Dedicated Server IPMI and providers exposing them to the public network
I'm going to assume I'm not the only guy who, when buying a server, especially from the budget providers around this forum, gets the server delivered with exposed IPMI, even when you make a note in the order.
Usually one makes the request for it to be placed in the private network, maybe gets a cheap VPS in the same network to access it. But how do you deal with providers whose excuse is that one would have to buy the server at normal price and pay at least half a year for them to go ahead and move the IPMI to the private network, or at least give you the private network settings for you to configure?
IPMI should never be exposed to the public network. I don't understand how a provider would even consider delivering a server with such configuration.
Comments
+1 yet so many do unfortunately, and some even advertise it as a feature !
We do deliver access over a VPN, and if the Customer really wants to have it on a public IP, we thoroughly explain all the security risks that come with it.
If someone does deliver it over a public network, one should run to avoid issues in the future.
I know that we've been working on how to tackle this issue best.
Whether it be operating an IP whitelisting system where clients can add their IP address via the client area, or through a VPN/Browser Plugin or other options.
We typically keep IPMI on our internal network and only make available on-demand.
Even on a provider that was not budget and had a very well managed network they still delivered it over a public unfiltered IP. I was a bit surprised.
I bought a new dedi and the provider has you download an openvpn profile from their panel and connect with that first and then you can login with the remote management for the server you have.
I prefer my ipmi outside public because I know how to harden and lock it down
Not an official cubedata comment but a personal comment
Nice joke sir. I appreciate your humor...
So the official cubedata stance is that IPMI should be on a public network?
Nope, as I believe in security and this does make sense, but as long as you don't use, like, Supermicro IPMI and use, like, HP iLO or Dell DRAC, you are at least better off since they are at least more hardened than most.
But I have to say you do have to balance between security and convenience, so would you rather have the added inconvenience of having to go through a VPN just to get to your IPMI in an emergency on the server, or would it be easier in an emergency to lock down and harden the IPMI and leave it public?
Out of interest, do you read your posts before clicking submit?
Yes but since I am on mobile currently auto correct doesn't usually work in my favor
Pf, I write on my S6 with autocorrect just fine (if there are any errors in my post, I tend to correct them before I post it.)
Still have an S4 mini on Android 4.4.2, so my experience is different from yours
VPN on some occasions can create trouble, for example for people on mobile, with occasional devices, laptops etc. Why not just have a button in the client area that enables/disables the IPMI IP?
It's very easy:
Disable IPMI -> set IP route to Null0
Enable IPMI -> remove the route
This is necessary only when you use the console; if some kind of automatic deployment tools are available, like noc-ps, you can just enable its IP to have the IPMI functions enabled by default
@cubedata
If you're considering a phone upgrade, I suggest you try Xiaomi (I've heard their phones are pretty good).
Yeah... they're GREAT phones...
Erm, OpenVPN works on mobile. There's no excuse to expose a backdoor to your system. IPMI is significantly less secure due to less frequent and delayed updates to start with.
Huh? I've seen entire Datacentres going down, and they were not based on Supermicro.
Me too, but spanning tree was involved.
I'm not saying that is wrong, but a button on the portal that enables the BMC is easiest. We have trouble with some customers with VPN. Sometimes I'm shocked seeing what people ask
Easiest != secure.
In a live environment you need to balance security and usability.
I mean, why should a null-routed IPMI IP be less secure than VPN access?
I like Incero's solution.
All IPMI (colo or rented) is firewalled, no exception. When you login to their client area it auto whitelists your current IP address to access only your IPMIs for 72 hours. You can also set specific IPs that you want whitelisted (if you have a static IP).
You can also give someone a link, that when they visit it their IP will be whitelisted for 72 hours.
Example: https://www.evernote.com/l/AEBpX2yFthhMW5hqINkmGw6HVxI31Q9d8DM
For starters, because when the Customer uses it someone unauthorised can connect too, and because of yet additional convenience someone may decide to keep it open longer than needed.
VPN with popular client is not unreasonably disrupting usability. After all it only needs a few clicks to setup and even less to connect when needed. And you don't connect every day.
If someone has an urgent need and wasn't prepared your support can always lend a hand and carry out the operation for the Customer if needed while not risking this Client and potentially other Client's security.
@cubedata said:
That statement is akin to saying a Plastic gun cal 45 is better than a plastic gun cal 40. And btw, who - except marketing blah from dell and hp - tells you so?
IPMI is a security problem, period. Maybe it helps you to understand when I tell you what ugly things someone who has taken over a clients system can do with your infrastructure ...
The solution is dirt simple. Pretty much every halfway decent firewall allows table/list management. So, in the main fw one has a line that says "allow in [optional: to IP xyz] from any IP in table 1". Plus there are ways to easily manage the table.
That's easily scriptable plus it doesn't require you to fiddle with the main firewall script (which would be potentially risky)
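The three mechanisms the thread keeps coming back to (the null-route toggle, Incero's time-limited auto-whitelist, and the firewall-table "allow in from any IP in table 1" approach just above) as one added shell example. This is not code from any provider or poster in the thread; it assumes a Linux router running nftables and iproute2 in front of the BMC network, a constructed BMC subnet of 192.0.2.0/24, and table/set names (`ipmi_guard`, `ipmi_allow`) that I chose. The set carries a timeout, so a whitelist entry closes itself after 72 hours even if nobody revokes it, which addresses the "someone may keep it open longer than needed" objection.

```shell
#!/bin/sh
# Added example, not from the thread or any provider in it.
# Assumptions (constructed): the BMCs sit in 192.0.2.0/24 behind a Linux router
# running nftables; the table/set names are my own. Set NFT=echo and IP=echo to
# dry-run and see the commands instead of applying them.
IPMI_NET="${IPMI_NET:-192.0.2.0/24}"
NFT="${NFT:-nft}"
IP="${IP:-ip}"

# Accept only a plain dotted-quad IPv4 address. The value comes from a web
# client area, so it is never passed to nft or ip unchecked.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Default-deny ruleset for the BMC network: only sources in the 'ipmi_allow'
# set may reach it, and every element expires on its own (72h unless a shorter
# timeout is given per element), so a forgotten whitelist entry closes itself.
ipmi_ruleset() {
    cat <<EOF
table inet ipmi_guard {
    set ipmi_allow {
        type ipv4_addr
        flags timeout
        timeout 72h
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip daddr $IPMI_NET ip saddr @ipmi_allow accept
        ip daddr $IPMI_NET drop
    }
}
EOF
}

# Load the ruleset. Re-running it merges into an existing table; delete the
# table first if you want to start from a clean state.
ipmi_apply_ruleset() {
    ipmi_ruleset | "$NFT" -f -
}

# Whitelist the customer's current address for a limited time (default 72h),
# the way a client-area login would.
ipmi_allow() {
    addr="$1"; ttl="${2:-72h}"
    valid_ipv4 "$addr" || { echo "ipmi_allow: invalid IPv4 address: $addr" >&2; return 1; }
    "$NFT" add element inet ipmi_guard ipmi_allow "{ $addr timeout $ttl }"
}

# Revoke early (customer logged out, or the address is no longer trusted).
ipmi_revoke() {
    valid_ipv4 "$1" || return 1
    "$NFT" delete element inet ipmi_guard ipmi_allow "{ $1 }"
}

# The "null route" toggle: blackhole the BMC's own public address on the router
# so nothing reaches it, and remove the route again to re-enable access.
ipmi_disable() {
    valid_ipv4 "$1" || return 1
    "$IP" route replace blackhole "$1/32"
}
ipmi_enable() {
    valid_ipv4 "$1" || return 1
    "$IP" route del blackhole "$1/32"
}
```

In use, the client area would call `ipmi_allow <customer-ip>` on login and `ipmi_revoke` on logout; `nft list set inet ipmi_guard ipmi_allow` shows the remaining lifetime of each entry, which is also the audit view of who can currently reach the BMCs.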
Yes, and that would be the best way of doing it instead of actually requiring VPN access, as you could mainly put a firewall in front of the IPMI and only allow whitelisted IPs to access it. That balances the security and also helps with the convenience standpoint as well, since it is likely that whitelisting the IP only takes a sec but trying to connect over VPN doesn't (at least not to my knowledge).
Open a ticket with your provider, asking them to "null route" the IP of your IPMI's public IP address. That's what I do. Simple enough. Open a ticket each time you need it back online. My provider is happy to do this, as most should be.
I agree with the huge security risk of leaving IPMIs running on public IPs. Very dangerous if left open.
I'm curious, who is the provider that has IPMIs running on a public IP? I don't think I've heard of that before
Virmach / ColoCrossing
Terrible solution from the providers point of view. If you need to (or should be) doing something multiple times per week it should be automated.
True. And I like my firewall approach better, too. But @Clouvider's VPN approach isn't bad either.
Each one has its plus and minus points. Clouvider's VPN approach, for instance, is easier on the provider in that he only needs to set it up once and to enter new customers (and delete ex-customers) only once. My fw approach has its advantages, too, for instance in not demanding any extra step from the customer (IPMI consoles are beasts and funneling them through a VPN doesn't make it nicer).
When I was an Incero customer, they firewall-blocked all access to their IPMI public IPs. When a customer logged in to the customer portal, the firewall would automatically whitelist their IP to access the IPMI network. It was a super easy and secure system, and I felt good knowing they maintained a secure/safe network. I hope all providers were this simple, but as a customer, knowing my IPMI is blocked and can be enabled via ticket is perfectly fine for my needs.
VPN network is a good idea, too, but I know low-budget providers don't like VPNs because they can be a pain to support. If anyone has staff/friends trying to use VPN software, you probably already know VPNs can be a pain to troubleshoot (usually a DNS issue, btw).
This is a good discussion. I wish more admins were aware their IPMIs are needlessly exposed to the 4 billion IP addresses on the Internet.
Note to providers: if you cannot do any of the above, run your IPMIs on alternate ports that would be difficult to guess. Don't run on ports 80/443. Lessens the security risk a little.