Dedicated servers – how to protect ipmi


When providing dedicated services, what is your best practice to protect IPMI, either from the public network or through the kernel module?

Firstly, I want to be sure that if someone scans my networks and finds some IPMI cards, he won't be able to get control of them. There was a bug that allowed sending emails via Supermicro IPMI through the Anonymous account. I know it's good practice to use IPMI only in local networks without public access; however, clients won't be very happy about using a VPN to access IPMI.

Secondly, you can use the ipmitool command to manage IPMI configuration without user authentication. I'd like to prevent customers from changing IPMI settings, e.g. the IP address, removing my monitoring users, …

What's your best practice? How would you have solved this issue if you had faced it?

Best Answer

The primary benefit of IPMI is out-of-band access for SHTF occasions, in which the kernel is typically non-functional. So, you should allow access outside the operating system. Set up a VPN or, at the very least, a way for your clients to access IPMI via an SSH tunnel or something.

You are right in being wary of exposing IPMI to the public internet. If your clients complain about the additional security, then they're not the kind of customers you're going to want to deal with.
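As an added illustration (not part of the original question or answer), the following script audits captured `ipmitool user list 1` and `ipmitool lan print 1` output for the three exposures discussed above: an enabled anonymous account, a BMC address outside RFC 1918 space, and cipher suite 0 (unauthenticated sessions) left enabled. The sample output is constructed in the shape of a Supermicro-style BMC and is embedded inline, so the script runs offline.

```python
import ipaddress
import re

# Constructed sample in the shape of `ipmitool user list 1`.
# ID 1 with an empty name is the anonymous account on many BMCs.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""

# Constructed sample in the shape of `ipmitool lan print 1`.
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 203.0.113.17
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Cipher Suite Priv Max   : aaaaXXXXXXXXXXX
"""

# Name may be empty (anonymous), so it is matched with \S* rather than \S+.
USER_RE = re.compile(
    r"^\s*(\d+)\s+(\S*)\s*(true|false)\s+(true|false)\s+(true|false)\s+(\S+)\s*$")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_users(user_list):
    """Flag enabled anonymous users that can talk IPMI over LAN."""
    findings = []
    for line in user_list.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue  # header or blank line
        uid, name, _callin, _link, ipmi_msg, priv = m.groups()
        if name == "" and ipmi_msg == "true":
            findings.append(f"user {uid}: anonymous user has IPMI messaging enabled ({priv})")
    return findings


def audit_lan(lan_print):
    """Flag a publicly routable BMC address and an enabled cipher suite 0."""
    findings = []
    for line in lan_print.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IP Address" and value:
            if not any(ipaddress.ip_address(value) in net for net in RFC1918):
                findings.append(f"BMC address {value} is outside RFC 1918 space")
        elif key == "Cipher Suite Priv Max" and value[:1] != "X":
            # Position 0 is cipher suite 0 (no authentication); 'X' means disabled.
            findings.append("cipher suite 0 (no authentication) is enabled")
    return findings
```

Run it against real output captured on the host (`ipmitool user list 1 | python3 -c ...`) or over the LAN to confirm the BMC matches the policy before handing the server to a customer.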
