Oracle MVA

Numerous people have written about the embedded ldap (see here). These blog posts show that access to the embedded ldap is always enabled, just the username and password is unknown.

Others have posted about connection filters (see here). A connection filter allows the server to reject unwanted connections based on some filter criteria.

Since the embedded ldap is probe to brute force attacks, one should secure the ldap (and ldaps) port using a connection filter. When constructing the connection filter, you should remember that the managed servers use each others embedded ldap, therefore you should only block remote traffic.

For single server setups this rule would suffice:


0.0.0.0/0 * * deny ldap ldaps


Breakdown:
For all remote IP’s deny access to any server running on any local IP adres and any port for protocols ldap and ldaps

For clustered setups I would advice to allow local addresses in your server backbone and block all remote addresses. If your local server backbone would run on 172.16.X.X these two rules would be applicable:


172.16.0.0/0 * * allow
0.0.0.0/0 * * deny ldap ldaps


Breakdown:
Allow access to any server running on any port for all protocols if the originating IP address is in the 172.16.0.0 range. If the originating IP address is in any other range, deny access to any server running on any port for protocols ldap and ldaps.

Hope this helps.