On servers from most/many vendors, I am able to see potentially sensitive information using commands like:

ipmitool user list 1

or

ipmitool lan print 1

Or set new administrator users, none of which requires authentication.

This is not necessarily something you would want if you give other users bare metal access. Is there a way to prevent a local host user from accessing/modifying the BMC settings?

John

2 Answers

Disable OS level or "local" IPMI access, via the vendor-specific procedure for your BMC.

ipmitool and the devices it uses are generally restricted to privileged OS users. root can get around kernel module blocking or install missing IPMI software.

John Mahowald

As @John pointed out, disabling OS-level or "local" IPMI access is a good start. Doing so depends on the vendor of the IPMI device. Ensuring that ipmitool is not installed on the OS running on the machine with IPMI is also a good option.

Here is a similar thread for securing IPMI.

SuperMicro also has some decent documentation on the topic. It mostly boils down to:

  • Restrict inbound traffic
  • Use dedicated management interfaces for utilizing IPMI/BMCs.
  • Change defaults on the IPMI.
  • Monitor traffic between IPMIs/BMCs from other portions of your network.
FRALEWHALE
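A check for the "change defaults" item in the list above, as an added example that is not part of either answer: it audits the output of `ipmitool user list <channel>` (the same command the question shows exposing user data) for accounts with ADMINISTRATOR privilege and IPMI messaging enabled, and for well-known vendor default names. The sample table is constructed to match ipmitool's column layout; the default-name list (ADMIN, admin, root, USERID) is an assumption about common vendor defaults, not something taken from the page.

```shell
#!/bin/sh
# Added example: audit `ipmitool user list <channel>` output.
# Usage:  ipmitool user list 1 | sh ipmi-user-audit.sh -
#         sh ipmi-user-audit.sh        (runs against the constructed sample)

# Constructed sample in ipmitool's layout:
#   ID(4) Name(17) Callin(8) LinkAuth(11) IPMIMsg(11) ChannelPrivLimit
SAMPLE_USER_LIST='ID  Name         Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   backdoor         true    false      true       ADMINISTRATOR
5                    true    false      false      NO ACCESS'

# Reads user-list output on stdin and prints "<id> <name> <reason>" for:
#   admin-with-ipmi-msg : ADMINISTRATOR privilege and IPMI Msg == true
#   default-name        : a well-known vendor default account name (assumed list)
# The Name column can be blank, so fields are located by whether $2 is a boolean
# (a user literally named "true"/"false" would confuse this; accepted limitation).
audit_ipmi_users() {
  awk '
    NR == 1 { next }                                  # header line
    NF == 0 { next }                                  # blank lines
    {
      id = $1
      if ($2 == "true" || $2 == "false") { name = ""; off = 2 } else { name = $2; off = 3 }
      ipmimsg = $(off + 2)                            # Callin, Link Auth, IPMI Msg
      priv = ""
      for (i = off + 3; i <= NF; i++)                 # priv may be two words ("NO ACCESS")
        priv = priv (priv == "" ? "" : " ") $i
      if (priv == "ADMINISTRATOR" && ipmimsg == "true")
        print id, (name == "" ? "(unnamed)" : name), "admin-with-ipmi-msg"
      if (name == "ADMIN" || name == "admin" || name == "root" || name == "USERID")
        print id, name, "default-name"
    }'
}

# Run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_USER_LIST" | audit_ipmi_users
}

case "${1:-}" in
  -)  audit_ipmi_users ;;
  "") audit_sample ;;
esac
```

On the sample this flags user 2 twice (an enabled administrator that is also a default name) and user 4 once; user 1 and 5 are unconfigured slots and user 3 is a plain USER. Anything flagged is what an unauthenticated local `ipmitool` call can read, and what an attacker who has added an account would leave behind, so the list is worth diffing against a known-good baseline after the defaults have been changed.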