IPMI / BMC Support on LoadMaster
The Intelligent Platform Management Interface (IPMI) is an industry standard specification that allows for visibility and control of hardware operating conditions. IPMI allows you to interact with the hardware Baseboard Management Controller (BMC) present on the motherboard.
The BMC and its associated IPMI interface are supported and enabled by default on the following LoadMaster and ECS Connection Manager hardware models:
LM-X25, LM-X25-NG, LM-X40, LM-X25-NG, LM-XHC55, LM-XHC55-NG, LM-XHC75, LM-XHC75-NG, LM-XHC100, LM-XHC100-NG
ECS Connection Manager H2, ECS Connection Manager H2 NG, ECS Connection Manager H3, ECS Connection Manager H3 NG, ECS Connection Manager H4 55, ECS Connection Manager H4 55 NG, ECS Connection Manager H4 75, ECS Connection Manager H4 75 NG, ECS Connection Manager H4 100, ECS Connection Manager H4 100 NG
Note that the IPMI / BMC interface is supported only for read-only use. An example of a supported use is reading hardware sensor information. Making any modifications to hardware settings other than those outlined in this document is not supported and doing so may invalidate the hardware warranty.
Default Credentials
LoadMaster, like most systems that support IPMI, is delivered with default BMC login credentials, depending on model:
- On older models (no -NG in the model name), the BMC and IPMI are enabled by default with a default username (admin) and a default password (admin). This is the same across all models equipped with a BMC.
- On newer models (-NG at the end of the model name) the default password is set to a unique value (the system's serial number).
Security Issue
The following IPMI security issue applies to any hardware from any vendor that implements IPMI.
CVE-2013-4786: The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
What this means is that a bad actor with access to the network on which IPMI commands are being sent to the host could intercept these commands, obtain the password hash, and spend as much time as necessary offline to crack it using whatever means necessary.
IPMI Best Practices
It's important that customers mitigate opportunities for leveraging the default IPMI configuration and the security issue outlined above by following industry-standard IPMI best practices when putting an IPMI-capable device on the network. These include:
- Protecting the BMC with the same level of secure local-only access that you would the system console. This usually means using a separate private management network that only trusted personnel can access.
- Updating the BMC password provided with the system to use a unique, strong password.
- Note that the BMC will attempt to get an IP address using DHCP; or, one may be manually assigned through the system BIOS.
- To update the default password, log in to the web-based user interface at the IP address assigned to the BMC using the default credentials.
Disabling IPMI Access
System management via IPMI can also be disabled by modifying the BMC login configuration using the ipmitool command (or similar IPMI tool). For example:
ipmitool -I lanplus -H hostname -U username -P password channel setaccess 1 userID privilege=15
In the above:
- Replace hostname with the hostname or IP address of the target system's BMC -- this is usually obtained via DHCP and is a different IP address from the unit's main administrative IP address.
- Replace username and password with the administrative login name (admin) and password (see section above) for the IPMI interface.
- Replace userID with the user ID number. Run this command last for the user ID associated with the username you are using to perform this task.
- The -I lanplus option is usually required when using IPMI on a Windows or Linux workstation. See the Usage section of the ipmitool README for more information.
You can get a list of user IDs and names using the following command:
ipmitool -I lanplus -H hostname -U username -P password user list
Once you perform the "channel setaccess" command on all user IDs, all users will be locked out of communicating with the system via IPMI.
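The procedure above as a dry run, added here as an example and not vendor tooling: it parses "user list" output and prints the "channel setaccess" commands with the session account's user ID last, so the account doing the work is locked out only at the end. The sample listing, its fixed-width column layout and the host name bmc.example.net are constructed assumptions; the -E option makes ipmitool read the password from the IPMI_PASSWORD environment variable instead of the command line.

```shell
#!/bin/sh
# Added example (not vendor code): dry-run plan for locking all BMC users out of IPMI.

# Constructed sample of `ipmitool ... user list` output. Assumed layout: ID in
# columns 1-4, Name in columns 5-21. User ID 1 has a blank name.
sample_user_list() {
cat <<'EOF'
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   admin            true    true       true       ADMINISTRATOR
3   monitor          true    true       true       USER
4   backup           true    true       true       OPERATOR
EOF
}

# Read a user list on stdin and print every user ID, one per line, with the ID
# of the session account ($1) last. Fails if that account is not in the list.
lockout_order() {
  awk -v me="$1" '
    $1 !~ /^[0-9]+$/ { next }                 # skip header and blank lines
    {
      name = substr($0, 5, 17)                # fixed-width Name column
      gsub(/^ +| +$/, "", name)
      if (name == me) mine = $1; else others = others $1 "\n"
    }
    END { if (mine == "") exit 1; printf "%s%s\n", others, mine }
  '
}

# Print (do not run) the setaccess commands for BMC host $1 as user $2.
# -E makes ipmitool take the password from the IPMI_PASSWORD environment variable.
plan_lockout() {
  ids=$(lockout_order "$2") || { echo "user '$2' not found in list" >&2; return 1; }
  for id in $ids; do
    echo "ipmitool -I lanplus -H $1 -U $2 -E channel setaccess 1 $id privilege=15"
  done
}

# bmc.example.net is a placeholder host name.
sample_user_list | plan_lockout bmc.example.net admin
```

Review the printed commands against the real "user list" output from your BMC before running any of them.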
Re-enabling IPMI Access
Please note that after you disable IPMI access for all users, you will need to go into the system BIOS should you decide to re-enable it. Controls to reset BMC user privileges and set strong passwords are located on the Server Mgmt tab.
How Do I Get ipmitool?
The ipmitool command can be installed on any Linux system. On an Ubuntu system, for example, use this command:
sudo apt-get install ipmitool
On Windows, you would need to do the following to use ipmitool:
- Enable the Windows Subsystem for Linux.
- Install the ipmitool package as shown above.