

IPMI hardening & ROM...




Posted by Grumbles, Today, 12:50 AM
Hey everyone,

We are looking at putting a single Supermicro server (X9DRW-3F board) in a DC for a project specific requirement. Have a few questions regarding the Supermicro IPMI implementation as I'm not familiar with it and we will need to access it via the Internet.

1) I've been advised that before putting the IPMI on the Internet I should lock access down using the firewall and also by adding new administrative users before disabling the default users. Is this enough? I've read a couple of blogs from a few years ago that there are multiple exploits for various vendors regardless of what security precautions are taken.

2) I've looked through the web interface of this Supermicro server and do not see anything regarding a firewall. I also noticed that the IPMI/BMC firmware version is listed as 1.13.0 on this server where the latest revision is listed as 2.19. I can't seem to find anything that looks like release notes and was wondering if it would be worth an upgrade seeing as the version I have is over a year old? There are some fairly strongly worded warnings on the Supermicro site regarding updating ROMs. How much of a risk is it? I've done loads of HP & IBM firmware upgrades without issue.

Posted by dcdan, Today, 01:14 AM
We ended up moving all IP KVMs into separate VLANs. Then we configured those VLANs so that only our management VPN IP is allowed to access them. Appears to be the best way to deal with this.

Posted by Grumbles, Today, 01:25 AM
Thanks Dan. Makes sense. However in our one server scenario I do not think a private VLAN/VPN is going to be a cost effective option. Really depends on what funds the project can cough up, but from our discussions so far I think their preferred method will be to leave the IPMI configured but not connected, then take the downtime hit while a support ticket is created for the local hands to plug it in again.

Was there a specific event which caused you to implement the network design you did just for your IPMI access? Have you ever had issues upgrading firmware with Supermicro?

Posted by dcdan, Today, 01:35 AM
In our case the issue was that we had to maintain quite a variety of systems (different generations of Dells and Supermicros). We had to constantly keep an eye on new vulnerabilities and then quickly apply patches. After we grew to about 20 servers, this became a big pain in the back.

We were never hacked though (maybe because we were paranoid about the updates?)

If you do not have your own switch, then you could ask your DC to configure *their* switch so that only certain IPs can access your IPMI port. This should not be a big deal at all, and you do not even need a VLAN for this to work.

Posted by FastServ, Today, 09:32 AM
Use the IP Access Control feature to lock down the BMC. If you don't see it in the Network section, upgrade the firmware to latest. Later X8 boards and most X9 boards have this feature on later firmware revisions.

Posted by dcdan, Today, 01:38 PM
I am not sure I would want to fully rely on IP access control. If your management IP changes, how are you going to regain access to the IPMI? Also, IP access control can be vulnerable...

Posted by FastServ, Today, 02:17 PM
Quote:
Originally Posted by dcdan
I am not sure I would want to fully rely on IP access control. If your management IP changes, how are you going to regain access to the IPMI? Also, IP access control can be vulnerable...
Obviously a private network is optimal, but as an alternative for those without the luxury, IP access control (being iptables based) is pretty solid if done correctly with a deny-all rule at the end. And of course, it would require a static IP/VPN/etc. for a remote server admin to maintain access.

One thing you shouldn't ever rely on is IPMI being safe if exposed in any way to the public. Even the latest firmwares are highly vulnerable.

Posted by Adrian Andreias, Today, 03:24 PM
IPMI on private IP is the best way. Your DC may provide a VPN service without you needing a device for it.

Posted by xnpu, Today, 04:02 PM
IPMI on VLAN with VPN access only. Definitely.

Many DCs and co-location providers offer private VLANs with VPN access. If not, you can try sharing a VPN router with others in the same rack or those right next to it. IMHO, even a $30 consumer-grade router running Tomato or OpenWRT beats an exposed or inaccessible IPMI port.

Posted by Steven, Today, 07:47 PM
Quote:
1) I've been advised that before putting the IPMI on the Internet I should lock access down using the firewall and also by adding new administrative users before disabling the default users. Is this enough? I've read a couple of blogs from a few years ago that there are multiple exploits for various vendors regardless of what security precautions are taken.
Use the ACL function to lock it down at the very least. As far as I am concerned there is no way to secure it if it's wide open. There were just recently, last month, ROOT level exploits in the BMC. There is LIKELY more of this.

Posted by RRWH, Today, 08:11 PM
Where it is a single-server deployment and you cannot put it on a private network, then you do need to lock it down via the IP access control settings.

And, yes, in the event that management IPs change there are options - such as using ipmitool from the OS to change the settings.
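The thread settles on two concrete steps for a BMC that has to be reachable from outside: create a replacement administrator before disabling the vendor default account, and restrict the BMC with an IP access list that ends in a deny-all rule, keeping a way (ipmitool from the host OS) to repair the ACL if the management address changes. The following is an added example, not code from any poster in this thread or from Supermicro: a small Python audit that parses the row layout `ipmitool user list <channel>` prints, checks an ACL rule list, and emits the ipmitool commands in the safe order. The sample user table and ACL are constructed; the `<ACCEPT|DROP> <network>` rule format and the first-match (iptables-style) evaluation are assumptions, as is the set of names treated as vendor defaults.

```python
"""Audit helper for the IPMI hardening steps discussed in the thread (added
example, not vendor code).  Parses `ipmitool user list` output, checks an
IP access list under assumed first-match (iptables-style) semantics, and
prints ipmitool commands in the safe order: add and verify a new admin,
then disable the default.  All sample data is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Names commonly shipped as vendor defaults (assumption; ADMIN is Supermicro's).
DEFAULT_ACCOUNT_NAMES = {"ADMIN", "admin", "root", "USERID"}

# One row of `ipmitool user list`: id, name (may be blank), three booleans,
# then the privilege limit, which may itself contain a space ("NO ACCESS").
USER_ROW = re.compile(
    r"^\s*(\d+)\s+(\S*)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")


@dataclass
class BmcUser:
    uid: int
    name: str
    callin: bool
    link_auth: bool
    ipmi_msg: bool
    priv: str


@dataclass
class AclRule:
    action: str                      # "ACCEPT" or "DROP"
    network: ipaddress.IPv4Network


def parse_user_list(text: str) -> list[BmcUser]:
    """Parse `ipmitool user list` output; the header row never matches USER_ROW."""
    users = []
    for m in (USER_ROW.match(line) for line in text.splitlines()):
        if m:
            uid, name, callin, link, ipmi, priv = m.groups()
            users.append(BmcUser(int(uid), name, callin == "true",
                                 link == "true", ipmi == "true", priv))
    return users


def _is_admin(u: BmcUser) -> bool:
    return u.priv == "ADMINISTRATOR" and u.ipmi_msg


def audit_users(users: list[BmcUser]) -> list[str]:
    """Report default admin accounts and whether a replacement admin exists yet."""
    defaults = [u for u in users if u.name in DEFAULT_ACCOUNT_NAMES and _is_admin(u)]
    custom = [u for u in users if u.name and u.name not in DEFAULT_ACCOUNT_NAMES and _is_admin(u)]
    findings = [f"default account '{u.name}' (id {u.uid}) still has ADMINISTRATOR access"
                for u in defaults]
    if defaults and not custom:
        findings.append("no replacement administrator exists: do not disable the default yet")
    return findings


def remediation_plan(users: list[BmcUser], new_name: str, channel: int = 1) -> list[str]:
    """ipmitool commands in the safe order: add and verify, then disable defaults."""
    # User ID 1 is the IPMI null user, so take the first unnamed slot above it.
    free = next((u for u in users if u.uid > 1 and not u.name), None)
    if free is None:
        raise RuntimeError("no free user slot on this BMC")
    cmds = [
        f"ipmitool user set name {free.uid} {new_name}",
        f"ipmitool user set password {free.uid}",       # prompts for the password
        f"ipmitool user priv {free.uid} 4 {channel}",   # 4 = ADMINISTRATOR
        f"ipmitool channel setaccess {channel} {free.uid} callin=on ipmi=on link=on privilege=4",
        f"ipmitool user enable {free.uid}",
        f"# log in over LAN as {new_name} and confirm it works before the next step",
    ]
    cmds += [f"ipmitool user disable {u.uid}" for u in users if u.name in DEFAULT_ACCOUNT_NAMES]
    return cmds


def parse_acl(lines: list[str]) -> list[AclRule]:
    """Assumed rule format: '<ACCEPT|DROP> <network/prefix>', one rule per line."""
    return [AclRule(a.upper(), ipaddress.ip_network(n, strict=False))
            for a, n in (line.split() for line in lines)]


def audit_acl(rules: list[AclRule], mgmt_ip: str) -> list[str]:
    """Check deny-all at the end, no accept-any, and that mgmt_ip is not locked out."""
    findings = []
    if not rules or rules[-1].action != "DROP" or rules[-1].network.prefixlen != 0:
        findings.append("ACL does not end with a deny-all rule")
    if any(r.action == "ACCEPT" and r.network.prefixlen == 0 for r in rules):
        findings.append("ACL accepts connections from any source address")
    # First matching rule decides (iptables semantics); no match falls through to DROP.
    ip = ipaddress.ip_address(mgmt_ip)
    if next((r.action for r in rules if ip in r.network), "DROP") != "ACCEPT":
        findings.append(f"management address {mgmt_ip} would be locked out")
    return findings


# Constructed sample in the row layout ipmitool prints for a BMC user table.
SAMPLE_USER_LIST = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3                    true    false      false      NO ACCESS
4                    true    false      false      NO ACCESS
"""
# Constructed ACL showing both mistakes the thread warns about.
SAMPLE_ACL = ["ACCEPT 203.0.113.0/24", "ACCEPT 0.0.0.0/0"]

if __name__ == "__main__":
    users = parse_user_list(SAMPLE_USER_LIST)
    for f in audit_users(users) + audit_acl(parse_acl(SAMPLE_ACL), "203.0.113.5"):
        print("FINDING:", f)
    print("\n".join(remediation_plan(users, "opsadmin")))
```

Run it against real output by piping `ipmitool user list 1` into `parse_user_list` and the rules from the BMC's IP Access Control page into `parse_acl`; the `audit_acl` lockout check is the answer to the "what if my management IP changes" concern, and because the commands are emitted rather than executed you can review the order before running them from the host OS, where ipmitool still works even after the ACL has locked the network path.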
