Supermicro IPMI security


BLinux

cat lover server enthusiast
Jul 7, 2016
2,672
1,081
113
artofserver.com
First time putting a Supermicro machine on a production network. The network vulnerability scanner picked up the IPMI port on this machine and reported two problems:

1) default passwords are in use
2) "null" user can access the system

However, I have:

1) latest IPMI firmware from Supermicro's website
2) changed password of "ADMIN" account
3) "Anonymous" account has no privileges

I've also tried to log in as the "Anonymous" account with ssh -l "" and via the web UI and cannot gain any access. So, why are the security scanners picking up a problem?

Can the "Anonymous" account (IPMI account id = 1) be deleted safely without causing problems?
 

j_h_o

Active Member
Apr 21, 2015
644
180
43
California, US
Don't bother.

Put it on an isolated VLAN with (only) VPN access. Don't expose it anywhere, except for you to get in, in case of emergency/maintenance.
 

BLinux

> Don't bother.
>
> Put it on an isolated VLAN with (only) VPN access. Don't expose it anywhere, except for you to get in, in case of emergency/maintenance.

That's not really going to make a difference. The security scans happen on every segment; another scanner will pick up the same problem.
 

PigLover

Moderator
Jan 26, 2011
3,186
1,545
113
You can safely delete the anon account. If for some unexpected reason you discover that to be a problem a "factory reset" of IPMI should put it back.

I'd still isolate it onto a dedicated LAN with its own perimeter security (firewall). While I love its functionality, IPMI is a leaky bucket for security.
 

BLinux

> You can safely delete the anon account.
>
> I'd still isolate it onto a dedicated LAN with its own perimeter security (firewall). While I love its functionality, IPMI is a leaky bucket for security.

Thanks. It already is on an ops admin subnet that's only accessible via a bastion host w/ MFA.

I just don't understand the report I got. I was not expecting it to report default password or "null" account to be a problem. Or, is there a different default password it could be reporting on other than the ADMIN/ADMIN one? And I'm assuming the "null" account is the anonymous account, but not sure... The report doesn't actually describe the testing methodology, just a link to a webpage that talks about the anonymous account, so that's why I was assuming that's the problem but I can't verify it.
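
Added example, not part of any post in this thread: one way to check locally what the BMC itself reports for the anonymous (empty-name) account discussed above, by parsing the text printed by `ipmitool user list`. The sample rows are constructed, the fixed-width column layout is an assumption modelled on ipmitool's table, and `parse_user_list`, `audit` and `GRANTING` are names made up for this sketch.

```python
"""Audit `ipmitool user list <channel>` output for a usable anonymous account."""

# Constructed sample, not from the thread. The fixed-width layout is an
# assumption modelled on ipmitool's table; feed audit() the real text from
# `ipmitool user list 1` (channel number varies by board) instead.
ROW = "{:<4}{:<17}{:<8}{:<11}{:<11}{}"
COLUMNS = ["ID", "Name", "Callin", "Link Auth", "IPMI Msg", "Channel Priv Limit"]
SAMPLE = "\n".join(ROW.format(*r) for r in [
    COLUMNS,
    ("1", "", "true", "false", "false", "NO ACCESS"),
    ("2", "ADMIN", "true", "true", "true", "ADMINISTRATOR"),
    ("3", "", "true", "false", "true", "USER"),
    ("4", "monitor", "true", "false", "true", "USER"),
])
# Privilege names that grant some level of access on a channel.
GRANTING = {"CALLBACK", "USER", "OPERATOR", "ADMINISTRATOR", "OEM"}


def parse_user_list(text):
    """Slice rows at the header's column offsets so an empty Name stays empty."""
    lines = [l.expandtabs(8) for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    starts = [header.index(c) for c in COLUMNS]
    ends = starts[1:] + [None]
    users = []
    for row in rows:
        fields = [row[s:e].strip() for s, e in zip(starts, ends)]
        if fields[0].isdigit():  # skip anything that is not a user row
            users.append(dict(zip(COLUMNS, fields)))
    return users


def audit(text):
    """Return one finding per empty-name account that can still be used."""
    findings = []
    for u in parse_user_list(text):
        if u["Name"]:
            continue
        if u["IPMI Msg"] == "true" or u["Channel Priv Limit"] in GRANTING:
            findings.append(f"user ID {u['ID']}: empty name, IPMI Msg="
                            f"{u['IPMI Msg']}, priv={u['Channel Priv Limit']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no usable empty-name account found"]:
        print(finding)
```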