nanog mailing list archives
Re: ipmi access
From: Jeroen Massar <jeroen () massar ch>
Date: Mon, 02 Jun 2014 14:24:21 +0200
On 2014-06-02 14:10, Randy Bush wrote:
> so how to folk protect yet access ipmi? it is pretty vulnerable, so 99% of the time i want it blocked off. but that other 1%, i want kvm console, remote media, and dim sum.
>
> currently, i just block the ip address chunk into which i put ipmi at the border of the rack. when i want access, i reconfig the acl. bit of a pita.
Depends on how many boxes you have at the same location. If you only have one, that is likely the way to go; if you have a few more, use one or multiple (backup :) VMs on the boxes as management access, properly ACL that away, put OpenVPN on it, route the IPMI network over that, presto.

Of course, the IPMI boxes should always live in their own VLAN where possible, and those VLAN addresses should never be routed publicly or NATted to anything public. With the OpenVPN trick, or whatever your VPN tool of choice is, you don't have to NAT, mind you.

Do note that if you have multiple mgmt/access boxes you should have a floating gateway IP and/or bridge that network onto your VPN. Bridging is typically easier also, as it avoids having to configure a default gateway, which again avoids all kinds of accidental typos.

Do note that the above does not allow you access if the datacenter's switching or routing is borked too heavily, hence a GSM/4G backup USB stick in the management box to allow 'dial in'[*] can be useful too ;) That is of course if there is signal in the datacenter...

Greets,
Jeroen

[*] Cheap variant: get a 4G USB stick with a pre-paid number, set it up so that you can SMS to it, and that based on the SMS (src-number verify etc.) it connects to the network and contacts a remote OpenVPN, configures that VPN and voila, you are in.

[*] If you don't want extra services like OpenVPN, keep in mind that ACLs keep baddies out and that one can alternatively do tunneling in a similar method with sshd (and key restrictions to not allow them anything else ;)
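As an added example of the sshd variant in the last footnote (not code from the thread): a small POSIX sh helper that builds an authorized_keys entry for the management box so the key can only forward TCP to the listed IPMI addresses, plus a check that rejects entries which are not locked down that way. It assumes OpenSSH 7.2 or newer for the "restrict" option, and assumes the IPMI hosts expose 443 (web KVM / remote media) and 623 (RMCP+); adjust the ports to your BMCs.

```sh
#!/bin/sh
# Added example, not from the mailing-list post. Builds an authorized_keys
# line for a jump/management box that allows ONLY TCP forwarding to the
# given IPMI addresses: no shell, pty, agent or X11 forwarding.
# Assumptions: OpenSSH >= 7.2 ("restrict"), IPMI ports 443 and 623.

# usage: ipmi_forward_only_entry "<public key line>" ip1 [ip2 ...]
ipmi_forward_only_entry() {
    pubkey=$1; shift
    opts="restrict,port-forwarding"      # restrict turns everything off; re-enable forwarding only
    for ip in "$@"; do
        for port in 443 623; do
            opts="$opts,permitopen=\"$ip:$port\""   # pin forwarding to BMC host:port pairs
        done
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# Audit helper: returns 0 only if an authorized_keys line starts with
# "restrict", pins targets with permitopen, and re-enables nothing risky.
entry_is_forward_only() {
    opts=${1%% *}                        # options are everything before the first space
    case $opts in
        restrict,*permitopen=*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,pty,*|*,agent-forwarding,*|*,X11-forwarding,*) return 1 ;;
    esac
    return 0
}

# Example run with a constructed (not real) key and a private IPMI address.
if [ "${1:-}" = "demo" ]; then
    ipmi_forward_only_entry \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal ops@example' \
        10.0.0.5
fi
```

With such an entry in place the operator reaches the BMC with `ssh -N -L 8443:10.0.0.5:443 user@mgmt` and browses to https://localhost:8443; "restrict" means no shell is granted, so `-N` is required.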