ipmi access

Paul S. contact at winterei.se
Mon Jun 2 12:39:14 UTC 2014


True, excellent point as well.

Multiple openvpn/ipsec entry points on an internal network is probably 
the best way to go.

On 6/2/2014 09:33 PM, Jeroen Massar wrote:
> On 2014-06-02 14:23, Paul S. wrote:
> [..]
>> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
>> iptables that works in the same way.
>>
>> You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
>>
>> But unless you have servers with those, I think the best way to go is
>> putting them on internal IPs and then using some sort of a VPN.
> While you are typing the iptables command, do a check of the software
> versions, typically they are running a decade old kernel and a lot of
> unpatched software that is exposed. You really do not want to run that
> on the Interwebs, just the idea of any packet arriving to such a kernel
> is scary.
>
>
> Relevant good reads:
> http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn
> https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK
>
> The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
> of the kernel running on most IPMIs out there.
>
> http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006
>
> 8 years... ouch, yeah, no way that is going to be attached to a public
> network...
>
> Thus please, don't shoot yourself in the foot with that and more
> importantly don't shoot the rest of the Internet in the foot as they'll
> receive the packets.
>
>
> Note: the IPMI that Michael describes is on an unrouted VLAN, the access
> to the OpenVPN port that he runs on the IPMI happens through SSH on a
> jumpbox which is ACL'd away.
>
> Greets,
>   Jeroen
>
>    (who is still waiting for Zeus4IPMI)
>

More information about the NANOG mailing list