Re: [Freeipmi-devel] ipmi configuration security best practices

[dan farmer]

(Albert - crushing a few of your replies into one bit; thanks for the feedback!)

On Feb 19, 2013, at 10:18 AM, Albert Chu <address@hidden> wrote:
>> 7. Don't use MD2 or RC4 for anything (they're usable in several
>> places in the specification and vendors still support them.) Written
>> in 1989 & 1987, they've been both demonstrated to be relatively insecure.
>> MD5 isn't great, but at least it's better than MD2.
> 
> As an alternate, I would say just disable these authentication
> mechanisms so they can't be used at all period (i.e. disable MD2,
> disable clear password, disable Cipher Suite 0).  In bmc-config, you can
> find the config of these in the sections Rmcpplus_Conf_Privilege and
> Lan_Conf_Auth.

Yes, disabling is far preferable, if it can be done, I should have used that
language but I was waffling because I didn't want to have to read that part
of the spec again ;)

>> 17. Disable all services that aren't used (this can usually be done
>> via the BMC's web interface, scripting interfaces, or the command
>> line interface.
> Not sure if you're aware, but many of these "disable extra services" are
> supported in ipmi-oem.  Of course, I have to support the specific
> motherboard/vendor.
[+ssh, telnet, etc.]

Of course - as a matter of fact nearly all of them, if memory serves, good
catch.  There are some near ubiquitous ones, but I shouldn't be sloppy.

> So here's 2 other security things I thought of
> 
> A)
> 
> In newer IPMI erratas there is support to configure how many attempts a
> person has to brute force a password before the BMC just locks up that
> user.  I don't know how many motherboards support this, but it's not
> many.  Here's the description from bmc-config as an FYI.
[…]
> SOL security can be tightened as well.  Such as (this is a cut & paste
> from bmc-config).

Both great catches, thanks!  I've gone to free*ipmi-config because it's so 
trivial to parse, so I'll make sure these are in.

dan