ITPub博客

首页 > 数据库 > Oracle > [20211014]19C Failed Logon Delay.txt

[20211014]19C Failed Logon Delay.txt

原创 Oracle 作者:lfree 时间:2021-10-14 16:50:31 0 删除 编辑

[20211014]19C Failed Logon Delay.txt

--//看了生产系统awk报表出现Failed Logon Delay.从来没有遇到这个等待,也许19c以后特有的,探究一下:

1.环境:
SYS@127.0.0.1:17101/DDHHH> @ ver1
SYS@127.0.0.1:17101/DDHHH> @ prxx
==============================
PORT_STRING                   : x86_64/Linux 2.4.xx
VERSION                       : 19.0.0.0.0
BANNER                        : Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
BANNER_FULL                   : Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.9.0.0.0
BANNER_LEGACY                 : Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
CON_ID                        : 0
PL/SQL procedure successfully completed.

SYS@127.0.0.1:17101/DDHHH> @ ev_name "Failed Logon Delay"
SYS@127.0.0.1:17101/DDHHH> @ prxx
==============================
EVENT#                        : 1405
EVENT_ID                      : 387973045
NAME                          : Failed Logon Delay
PARAMETER1                    :
PARAMETER2                    :
PARAMETER3                    :
WAIT_CLASS_ID                 : 1893977003
WAIT_CLASS#                   : 0
WAIT_CLASS                    : Other
DISPLAY_NAME                  : Failed Logon Delay
CON_ID                        : 0
PL/SQL procedure successfully completed.

SYS@127.0.0.1:17101/DDHHH> @ ashtop machine,event "upper(event) like '%FAILED%'" sysdate-1 sysdate
    Total
  Seconds     AAS %This   MACHINE                                  EVENT                                    FIRST_SEEN          LAST_SEEN
--------- ------- ------- ---------------------------------------- ---------------------------------------- ------------------- -------------------
      166      .0   89% | localhost.localdomain                    Failed Logon Delay                       2021-10-13 12:00:36 2021-10-14 11:40:36
       19      .0   10% | WorkGroup\MS-EVYNMRYAYERK                Failed Logon Delay                       2021-10-13 11:44:15 2021-10-14 11:38:54
        1      .0    1% | WORKGROUP\WEIP-XP-PB11                   Failed Logon Delay                       2021-10-14 10:57:44 2021-10-14 10:57:44

--//嗯怎么是本机的程序呢.

SYS@127.0.0.1:17101/DDHHH> @ dashtop machine,event "upper(event) like '%FAILED%'" (sysdate)-100 sysdate
                                                                                             Total
%This  MACHINE                                  EVENT                                      Seconds FIRST_SEEN          LAST_SEEN
------ ---------------------------------------- ---------------------------------------- --------- ------------------- -------------------
  88%  localhost.localdomain                    Failed Logon Delay                            2590 2021-09-29 12:50:34 2021-10-14 12:20:36
   6%  WorkGroup\MS-EVYNMRYAYERK                Failed Logon Delay                             190 2021-09-27 11:23:03 2021-10-14 10:10:32
   2%  WORKGROUP\WEBSERVICE-11                  Failed Logon Delay                              50 2021-09-17 19:26:16 2021-10-09 16:15:10
   1%  JAJA                                     Failed Logon Delay                              30 2021-09-02 16:54:54 2021-09-02 16:57:48
   1%  WORKGROUP\DESKTOP-BQD5V1H                Failed Logon Delay                              20 2021-08-24 15:06:34 2021-09-24 17:01:43
   0%  WORKGROUP\DESKTOP-2S0NO58                Failed Logon Delay                              10 2021-10-11 10:15:58 2021-10-11 10:15:58
   0%  WORKGROUP\DESKTOP-AB23BGD                Failed Logon Delay                              10 2021-08-23 08:52:03 2021-08-23 08:52:03
   0%  WORKGROUP\DESKTOP-CDINB53                Failed Logon Delay                              10 2021-08-19 12:37:25 2021-08-19 12:37:25
   0%  WORKGROUP\DESKTOP-KG36OJT                Failed Logon Delay                              10 2021-08-31 11:57:19 2021-08-31 11:57:19
   0%  WORKGROUP\PC-DY000                       Failed Logon Delay                              10 2021-09-06 10:27:28 2021-09-06 10:27:28
   0%  WORKGROUP\PC-DY149                       Failed Logon Delay                              10 2021-08-24 10:52:58 2021-08-24 10:52:58
   0%  WORKGROUP\YAOHH                          Failed Logon Delay                              10 2021-09-16 08:52:02 2021-09-16 08:52:02
12 rows selected.
--//dashtop脚本查询的是dba_hist_active_sess_history视图,时间被放大10倍,也就是30秒相当于仅仅出现3次.主要集中在前3个,也许是2个.

SYS@127.0.0.1:17101/DDHHH> @ashtop machine,event "upper(event) like '%FAILED%'" trunc(sysdate)+12/24 sysdate
    Total
  Seconds     AAS %This   MACHINE                                  EVENT                                    FIRST_SEEN          LAST_SEEN
--------- ------- ------- ---------------------------------------- ---------------------------------------- ------------------- -------------------
       33      .0  100% | localhost.localdomain                    Failed Logon Delay                       2021-10-14 12:00:36 2021-10-14 16:40:36

SELECT *
  FROM V$ACTIVE_SESSION_HISTORY
 WHERE event = 'Failed Logon Delay' AND sample_time >= TRUNC (SYSDATE) + 12/24
--//结果不贴出了,不知道谁安装的服务器,机器名就是localhost.localdomain,真心无语.真是人越多干活的人越少.

select * from v$session where machine='localhost.localdomain';
--//确定sid.

SYS@127.0.0.1:17101/DDHHH> @ sid 4265
sid = 4265
SPID       PID        SID    SERIAL# CLIENT_INFO          PNAME  TRACEFILE                                                          PROGRAM          TERMINAL     SQL_ID STATUS   C50
------ ------- ---------- ---------- -------------------- ------ ------------------------------------------------------------------ ---------------- ------------ ------ -------- --------------------------------------------------
69428      274       4265      15259                             /u01/app/oracle/diag/rdbms/DDHHH/DDHHH1/trace/DDHHH1_ora_69428.trc JDBC Thin Client unknown             INACTIVE alter system kill session '4265,15259' immediate;

--//理论讲程序是这个是开发写的程序,不应该出现口令错误.而且我没有权限访问数据库主机,主要想知道该机器的IP地址.

SELECT count( return_code),return_code
  FROM unified_AUDIT_trail
 WHERE     EVENT_TIMESTAMP >= TRUNC (SYSDATE)
       AND UNIFIED_AUDIT_POLICIES = 'ORA_LOGON_FAILURES'
       AND userhost = 'localhost.localdomain'
       group by return_code;
       
COUNT(RETURN_CODE) RETURN_CODE
------------------ -----------
               117        1017
      
--//注:视图unified_AUDIT_trail的字段AUTHENTICATION_TYPE,可以知道连接的IP地址,不过这个IP不是真实的IP,是nat后的IP地址.

$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
// *Cause:
// *Action:
--//昏,还真是口令不对.
--//很奇怪既然这样,还有连上的时候,为什么,不知道...

SYS@127.0.0.1:17101/DDHHH> show parameter sec_
NAME                                 TYPE     VALUE
------------------------------------ -------- ------------
db_securefile                        string   PREFERRED
optimizer_secure_view_merging        boolean  TRUE
sec_case_sensitive_logon             boolean  TRUE
sec_max_failed_login_attempts        integer  3
sec_protocol_error_further_action    string   (DROP,3)
sec_protocol_error_trace_action      string   TRACE
sec_return_server_release_banner     boolean  FALSE
sql92_security                       boolean  TRUE

--//现在的版本sec_max_failed_login_attempts=3次,这样如果不对,更加频繁.
--//sec_protocol_error_further_action = (DROP,3),11g以前的版本是CONTINUE.

--//
这个等待事件常常是因为有程序尝试使用错误的用户密码登录数据库, 如暴力破解程序.

这是一个安全特性用于控制延迟失败的登录,在oracle 11g版本是引入,但是在11g时常因为这个特性带来性能 问题,需要用event 28401
禁用密码延迟认证的特性。 控制认证失败尝试特性是有 sec_max_failed_login_attempts 和sec_protocol_error_further_Action 参数
控制,但是在oracle 12c后对于以上参数值有了新的变化, sec_max_failed_login_attempts尝试失败次数(多个用户)11G是10次,在
12ck中减少为3, 所以延迟的登录会更多, 这个参数不同于user profile中的失效次数主要是单个用户失败和多个用户失败。
sec_protocol_error_further_Action  这个参数控制失败后的处理方式,在11g时是CONTINUE 也就是可以继续,但是在12c 中默认改变
为(DROP, 3), 为了系统稳定牺牲一个连接。

--//在12c中默认改变为(DROP,3),为了系统稳定牺牲一个连接,如何理解,难道在等待事件看到1次Failed Logon Delay吗?

解决方法就是找错误尝试的主机,修正密码后即可。

_sys_logon_delay

另外对于12c中引入的对于SYS用户的尝试失败登录后的延迟是有参数新的参数"_sys_logon_delay"控制的,默认为1秒,加大参数可以
防止非法尝试,配置值为0 可以禁用该特性。
==================================================

SYS@127.0.0.1:17101/DDHHH> @ hide _sys_logon_delay
NAME             DESCRIPTION                                      DEFAULT_VALUE SESSION_VALUE SYSTEM_VALUE ISSES ISSYS_MOD
---------------- ------------------------------------------------ ------------- ------------- ------------ ----- ---------
_sys_logon_delay The failed logon delay for the database instance TRUE          1             1            FALSE FALSE

/* Formatted on 2021/10/14 15:51:15 (QP5 v5.269.14213.34769) */
SELECT program,count(*)
  FROM V$ACTIVE_SESSION_HISTORY
 WHERE event = 'Failed Logon Delay' AND sample_time >= TRUNC (SYSDATE)-100
 and machine<>'localhost.localdomain'
 group by program
 
PROGRAM                                    COUNT(*)
---------------------------------------- ----------
PlSqlDev.exe                                      1
plsqldev.exe                                      1
pb90.exe                                         17

SELECT count(*),client_program_name
  FROM unified_AUDIT_trail
 WHERE     EVENT_TIMESTAMP >= TRUNC (SYSDATE)
       AND UNIFIED_AUDIT_POLICIES = 'ORA_LOGON_FAILURES'
       AND userhost <> 'localhost.localdomain'
       group by client_program_name

  COUNT(*) CLIENT_PROGRAM_NAME
---------- ------------------------------------------------
         1 PlSqlDev.exe
        17 pb90.exe

--//从这里也基本排除其它程序登录的错误,这些基本是开发登录错误引起的.
--//既然这样提交叫同事解决问题,有点奇怪的,应用不出问题吗,怎么没人反馈呢.

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/267265/viewspace-2808232/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论
熟悉oracle相关技术,擅长sql优化,rman备份与恢复,熟悉linux shell编程。

注册时间:2008-01-03

  • 博文量
    3048
  • 访问量
    6781969