On Sun, September 18, 2016 19:08, Keith Keller wrote:
>
> Make sure you do not allow the IPMI's IP to be accessible
> on a public network. Either keep the IP on a private network
> (better), keep the IP firewalled to only certain IPs,
> or change the admin password from the default.

In order of importance:
1. ALWAYS change the administrative account credentials from their
defaults to something reasonably difficult to infer. Supermicro
allows one to select the user name of the administrative account in
addition to setting the password. Change both.
2. Always restrict access to IPMI from specific source addresses. If
you need to obtain access from a different point of origin then
set up one or more of the hosts having a permitted IP as an sshd/vpn
service in advance and relay to the IPMI port from there.
3. Firewall any IPMI IP addresses at the gateway for all protocols and
prevent any direct access to it whatsoever from the internet.
4. Where feasible place all IPMI IP addresses on their own private IP
network ([192.168.X.0/24] or similar) and set up the gateway router
internal interface to suit.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
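
An added example, not part of the original message: a small offline audit that checks an address inventory against items 2 to 4 of the list above (item 1, credentials, cannot be checked from addresses alone). The inventory, the function name `audit`, the `max_hosts` threshold and the reading of "private" as the RFC 1918 ranges are all assumptions made for illustration.

```python
import ipaddress

# Assumption: "private" means the RFC 1918 ranges (the post gives
# 192.168.X.0/24 as one case). IPv4 only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory, not taken from the original post.
IPMI_NET = "192.168.50.0/24"                        # dedicated IPMI network
IPMI_ADDRS = ["192.168.50.11", "192.168.50.12", "203.0.113.20"]
HOST_ADDRS = ["192.168.10.5", "192.168.50.40"]      # ordinary, non-IPMI interfaces
ALLOWED_SOURCES = ["192.168.10.5/32", "0.0.0.0/0"]  # sources permitted to reach IPMI


def audit(ipmi_net, ipmi_addrs, host_addrs, allowed_sources, max_hosts=1):
    """Return (finding, value) tuples; an empty list means no deviation found.

    max_hosts is a hypothetical threshold: the largest permitted-source block
    still counted as "specific" (default 1, i.e. single addresses only).
    """
    findings = []
    net = ipaddress.ip_network(ipmi_net)
    if not any(net.subnet_of(p) for p in RFC1918):
        findings.append(("ipmi-net-not-private", ipmi_net))
    for addr in ipmi_addrs:
        ip = ipaddress.ip_address(addr)
        if not any(ip in p for p in RFC1918):
            # Items 3 and 4: a routable IPMI address depends entirely on the firewall.
            findings.append(("ipmi-addr-not-private", addr))
        elif ip not in net:
            # Item 4: private, but not on the dedicated IPMI network.
            findings.append(("ipmi-addr-outside-ipmi-net", addr))
    for addr in host_addrs:
        if ipaddress.ip_address(addr) in net:
            # Item 4: the IPMI network should carry IPMI interfaces only.
            findings.append(("host-shares-ipmi-net", addr))
    for src in allowed_sources:
        if ipaddress.ip_network(src, strict=False).num_addresses > max_hosts:
            # Item 2: permitted sources should be specific addresses.
            findings.append(("source-too-broad", src))
    return findings


if __name__ == "__main__":
    for finding, value in audit(IPMI_NET, IPMI_ADDRS, HOST_ADDRS, ALLOWED_SOURCES):
        print(f"{finding}: {value}")
```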