Securing a SuperMicro IPMI BMC
Solution 1:
Ideally, your management network would be a different network to your other network, or at least a different vlan with limited routed access.
These systems aren't really running that many services though:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
555/tcp open dsf
5120/tcp open unknown
5900/tcp open vnc
5988/tcp open unknown
MAC Address: 00:30:48:D9:3A:71 (Supermicro Computer)
(and UDP/623 for IPMI itself)
Most of these are needed if you want to do any kind of remote management. If you don't want to do remote management, then you should consider not enabling the IPMI controller at all, or buying an X9DTU board instead ( the -F denotes "built-in BMC")
If you want to do full remote management, can't run your IPMI controllers on a different network, and still want to disable some access, then you can always get the IPMI controller to execute iptables commands. You could script an ssh login to execute the commands, or ask Supermicro for the devkit for the BMC and build a new image with a custom iptables script.
UPDATE
I had another look at our systems here, and the /conf filesystem is mounted rw. None of the init scripts called anything directly in /conf (that I could see), but there is a crontab file. So, I guess you could copy in an iptables script, and edit /conf/crontab to call it at some suitable interval. You'd want it to be run ASAP on BMC init, but you don't neccesarily want it running every minute. Or maybe you don't care.
Solution 2:
Using /conf/crontab
, as dlawson pointed out, sounds like an excellent idea to me. This allows me to run a script once a minute that ensures everything but http and ssh is
shut down:
/etc/init.d/cdserver stop
/etc/init.d/fdserver stop
/etc/init.d/cim_sfcb stop
/etc/init.d/webgo stop
That still leaves me with a web server with password-based access control (I can see no way to have it validate client certificates) and who knows what remote vulnerabilities. Turning it off when I'm not using it (which is most of the time) seems like a reasonable solution; adding a crontab entry to shut it down every five or ten minutes would catch those cases where someone forgets to shut it down when he's done.
The ssh daemon is a version of dropbear that appears to be fairly heavily modified. It reads usernames and plaintext passwords from /conf/PMConfig.dat
(which is also used by the web server), logs in any valid name and password as the root user, and ignores the ~/.ssh/authorized_keys
file. This last problem is annoying; it forces you to allow password logins and opens the possibility of backdoors depending on from where-all it gets its names and passwords.
So that's the dilemma you face: how much do you really trust this modified ssh daemon installed on a system that was fairly obviously designed by security-naïve developers? Not much at all, given the number of broken bits of cruft I've seen in their shell scripts. There are unusual naming conventions (/etc/rc?.d/sshd is a symlink to /etc/init.d/ssh), huge amount of code that appear to be unused, and features in just the ssh startup script, such as the /conf/portcfg_ssh
file and even the restart
command are entirely broken. (Don't try using these; sshd won't restart and you'll be screwed unless you have an existing login. We rebooted the BMC and ended up having to reflash it.)
The best option I can think of, if one's going to use the thing at all, is to start ssh on an alternate port using a cron job, so at least it's less likely to appear in a portscan.
The final component is the IPMI network management ports; I can't see how to turn these off.
Solution 3:
One thing to consider when securing a Supermicro IPMI is the ssh server. Older versions of the X8SIL-F IPMI code accepted ssh connections no matter what password was given. The software would then check the password and reject or accept the connection, but there was a brief window to create ssh port forwards. People were getting spam/abuse complaints for their IPMI IPs because of this. For the X8SIL-F motherboard, The 2.60 IPMI firmware version fixed the problem (it might have been fixed earlier, 2.54's changelog entry looks like it might be it).
A second problem is an anonymous user with a default password. The anonymous user seems to be fixed in firmware version 2.22.
Solution 4:
There is a little trick to enable HTTPS for web-interface of IPMI.
If your IPMI firmware supports that (my 2.04 firmware for X8DTH-iF supports), you could, at first, enable HTTPS access by going to Configuration -> SSL, uploading two PEM files (certificate and private key) and, at second, manually reboot your IPMI module.
Finally, you could access IPMI's web-interface by https://bmc-ip-or-hostname/. I can't say that HTTPS works slower than HTTP.