How to disable IPMI on X9SCM-F Mobo?

kurtkurtosis

I am getting bi-weekly warnings from ATT as my internet provider as IPMI seems to be vulnerable to security breaches. I only use the SuperMicro build to back up data every two weeks for a few hours using FreeNAS. So the SM X9 server system is powered down 99% of the time. I don't use IPMI, but I understand that the X9 can be powered on remotely if the right port/password are known.

I get the following email message from ATT:
"AT&T has received information indicating that one or more devices using your Internet connection may have Intelligent Platform Management Interface (IPMI) capabilities exposed to the Internet. The IP address xx.xxx.xxx.xxx was observed responding to port 623/udp on March 17, 2015 at 9:18 PM EDT. Our records indicate that this IP address was assigned to you at this time."

I looked through the BIOS but was not able to find a way to disable IPMI.

Any advice on how to best proceed would be appreciated.
 

Biren78

That is scary!

Here's what you need to do: take the LAN cable connected to the IPMI port. Unplug it if you have no intention to use!

If you do want to use, just put it on the internal network. It should never get an external IP address... ever.
 

PigLover

Why in the world do you have ANY ports open to the Internet that you don't need to do what it is you do? If they can get to port 623 they can probably get to lots of other stuff useful for being nasty...

I don't think you need to worry about the IPMI...more like you need to get a firewall ;)
 

PigLover

Biren78 said:
> That is scary!
>
> Here's what you need to do: take the LAN cable connected to the IPMI port. Unplug it if you have no intention to use!

On most Supermicro motherboards that won't help. If there is nothing plugged into the IPMI they just 'share' the normal LAN port to expose IPMI to the network.

You can disable it in the BIOS. If no 'disable' option exists just set it to use a non-routable IP address like 169.254.1.1.
 

Entz

There is a jumper on the board that will let you disable the BMC.

Failover, I thought, only worked with one of the LAN ports, not both. Another option would be to run a cable from the dedicated port to an internal switch and disable failover (still get remote management that way). The goal is to keep the BMC from getting an internet-routable IP address from your ISP.
 

Patrick

All good points. Do you have a router/firewall? Getting IPMI to a non-routable IP address is a must-do. If it is getting an IP address through DHCP unintentionally, you likely have a lot you can do for security on your network.
 

kurtkurtosis

Appreciate all the comments.

I deleted the port 623 forward to IPMI 192.168.0.2 on my Netgear WNDR3700 router. I hope this will solve my ATT problem.

Thanks again.
 

kurtkurtosis

I experimented with IPMI several years ago as this represented a totally new experience for me, e.g. to boot & access a PC remotely seemed pretty wild to me.

I believe the port 623 forward in the setup on my WNDR3700 is necessary so I could remotely boot and access the SM server. I can't remember the details here since it has been too long, but it all worked at one time.

However, I just got another ATT warning today 3/24. So deleting the port 623 forward did not solve my problem as I had hoped. I am disconnecting the network cable to the SM server altogether as ATT is now sending out warnings every two days. Note that the IPMI port is not connected to my router, but that does seem to be necessary in order to access IPMI anyway if I remember correctly.
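
Added example, not part of any post in this thread: a way to check whether an address still answers on 623/udp, the condition the AT&T notice describes. It sends the ASF Presence Ping that RMCP defines for discovery and reads the Pong; the function names and script name are made up for illustration, and it assumes you run it from a connection outside your own network (for example a phone hotspot) against your own public IP.

```python
import socket
import struct
import sys

ASF_IANA = 4542                            # ASF enterprise number in RMCP/ASF messages
PRESENCE_PING, PRESENCE_PONG = 0x80, 0x40  # ASF message types

def build_presence_ping(tag=0):
    # RMCP header: version 6, reserved, sequence 0xFF (no ACK), class 6 (ASF)
    rmcp = bytes([0x06, 0x00, 0xFF, 0x06])
    # ASF body: IANA number, message type, tag, reserved, data length 0
    return rmcp + struct.pack(">IBBBB", ASF_IANA, PRESENCE_PING, tag, 0, 0)

def parse_presence_pong(data):
    """Return {'ipmi': bool} for a well-formed Presence Pong, else None."""
    if len(data) < 21 or data[0] != 0x06 or (data[3] & 0x1F) != 0x06:
        return None
    iana, msg_type = struct.unpack(">IB", data[4:9])
    if iana != ASF_IANA or msg_type != PRESENCE_PONG:
        return None
    # Byte 20 is "supported entities"; bit 7 set means IPMI is supported
    return {"ipmi": bool(data[20] & 0x80)}

def classify(reply):
    """Map a raw reply (or None for silence) to a status string."""
    if reply is None:
        return "no-reply"
    pong = parse_presence_pong(reply)
    if pong is None:
        return "responds-unknown"
    return "responds-ipmi" if pong["ipmi"] else "responds-asf-only"

def check_udp_623(host, port=623, timeout=2.0):
    """Send one Presence Ping to host and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_presence_ping(), (host, port))
            reply, _ = s.recvfrom(512)
        except (socket.timeout, ConnectionError):
            reply = None  # filtered, closed, or nothing listening
    return classify(reply)

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check623.py <your-public-ip>
    print(check_udp_623(sys.argv[1]))
```

UDP gives no delivery guarantee, so a single `no-reply` is not proof; repeat the check a few times after each router or BMC change.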
 

kurtkurtosis

Thank you so much for your idea to allow only the dedicated IPMI port to work as I don't really want to plug/unplug the network cable to my SM server box every time I want to use it.

I'll let you know if this solves my problem. Thanks again.
 

Evan

To revive a sort of old thread: if you use the jumper to disable the IPMI on an SM system, does it really power it off and save power if you don't really need it?
(Assume the server is then totally headless as well)