6 Replies. Latest reply: Feb 4, 2013 11:34 AM by 972415

Close all ports but 1521 for Oracle 11g XE

972415 Newbie
Hello,

After the Oracle 11g installation I tried to make all ports but 1521 visible only to localhost. Unfortunately I could not figure out whether it's possible to also close these:

<pre>
Port/Prot.   Process
41293/tcp    xe_d000_XE
28085/udp    xe_mmon_XE
</pre>

What are these processes doing? Is it possible/meaningful to configure the server so that they listen only on the localhost interface?

Thanks a lot.

Edited by: user6956341 on 05-Nov-2012 03:51
  • 1. Re: Close all ports but 1521 for Oracle 11g XE
    clcarter Expert
    The d000 is the first dispatcher process; dispatchers can be removed by clearing the Dispatchers parameter. But that will also break Apex, the 8080 web pages won't work if those instance parameters are disabled.

    Not sure why it would have a UDP port, that will take some thought.

    mmon is memory monitor, if you think your instance is idle and "not doing anything at all" think again, mmon and other housekeeping chores are continually churning away on something.

    What's the goal for pointing everything to localhost? The 127.0.0.1 loopback address isn't accessible from outside the host. Are you trying to lock down all network access?
  • 2. Re: Close all ports but 1521 for Oracle 11g XE
    972415 Newbie
    For security reasons, I shut down all unneeded open ports and restrict to localhost the ones that should be used by the server only. It was quite easy for all the applications but Oracle XE. Since I have now spent some days on this issue and couldn't figure out how to do it (neither with the Oracle docs nor with Google), I decided to make a post here.

    > mmon and other housekeeping

    I think that even if the database instance isn't idle, it shouldn't open ports to the outside.

    > But that will also break Apex, the 8080 web pages won't work

    Restricting Apex to localhost and making it available through Apache (proxy) in a restricted area was easy, but finding out what's going on with these two ports/processes is awkward.
  • 3. Re: Close all ports but 1521 for Oracle 11g XE
    clcarter Expert
    What OS? Windows? Linux? And what is the Status showing in `netstat -an`, is it LISTEN[ING] ?

    Mmon might be trying to talk with CRS or ONS, although those services aren't part of an XE setup it may be trying to probe for cluster or notification services.
  • 4. Re: Close all ports but 1521 for Oracle 11g XE
    972415 Newbie
    The OS is Debian GNU/Linux 3.2.0-3-amd64.

    <pre>
    netstat -nap | grep -E "43459|33379"

    tcp6 0 0 :::43459 :::* LISTEN 11815/xe_d000_XE
    udp6 1536 0 :::33379 :::* 11811/xe_mmon_XE
    </pre>

    > or notification services

    I have the change notification privilege activated for some users, but I would wonder if there's a listening tcp port for this.
  • 5. Re: Close all ports but 1521 for Oracle 11g XE
    clcarter Expert
    As mentioned earlier, on the dispatcher port ...

    > can be removed by clearing the Dispatchers parameter

    i.e. save the dispatchers and shared_servers parameter settings to enable them later ...

    <pre>
    sqlplus /nolog
    conn / as sysdba
    show parameter dispat
    -- ... dispatchers ... (PROTOCOL=TCP) (SERVICE=XEXDB)
    show parameter shared_
    -- ... shared_servers ... 4
    alter system reset dispatchers scope=spfile;
    alter system reset shared_servers scope=spfile;
    shutdown immediate;
    startup;
    </pre>

    And check lsnrctl services output. All dispatcher(s) and XEXDB items should be gone, as well as the d000 dispatcher process and the open TCP port.

    But that breaks Apex, the web pages will no longer work since apex needs a couple shared server settings to handle http requests. So if you don't want Apex, clear dispatchers and shared_server parameters. Otherwise, dispatcher(s) need a TCP port and there's no way I'm aware of that can halt that behavior.
  • 6. Re: Close all ports but 1521 for Oracle 11g XE
    972415 Newbie
    very nice, the tcp port is now closed!

    Any suggestion for the xe_mmon_XE udp port? I googled for the Memory Monitor for some time but without success.

    Edited by: user6956341 on Feb 4, 2013 11:34 AM
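
A check for the goal discussed in this thread, added here as an example and not part of the original posts: it reads `netstat -nap` output and lists every socket owned by an Oracle XE process or the listener that is bound to a non-loopback address on a port other than 1521. The function names `xe_exposed_ports` and `xe_sample_netstat` are hypothetical, and the `tnslsnr` and `sshd` sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list Oracle XE sockets that other
# hosts can reach. Reads Linux `netstat -nap` output on stdin and prints
# "port/proto process". Run netstat as root, otherwise the program column
# is "-" and nothing matches.
xe_exposed_ports() {
    allowed_port="${1:-1521}"   # the one port meant to stay public
    awk -v allowed="$allowed_port" '
        # Only tcp/udp rows; the program name is the last field.
        $1 !~ /^(tcp|udp)6?$/ { next }
        # XE background processes (xe_<name>_XE) and the listener.
        $NF !~ /\/(xe_[a-z0-9]+_XE|tnslsnr)$/ { next }
        # TCP rows carry a state column; keep listening sockets only.
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        {
            n = match($4, /:[0-9]+$/)   # the last colon starts the port
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            port = substr($4, n + 1)
            # Loopback binds cannot be reached from outside the host.
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            if (port == allowed) next
            proto = $1; sub(/6$/, "", proto)
            split($NF, prog, "/")
            print port "/" proto " " prog[2]
        }
    '
}

# Sample input: the two xe_* rows are the ones posted in the thread, the
# tnslsnr and sshd rows are constructed.
xe_sample_netstat() {
    cat <<'EOF'
tcp   0    0 0.0.0.0:1521   0.0.0.0:* LISTEN 1200/tnslsnr
tcp   0    0 127.0.0.1:8080 0.0.0.0:* LISTEN 1200/tnslsnr
tcp   0    0 0.0.0.0:22     0.0.0.0:* LISTEN 800/sshd
tcp6  0    0 :::43459       :::*      LISTEN 11815/xe_d000_XE
udp6  1536 0 :::33379       :::*             11811/xe_mmon_XE
EOF
}

xe_sample_netstat | xe_exposed_ports
```

On a live host the input would be `netstat -nap | xe_exposed_ports`; empty output means only port 1521 is reachable from other hosts.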
