On 2014-06-02 14:10, Randy Bush wrote:
so how do folk protect yet access ipmi? it is pretty vulnerable, so 99% of the time i want it blocked off. but that other 1%, i want kvm console, remote media, and dim sum.
currently, i just block the ip address chunk into which i put ipmi at the border of the rack. when i want access, i reconfig the acl. bit of a pita.
Depends on how many boxes you have at the same location. If you only have one, that is likely the way to go; if you have a few more, use one or multiple (backup :) VMs on the boxes as management access, properly ACL that away, put OpenVPN on it, route the IPMI network over that, presto.

Of course, the IPMI boxes should always live in their own VLAN where possible, and those VLAN addresses should never be routed publicly or NATted to anything public. With the OpenVPN trick, or whatever your VPN tool of choice is, you don't have to NAT, mind you.

Do note that if you have multiple mgmt/access boxes you should have a floating gateway IP and/or bridge that network onto your VPN. Bridging is typically easier also, as it avoids having to configure a default gateway, which again avoids all kinds of accidental typos.

Do note that the above does not allow you access if the datacenter's switching or routing is borked too heavily, hence a GSM/4G backup USB stick in the management box to allow 'dial in'[*] can be useful too ;) That is of course if there is signal in the datacenter...

Greets,
 Jeroen

[*] Cheap variant: get a 4G USB stick with a pre-paid number, set it up so that you can SMS to it, and that based on the SMS (src-number verify etc.) it connects to the network and contacts a remote OpenVPN, configures that VPN and voila, you are in.

[*] If you don't want extra services like OpenVPN, keep in mind that ACLs keep baddies out and that one can alternatively do tunneling in a similar method with sshd (and key restrictions to not allow them anything else ;)
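The sshd variant from the second footnote, as an added example that is not part of the thread and not Jeroen's or Randy's setup: a small POSIX sh script that generates, from one list of IPMI addresses and ports, both the `authorized_keys` line for a tunnel-only key and a matching `sshd_config` `Match` block, so the key restrictions and the server-side limits cannot drift apart. The IPMI VLAN addresses (10.99.0.0/24), the ports (443 for the BMC web UI, 5900 for the KVM console), the `kvm` account and the key material are all constructed assumptions. Note that `ssh -L` only carries TCP, so IPMI-over-LAN itself (RMCP, UDP 623) still needs the routed or bridged VPN from the post; this covers the web UI and KVM console.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates OpenSSH restrictions
# for a "tunnel-only" account on the management box so that a key can reach
# the IPMI VLAN over local port forwards and do nothing else.
# All hosts, ports, the user name and the key below are constructed.

IPMI_HOSTS="10.99.0.11 10.99.0.12"   # assumed IPMI VLAN, never routed publicly
IPMI_PORTS="443 5900"                # assumed BMC web UI and KVM console ports
TUNNEL_USER="kvm"                    # assumed dedicated forwarding-only account

# permitopen_list HOSTS PORTS -> comma-separated permitopen="host:port" options
permitopen_list() {
    out=""
    for h in $1; do
        for p in $2; do
            out="${out:+$out,}permitopen=\"$h:$p\""
        done
    done
    printf '%s' "$out"
}

# restricted_key_line PUBKEY HOSTS PORTS -> one authorized_keys line.
# 'restrict' (OpenSSH 7.2+) disables pty, agent/X11 forwarding and the rest;
# 'port-forwarding' re-enables only TCP forwarding, which permitopen then
# limits to the listed host:port pairs; the forced command hands any session
# channel /bin/false instead of a shell.
restricted_key_line() {
    printf 'restrict,port-forwarding,%s,command="/bin/false" %s\n' \
        "$(permitopen_list "$2" "$3")" "$1"
}

# sshd_match_block USER HOSTS PORTS -> sshd_config Match block enforcing the
# same limits server-wide, so an unrestricted key that sneaks into the
# account's authorized_keys still cannot forward anywhere else or get a tty.
sshd_match_block() {
    targets=""
    for h in $2; do
        for p in $3; do
            targets="${targets:+$targets }$h:$p"
        done
    done
    printf 'Match User %s\n' "$1"
    printf '    AllowTcpForwarding local\n'
    printf '    PermitOpen %s\n' "$targets"
    printf '    PermitTTY no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    ForceCommand /bin/false\n'
}

# Stand-alone run: print both artifacts for a constructed public key.
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly randy@laptop"
echo "# ~${TUNNEL_USER}/.ssh/authorized_keys"
restricted_key_line "$SAMPLE_PUBKEY" "$IPMI_HOSTS" "$IPMI_PORTS"
echo
echo "# append to /etc/ssh/sshd_config"
sshd_match_block "$TUNNEL_USER" "$IPMI_HOSTS" "$IPMI_PORTS"
```

With the generated line and block in place, the client side is `ssh -N -L 8443:10.99.0.11:443 kvm@mgmt` followed by browsing to https://localhost:8443; without `-N` the forced command returns immediately and the session closes. Any forward to a host or port outside the list is refused by sshd, and the `Match` block is the belt to the key option's braces.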