Best Practices for managing servers with IPMI
Baseboard Management Controllers (BMC) with IPMI are commonly used to manage servers remotely. Almost 100% of Microway’s servers support IPMI either through a dedicated management port or a shared LAN port. As of 2012, all new products support IPMI 2.0 and encryption.
A BMC provides powerful remote debugging capabilities for datacenter and HPC administrators, but may allow unauthorized access from the Internet or from within an organization. If not configured properly, an IPMI BMC may compromise the security of your machines. We recommend the following steps when using IPMI to manage your machines:
- Block/Restrict inbound traffic from the Internet directly to BMCs. Log on to a secure management server in your datacenter and manage all BMCs from there.
- Reserve special IP address ranges (private subnets) for BMC management interfaces and management servers. Don’t share IP subnets – use separate subnets for LAN, WAN and IPMI.
- Configure the firewall to block/restrict outbound traffic from BMC, including alerts within the reserved IP range.
- Use the dedicated management interface for each BMC. This provides physical separation of networks. If this is not possible, then your server traffic and IPMI traffic will both be using a shared LAN port – configure your network to use a separate VLAN for IPMI traffic.
- Configure your BMCs to use custom port numbers. For example; you can set the HTTP port of the BMC to 57880 instead of 80.
- Change the default password during installation and use strong passwords.
- Create user policies and roles on the BMCs.
- Use the IP Access Policy to enable access rules to BMC from management servers.
- Monitor for unusual traffic between your BMCs and other machines on the network.
- Pay attention to firmware release notes (especially related to security fixes) and plan upgrades of the firmware during your maintenance cycles.
Adapted from Supermicro IPMI Best-Practices Guide