IPMI security article
Lloyd Kvam
python at venix.com
Fri Feb 15 11:42:09 EST 2013
http://fish2.com/ipmi/
"""""""""""""""""
The BMC is an embedded computer found on most server motherboards made
in the last 10 or 15 years. Often running Linux, the BMC's CPU, memory,
storage, and network run independently. It runs Intel's IPMI out-of-band
systems management protocol alongside network services (web, telnet,
VNC, SMTP, etc.) to help manage, debug, monitor, reboot, and roll out
servers, virtual systems, and supercomputers. Vendors frequently add
features and rebrand OEM'd BMCs: Dell has iDRAC, Hewlett Packard iLO,
IBM calls theirs IMM2, etc. It is popular because it helps raise
efficiency and lower costs associated with availability, personnel,
scaling, power, cooling, and more.
...
...I found an undocumented way of gaining root shell access on a major
vendor's BMC and another giving out-of-the-box root shell via SSH.
...
""""""""""""""""""""""
Since I use 'dinky' hardware, I know nothing about IPMI and the BMC.
The link to the article came from Bruce Schneier's monthly security
email.

Then I checked my Supermicro documentation and discovered that my server
isn't so dinky. It has IPMI and the default jumper setting on the
motherboard is enabled.

In my case, the server is running Fedora 18 / Xen. I have two virtual
hosts, my "current" server for email and web server testing, and the
"future" mail/testing server. The router (OpenWrt) forwards to the
"current" host.

(Thanks for reading this far ;)

Should I simply disable IPMI or is it likely to be useful even in my
circumstances? My laptop (Ubuntu 12.04) would be the
management/monitoring computer. If IPMI is useful even in SOHO (small
office/home office) environments, it seems like a good LUG presentation
topic.
--
Lloyd Kvam
Venix Corp
DLSLUG/GNHLUG library
http://dlslug.org/library.html
http://www.librarything.com/catalog/dlslug
http://www.librarything.com/catalog/dlslug&sort=stamp
http://www.librarything.com/rss/recent/dlslug