ipmi access

Jeroen Massar jeroen at massar.ch
Mon Jun 2 12:24:21 UTC 2014


On 2014-06-02 14:10, Randy Bush wrote:
> so how do folk protect yet access ipmi?  it is pretty vulnerable, so 99%
> of the time i want it blocked off.  but that other 1%, i want kvm
> console, remote media, and dim sum.
> 
> currently, i just block the ip address chunk into which i put ipmi at
> the border of the rack.  when i want access, i reconfig the acl.  bit of
> a pita.

Depends on how many boxes you have at the same location. If you only
have one, that is likely the way to go; if you have a few more, use one
or multiple (backup :) VMs on the boxes as management access, properly
ACL that away, put OpenVPN on it, route the IPMI network over that, presto.

Of course, the IPMI boxes should always live in their own VLAN where
possible, and those VLAN addresses should never be routed publicly or
NATted to anything public. With the OpenVPN trick or whatever your VPN
tool of choice is, you don't have to NAT, mind you. Do note that if you
have multiple mgmt/access boxes you should have a floating gateway IP
and/or bridge that network onto your VPN. Bridging is typically easier
also as it avoids having to configure a default gateway, which again
avoids all kinds of accidental typos.

Do note that the above does not allow you access if the datacenter's
switching or routing is borked too heavily, hence a GSM/4G backup USB
stick in the management box to allow 'dial in'[*] can be useful too ;)
That is of course if there is signal in the datacenter...

Greets,
 Jeroen

[*] Cheap variant: get a 4G USB stick with a pre-paid number, set it up
so that you can SMS to it, and that based on the SMS (src-number verify
etc) it connects to the network and contacts a remote OpenVPN,
configures that VPN and voila, you are in.

[*] If you don't want extra services like OpenVPN, keep in mind that
ACLs keep baddies out and that one can alternatively do tunneling in a
similar method with sshd (and key restrictions to not allow them
anything else ;)
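The second footnote above, the sshd-only variant with key restrictions, is the part people most often get wrong: the key lands in authorized_keys with no options at all and the "tunnel-only" account quietly becomes a full shell on the management box. The script below is an added example, not code from the post or from anyone on the list. It builds an authorized_keys entry that allows nothing but local port-forwards to the listed IPMI addresses (no shell, PTY, agent or X11 forwarding), and it audits an existing authorized_keys file for entries that lack those restrictions. The IPMI addresses, the key material and the user names are constructed sample values; the `restrict` option assumes OpenSSH 7.2 or later on the management box.

```shell
#!/bin/sh
# Added example: restricted authorized_keys entries for an IPMI jump host.
# All hosts, keys and names below are constructed sample values.

# ipmi_key_entry PUBKEY HOST:PORT [HOST:PORT ...]
# Emits one authorized_keys line: 'restrict' turns every feature off,
# 'port-forwarding' re-enables only forwarding, 'permitopen' pins the
# forward to the given IPMI endpoints, and command="/bin/false" makes sure
# a session request (if the client asks for one) gets no shell.
# Client side is then:  ssh -N -L 8443:10.0.0.11:443 ipmi-tunnel@mgmt
ipmi_key_entry() {
    pubkey=$1
    shift
    opts='restrict,port-forwarding,command="/bin/false"'
    for ep in "$@"; do
        opts="$opts,permitopen=\"$ep\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# audit_authorized_keys FILE
# Prints every key line that is missing either 'restrict' or a
# 'permitopen=' limit, i.e. a key that could reach more than the IPMI
# VLAN. Returns 1 if any such line exists, 0 if the file is clean.
audit_authorized_keys() {
    rc=0
    while IFS= read -r line; do
        case $line in
            '' | '#'*) continue ;;   # skip blank lines and comments
        esac
        has_restrict=0
        has_permitopen=0
        case $line in
            restrict,* | restrict\ * | *,restrict,* | *,restrict\ *) has_restrict=1 ;;
        esac
        case $line in
            *permitopen=\"*) has_permitopen=1 ;;
        esac
        if [ "$has_restrict" -eq 1 ] && [ "$has_permitopen" -eq 1 ]; then
            continue
        fi
        printf 'UNRESTRICTED: %s\n' "$line"
        rc=1
    done < "$1"
    return $rc
}

# Stand-alone demo on a constructed authorized_keys file: one properly
# restricted tunnel key and one bare key that the audit should flag.
demo_audit() {
    tmp=$(mktemp) || return 1
    ipmi_key_entry "ssh-ed25519 AAAAC3EXAMPLEKEY1 jeroen@mgmt" \
        "10.0.0.11:443" "10.0.0.12:443" > "$tmp"
    printf '# bare key, no options: this is the mistake to catch\n' >> "$tmp"
    printf 'ssh-ed25519 AAAAC3EXAMPLEKEY2 someone@laptop\n' >> "$tmp"
    audit_authorized_keys "$tmp"
    result=$?
    rm -f "$tmp"
    return $result
}
```

Run `demo_audit` (or source the file and call the functions) on the real authorized_keys of the tunnel account; a clean file returns 0, and anything printed with the UNRESTRICTED prefix is a key that needs the options added. The border ACL still blocks the IPMI VLAN from everywhere else; this only keeps the one hole you opened for yourself from turning into a shell.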
