QQ图片20230221101209.png (93.79 KB, 下载次数: 160)
2023-2-21 10:12 上传
在等待事件中,看到failed logon delay平均等待1000ms。
QQ图片20230221101014.png (103.15 KB, 下载次数: 188)
2023-2-21 10:11 上传
管理连接总耗时14491秒
问题分析:
根据MOS文档:Failed Logon Delay Causing Performance Hit (Doc ID 2246758.1)所述,可能是由引入的自动过程引起的,该过程使用错误的密码尝试登录到数据库服务器。原因是延迟登录失败的安全功能。
这由sec_max_failed_login_attempts和sec_protocol_error_further_Action控制。在 11g 中,sec_max_failed_login_attempts是 10,在 12c 中这意味着这种延迟可能会在 12c 中出现更多。
sec_protocol_error_further_Action参数的默认值从 11g 中的 CONTINUE 更改为 12c 中的 (DROP, 3)。如果使用值 CONTINUE(以在升级后保留 11g 设置),则由于 sec_max_failed_login_attempts 的值减少,可能会看到此等待。
解决办法:
对于12c中引入的对于SYS用户的尝试失败登录后的延迟,不在是ibrary cache lock 而是Failed Logon Delay,在11g中event 28401 禁用密码延迟认证的特性可以解决这个问题,在19C中event 28401并不能解决这个问题是由隐含参数“_sys_logon_delay”控制,默认为1秒,加大参数可以防止非法尝试,配置值为0 可以禁用该特性。
具体sql语句:alter system set “_sys_logon_delay”=0 scope=spfile;
MORE
SEC_MAX_FAILED LOGIN_ATTEMPTS is a new feature in Oracle 11g. It specifies the number of authentication attempts that can be made by a client on a connection to the server process. This parameter target against brute force attacks. An intruder could start a server process first and then try to establish connection by guessing/Program generated password. Using that parameter it is possible to limit the number of failed login attempts. After the specified number of authentication attempts fails, the database processes drop the connection. This initialization parameter is designed to stop intruder from attacking application, it does not apply to valid user. It is not a dynamic parameter.
SEC_MAX_FAILED_LOGIN_ATTEMPTS only works application uses OCI Program. It does not work in sqlplus so a user can try unlimited time with guessing password from sqlplus even though the parameter is set but usually intruder attack using OCI program.
| 欢迎光临 重庆思庄Oracle、Redhat认证学习论坛 (http://bbs.cqsztech.com/) | Powered by Discuz! X3.2 |