Securing ipmi over the internet


gigatexal

I'm here to learn
Nov 25, 2012
Portland, Oregon
alexandarnarayan.com
I made a breaking change somehow and now my KVM host won't boot. I won't know what it is complaining about until I make it home. Which sucks because when I have downtime at work I tinker with my setup at home, often on behalf of other clients. So while I kick myself for the downtime I am causing myself, I thought I'd ask if anyone had some thoughts on how best to expose ipmi over the internet.

I could go as far as a dedicated low power box that is on the network with a static IP that I can maybe ssh into and then forward over X the ipmiviewer. Maybe there's an easier way?

ttabbal

Active Member
Mar 10, 2016
I would use SSH port forwarding or OpenVPN. That way you don't expose IPMI at all. Even a Raspberry Pi should be fast enough for basic IPMI stuff if you are trying to keep power/noise levels down.
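An added example of the SSH port-forwarding approach ttabbal suggests; it is not code from the thread. It assumes a jump host named jump.example.net on the home LAN (the Raspberry Pi in his post), a BMC at 10.0.99.10, and ipmitool installed on the jump host; the port numbers (443 for the BMC web UI, 5900 for the KVM viewer) are typical but vary by BMC. The caveat it builds in: ssh -L carries TCP only, so IPMI-over-LAN (RMCP+ on UDP 623) cannot be tunnelled this way and ipmitool has to run on the jump host itself.

```shell
#!/bin/sh
# Added example, not from the thread: reach a BMC through an SSH jump host
# instead of exposing IPMI to the internet.
# Assumed values (edit for your setup): jump host, BMC address, ports.
JUMP="${JUMP:-jump.example.net}"     # assumed jump host on the home LAN
BMC="${BMC:-10.0.99.10}"             # assumed BMC address on the IPMI VLAN
# local:remote TCP port pairs; high local ports avoid needing root to bind.
# 443 = BMC web UI, 5900 = KVM/console viewer on many BMCs (adjust as needed).
TCP_FORWARDS="8443:443 5900:5900"

# Build the ssh -L option list. Refuses port 623, because RMCP+ (IPMI over
# LAN) is UDP and ssh -L only forwards TCP: it would silently not work.
forward_args() {
  bmc="$1"; shift
  out=""
  for pair in "$@"; do
    lport="${pair%%:*}"; rport="${pair#*:}"
    if [ "$rport" = 623 ]; then
      printf 'refusing %s: port 623 is UDP (RMCP+); ssh -L is TCP only\n' "$pair" >&2
      return 1
    fi
    out="$out -L 127.0.0.1:${lport}:${bmc}:${rport}"
  done
  printf '%s\n' "${out# }"
}

# Open the tunnel in the foreground. -N runs no remote command;
# ExitOnForwardFailure turns an already-taken local port into a hard error
# instead of a tunnel that looks up but forwards nothing.
bmc_tunnel() {
  args=$(forward_args "$BMC" $TCP_FORWARDS) || return 1
  # shellcheck disable=SC2086  # args is a deliberately word-split option list
  ssh -N -o ExitOnForwardFailure=yes $args "$JUMP"
}

# For IPMI-over-LAN commands, run ipmitool on the jump host, where UDP/623 to
# the BMC is reachable. -f reads the password from a 0600 file on the jump
# host, so it never appears on a command line or in shell history.
ipmi_remote() {
  ssh "$JUMP" ipmitool -I lanplus -H "$BMC" -U "${IPMI_USER:-admin}" \
    -f /home/"${IPMI_JUMP_USER:-pi}"/.ipmi_pass "$@"
}

# Usage:
#   bmc_tunnel &                       # then browse https://127.0.0.1:8443
#   ipmi_remote chassis power status
#   ipmi_remote chassis power cycle    # the "fix my broken host" case
```

The web UI and KVM viewer are reached at 127.0.0.1:8443 and 127.0.0.1:5900 while the tunnel is up; nothing on the BMC is reachable from the internet, and the only exposed service is sshd on the jump host, which should itself be key-only.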

cperalt1

Active Member
Feb 23, 2015
I second that, OpenVPN to your network and then you can have IPMI from there. If you have your IPMI on a separate VLAN then you can probably do some firewall rules to allow it to one client or something like that.

PigLover

Moderator
Jan 26, 2011
I wouldn't recommend anyone ever expose ipmi over the internet. ipmi has so many security vulnerabilities that you are just inviting trouble...

IF you need to do this, I'd set up an OpenVPN server on my firewall with good security (client certificate authentication + IPsec). Then you can VPN into your LAN and do whatever IPMI work you need. By using client certificates you limit users to those with the certificate on their device.

If you use pfSense as your router this is fairly easy to set up.

Even VPN has potential vulnerabilities...but ipmi is so full of holes you should just consider it a wide open door.
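An added example, not PigLover's or the thread's own configuration, of the setup he describes together with cperalt1's firewall-rule suggestion: an OpenVPN server that only admits clients holding a certificate from your CA, and an nftables ruleset on the same firewall that lets VPN clients reach the IPMI VLAN only on the ports IPMI actually uses. The IPMI VLAN (10.0.99.0/24), VPN pool (10.8.0.0/24), tun0 interface name and PKI file paths under /etc/openvpn are assumptions; the PKI itself (CA, server cert, ta.key, CRL) is assumed to already exist. The audit function at the end checks an existing server.conf for the weak settings the hardened one avoids.

```shell
#!/bin/sh
# Added example (not from the thread): certificate-only OpenVPN server config
# plus an nftables ruleset that confines VPN clients to the IPMI VLAN.
# Assumed: IPMI VLAN 10.0.99.0/24, VPN pool 10.8.0.0/24, PKI files already
# issued (e.g. with easy-rsa) under /etc/openvpn. Adjust to your network.

# Write a server.conf. $2 is the VPN pool network, $3 the IPMI VLAN network.
write_openvpn_conf() {
  out="$1"; vpn_net="$2"; ipmi_net="$3"
  cat > "$out" <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# Authenticate control-channel packets before the TLS handshake; unsigned
# packets are dropped, so port scanners get nothing back.
tls-crypt /etc/openvpn/ta.key
# Every client must present a certificate signed by our CA. This is the
# opposite of "verify-client-cert none" / "client-cert-not-required".
verify-client-cert require
remote-cert-tls client
# Revoked device certificates stop working as soon as the CRL is updated.
crl-verify /etc/openvpn/crl.pem
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
server ${vpn_net} 255.255.255.0
# Push only the IPMI VLAN route; clients do not get a default route.
push "route ${ipmi_net} 255.255.255.0"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# Write an nftables ruleset: VPN clients may reach the IPMI VLAN on the IPMI
# ports only; every other forwarded path into that VLAN is dropped.
write_nft_rules() {
  out="$1"; vpn_cidr="$2"; ipmi_cidr="$3"
  cat > "$out" <<EOF
#!/usr/sbin/nft -f
table inet ipmi_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    # HTTPS web UI and KVM viewer (TCP), IPMI over LAN / RMCP+ (UDP)
    iifname "tun0" ip saddr ${vpn_cidr} ip daddr ${ipmi_cidr} tcp dport { 443, 5900 } accept
    iifname "tun0" ip saddr ${vpn_cidr} ip daddr ${ipmi_cidr} udp dport 623 accept
    # Anything else headed for the IPMI VLAN (WAN, other VLANs) is dropped.
    ip daddr ${ipmi_cidr} counter drop
  }
}
EOF
}

# Audit an existing server.conf for the settings that matter here.
# Prints each finding on stderr and returns 1 if anything is weak.
audit_openvpn_conf() {
  conf="$1"; rc=0
  if grep -Eq '^[[:space:]]*(verify-client-cert[[:space:]]+(none|optional)|client-cert-not-required)' "$conf"; then
    echo "WEAK: $conf does not require a client certificate" >&2; rc=1
  fi
  grep -Eq '^[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$conf" \
    || { echo "WEAK: $conf has no tls-crypt/tls-auth" >&2; rc=1; }
  grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+client' "$conf" \
    || { echo "WEAK: $conf lacks remote-cert-tls client" >&2; rc=1; }
  grep -Eq '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' "$conf" \
    || { echo "WEAK: $conf allows TLS below 1.2" >&2; rc=1; }
  return $rc
}

# Usage on the firewall (as root):
#   write_openvpn_conf /etc/openvpn/server.conf 10.8.0.0 10.0.99.0
#   write_nft_rules /etc/nftables.d/ipmi.nft 10.8.0.0/24 10.0.99.0/24
#   audit_openvpn_conf /etc/openvpn/server.conf && nft -f /etc/nftables.d/ipmi.nft
```

Per-device certificates are what make "limit users to those with the certificate on their device" enforceable: a lost laptop is handled by revoking its certificate and regenerating crl.pem, not by changing a shared password. pfSense builds the same config from its OpenVPN and Firewall Rules pages; the directives above are what to look for when reviewing what it generated.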

K D

Well-Known Member
Dec 24, 2016
I use TeamViewer to connect to an always on VM or my workstation when I am outside and need to do something at home.

nitrobass24

Moderator
Dec 26, 2010
TX
I setup an L2TP VPN on my Unifi Gear so I can VPN back home and connect to my SSH/IPMI/RDP clients using the native tools on my laptop.

Rhinox

Member
May 27, 2013
I have Mikrotik protecting the ipmi port (firewall, VPN, etc.). The only complication was the colocation center wanted to charge me double for housing two "servers" (wtf?), so I got pissed and mounted that Mikrotik into my server and wired the ipmi ethernet port over it. It was not difficult, as those routerboards are small and can be powered by Molex...

Blinky 42

Active Member
Aug 6, 2015
PA, USA
I have used the little EdgeRouter-X boxes for this as well, since they are cheap, can be picked up at Micro Center in a pinch, and are easy to stash in a rack or on a desk near your hardware. They have a few ports, so you can direct-attach to more than one system, or to the IPMI and "internal" VLANs, as well as a public IP.

KioskAdmin

Active Member
Jan 20, 2015
> Rhinox wrote: I have Mikrotik protecting the ipmi port (firewall, VPN, etc.). The only complication was the colocation center wanted to charge me double for housing two "servers" (wtf?), so I got pissed and mounted that Mikrotik into my server and wired the ipmi ethernet port over it. It was not difficult, as those routerboards are small and can be powered by Molex...
WAIT WAIT WAIT

@Rhinox are you using something like this? https://www.amazon.com/4-Pin-Molex-Connector-2-1mm-5-5mm/dp/B01M1XQ7EU/

That'd save me like $100/ month.

Molex is off when system is off though right? So if you IPMI power cycle your VPN goes down?

PigLover

Moderator
Jan 26, 2011
The small Mikrotik or EdgeRouter is likely low power enough that you could tap the 12V standby power off the 24-pin PSU connector... then you'd have power as long as AC is connected.


MiniKnight

Well-Known Member
Mar 30, 2012
NYC
> PigLover wrote: The small Mikrotik or EdgeRouter is likely low power enough that you could tap the 12V standby power off the 24-pin PSU connector... then you'd have power as long as AC is connected.
OK now I'm feeling my eyebrows raise. Isn't that dangerous for a fire?

markarr

Active Member
Oct 31, 2013
Meh, when the devices are using the same wattage as the BMC there is nearly no chance of a fire, provided you don't ground anything you shouldn't. No different from mounting extra SSDs in the chassis.

PigLover

Moderator
Jan 26, 2011
> MiniKnight wrote: OK now I'm feeling my eyebrows raise. Isn't that dangerous for a fire?

No, it isn't. To do this safely you do have to understand a bit of how power and grounding work inside the chassis. But if you don't understand these same power and grounding principles you really shouldn't be opening the case to do any work, especially connecting devices to a Molex connector using an adapter cable you bought off eBay.

Don't mean for this to sound snotty - as I re-read it I can see that it may. But I don't know how to re-word it and still get the point across.

PigLover

Moderator
Jan 26, 2011
One issue with the use of ATX standby power, though. Rechecked, and ATX SB power is actually 5V, not 12V. While the power draw of the small Mikrotik board is well within spec for ATX standby (6W on the 5-port RB260GS), its input power range is 6-30V. So no love on powering it from standby.