0

I have an IPMI server on a Supermicro motherboard that I am unable to disable. There is not even a jumper to disable this either. After seeing all of the security issues that the IPMI server they present has had, I just decided I want nothing to do with it.

I had an idea to break the networking for this. You can choose DHCP or a static IP address.

My idea was to set the address to something that would never work.

IP: 0.0.0.0 Subnet: 0.0.0.0 Gateway: 0.0.0.0

Second idea: IP: 192.168.0.0 Subnet: 255.255.255.255 Gateway: 0.0.0.0

Would either of these work? I'm concerned that if I choose an IP address like 192.168.0.0 it could cause an issue if someone was to directly connect to the port and send packets to the network address. Is there a better IP I can use to break the ability for anyone to connect to my IPMI server?

eyeareque
  • Don't use a broadcast IP please. In the worst case, configure a second subnet in it if you can. Like 192.168.200.1/24 GW 192.168.200.254 (even if that does not exist) – yagmoth555 Jun 26 '15 at 02:07

2 Answers

5

> Would either of these work? I'm concerned that if I choose an IP address like 192.168.0.0 it could cause an issue if someone was to directly connect to the port and send packets to the network address.

If they have physical access to do this, you have much larger problems.

The issue with choosing a random IP address is that essentially anyone will be able to eventually find it. But if they have access to plug in to it, they probably have access to reset the IPMI and just use the defaults. But if they have access to reset the IPMI interface, they have access to just yank the drives out and run with them.

And then there's the fact that IPMI can be configured to share an interface rather than use the internal interface, which means that even unplugging it and epoxying up the interface might not be enough to do what you want.

Oh, right, and then there's the fact that IPMI can be accessed locally using ipmitool. (I think you're actually referring to IPMI Over LAN, which is a bolt-on to IPMI.)

So, although I sympathise with your situation, I don't think you're going to have much success totally eliminating IPMI from your system. To minimise the IPMI surface area:

  1. Disable guest IPMI accounts, set a very very strong password on the administrator account (throw the password away if you want).
  2. Unplug the IPMI port (gunk it up if you really want to with some epoxy).

That's really about the best you can do. By setting a strong password, you're able to stop people from getting in and setting the IPMI to use a shared interface and stopping them from using ipmitool, and by unplugging and managing the physical security of the server you should be able to stop remote attacks directly against the IPMI Over LAN interface.

Mark Henderson
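An added example, not part of the answer above: one way to check step 1 from the host itself is to parse `ipmitool user list` and flag every account that can still log in apart from the one administrator you keep. The sample listing is constructed, and channel `1` and the kept account name `ADMIN` are assumptions.

```shell
#!/bin/sh
# Audit `ipmitool user list <channel>` output read from stdin.
# Constructed sample, modelled on the column layout ipmitool prints.
SAMPLE_USERS='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    true       true       ADMINISTRATOR
3   guest            true    true       true       USER
4   monitor          true    false      true       OPERATOR
5                    true    false      true       ADMINISTRATOR'

# accounts_to_disable KEEP_NAME
# Prints "id:name:privilege" for each account that has channel access and is
# not KEEP_NAME. Assumes user names contain no spaces.
accounts_to_disable() {
    awk -v keep="$1" '
        NR == 1 { next }                 # skip the header row
        NF < 5  { next }                 # not a user row
        {
            priv = $NF; words = 1
            if ($NF == "ACCESS" && $(NF-1) == "NO") { priv = "NO ACCESS"; words = 2 }
            # ID + 3 boolean columns + privilege words; one more field is a name.
            name = (NF - words == 5) ? $2 : "(anonymous)"
            if (priv == "NO ACCESS") next    # no access on this channel
            if (name == keep) next           # the one account that stays
            printf "%s:%s:%s\n", $1, name, priv
        }'
}

# remediation_plan KEEP_NAME
# Prints (does not run) one `ipmitool user disable` command per flagged account.
remediation_plan() {
    accounts_to_disable "$1" | while IFS=: read -r id name priv; do
        echo "ipmitool user disable $id   # $name, $priv"
    done
}

# Demo on the constructed sample. On a real host (assumed channel 1):
#   ipmitool user list 1 | remediation_plan ADMIN
printf '%s\n' "$SAMPLE_USERS" | remediation_plan ADMIN
```

Note that the unnamed account in row 5 is flagged as well: an anonymous slot with a privilege level is easy to miss when reading the listing by eye.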
1

Pick something in the 169.254.x.x auto-configuration range.

Joel Coel
  • That won't help when the requirement is to make it inaccessible even to hosts on the same Ethernet segment. – kasperd Jun 26 '15 at 06:07