Hetzner - DokuWiki
IPMI/en
{{Languages|IPMI}}
== IPMI Information ==
IPMI (Intelligent Platform Management Interface) is an interface for the management and administration of servers. It is implemented by the BMC (Baseboard Management Controller) of a motherboard. You can access this interface via a command line program (such as IPMItool) or a web interface and use it to administer the server: you can perform a reset, start a KVM, and read the output of the motherboard sensors.

=== Model Overview ===
* PX60(-SSD)/PX70(-SSD) - BMC includes IPMI (KVM-over-IP as an optional paid module)
* PX90(-SSD)/PX120(-SSD) - BMC includes IPMI and KVM
* PX91(-SSD)/PX121(-SSD) - paid optional BMC module with IPMI/KVM

=== Activation of the Network Interface ===
Some PX servers have an integrated BMC, while with others it can be added as a module. With the integrated BMC, the network configuration is disabled by default. To use the IPMI, Serial over LAN and/or KVM functions, you will need to order an additional [[IP-Adressen/en|IP address]] (which has a small fee) via [[Robot/en|Robot]].

'''Important''': You need to specify the MAC address of the BMC when you order the additional IP address. You can read the MAC address using IPMItool (see [[#Network|Network]]). After we allocate the IP address to you, you can configure it on the BMC statically or assign it via DHCP.

=== Adding a BMC module / Unlocking the KVM functionality ===
To add the BMC module (including IPMI and KVM) to the PX91 and PX121 models, or to activate the KVM option (including Virtual Media) on the PX60 and PX70 models, you must order the KVM add-on module via Hetzner Robot. To install the add-on module, the server has to be shut down; the downtime for this is only a few minutes.

== Safety Instructions ==
If the BMC is made accessible by assigning a public IP to it, it can be attacked and under certain circumstances abused, leading to the server potentially becoming compromised. Therefore, you should take measures to counteract the most well-known attack scenarios. To learn more about these attacks, read the penetration tester's guide to IPMI published by the Metasploit project (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi).

The motherboard used in the PX60 and PX70 models is not vulnerable to the attacks described in the link, as some protection mechanisms are already enabled by default. In general, you should change the default passwords and disable or rename the pre-existing users. Anonymous access is deactivated by default on all models. The other attack vectors and their prevention are described in the following points.

=== Current Threats ===

==== Vulnerabilities ====

Since the BMC that provides the IPMI functionality is simply software, it can contain vulnerabilities.

===== PX90/PX120 =====

For the motherboard of the ''PX90/120'' models (Supermicro X9SRi-F), a vulnerability was discovered in firmware version 2.14 that allows usernames and passwords to be read in plain text. If your server has this firmware, a firmware update is required before activating the network interface.

The firmware version can be read using ipmitool:

 # ipmitool mc info
 ...
 Firmware Revision         : 3.50

If you have already activated the network interface of the IPMI, you can perform the update via the web interface. You can find the latest version on [http://download.hetzner.de/tools/Supermicro/tools/ download.hetzner.de].

Alternatively, if the network interface of the IPMI has not been activated, an update is also possible from within Linux:

 wget http://mirror.hetzner.de/tools/Supermicro/tools/SMT_X9_350.tgz
 tar -xzf SMT_X9_350.tgz
 cd SMT_X9_350
 ./lUpdate -f SMT_X9_350.bin

Please note that this update only applies to the PX90 and PX120.

===== PX91/PX121 =====

The additional KVM module for the PX91 and PX121 models (Asus Z10PA-U8) uses insecure SSL protocols and an obsolete SSL certificate in versions before 1.11.

Therefore, depending on the browser you use, a secure (HTTPS) connection may not be possible until you have performed an update.

You can install the update via the web interface; the current firmware is available at [http://download.hetzner.de/tools/Asus/tools download.hetzner.de].

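The check above is easy to get wrong by eye, so here is an added POSIX shell script (an example written for this page, not part of the Hetzner wiki or of Hetzner's tooling) that extracts the firmware revision from ''ipmitool mc info'' output and reports whether the PX90/PX120 update is still outstanding. The sample ''mc info'' text is constructed so the script can be exercised on a machine without a BMC; ''firmware_revision'', ''version_older_than'' and ''firmware_verdict'' are this example's own names, and treating every revision below 3.50 (the build offered above) as needing the update is the example's assumption, not a statement from the page.

```shell
#!/bin/sh
# Added example (not from the Hetzner wiki): decide from "ipmitool mc info"
# output whether a Supermicro X9SRi-F BMC still needs the firmware update.
# Assumption of this example: anything below 3.50 is reported as outdated,
# not only the 2.14 build the page names.

# Constructed sample of "ipmitool mc info" output for offline use.
SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 2.14
IPMI Version              : 2.0
Manufacturer Name         : Supermicro'

# Print the firmware revision (e.g. "3.50") found in mc-info text on stdin.
firmware_revision() {
    sed -n 's/^Firmware Revision *: *\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if MAJOR.MINOR ($1) is older than MAJOR.MINOR ($2).
version_older_than() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# Verdict for a block of mc-info text: "update-required", "ok" or "unknown"
# (the latter when no revision line is present at all).
firmware_verdict() {
    rev=$(printf '%s\n' "$1" | firmware_revision)
    if [ -z "$rev" ]; then
        echo "unknown"
    elif version_older_than "$rev" "3.50"; then
        echo "update-required"
    else
        echo "ok"
    fi
}

# "--live" queries the local BMC (needs ipmitool and the ipmi_* modules);
# without it the constructed sample is evaluated.
if [ "${1:-}" = "--live" ]; then
    firmware_verdict "$(ipmitool mc info)"
else
    firmware_verdict "$SAMPLE_MC_INFO"
fi
```

Run it with ''--live'' on the server before assigning the public IP; a result other than ''ok'' means the network interface should stay disabled until the update has been applied.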
==== Cipher 0 Attacks ====
Cipher 0 means that no encryption is used and thus any authentication is bypassed. By default, Cipher 0 is only activated on the motherboard for callback, meaning that logging in is not possible; you can only get a response telling you whether the BMC is there or not. Even so, to ensure that no abuse can take place, Cipher 0 is disabled by default upon delivery of the server and can therefore no longer be used.

==== Transmission of the password's hash ====
In the IPMI specification, authentication of the user is only possible on the user's side. Therefore, a hash of the password is transmitted to any requesting user. As the specification defines exactly what this hash contains, the password can be found via a brute-force attack on the hash. Because this is part of the IPMI specification, the problem exists on all BMCs and can only be remedied by changing the specification. Therefore, the only current recommendation regarding this issue is to use a really long and strong password for the BMC, to make it as difficult as possible for any attackers. If a short or easy-to-guess password is used for the BMC, it can be compromised within hours or even minutes.

Here are some tips for a secure password:<br>
If you need to be able to remember the password, it makes sense to string together several words that have no connection to each other (http://correcthorsebatterystaple.net/). Such a password is secure because of its length and is still easy to remember.<br>
If you plan to store the password in a database and do not need to remember it, you can create a secure password from sufficiently random numbers and letters of a reasonable length (> 30 characters).

==== SNMP Reflection ====

A few IPMI modules (for example, the ASMB8-iKVM in the PX91 and PX121 models) accept queries via SNMP. A small query can trigger a large response, which can be misused for a reflection attack when the query's source address is forged. If you use SNMP, make sure you use a strong community string (the SNMP equivalent of a password). If you do not use SNMP, you can block this port with the firewall on the ASMB8-iKVM modules of the PX91 and PX121 models. Both options can be configured via the web interface.

== Explanation of individual functions ==

==== Web Interface ====
The web interface can be used to read data from the BMC easily and securely. It displays all sensors, users can be added and changed, the network configuration can be set, and if you have a KVM, it can be started.

'''System Information:'''
On this page, you can find some information about your server (BIOS version, current status, CPU and RAM information) and you can see the users who are currently signed in.

'''Server Health:'''
Here, you can see the output of individual sensors on the motherboard and in the CPU. If there are any thermal problems, you can detect them here. Furthermore, there is an event log. In the log, you can find system events, such as critical temperatures, reboots, and CPU throttling. This may help you diagnose a potential problem. The page "Power Statistics" does not work with this model because the power supply does not have the necessary PMBUS interface.

'''Configuration:'''
Here you can configure many options of the BMC. The network settings do not usually need to be changed because the configuration for IPv4 is set automatically via DHCP. You can manually configure IPv6, but using the Hetzner default gateway fe80::1 will only be possible with future firmware versions. You can also add new users here and change and delete existing ones. Additionally, the "Alerts" option allows you to have notifications sent via SNMP or email when certain events occur on the server. This can be useful for monitoring the server.

'''Remote Control:'''
On this page, you can use the KVM functionality of the BMC. However, the "Console Redirection" option is only available if you have activated an additional module. You can always use "Server Power Control". This allows you to send a hardware or software reset to the server; you can also shut it down or start it.

== Configuration ==
In this section, some basic configuration options are shown. You can usually use the web interface of the BMC. It is also recommended to install "ipmitool", which is available via the package manager of all major distributions. This gives you access to additional functions which cannot be configured via the web interface.

Example for Debian:

Installation via the package manager:
 apt-get install ipmitool
In order for ipmitool to function, you should load the following modules via "modprobe":
 modprobe ipmi_devintf
 modprobe ipmi_si
To check if everything important was correctly loaded and installed, use the following example command, which will show you the data from all available sensors:
 ipmitool sensor list

=== Users ===
Several users with different rights can be created on the BMC. After creating a new user with administrative rights via ipmitool, you can manage further users via the web interface.

There are 4 different rights/permission levels:
* '''Callback (1)''': Can only initiate a callback
* '''User (2)''': Can send read-only requests but cannot change any configuration files
* '''Operator (3)''': Can change all configurations apart from deactivating the channel and changing rights
* '''Administrator (4)''': Can change all configurations

Usually one or more users already exist. An overview of the existing user IDs and logins can be obtained via:
 ipmitool user list 1
In the PX90/PX120 models, an active user with administrative rights already exists:
 ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
 2   ADMIN            false   false      true       ADMINISTRATOR
In the BMC/KVM modules of the PX91/PX121 models, there are two active users with administrator rights:
 ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
 1                    false   false      true       ADMINISTRATOR
 2   admin            false   false      true       ADMINISTRATOR
In the PX60/PX70 models, there are 5 standard inactive users. All of them can be changed except for the first one.
 ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
 1                    true    false      true       ADMINISTRATOR
 2   root             false   true       true       ADMINISTRATOR
 3   test1            true    false      true       ADMINISTRATOR
 4   test2            true    false      true       ADMINISTRATOR
 5   test3            true    false      true       ADMINISTRATOR
The root (or ADMIN) user ID should be deactivated and, if possible, renamed after creating a customer user and before activating the network configuration.

Change the login name via ipmitool:
 ipmitool user set name 2 john-doe
To create a new user, simply assign a name to a previously unused ID. The procedure here is identical to changing the login of an ID. Deleting IDs is only possible by altering the BMC settings.

Create a new user:
 ipmitool user set name 6 max+meier
After that, set a password:
 ipmitool user set password 6 Correct-Battery-Horse-Staple
Now activate the access for this user:
 ipmitool channel setaccess 1 6 link=on ipmi=on callin=on privilege=4
Activate the user itself:
 ipmitool user enable 6
To change the password of the user, simply enter the following command:
 ipmitool user set password 6 Battery+Staple-Horse$Correct
Finally, you can disable the default admin user:
 ipmitool user disable 2

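To make the two recommendations above (disable or rename the vendor default users; use a long random password) checkable, here is an added POSIX shell script written for this page; it is not part of the Hetzner wiki or of ipmitool. ''audit_users'' parses ''ipmitool user list'' output and lists every ADMINISTRATOR slot that still carries a default name, including the empty name of ID 1; ''gen_bmc_password'' draws a random password from /dev/urandom. The sample user table is constructed (it follows the PX60/PX70 layout shown above, extended with a USER-level and a "NO ACCESS" slot), and the function names are this example's own. One caveat the script builds in: the IPMI 2.0 Set User Password command stores at most 20 bytes, so a password longer than that cannot be set through ''ipmitool user set password''; the generator therefore defaults to 20 characters.

```shell
#!/bin/sh
# Added example (not from the Hetzner wiki): audit the BMC user table before
# the BMC is given a public IP, and generate a random BMC password.

# Constructed sample in the layout of "ipmitool user list 1" on a PX60/PX70,
# extended with a USER-level account and a "NO ACCESS" account.
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   root             false   true       true       ADMINISTRATOR
3   test1            true    false      true       ADMINISTRATOR
4   monitor          true    false      true       USER
5   test3            true    false      true       NO ACCESS
6   max+meier        true    true       true       ADMINISTRATOR'

# Read "ipmitool user list" output on stdin and print every ADMINISTRATOR slot
# that still carries a vendor default name (empty, ADMIN, admin, root, test<n>).
# "user list" does not show whether a slot is enabled, so every hit has to be
# confirmed disabled ("ipmitool user disable <id>") or renamed first.
audit_users() {
    awk '
    NR == 1 || NF == 0 { next }              # skip the header and blank lines
    {
        n = NF; priv = $NF
        if ($(NF - 1) == "NO") { priv = "NO ACCESS"; n = NF - 1 }   # two-word privilege
        # ID Name Callin LinkAuth IPMIMsg Priv = 6 fields; 5 means the name is empty
        name = (n == 6) ? $2 : ""
        if (priv != "ADMINISTRATOR") next
        if (name == "" || name == "ADMIN" || name == "admin" || name == "root" || name ~ /^test[0-9]*$/)
            printf "id=%s name=%s\n", $1, (name == "" ? "<empty>" : name)
    }'
}

# Number of default-named administrator slots in a user-list text ("0" = clean).
default_admin_count() {
    printf '%s\n' "$1" | audit_users | wc -l | tr -d ' '
}

# Random password from a 62-character alphabet. IPMI 2.0's Set User Password
# command stores at most 20 bytes, hence the default length of 20; pass 16
# for BMCs that only accept 16-byte passwords.
gen_bmc_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-20}"
    echo
}

# Offline demonstration on the constructed sample. On the server itself:
#   ipmitool user list 1 | audit_users
#   ipmitool user set password 6 "$(gen_bmc_password)" 20
printf '%s\n' "$SAMPLE_USER_LIST" | audit_users
```

On the sample, the audit reports IDs 1, 2 and 3 and stays silent about the renamed customer user; run it against the live ''ipmitool user list'' output after the rename/disable steps above, and treat any remaining line as work still to do before the network interface is activated.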
=== Network ===
In order to make the BMC accessible via the internet, you need to order an additional (fee-based) IP for it via Robot. You can do the IPv4 configuration of the BMC either manually or via DHCP using ipmitool. You can make changes to this configuration using the web interface by going to "Configuration / IPv4 Network". You cannot currently use IPv6; the configuration with IPv6 will become available later on the web interface.

You can set the initial configuration using ipmitool. The corresponding IPMI channel depends on the motherboard and on which interface you would like to configure.

Shared LAN port of the main IP:
* PX60/70/90/120 and SX131/291: Channel 1
* PX91/121: Channel 8

To display the current configuration and the MAC address of the BMC, use the following command:

* PX60/70/90/120 and SX131/291:
 ipmitool lan print 1
* PX91/121:
 ipmitool lan print 8

As shown above, channel 8 ("set 8" rather than "set 1") is to be used for this and all other commands on the PX91 and PX121 models.

To receive an IP via DHCP, use the following command:
 ipmitool lan set 1 ipsrc dhcp
For a static configuration, enter:
 ipmitool lan set 1 ipsrc static
To set an IP address, enter:
 ipmitool lan set 1 ipaddr <IP address>
To set a netmask, enter:
 ipmitool lan set 1 netmask <netmask>
To set a gateway IP, enter:
 ipmitool lan set 1 defgw ipaddr <gateway IP address>

== Serial over LAN ==
 ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
Using cipher suite 3 is essential (if it is not the default) because communication via LANplus is not possible otherwise.

If the following error message appears, you need to activate SOL for the user:

After that, you can see the BIOS output. Accessing the boot loader and/or the booted system requires additional settings.

=== GRUB2 ===

For GRUB2, change the corresponding lines in /etc/default/grub to match the following and re-generate the GRUB configuration.

With the PX90/120 (Supermicro X9SRi-F), the serial console is on ttyS2/unit=2. With the PX91/121 (Asus Z10PA-U8), it is on ttyS1/unit=1. And with the PX60/70 (Intel S1200V3RPL), it is on ttyS0/unit=0. Note also that the baud rate needs to be set to 57600 with the PX91/121, and to 115200 with all others.

==== PX60/70 ====
 GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS0,115200n8"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

==== PX90/120, SX131/291 ====
 GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS2,115200n8"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=2 --word=8 --parity=no --stop=1"

==== PX91/121 ====
 GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS1,57600n8"
 GRUB_TERMINAL=serial
 GRUB_SERIAL_COMMAND="serial --speed=57600 --unit=1 --word=8 --parity=no --stop=1"

=== GRUB (grub-legacy) ===
For GRUB1 (grub-legacy), add the following lines to /boot/grub/menu.lst or /boot/grub/grub.conf (CentOS):

==== PX60/70 ====
 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
 terminal --timeout=5 serial console

==== PX90/120, SX131/291 ====
 serial --unit=2 --speed=115200 --word=8 --parity=no --stop=1
 terminal --timeout=5 serial console

==== PX91/121 ====
 serial --unit=1 --speed=57600 --word=8 --parity=no --stop=1
 terminal --timeout=5 serial console

At the same time, the same serial port needs to be added to the boot options of the kernel: ttyS0 with the PX60/70, ttyS1 with the PX91/121, and ttyS2 with the PX90/120. For the PX60/70, for example:
 console=tty0 console=ttyS0,115200n8
This tells the kernel to output information on the first serial port. Changing GRUB_TERMINAL to serial means that all input/output is redirected to the serial port. A local screen will no longer display a boot menu, so selecting a boot entry via the KVM console or KVM is no longer possible. After a reboot, the output will be sent in parallel to both the local screen and the serial port.
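Because the port, unit and baud rate differ per model and a typo here leaves you without a console, here is an added POSIX shell helper (written for this page; not part of the Hetzner wiki or of GRUB) that writes the three GRUB2 settings above for a named model into a copy of /etc/default/grub. The port/unit/baud table is the one given above; ''serial_params'', ''write_grub_serial'' and the model-name argument are this example's own, and it assumes the file uses the plain ''KEY=value'' layout shown in the snippets.

```shell
#!/bin/sh
# Added example (not from the Hetzner wiki): apply the GRUB2 serial-console
# settings for a Hetzner model to an /etc/default/grub-style file.

# Print "ttyS<n> <unit> <baud>" for a model name, using the table on the page.
serial_params() {
    case "$1" in
        PX60|PX70)              echo "ttyS0 0 115200" ;;
        PX90|PX120|SX131|SX291) echo "ttyS2 2 115200" ;;
        PX91|PX121)             echo "ttyS1 1 57600" ;;
        *) echo "unknown model: $1" >&2; return 1 ;;
    esac
}

# Rewrite GRUB_CMDLINE_LINUX_DEFAULT, GRUB_TERMINAL and GRUB_SERIAL_COMMAND in
# file $2 for model $1. Existing definitions are dropped and the three new
# lines appended, so running it twice leaves exactly one copy of each.
write_grub_serial() {
    params=$(serial_params "$1") || return 1
    file=$2
    set -- $params
    tty=$1; unit=$2; baud=$3
    tmp="$file.tmp.$$"
    # grep exits 1 when every line was filtered out, which is not an error here
    grep -v -e '^GRUB_CMDLINE_LINUX_DEFAULT=' -e '^GRUB_TERMINAL=' \
            -e '^GRUB_SERIAL_COMMAND=' "$file" > "$tmp" || [ $? -eq 1 ]
    {
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=%s,%sn8"\n' "$tty" "$baud"
        printf 'GRUB_TERMINAL=serial\n'
        printf 'GRUB_SERIAL_COMMAND="serial --speed=%s --unit=%s --word=8 --parity=no --stop=1"\n' "$baud" "$unit"
    } >> "$tmp"
    mv "$tmp" "$file"
}

# Usage on a real system, followed by update-grub or grub2-mkconfig as the
# page describes:   write_grub_serial PX91 /etc/default/grub
if [ $# -eq 2 ]; then
    write_grub_serial "$1" "$2"
fi
```

Run it as ''sh script.sh PX91 /etc/default/grub'' (adjusting the model), then re-generate the GRUB configuration; the kernel ''console='' option is carried in GRUB_CMDLINE_LINUX_DEFAULT, so no separate edit is needed for it.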
After that, you need to set up a terminal for the serial port in your system.

=== Debian 7.x (wheezy) / Debian 8 with Sys-V Init ===
The following line needs to be added to /etc/inittab. Here again, use ttyS0 and 115200 baud with the PX60/70, ttyS2 and 115200 baud with the PX90/120, and ttyS1 and 57600 baud with the PX91/121:

 T0:2345:respawn:/sbin/getty -L ttyS0 115200 vt100

After that, you can activate the terminal by entering 'init q'.

=== Ubuntu (up until 14.10 with Upstart) ===

Create the file /etc/init/ttyS0.conf with the following content (or alternatively ttyS2.conf with ttyS2 and 115200 baud for the PX90/PX120 models, or ttyS1.conf with ttyS1 and 57600 baud for the PX91/PX121 models):

After that, you can activate the terminal by entering 'start ttyS0'.

=== CentOS ===

In CentOS 6.x, the configuration is similar to Ubuntu. However, /etc/init/serial.conf automatically starts a getty on the serial port and adds the port to /etc/securetty. So you just need to configure the serial console in grub.conf and add the appropriate kernel option.

=== Debian 8 / OpenSuSE / Fedora ===

For Debian 8 (jessie), OpenSuSE and other distributions such as Fedora which use systemd and GRUB2, just change /etc/default/grub accordingly and renew the configuration using grub2-mkconfig. At the next boot, systemd will automatically use the serial port configured for GRUB2.

=== Serial Console ===

Now, you will quickly see a login prompt if you connect via ipmitool:

 $ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
Current version as of 9 January 2018, 07:59
Inhaltsverzeichnis |
IPMI Information
IPMI (Intelligent Platform Management Interface) is an interface for the management and administration of servers. It is implemented with a BMC (Baseboard Management Controller) of a motherboard. You can access this interface via a command line program (such as IPMItool) or a web interface with which you can administer the server. You can perform a reset, start a KVM, and read the output of the motherboard sensors.
Model Overview
- PX60(-SSD)/PX70(-SSD) - BMC include IPMI (KVM-over-IP as an optional paid module)
- PX90(-SSD)/PX120(-SSD) - BMC include IPMI and KVM
- PX91(-SSD)/PX121(-SSD) - paid optional BMC module with IPMI/KVM
Activation of the Network Interface
Some PX servers have an integrated BMC, while with others, this can be added as a module. With the integrated BMC, the network configuration is disabled by default. To use the IPMI and Serial over LAN and/or KVM function, you will need to order an additional IP address (which has a small fee) via Robot.
Important: You need to specify the MAC address of the BMC when you order the additional IP address.
You can read the MAC address using IPMItool (see Network). After we allocate the IP address to you, you can statically configure or assign it to the BMC via DHCP.
Adding a BMC module / Unlocking the KVM functionality
To add the BMC module (include IPMI and KVM) with the PX91 and PX121 models, or to activate the KVM option (including Virtual Media) with the PX60 and PX70 models, you must order the KVM add-on module via Hetzner Robot. To install the add-on module, you need to shut down the server. The downtime for this is only a few minutes.
Safety Instructions
If the BMC is made accessible by assigning a public IP to it, it can be attacked and under certain circumstances abused, leading to the server potentially becoming compromised. Therefore, you should take measures to counteract the most well-known attack scenarios. To learn more about these attacks, read about the Metasploit penetration tool collection (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi).
The motherboard used in the models PX60 and PX70 is not vulnerable to the options described in the link, as some protection mechanisms are already installed by default. Generally you should change the default passwords and disable or rename already existing users. Anonymous access is deactivated by default on all models. The other attack vectors and their prevention are described in the following points.
Current Threats
Vulnerabilities
Since the BMC that provides the IPMI functionality is simply software, there can be vulnerabilities in it.
PX90/PX120
For the motherboard of the models PX90/120 (Supermicro X9SRi-F), a vulnerability was discovered in the 2.14 firmware version, allowing usernames and passwords to be read in plain text. If your server has this firmware, a firmware update is required before activating the network interface.
The firmware version can be read using impitool:
# ipmitool mc info ... Firmware Revision : 3.50
If you have already activated the network of the IPMI, you can perform the update via the web interface. You can find the latest version on download.hetzner.de.
Alternatively, an update is also possible with Linux if the network of the IPMI has not been activated:
wget http://mirror.hetzner.de/tools/Supermicro/tools/SMT_X9_350.tgz tar -xzf SMT_X9_350.tgz cd SMT_X9_350 ./lUpdate -f SMT_X9_350.bin
Please note that this update only applies to the PX90 and PX120.
PX91/PX121
The additional KVM module for the PX91 and PX121 models (Asus Z10PA-U8) uses insecure SSL protocols and an obsolete SSL certificate in versions before 1.11.
Therefore, depending on the browser you use, there may not be any secure (HTTPS) connections available until after you have performed an update.
You can download the update via the web interface, and you can find the current firmware at download.hetzner.de
Cipher 0 Attacks
Cipher 0 means that no encryption is used and thus any authentication is bypassed. By default Cipher 0 is only activated on the motherboard for callback, meaning logging in is not possible; you can only get a response of whether the BMC is there or not. Even with that, to ensure that no abuse can take place, the Cipher 0 is disabled by default upon delivery of the server and can therefore no longer be used.
Transmission of the password's hash
In the IPMI specification, the authentication of the user is only possible on the user's side. Therefore, a hash of the password is transmitted to any requesting users. As it specifies exactly what this hash contains, it is possible to find the password via a brute-force attack. Due to this being part of the IPMI specification, this problem is found on all BMCs and can only be remedied by changing the specification. Therefore, the only current recommendation about this issue is to use a really long and strong password for the BMC to make it as difficult as possible for any attackers. If a short or easy-to-guess password is used for the BMC, it can be compromised within hours or even minutes.
Here are some tips for a secure password:
If you need to make the password easy to remember, it makes sense to string together several words that have no connection to each other (http://correcthorsebatterystaple.net/). This is secure due to the length and is yet still easy to remember.
If you plan to store the password in a database and you do not need to remember it, then you can use sufficiently random numbers and letters in a reasonable length (> 30 characters) to create a secure password.
SNMP Reflection
A few IPMI modules (for example, ASMB8-iKVM in the PX91 and PX121 models) permit queries via SNMP. Therefore, a small query can cause the loss of a large amount of data if the query from the source address is misused in an attack. If you use SNMP, you need to be sure to use a strong password (which means using an SNMP Community String). If you do not use SNMP, you can use a firewall to block this port on the ASMB8-iKVM modules of the PX91 and PX121 models. You can use the web interface to perform both options.
Explanation of individual functions
Web Interface
The web interface can be used to read data from the BMC easily and securely. It displays all sensors, users can be added and changed, the network configuration can be set, and if you have a KVM, it can be started.
System Information: On this page, you can find some information about your server (BIOS version, current status, CPU and RAM information) and you can see the users who are currently signed in.
Server Health: Here, you can see the output of individual sensors on the motherboard and in the CPU. If there are any thermal problems, you can detect them here. Furthermore, there is an event log. In the log, you can find system events, such as critical temperatures, reboots, and CPU throttling. This may help you diagnose a potential problem. The page "Power Statistics" does not work with this model because the power supply does not have the necessary PMBUS interface.
Configuration: Here you can configure many options of the BMC. The network settings do not usually need to be changed because the configuration for IPv4 is set automatically via DHCP. You can manually configure IPv6, but using the Hetzner default gateway fe80::1 will only be possible with future firmware versions. You can also add new users here and change and delete existing ones. Additionally, the option "Alerts" allows you to have notifications sent via SNMP or email when certain events occur on the server. This can be useful for monitoring the server.
Remote Control: On this page, you can use the KVM functionality of the BMC. However, the option "Console Redirection" is only available if you activate an additional module. You can always use "Server Power Control". This allows you to send a hardware and software reset to the server; you can also shut it down or start it.
Configuration
In this section some basic configuration options are shown. You can usually use the web interface of the BMC. It is also recommended to install "ipmitool", which can be installed via the package manager of all major distributions. This gives you access to additional functions which cannot be configured via the web interface.
Example for Debian:
Installation via the package manager:
apt-get install ipmitool
In order for ipmitool to function, you should load the following modules via "modprobe":
modprobe ipmi_devintf
modprobe ipmi_si
To check if everything important was correctly loaded and installed, use the following example command, which will show you the data from all available sensors:
ipmitool sensor list
Users
Several users with different rights can be created on the BMC. After creating a new user with administrative rights via ipmitool, you can manage more users via the web interface. There are 4 different rights/permission levels:
- Callback (1): Can only initiate a callback
- User (2): Can send read-only requests but cannot change any configuration files
- Operator (3): Can change all configurations apart from deactivating the channel and changing rights
- Administrator (4): Can change all configurations
Usually one or more users already exist. An overview of the existing user IDs and logins can be obtained via:
ipmitool user list 1
In the PX90/PX120 models, an active user with administrative rights already exists:
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
2   ADMIN  false   false      true      ADMINISTRATOR
In the BMC/KVM modules of the PX91/PX121 models, there are two active users with administrator rights:
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          false   false      true      ADMINISTRATOR
2   admin  false   false      true      ADMINISTRATOR
In the PX60/PX70 models, there are 5 standard inactive users. All of them can be changed except for the first one.
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          true    false      true      ADMINISTRATOR
2   root   false   true       true      ADMINISTRATOR
3   test1  true    false      true      ADMINISTRATOR
4   test2  true    false      true      ADMINISTRATOR
5   test3  true    false      true      ADMINISTRATOR
The root (or ADMIN) user ID should be deactivated and, if possible, renamed after creating a customer user and before activating the network configuration.
Change the login name via ipmitool:
ipmitool user set name 2 john-doe
To create a new user, simply assign a previously unused ID a name. The procedure here is identical to changing the login of an ID. The deletion of IDs is possible only by altering the BMC settings.
Create a new user:
ipmitool user set name 6 max+meier
After that, set a password:
ipmitool user set password 6 Correct-Battery-Horse-Staple
Now activate the access for this user:
ipmitool channel setaccess 1 6 link=on ipmi=on callin=on privilege=4
Activate the user itself:
ipmitool user enable 6
To change the password of the user, simply enter the following command:
ipmitool user set password 6 Battery+Staple-Horse$Correct
Finally, you can disable the default admin user:
ipmitool user disable 2
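As an added check that is not part of the Hetzner wiki: before the BMC network interface is enabled, the output of "ipmitool user list <channel>" can be piped through this small POSIX shell/awk audit. It flags every ID that still carries a factory login (ADMIN/admin, root, test1..testN or an empty name) with ADMINISTRATOR privilege; the column layout is the one shown above, and the user list does not tell you whether an ID is enabled, so every hit is one to disable or rename.

```shell
# Added audit helper (not part of the Hetzner wiki). Reads the output of
# `ipmitool user list <channel>` on stdin and prints "ID Name Priv" for each
# factory login (ADMIN/admin, root, test1..testN, or an empty name) that
# still holds ADMINISTRATOR privilege. Assumed column layout, as on the wiki:
# ID Name Callin "Link Auth" "IPMI Msg" "Channel Priv Limit", Name optional.
# `user list` does not show whether an ID is enabled, so every hit should be
# disabled (`ipmitool user disable <id>`) or renamed (`ipmitool user set name`).
audit_bmc_users() {
    awk '
    NR == 1 { next }                    # header line
    NF == 0 { next }                    # blank line
    {
        id = $1
        # An empty Name column shifts everything left: then $2 is already
        # the boolean Callin column.
        if ($2 == "true" || $2 == "false") { name = ""; first = 2 }
        else                               { name = $2; first = 3 }
        # Priv Limit is the 4th column after Name and may contain a space
        # ("NO ACCESS"), so join all remaining fields.
        priv = $(first + 3)
        for (i = first + 4; i <= NF; i++) priv = priv " " $i
        if (priv != "ADMINISTRATOR") next
        lname = tolower(name)
        if (name == "" || lname == "admin" || lname == "root" || lname ~ /^test[0-9]*$/)
            printf "%s %s %s\n", id, (name == "" ? "<empty>" : name), priv
    }'
}

# Returns 1 (and prints the offending IDs) while a factory administrator
# login is still present, 0 when only customer-created accounts remain.
check_bmc_users() {
    hits=$(audit_bmc_users)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage on the server itself (channel 1, or 8 on PX91/121):
#   ipmitool user list 1 | check_bmc_users || echo "factory admin login still present"
```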
Network
In order to make the BMC accessible via the internet, you need to order an additional (fee-based) IP for it via Robot. You can do the IPv4 configuration of the BMC either manually or via DHCP using ipmitool. You can make changes to this configuration using the web interface by going to "Configuration / IPv4 Network". You cannot currently use IPv6. The configuration with IPv6 will become available later on the web interface.
You can set the initial configuration using ipmitool. The corresponding IPMI channel is dependent on the motherboard and which interface you would like to configure.
Shared LAN port of the main IP
- PX60/70/90/120 and SX131/291: Channel 1
- PX91/121: Channel 8
To display the current configuration and the MAC address of the BMC, use the following command:
- PX60/70/90/120 and SX131/291:
ipmitool lan print 1
- PX91/121:
ipmitool lan print 8
As shown above, use channel 8 ("lan set 8") rather than channel 1 ("lan set 1") for this and all of the following commands on the PX91 and PX121 models.
To receive an IP via DHCP, use the following command:
ipmitool lan set 1 ipsrc dhcp
If you want to use the default static configuration, enter:
ipmitool lan set 1 ipsrc static
To set an IP address, enter:
ipmitool lan set 1 ipaddr <IP address>
To set a netmask, enter:
ipmitool lan set 1 netmask <netmask>
To set a gateway IP, enter:
ipmitool lan set 1 defgw ipaddr <gateway IP address>
Serial over LAN
In order to activate SOL (Serial over LAN), enter the following command:
ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
Using cipher suite 3 is essential (if that is not the default) because communication via LANplus is not possible otherwise.
If the following error message appears, you need to activate SOL for the user:
$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
Info: SOL payload disabled
$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol payload enable <channel> <user-id>
After that, you can see the BIOS output. Accessing the boot loader and/or the booted system requires additional settings.
GRUB2
For GRUB2, simply change some lines to match the following in /etc/default/grub and re-generate the settings.
With the PX90/120 (Supermicro X9SRi-F), the serial console is on ttyS2/unit=2. With the PX91/121 (Asus Z10PA-U8), it is on ttyS1/unit=1. And with the PX60/70 (Intel S1200V3RPL), it is on ttyS0/unit=0. It should also be noted that the baud rate needs to be set at 57600 with the PX91/121, and 115200 with all others.
PX60/70
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
PX90/120, SX131/291
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS2,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=2 --word=8 --parity=no --stop=1"
PX91/121
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS1,57600n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=57600 --unit=1 --word=8 --parity=no --stop=1"
GRUB (grub-legacy)
For GRUB1 (grub-legacy), add the following lines to /boot/grub/menu.lst or /boot/grub/grub.conf (CentOS):
PX60/70
serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console
PX90/120, SX131/291
serial --unit=2 --speed=115200 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console
PX91/121
serial --unit=1 --speed=57600 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console
At the same time, the same serial port needs to be added to the boot options of the kernel. That is ttyS0 with the PX60/70, ttyS1 with the PX91/121, and ttyS2 with the PX90/120.
console=tty0 console=ttyS0,115200n8
This tells the kernel to output information on the given serial port. Changing GRUB_TERMINAL to serial redirects all of GRUB's input/output to the serial port: a local screen will no longer display a boot menu, so selecting a boot entry via the KVM console is no longer possible. After a reboot, the kernel output will be sent in parallel to both the local screen and the serial port.
After that, you need to set up a terminal for the serial port in your system.
Debian 7.x (wheezy) / Debian 8 with Sys-V Init
The following line needs to be added to /etc/inittab. Here again, use ttyS0 and 115200 Baud with the PX60/70, ttyS2 and 115200 Baud with the PX90/120, and ttyS1 and 57600 Baud with the PX91/121:
T0:2345:respawn:/sbin/getty -L ttyS0 115200 vt100
After that, you can activate the terminal by entering 'init q'.
Ubuntu (up until 14.10 with Upstart)
Create the file /etc/init/ttyS0.conf with the following content (or alternatively, ttyS2.conf with ttyS2 and 115200 Baud with the PX90/PX120 models, or ttyS1.conf with ttyS1 and 57600 Baud with the PX91/PX121 models):
# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
exec /sbin/getty -L ttyS0 115200 vt100
After that, you can activate the terminal by entering 'start ttyS0'.
CentOS
In CentOS 6.x, the configuration is similar to Ubuntu. However, /etc/init/serial.conf automatically starts a getty on the serial port and adds the port to /etc/securetty. So you just need to configure the serial console in grub.conf and add the appropriate kernel option.
Debian 8 / OpenSuSE / Fedora
For Debian 8 (jessie), OpenSuSE and other distributions such as Fedora which use systemd and GRUB2, just change /etc/default/grub accordingly and renew the configuration using grub2-mkconfig. At the next boot, systemd will automatically start a terminal on the serial port configured for GRUB2.
Serial Console
Now, when you connect via ipmitool, a login prompt appears after a moment:
$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
[SOL Session operational.  Use ~? for help]

Debian GNU/Linux 7 Debian-70-wheezy-64-minimal ttyS0

Debian-70-wheezy-64-minimal login: