Security – Securing a SuperMicro IPMI BMC

ipmiSecuritysupermicro

I've recently acquired a SuperMicro X8DTU-F motherboard, which has a built-in BMC, which basically runs the IPMI system. It turns out to be a small Linux system running on an ARM processor.

Unfortunately, it's running a boatload of software, much of which I don't need, and I don't have the ability to put it behind a firewall. However, I do want the IPMI functionality. Does anybody who has used one of these have some specific suggestions on how to secure the thing? It boots from what is essentially a ROM filesystem, and there don't even seem to be any hooks to turn off any of the various servers it runs….

I'd also be interested in how I might verify the list of names and passwords that can be used to access the system through all of the various services. The default is ADMIN / ADMIN, but none of the files in /conf or /etc have 'ADMIN' in them, which rather worries me. There are /conf/shadow and /conf/webshadow files, with mysterious 'test' IDs in them, which doesn't make me feel particularly comfortable either.

Best Answer

Using /conf/crontab, as dlawson pointed out, sounds like an excellent idea to me. This allows me to run a script once a minute that ensures everything but http and ssh is shut down:

/etc/init.d/cdserver stop
/etc/init.d/fdserver stop
/etc/init.d/cim_sfcb stop
/etc/init.d/webgo stop

That still leaves me with a web server with password-based access control (I can see no way to have it validate client certificates) and who knows what remote vulnerabilities. Turning it off when I'm not using it (which is most of the time) seems like a reasonable solution; adding a crontab entry to shut it down every five or ten minutes would catch those cases where someone forgets to shut it down when he's done.

The ssh daemon is a version of dropbear that appears to be fairly heavily modified. It reads usernames and plaintext passwords from /conf/PMConfig.dat (which is also used by the web server), logs in any valid name and password as the root user, and ignores the ~/.ssh/authorized_keys file. This last problem is annoying; it forces you to allow password logins and opens the possibility of backdoors depending on from where-all it gets its names and passwords.

So that's the dilemma you face: how much do you really trust this modified ssh daemon installed on a system that was fairly obviously designed by security-naïve developers? Not much at all, given the number of broken bits of cruft I've seen in their shell scripts. There are unusual naming conventions (/etc/rc?.d/sshd is a symlink to /etc/init.d/ssh), huge amount of code that appear to be unused, and features in just the ssh startup script, such as the /conf/portcfg_ssh file and even the restart command are entirely broken. (Don't try using these; sshd won't restart and you'll be screwed unless you have an existing login. We rebooted the BMC and ended up having to reflash it.)

The best option I can think of, if one's going to use the thing at all, is to start ssh on an alternate port using a cron job, so at least it's less likely to appear in a portscan.

The final component is the IPMI network management ports; I can't see how to turn these off.

Best Answer

Related Solutions

IPMI – How Does Sideband Share Ethernet Port with Host?

Using Supermicro IPMI behind a Proxy

Related Topic