m10.130s
user 0m0.012s
sys 0m0.020s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m10.126s
user 0m0.000s
sys 0m0.040s
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m10.128s
user 0m0.008s
sys 0m0.040s
secooler@secDB /home/oracle$
secooler@secDB /home/oracle$ time echo 'select sysdate from dual;' | sqlplus -s sec/secooler
ERROR:
ORA-01017: invalid username/password; logon denied
real 0m10.128s
user 0m0.012s
sys 0m0.036s
在时间持续累加到10秒之后稳定在10秒。此后再使用错误密码进行破解时,等待时间都将是10秒。
注意:如有过正确输入密码并成功登陆到数据库的尝试,如果再使用错误密码尝试登陆,将进入到下一个轮回:前三次没有延迟,之后每一次的错误尝试都会增加1秒,直到稳定在10秒的延迟!
4.小结
可以预见到,常用的防止密码暴力破解的手段将逐渐的被Oracle所采用,让我们一同期待Oracle带给我们的更多乐趣吧。
Good luck.
secooler
10.06.15
-- The End --
【Password】Oracle 11g防止暴力破解数据库用户密码的手段——延长失败尝试响应
-
secooler
2010-06-15 23:07:24 -
Linux操作系统
- 原创