Dedicated servers - how to protect ipmi
When providing dedicated services, what is your best practise to protect IPMI either from public network or through kernel module.
Firstly, I want to be sure that if someone scans my networks and he finds some IPMI cards, he won't be able to get control of it. There were a bug that allows to send emails via supermicro IPMI through Anonymous account. I know it's a good practice to use IPMI only in local networks without public, however clients won't be happy about using VPN to access IPMI much.
Secondly, you can use ipmitool command to manage IPMI configuration without user authentication. I'd like to prevent customers of changing IPMI setting - e.g. IP address, removing my monitoring users, ...
What's your best practise? How would you have solved this issue if you had faced it?
The primary benefit of IPMI is out-of-band access for SHTF occasions, in which the kernel is typically non-functional. So, you should allow access outside the operating system. Set up a VPN or the the very least, a way for your clients to access IPMI via an ssh tunnel or something.
You are right in being wary of exposing IPMI to the public internet. If your clients complain about the additional security, then they're not the kind of customers you're going to want to deal with.
Firstly, I want to be sure that if someone scans my networks and he finds some IPMI cards, he won't be able to get control of it.
The BMCs on Supermicro systems have had some particularly nasty bugs within the last year. Make sure your systems are running the latest firmware, which addresses most of the bugs like the 'anonymous user' bug and the Infamous cipher zero bug. Note that these firmwares are only available for recent motherboards (The X8, X9 and X10 generations; usually not for the X7 generation which was being shipped 3-4 years ago), so your hardware will need to be modern hardware.
Even with the updates, Supermicro's IPMI is still subject to bugs. Passwords are transmitted over the network in the clear, etc. In my world, IPMI must absolutely be on a private network and available only from a few special management nodes.
I know it's a good practice to use IPMI only in local networks without public, however clients won't be happy about using VPN to access IPMI much.
IPMI is a great management tool for system administrators. By it's nature, this means that its also a nice backdoor for hackers. If I gain access to the IPMI network, I can do interesting things like power off all 200 machines within a few minutes, or tell every single node to PXEboot upon next boot (and potentially overwrite whatever is on the disks at the time). If you can explain this nicely to your customers, they might see the wisdom of a VPN.
Secondly, you can use ipmitool command to manage IPMI configuration without user authentication. I'd like to prevent customers of changing IPMI setting - e.g. IP address, removing my monitoring users, ...
Make sure that ipmitool, FreeIPMI, etc. are not installed by default on the system. In your customer documentation, add a warning that installing these tools on the OS is a potential security problem and if they install these tools they assume some of the risk.
Ok, my probably final solution is very easy. As I have ADMIN user to the IPMI, I can write a simple interface that will run ipmitool commands to start/stop/restart servers.
For webconsole I did some research. Supermicro generates jviewer.jnlp file that contains only port numbers and some credentials. Firstly, I thought there is some signature and I can't change the content. Nevertheless, there is no signature and I can put whatever I want there.
So, as a part of my interface, I am going to create console button, that will configure a firewall to temporarily allow ports needed by console and also will download the jviewer file, update it and pass it to the client.
It'll cost me some development, but it will allow me to have management cards in local network and also have them accessible from public network when needed.