amuck-landowner

Watch out for your IPMI or KVM-over-IP

sundaymouse

New Member
http://lowendtalk.com/discussion/comment/481716/#Comment_481716

dhamaniasad: @ftpit @W1V_Lee No, our server was hacked using the IPMI console. The IP for the IPMI console was nulled for the past 2 weeks as someone tried DDoSing it, I just got the null route closed last night, and I woke up to a blank server. There's not much more I can say about this.
Keep good access control over them, or just don't leave them connected 24/7. Don't get yourself destroyed  :D
 

notFound

Don't take me seriously!
Verified Provider
I wouldn't have them connected to the internet at all, best way is through a VPN or some sort of tunnel. Supermicro IPMI has had far too many vulnerabilities to let me trust it enough.
 

TruvisT

Server Management Specialist
Verified Provider
Let's also not forget about when a data center gives IPMI/KVM access to the wrong servers or allows access to others all over one network. It's surprising how often that happens.
 

Virtovo

New Member
Verified Provider
I thought this was common knowledge about Supermicro IPMI.  It's like Swiss cheese.

At the very least keep tight access control over them to single/limited IPs.

At best put them behind a VPN and use private IP to connect.  PFSense can be used cheaply for this.
 
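As an added example (not code from the thread or from any of the posters), here is a small audit script that implements the "private IP only" check from the post above: it parses the output of `ipmitool lan print` for a fleet of hosts and flags every BMC whose IPMI address is not in an RFC 1918 range. The sample outputs are constructed (the addresses and MACs are made up, and 203.0.113.0/24 is the documentation range, used here to stand in for a publicly routable address); the field names match ipmitool's real output. In practice you would feed it the output of `ipmitool lan print 1` collected from each host, or of `ipmitool -I lanplus -H <bmc> -U <user> lan print 1` from a management box.

```python
"""Audit BMC LAN configuration from `ipmitool lan print` output.

Flags BMCs whose IPMI interface sits on a publicly routable address,
which is the configuration the thread warns against.
"""
import ipaddress
import re

# Constructed sample of `ipmitool lan print` output for two hosts.
# Field names are ipmitool's; addresses and MACs are made up.
SAMPLE_OUTPUTS = {
    "db01": """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 10.20.30.1
""",
    "web07": """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.57
Subnet Mask             : 255.255.255.224
MAC Address             : 00:25:90:dd:ee:ff
Default Gateway IP      : 203.0.113.33
""",
}

# RFC 1918 ranges plus the CGNAT shared range; anything else is treated
# as routable from the internet. Deliberately not ipaddress.is_private,
# which also counts documentation ranges such as 203.0.113.0/24 as private.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]

# "Key   : value" lines; the key is everything before the first colon so
# that MAC addresses (which contain colons) stay intact in the value.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_lan_print(text):
    """Turn `ipmitool lan print` output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def classify_bmc(fields):
    """Return 'private', 'public' or 'unconfigured' for parsed lan print fields."""
    raw = fields.get("IP Address", "")
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return "unconfigured"
    if ip.is_unspecified or ip.is_loopback or ip.is_link_local:
        return "unconfigured"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit(outputs):
    """Map host -> (ip, verdict) for every collected lan print output."""
    findings = {}
    for host, text in outputs.items():
        fields = parse_lan_print(text)
        findings[host] = (fields.get("IP Address"), classify_bmc(fields))
    return findings


def exposed_hosts(outputs):
    """Hosts whose BMC is on a routable address and needs to be moved or firewalled."""
    return sorted(h for h, (_, verdict) in audit(outputs).items() if verdict == "public")


if __name__ == "__main__":
    for host, (ip, verdict) in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: BMC {ip} is {verdict}")
    print("needs attention:", exposed_hosts(SAMPLE_OUTPUTS))
```

Run against the samples, `db01` comes out as private and `web07` is listed as exposed. A BMC that reports 0.0.0.0 (typically a channel that has never been configured, or DHCP with no lease) is reported separately as unconfigured rather than silently passed, since such a channel still answers on the LAN once it gets an address.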

blergh

New Member
Verified Provider
Unfortunately I know of a handful of people too stubborn and stupid enough to not tighten stuff like this down. "Who knows that this is an IPMI?" is an actual excuse it seems.
 

CraigA

New Member
Verified Provider
Leaving any kind of device that is not frequently patched publicly accessible is always a bad idea, whether it be IPMI, KVM-over-IP, a switched PDU, etc.

We have all of our IPMI/switched PDUs on a private subnet that we access through a hardened linux jumpbox.
 

fileMEDIA

New Member
Verified Provider
All Supermicro IPMI devices should be in an internal network with VPN access. There are lots of exploits and Metasploit plugins for several versions of IPMI firmware from Supermicro. Most of them don't get any patches.

Thus, it is really dangerous. Protect it with an internal network.
 

Wintereise

New Member
All Supermicro IPMI devices should be in an internal network with VPN access. There are lots of exploits and Metasploit plugins for several versions of IPMI firmware from Supermicro. Most of them don't get any patches.

Thus, it is really dangerous. Protect it with an internal network.
Or use the firewall that's built in -- it appears iptables like, and works fine.
 

fileMEDIA

New Member
Verified Provider
@Wintereise

But it can be very risky too, because you reach the management interface from the internet, and a network stack exploit or other manipulated packets are enough to exploit it, and then they have full access to it. They only need to reboot your server, set a new root password (recovery mode) and they have all the data.

I think it's too risky to open access to the Internet with the included firewall or ACL lists too.
 

Wintereise

New Member
@Wintereise

But it can be very risky too, because you reach the management interface from the internet, and a network stack exploit or other manipulated packets are enough to exploit it, and then they have full access to it. They only need to reboot your server, set a new root password (recovery mode) and they have all the data.

I think it's too risky to open access to the Internet with the included firewall or ACL lists too.
Nothing is really stopping people from flooding your VPN endpoint if they really want to.

Like everything, that option has tradeoffs too ;)
 

fileMEDIA

New Member
Verified Provider
With flooding you don't lose any customer data, and nobody gets access to it. That should be better than losing all of it.
 