Score:0

Disabling local host ipmitool access

On servers from most/many vendors, I am able to see potentially sensitive information using commands like:

ipmitool user list 1

or

ipmitool lan print 1

Or set new administrator users, none of which requires authentication.

This is not necessarily something you would want if you give other users bare metal access. Is there a way to prevent a local host user from accessing/modifying the BMC settings?

FRALEWHALE:
By "local user" do you mean a local user on the OS that is installed on the machine with the IPMI?
Score:0

As @John pointed out, disabling OS-level or "local" IPMI access is a good start. Doing so depends on the vendor of the IPMI device. Ensuring that ipmitool is not installed on the OS running on the machine with IPMI is also a good option.

Here is a similar thread for securing IPMI.

SuperMicro also has some decent documentation on the topic. It mostly boils down to:

  • Restrict inbound traffic
  • Use dedicated management interfaces for utilizing IPMI/BMCs.
  • Change defaults on the IPMI.
  • Monitor traffic between IPMIs/BMCs from other portions of your network.
Score:0

Disable OS-level or "local" IPMI access, via the vendor-specific procedure for your BMC.

ipmitool and the devices it uses are generally restricted to privileged OS users. root can get around kernel module blocking or install missing IPMI software.
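
An added example, not part of either answer above: a POSIX shell audit of what a Linux host exposes in-band, covering the device nodes and kernel modules the second answer refers to. The `ROOT` prefix and the function names are assumptions of this example; the device paths are the ones ipmitool's default `open` interface tries on Linux.

```sh
# Audit a Linux host's in-band (local) IPMI exposure.
# ROOT (assumption of this example): optional prefix for a copied or test tree.
ROOT="${ROOT:-}"

# Device nodes that ipmitool's default "open" interface tries.
IPMI_DEVS="/dev/ipmi0 /dev/ipmi/0 /dev/ipmidev/0"
# Kernel modules that provide the in-band interface.
IPMI_MODS="ipmi_devintf ipmi_si ipmi_ssif ipmi_msghandler"

# List the IPMI device nodes that exist.
ipmi_device_nodes() {
    for d in $IPMI_DEVS; do
        if [ -e "$ROOT$d" ]; then echo "$d"; fi
    done
}

# List nodes with any group/other read or write bit set (openable without root).
ipmi_nonroot_nodes() {
    for d in $(ipmi_device_nodes); do
        perms=$(ls -ld "$ROOT$d" | cut -c5-10)
        case "$perms" in
            *[rw]*) echo "$d" ;;
        esac
    done
}

# List loaded IPMI modules (built-in drivers never show up in /proc/modules).
ipmi_loaded_modules() {
    [ -r "$ROOT/proc/modules" ] || return 0
    for m in $IPMI_MODS; do
        if grep -q "^$m " "$ROOT/proc/modules"; then echo "$m"; fi
    done
}

# Print a summary; exit status 1 means a node is reachable without root.
ipmi_audit() {
    echo "device nodes:   $(ipmi_device_nodes | tr '\n' ' ')"
    echo "loaded modules: $(ipmi_loaded_modules | tr '\n' ' ')"
    echo "ipmitool:       $(command -v ipmitool || echo 'not installed')"
    open=$(ipmi_nonroot_nodes)
    if [ -n "$open" ]; then
        echo "FAIL: reachable by non-root accounts: $open"
        return 1
    fi
    echo "OK: no IPMI device node is open to non-root accounts"
}

ipmi_audit || true
```

A clean result only covers unprivileged accounts: as the answer says, root can load the modules or install ipmitool again, so the BMC-side setting is what restricts a root user.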
