ipmi access

Brian Rak brak at gameservers.com
Mon Jun 2 14:57:17 UTC 2014

The kernel is the least of your worries here.

This is what you can expect from the Supermicro controllers:

Linux Kernel
Lighttpd 1.4.32
pcre 8.31
pcre 8.33
msmtp 1.4.16
flex 2.5.35
readline 5.2
termcap 1.3.1
BIND 9.8.1-P1
busybox 1.12.0
ntp 4.2.4p4
openssl 0.9.8h
openlldp 0.3alpha
wide-dhcpv6 20080615
openldap 2.4.11
zlib 1.2.3
glibc 2.3.5
gcc 3.4.4
libxml2 2.6.32

On 6/2/2014 8:33 AM, Jeroen Massar wrote:
> On 2014-06-02 14:23, Paul S. wrote:
> [..]
>> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
>> iptables that works in the same way.
>> You could put it on a public net, allow your stuff and DROP
>> But unless you have servers with those, I think the best way to go is
>> putting them on internal IPs and then using some sort of a VPN.
> While you are typing the iptables command, do a check of the software
> versions, typically they are running a decade old kernel and a lot of
> unpatched software that is exposed. You really do not want to run that
> on the Interwebs, just the idea of any packet arriving to such a kernel
> is scary.
> Relevant good reads:
> http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn
> https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK
> The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
> of the kernel running on most IPMIs out there.
> http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006
> 8 years... ouch, yeah, no way that is going to be attached to a public
> network...
> Thus please, don't shoot yourself in the foot with that and more
> importantly don't shoot the rest of the Internet in the foot as they'll
> receive the packets.
> Note: the IPMI that Michael describes is on an unrouted VLAN, the access
> to the OpenVPN port that he runs on the IPMI happens through SSH on a
> jumpbox which is ACLd away.
> Greets,
>   Jeroen
>    (who is still awaiting for Zeus4IPMI)
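
An added example, not part of the thread or any poster's tooling: a check of a BMC address inventory against the advice above to keep IPMI on internal addresses rather than a public net. The inventory format, hostnames and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory, one "host,bmc_address" per line (not from the thread).
SAMPLE_INVENTORY = """\
# host,bmc_address
web01,10.20.0.11
web02,192.168.50.12
db01,8.8.4.4
db02,2001:4860:4860::8888
stor01,fd12:3456:789a::15
stor02,169.254.3.7
edge01,100.64.1.9
bad01,10.20.0.300
"""

def classify(addr_text):
    """Return 'public', 'internal', 'review' or 'invalid' for one BMC address."""
    try:
        ip = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return "invalid"          # typo in the inventory; cannot be assessed
    if ip.is_global:
        return "public"           # globally routable: the case the thread warns about
    if ip.is_private and not (ip.is_link_local or ip.is_loopback):
        return "internal"         # RFC 1918 / IPv6 ULA space
    # Link-local, loopback, shared address space (100.64.0.0/10) and similar:
    # not public, but not a deliberate internal assignment either.
    return "review"

def audit(inventory_text):
    """Return (host, address, verdict) for every entry that is not 'internal'."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, addr = line.partition(",")
        verdict = classify(addr)
        if verdict != "internal":
            findings.append((host.strip(), addr.strip(), verdict))
    return findings

if __name__ == "__main__":
    for host, addr, verdict in audit(SAMPLE_INVENTORY):
        print(f"{verdict:8} {host:8} {addr}")
```

An address classed as internal says nothing about routing or ACLs; it only rules out the BMC holding a globally routable address.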
