
Comments
Is this serious, oh my god ._.
Lmao
Should make a list of providers who do public IPMI.. cc @yoursunny
How many is all your dedi?
Please don't
Does everyone have the same issue? There are 700 ports open at FiberState on 623. Is it a smaller set?
Sort of scary because I just purchased a Utah VPS from their host client
If anyone here on LET, sells VPS with an IPMI public again, after this, they should get banned for gross negligence.
I have a dedi with fiberstate and the IPMI is public. Waiting to see whether my chicken will turn into scrambled egg.
I was just slapped with GC IPMI ransom and bought from Fiber reseller the last 24 hours.
Terrible luck
... There should be a shame list of hosts who use public IPMI in this year. Especially blaming the user when the master set things up in a haphazard fashion.
Is there an IPMI vulnerability? Or just weak passwords?
If there is a vulnerability, I would expect a LOT more affected systems...
IPMIs are known to have holes like swiss cheese.
Likely not a problem. If you have any concerns, please open a support ticket and we'll verify. The issue this thread is about was due to a third user account that was set up; we assisted the user with ensuring everything was reset and secured.
This is the correct stance, full stop
Password or not, they should not be public IPs. The server engineer is the last to know about IPMI vulnerability until it's too late for help, scripts find them first -_-
This is a design fault on the side of the vendor due to poor design and no segregation.
Maybe, but that doesn't answer the question.
Public IP or not is no excuse for bad passwords.
Yes, IPMIs with public IPs should be avoided but this isn't always realistic in the real world.
If the particular IPMI doesn't have any vulnerabilities, there is no issue unless weak passwords are used.
In this particular instance it was not a specific software vulnerability, but was caused by a third user account enabled on the IPMI. We make sure all deployed passwords are very secure, complex and locked down.
Was this rogue account added by the ASUS TEK preloaded, or did the third account show up in a mysterious fashion?
If unknown, it likely is an exploit, but I am just on the wrong end of this misfortune every time...
Not sure about ASUS TEK. In this particular case, the user account was not injected maliciously.
I have a dedi, how do I check whether IPMI is enabled or not? And how do I check its password?
noob to topic....
Hi,
Tools like ipmitool or ipmicfg will show you the configuration and let you configure it.
https://www.supermicro.com/en/solutions/management-software/ipmi-utilities
If you have a public IP, then you should ask your provider to secure it by either firewall or by giving you private IPs you can reach via VPN.
No matter how strong the passwords are, it's just a matter of time until it's hacked.
Thanks for the response, but it's still g(r)eek to me.
Public IP means the usual IPv4 to access the server?
Or a public IP for IPMI?
Correct, it would be any IP you can publicly access from the internet without needing to be on a VPN.
Hi,
hrhr, sorry....
This ransom stuff attacks your IPMI. So the topic is IPMI (only). It has nothing to do with your regular services that you run on your server with your public IP.
IPMI is a separate system, independent from your server OS (and whatever is installed on it).
It has an independent IP, user and pass, allowing you to access your server independently of your OS for maintenance.
And the question is what kind of IP is used for this IPMI... a publicly routed one (alias Internet IP) or a private IP (192.168, 10......, what you will usually see on your LAN at home on your DSL / cable / whatever private router).
Aaand I suggest you work yourself a bit more into this kind of admin topic if you run a server that is available in public ;-)
Only ASRock IPMI is getting affected for now.
You have to remove all users including "administrator" from your IPMI, as this is how the attacker is getting in.
Keep the admin user only. Better ask @fiberstate to pull out your IPMI Ethernet cable for now.
From their reference screenshot https://www.asrockrack.com/support/IPMI.pdf it shows 'admin', which is likely the default user.
Is there any notice or intent as to how this nefarious actor added 'administrator', or was it weak password?
Also thank you @fiberstate for not being opaque about the issue. Just worried where my backups go now... besides my unconnected USB.
It's all IPMI; however, SM and ASRock and a few other brands are more likely to be exploited easily.
To be more specific and clear, we've only seen this user issue impact Asrock Rack B650D4U-2L2T/BCM AM5 boards.
All instances that may have been impacted with this IPMI user vulnerability, that we are aware of, have been fully updated to resolve the issue.
We are not aware of any other server types or issues facing this problem; this is specifically custom-deploy Asrock Rack B650D4U based R9 systems. All instant deploy, R7 5700G, R9 9950X, E3s, Xeon Golds, E5s, etc. are not impacted.
If you are unsure and are a customer of ours, please open a support ticket and we'll be glad to double check.
I never worked with IPMI, can you explain please:
1) If it is a public IP, what can I do apart from changing the password?
As I understand, there is no firewall management for that public IPMI IP.
2) If it is a private IP, then the hosting provider should give you some login/password for his VPN server? And is that a common thing?
Ask your provider if a private IP and access only through a VPN is possible.
Typically, if you have a static IP you can use, ask your provider if they can only allow your list of IPs to access it.
Yes, more common now than it has been in the past. Not everywhere but many providers can offer this.
Most have a firewall feature you can use to lock down access.
Typically it's a VPN login that has private network access to the internal network with IPMI access.
It can also be, as in our case with some of our server packages, a private IPMI network with DCIM control for OS install, reboot, KVM, etc.
No problem.. if you need assistance with a backup solution, we can help. Please open a support ticket.
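An added audit script (not from this thread, FiberState, or any BMC vendor) that turns the two pieces of advice above into a check: it parses `ipmitool user list 1` output to flag any login-capable slot beyond the expected `admin` user (the unexpected third account the thread describes), and parses `ipmitool lan print 1` to flag a BMC address outside RFC 1918 space, i.e. the "public IPMI" case. The sample tool output is constructed, and the expected-user list is an assumption.

```python
import ipaddress
import re

# Constructed sample of `ipmitool user list 1` (not captured from any real BMC).
# Slot 3, an extra enabled "administrator", stands in for the unexpected third account.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   admin            true    true       true       ADMINISTRATOR
3   administrator    true    true       true       ADMINISTRATOR
"""
# Constructed sample of `ipmitool lan print 1`, trimmed to the lines the check reads;
# 203.0.113.45 is a documentation address standing in for a routed public IP.
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 203.0.113.45
"""
# Row layout is fixed: slot id, free-form name, three booleans, privilege text.
USER_ROW = re.compile(r"^(\d+)\s+(.*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_user_list(text):
    """Return (slot_id, name, ipmi_msg_enabled, privilege) for every user slot row."""
    rows = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:  # group(5) is the "IPMI Msg" column: whether the slot can log in over IPMI
            rows.append((int(m.group(1)), m.group(2), m.group(5) == "true", m.group(6)))
    return rows

def audit_users(text, expected=("admin",)):
    """Flag every slot that can log in over IPMI but is not on the expected-user list."""
    return [f"slot {uid}: unexpected user '{name}' with {priv} privilege"
            for uid, name, enabled, priv in parse_user_list(text)
            if enabled and name not in expected]

def bmc_ip_is_private(text):
    """True if the BMC LAN address is RFC 1918, False if routed, None if no address found."""
    m = re.search(r"^IP Address\s*:\s*(\S+)", text, re.M)
    if not m:
        return None
    addr = ipaddress.ip_address(m.group(1))
    return any(addr in net for net in RFC1918)

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USER_LIST):
        print("FINDING:", finding)
    if bmc_ip_is_private(SAMPLE_LAN_PRINT) is False:
        print("FINDING: BMC has a routed address; ask the provider for a firewall or VPN-only access")
```

On a real host, replace the samples with the captured output of the two ipmitool commands and adjust `expected` to the accounts your provider documents.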