138. How do I configure IPMI for remote management?
It is generally recommended to not expose the management interface for servers to the Internet. Not only does some computers come pre-configured with a default login and password, but the embedded software may have vulnerabilities that are not patched as fast as normal operating systems or in some cases are not patched at all.
Most servers with IPMI can change the IPMI out-of-band communication to go via a dedicated network. This is usually done in BIOS. Use a dedicated network or dedicated VLAN for this. In order to not let the servers expose them selves to each other use the Private VLAN (protected ports) feature in the switches. Read about Private VLAN in Wikipedia.
This is how to get the current settings in Linux:
ipmitool lan print
Change to using DHCP instead of Static:
ipmitool lan set 1 ipsrc dhcp
Setting the LAN MAC Address:
ipmitool lan set 1 macaddr 00:25:90:12:34:56
Supermicro
Some Supermicro servers come pre-configured with failover IPMI meaning that the out-of-band communication for IPMI will share the same network connection as the server is normally using.
This is quite unsafe and will expose IPMI with default login and password via the normal network. This can be changed when running with these commands in Linux:
- Dedicated:
ipmitool raw 0x30 0x70 0x0c 0x01 0x00
- Shared with LAN1:
ipmitool raw 0x30 0x70 0x0c 0x01 0x01
- Failover:
ipmitool raw 0x30 0x70 0x0c 0x01 0x02