ipmi access

Brian Rak brak at gameservers.com
Mon Jun 2 14:57:17 UTC 2014


The kernel is the least of your worries here.

This is what you can expect from the Supermicro controllers:

Linux Kernel 2.6.17.13
Lighttpd 1.4.32
pcre 8.31
pcre 8.33
msmtp 1.4.16
tree 1.5.2.2
flex 2.5.35
readline 5.2
termcap 1.3.1
BIND 9.8.1-P1
busybox 1.12.0
ntp 4.2.4p4
openssl 0.9.8h
openlldp 0.3alpha
wide-dhcpv6 20080615
openldap 2.4.11
zlib 1.2.3
glibc 2.3.5
gcc 3.4.4
libxml2 2.6.32

On 6/2/2014 8:33 AM, Jeroen Massar wrote:
> On 2014-06-02 14:23, Paul S. wrote:
> [..]
>> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
>> iptables that works in the same way.
>>
>> You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
>>
>> But unless you have servers with those, I think the best way to go is
>> putting them on internal IPs and then using some sort of a VPN.
> While you are typing the iptables command, do a check of the software
> versions, typically they are running a decade old kernel and a lot of
> unpatched software that is exposed. You really do not want to run that
> on the Interwebs, just the idea of any packet arriving to such a kernel
> is scary.
>
>
> Relevant good reads:
> http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn
> https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK
>
> The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
> of the kernel running on most IPMIs out there.
>
> http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006
>
> 8 years... ouch, yeah, no way that is going to be attached to a public
> network...
>
> Thus please, don't shoot yourself in the foot with that and more
> importantly don't shoot the rest of the Internet in the foot as they'll
> receive the packets.
>
>
> Note: the IPMI that Michael describes is on an unrouted VLAN, the access
> to the OpenVPN port that he runs on the IPMI happens through SSH on a
> jumpbox which is ACL'd away.
>
> Greets,
>   Jeroen
>
>    (who is still waiting for Zeus4IPMI)
>
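Jeroen's advice to check the software versions on the BMC, turned into a small audit helper as an added example (not code from the post, the list, or any BMC vendor): it parses a component inventory in the "name version" shape pasted above and flags components older than a reference version. The reference versions in BASELINE are assumed for illustration only and are not a vulnerability database; the inventory excerpt is constructed from the posted list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the component list posted above, one "name version" per line.
INVENTORY = """\
Linux Kernel 2.6.17.13
Lighttpd 1.4.32
openssl 0.9.8h
BIND 9.8.1-P1
busybox 1.12.0
glibc 2.3.5
gcc 3.4.4
"""

# Assumed reference versions (illustrative only): the oldest release of each component an
# operator is willing to tolerate on a BMC that any other host can reach.
BASELINE = {
    "linux kernel": "3.2",
    "openssl": "1.0.1",
    "glibc": "2.12",
    "busybox": "1.20",
    "lighttpd": "1.4.32",
}

def version_key(v: str) -> Tuple:
    """Turn a version string into a comparable tuple. Numeric runs compare as integers and
    alphabetic runs (the 'h' in 0.9.8h, the 'P1' in 9.8.1-P1) as lower-case strings; each
    element is tagged so int and str never meet in a comparison, with a numeric run
    ranking above an alphabetic one at the same position."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((1, int(p)) if p.isdigit() else (0, p.lower()) for p in parts)

def parse_inventory(text: str) -> Dict[str, str]:
    """Map lower-cased component name to version; the last token on a line is the version."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, version = line.rpartition(" ")
            inventory[name.lower()] = version
    return inventory

def audit(inventory: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, found, minimum) for every baseline component that is present
    in the inventory and older than its minimum; components not in BASELINE are skipped."""
    return [(name, inventory[name], minimum) for name, minimum in baseline.items()
            if name in inventory and version_key(inventory[name]) < version_key(minimum)]

if __name__ == "__main__":
    for name, found, minimum in audit(parse_inventory(INVENTORY), BASELINE):
        print(f"{name}: {found} is older than reference {minimum}")
```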

More information about the NANOG mailing list