[HOWTO][Tutorial] increasing the iRMC security

Post by DrBMC » Sat Nov 07, 2015 23:20

During the use of Fujitsu's Baseboard Management Controller (BMC) - iRMC, I found some important points to make the iRMC more secure:

  1. Never ever connect an iRMC directly to the internet; isolate the iRMC and management network from the internet. Use a VPN for accessing the iRMC from outside.
  2. Severely restrict any network access to the iRMC, also inside your corporate network.
  3. Delete the default user "admin" (factory setting) and
  4. create a new user with a completely different name. No "admin", "admente", "administrator", etc.
  5. Close all open incoming ports, e.g. the IPMI port, Telnet port, HTTP port and SNMP. That can be done in the iRMC Web-I/F under the Network page.
  6. The only necessary and open incoming ports to connect to the iRMC should be HTTPS (port 443) and SSH (port 22).
  7. Change the HTTPS Fujitsu default certificate to your own certificate.
  8. Security by obscurity: change the ports 443 (HTTPS) and 22 (SSH) to other, different ports.
  9. Change the user's password every two weeks at the latest (best practice will follow).
  10. For alerting, use email alerts or remote syslog.

More details can be found in: White Paper - Secure PRIMERGY Server Management

Information about IPMI security in the HEISE Newsticker (German language): Hunderttausende Server über Fernwartungsprotokolle angreifbar.

If you are more familiar with all the network stuff and with IPMI, the following page could be interesting for you: Dan Farmer - IPMI and Security. Dan describes the problems of IPMI and IPMI security in great detail.
(V1.1)

That's my personal best practice for a good security on BMCs/iRMCs. Please let me know if you have further recommendations.

CU & have a nice weekend
___
ServerNerver is still alive
https://youtu.be/6yr0aQc_2AU
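
An added example, not part of the original post: one way to verify items 5 and 6 of the checklist from a management workstation, by checking that only HTTPS and SSH accept TCP connections on a BMC. The port numbers for Telnet (23) and HTTP (80), the names `audit_bmc` and `tcp_port_open`, and the address 192.0.2.10 are assumptions; IPMI and SNMP run over UDP and are not covered by this TCP check.

```python
import socket

# Assumed default TCP ports for the services named in the checklist.
# Adjust the numbers if the iRMC ports were changed (item 8).
DEFAULT_TCP_SERVICES = {"telnet": 23, "http": 80, "https": 443, "ssh": 22}
ALLOWED = frozenset({"https", "ssh"})


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as closed.
        return False


def audit_bmc(host, services=None, allowed=ALLOWED, probe=tcp_port_open):
    """Compare the reachable TCP services of one BMC with the allowlist.

    Returns a dict with two lists of (service, port) tuples:
      unexpected_open - services that answer but are not allowlisted
      expected_closed - allowlisted services that do not answer
    """
    services = DEFAULT_TCP_SERVICES if services is None else services
    findings = {"unexpected_open": [], "expected_closed": []}
    for name, port in sorted(services.items()):
        is_open = probe(host, port)
        if is_open and name not in allowed:
            findings["unexpected_open"].append((name, port))
        elif not is_open and name in allowed:
            findings["expected_closed"].append((name, port))
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (RFC 5737) used as a placeholder.
    result = audit_bmc("192.0.2.10")
    for name, port in result["unexpected_open"]:
        print(f"FAIL: {name} (tcp/{port}) is reachable but should be closed")
    for name, port in result["expected_closed"]:
        print(f"WARN: {name} (tcp/{port}) is allowlisted but not reachable")
    if not any(result.values()):
        print("OK: only the allowlisted TCP services answer")
```

Run it from inside the management network and again from a normal client subnet; per items 1 and 2, the second run should reach nothing at all.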
