ipmi access

Jeroen Massar jeroen at massar.ch
Mon Jun 2 12:33:05 UTC 2014


On 2014-06-02 14:23, Paul S. wrote:
[..]
> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
> iptables that works in the same way.
> 
> You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
> 
> But unless you have servers with those, I think the best way to go is
> putting them on internal IPs and then using some sort of a VPN.

While you are typing the iptables command, do a check of the software
versions; typically they are running a decade-old kernel and a lot of
unpatched software that is exposed. You really do not want to run that
on the Interwebs; just the idea of any packet arriving at such a kernel
is scary.


Relevant good reads:
http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn
https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK

The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
of the kernel running on most IPMIs out there.

http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006

8 years... ouch, yeah, no way that is going to be attached to a public
network...

Thus please, don't shoot yourself in the foot with that, and more
importantly, don't shoot the rest of the Internet in the foot, as they'll
receive the packets.


Note: the IPMI that Michael describes is on an unrouted VLAN; the access
to the OpenVPN port that he runs on the IPMI happens through SSH on a
jumpbox which is ACL'd away.

Greets,
 Jeroen

  (who is still waiting for Zeus4IPMI)
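Both approaches discussed above (Paul's allow-list-then-DROP in the BMC's iptables UI, and the ACL'd jumpbox in front of Michael's OpenVPN-on-IPMI setup) come down to the same rule set: the BMC accepts packets only from a small set of management addresses on the handful of services it actually runs, and drops everything else. The script below is an added example and is not code from the thread, from Supermicro's firmware, or from the linked articles; it generates an iptables-restore ruleset for such an allow list. The management CIDRs, the service ports (SSH 22/tcp, web UI 443/tcp, IPMI RMCP+ 623/udp, OpenVPN 1194/udp) and the interface names are assumptions chosen for illustration and must be adjusted to the BMC in question.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset
# that lets only allow-listed management networks reach a BMC's services
# and drops everything else by default. CIDRs and ports are assumptions.

emit() { printf '%s\n' "$*"; }

# valid_cidr <a.b.c.d/n>: returns 0 for a well-formed IPv4 CIDR, 1 otherwise.
# Rejects missing prefix, non-numeric parts, prefix > 32 and octets > 255,
# so a typo never silently turns into an over-broad (or empty) rule.
valid_cidr() {
    c="$1"
    case "$c" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${c%/*}"
    prefix="${c#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bmc_rules <management CIDR> [more CIDRs...]
# Prints an iptables-restore ruleset on stdout:
#   - INPUT and FORWARD default to DROP (the "DROP 0.0.0.0/0" from the thread),
#   - loopback and return traffic for connections the BMC opened are allowed,
#   - only the given CIDRs may reach the BMC services listed below,
#   - anything else is logged (rate unlimited here; add -m limit on a busy link)
#     and dropped.
# Returns 1 without printing anything if no CIDR or a malformed CIDR is given.
bmc_rules() {
    [ $# -ge 1 ] || return 1
    for cidr in "$@"; do
        valid_cidr "$cidr" || return 1
    done
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for cidr in "$@"; do
        for port in 22 443; do           # SSH and web UI (assumed services)
            emit "-A INPUT -s $cidr -p tcp --dport $port -j ACCEPT"
        done
        for port in 623 1194; do         # IPMI RMCP+ and OpenVPN (assumed)
            emit "-A INPUT -s $cidr -p udp --dport $port -j ACCEPT"
        done
    done
    emit '-A INPUT -j LOG --log-prefix "bmc-drop: " --log-level 4'
    emit '-A INPUT -j DROP'
    emit 'COMMIT'
}

# Usage (on a host that can push rules to the BMC, CIDR is an example value):
#   bmc_rules 10.0.42.0/24 | iptables-restore
```

The ruleset only narrows who can talk to the BMC; it does not change what the BMC runs. As Jeroen points out, every packet is still parsed by the old kernel's IP stack before netfilter ever sees it, so this is a second layer for a BMC that already sits on an unrouted management VLAN, not a substitute for keeping it off the public Internet.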




More information about the NANOG mailing list