Hetzner - DokuWiki


IPMI Configuration

General Information

IPMI (Intelligent Platform Management Interface) is an interface for the management and administration of servers. It is implemented by the BMC (Baseboard Management Controller) on the motherboard. The interface can be accessed via a command-line program (such as ipmitool) or a web interface, through which administration tasks can be performed. Such tasks include performing a reset, starting a KVM session and reading the output of the motherboard sensors.

All models of the PX series have an active BMC module whose network configuration is disabled by default. After ordering an additional IP address (for 1 Euro per month), the remote maintenance functions, including Serial over LAN, can be used via IPMI.

Complete KVM functionality including Virtual Media support is available on the PX90 and PX120 models after activating the network. On the PX60 and PX70 models this feature can be enabled via a paid add-on.

Activation of the Network Interface

By default the BMC is only accessible via local interfaces. To use the remote maintenance functions an additional fee-based IP address is needed, which can be ordered via the Hetzner Robot. The MAC address of the BMC must be specified. This can be read using ipmitool (see Network). After allocation of the IP address it can be statically configured or assigned via DHCP to the BMC.

Unlock the KVM functionality

To unlock the KVM option including virtual media support on the PX60 and PX70 models, the KVM add-on module must be ordered via the Hetzner Robot. To install the add-on module, the server must be shut down. The downtime for this is only a few minutes.

Safety Instructions

If the BMC is made accessible by assigning a public IP address to it, it can be attacked and, under certain circumstances, abused, which can lead to the server being compromised. Therefore, measures should be taken against the well-known attack scenarios. Some of these attacks can be carried out with the Metasploit penetration testing framework (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi). The motherboard used in the PX60 and PX70 models is not vulnerable to the attacks described in that link, as some protection mechanisms are already installed by default. In general, the default passwords should be changed and already existing users disabled or renamed. Anonymous access is deactivated by default on all models. The remaining attack vectors and their prevention are described in the following points.

Current Threats

Cipher 0 Attacks

Cipher 0 means that no encryption is used and thus any authentication is bypassed. By default, Cipher 0 is only enabled on the motherboard for the callback privilege level, so logging in with it is not possible; it only yields a response as to whether the BMC is present or not. To ensure that no abuse can take place even so, Cipher 0 is disabled on delivery of the server and can therefore no longer be used.

Transmission of the password's hash

In the IPMI specification, the user is authenticated only on the client side: the BMC transmits a hash of the password to any client that requests it. Because the specification defines exactly what this hash contains, the password can be recovered via a brute-force attack. Since this is part of the IPMI specification, the problem exists on all BMCs and can only be remedied by changing the specification. The only advice for this issue is therefore to use a really long and strong password for the BMC, to make it as difficult as possible for attackers. If a short or easily guessed password is used, the BMC can be compromised within hours or even minutes.

Here are some tips for a secure password:

  • If the password should be easy to remember, it makes sense to string together several words that have no connection to each other (http://correcthorsebatterystaple.net/). This is secure due to the length and yet still easy to remember.
  • If the password is stored in a database and does not need to be remembered, you can use sufficiently random numbers and letters of a reasonable length (> 30 characters) to create a secure password.
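As an added example (not part of the original page), a small shell audit that reads the output of ipmitool lan print 1, checks whether cipher suite 0 is really marked unused, and otherwise emits the ipmitool lan set 1 cipher_privs command that disables it; the sample output is constructed, and channel 1 is assumed as elsewhere on this page.

```shell
#!/bin/sh
# Constructed sample of "ipmitool lan print 1" output (not captured from a
# real BMC). The first character of "Cipher Suite Priv Max" belongs to
# cipher suite 0; here it is still "c" (CALLBACK), i.e. not yet disabled.
SAMPLE_LAN_PRINT='IP Address Source       : DHCP Address
IP Address              : 192.0.2.10
MAC Address             : 00:00:5e:00:53:01
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : caaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     a=ADMIN'

# Extract the per-suite privilege string (position N+1 is cipher suite N).
cipher_privs() {
    printf '%s\n' "$1" | sed -n 's/^Cipher Suite Priv Max *: *\([A-Za-z]*\).*/\1/p'
}

# 0 = cipher suite 0 is marked unused, 1 = it is still enabled,
# 2 = the field was not found in the output.
cipher0_disabled() {
    privs=$(cipher_privs "$1")
    [ -n "$privs" ] || return 2
    case "$privs" in
        X*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Remediation command: keep every other suite as it is and mark suite 0
# unused, so the BMC refuses sessions that negotiate "no authentication".
cipher0_fix_command() {
    privs=$(cipher_privs "$1")
    printf 'ipmitool lan set 1 cipher_privs X%s\n' "${privs#?}"
}

# Audit: print the finding and, if needed, the command to apply on the server.
audit_cipher0() {
    if cipher0_disabled "$1"; then
        echo "OK: cipher suite 0 is disabled"
    else
        echo "WARN: cipher suite 0 is enabled, run: $(cipher0_fix_command "$1")"
    fi
}
```

On a real server, replace the constructed sample with `"$(ipmitool lan print 1)"` and re-run the audit after applying the printed command.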

Explanation of individual functions

Web Interface

The web interface can be used to read data from the BMC easily and securely. It displays all sensors, users can be added and changed, the network configuration can be set, and if you have a KVM, it can be started from here.

System Information: On this page, you can find some information about your server (BIOS version, current status, CPU and RAM information) and you can see the users who are currently signed in.

Server Health: Here, you can see the output of individual sensors on the motherboard and in the CPU. If there are any thermal problems, you can detect them here. Furthermore, there is an event log. In the log, you can find system events, such as critical temperatures, reboots, and CPU throttling. This may help you diagnose a potential problem. The page "Power Statistics" does not work with this model because the power supply does not have the necessary PMBUS interface.

Configuration: Here you can configure many options of the BMC. The network settings do not usually need to be changed because the configuration for IPv4 is set automatically via DHCP. You can manually configure IPv6, but using the Hetzner default gateway fe80::1 will be possible with future firmware versions only. You can also add new users here, as well as change and delete existing ones. Additionally, the option "Alerts" allows you to have notifications sent via SNMP or email when certain events occur on the server. This can be useful for monitoring the server.

Remote Control: On this page, you can use the KVM functionality of the BMC. However, the option "Console Redirection" is only available if you activate an additional module. You can always use "Server Power Control". This allows sending a hardware and software reset to the server as well as shutting it down or starting it.

Configuration

In this section some basic configuration options are shown. In most cases the web interface of the BMC can be used. It is also recommended to install "ipmitool", which is available via the package manager of all major distributions. This gives access to additional functions which cannot be configured via the web interface.

Example for Debian:

Installation via the package manager:

apt-get install ipmitool

In order for ipmitool to function, the following modules must be loaded via "modprobe":

modprobe ipmi_devintf
modprobe ipmi_si

To check if everything important was correctly loaded and installed the following example command can be used, which will show the data from all available sensors:

ipmitool sensor list

Users

On the BMC several users can be created with different rights. After creating a new user with administrative rights via ipmitool, further users can be managed via the web interface. There are four different privilege levels:

  • Callback (1): Can only initiate a callback
  • User (2): Can send read-only requests but cannot change any configuration files
  • Operator (3): Can change all configurations apart from deactivating the channel and changing rights
  • Administrator (4): Can change all configurations

Usually one or more users already exist. An overview of the existing user IDs and logins can be obtained via:

ipmitool user list 1

In the PX90/PX120 models an active user with administrative rights already exists:

ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   ADMIN            false   false      true       ADMINISTRATOR

In the PX60/PX70 models there are 5 standard inactive users, which can be changed with the exception of the first one.

ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   root             false   true       true       ADMINISTRATOR
3   test1            true    false      true       ADMINISTRATOR
4   test2            true    false      true       ADMINISTRATOR
5   test3            true    false      true       ADMINISTRATOR

The root (or ADMIN) user ID should be deactivated and, if possible, renamed after creating a customer user and before activating the network configuration.

Changing the login name can be done via ipmitool:

ipmitool user set name 2 john-doe

To create a new user, simply assign a name to a previously unused ID. The procedure is identical to changing the login of an existing ID. Deleting IDs is only possible by resetting the BMC settings.

Create a new user:

ipmitool user set name 6 max+meier

After that a password should be set:

ipmitool user set password 6 Correct-Battery-Horse-Staple

Now the access for this user should be activated:

ipmitool channel setaccess 1 6 link=on ipmi=on callin=on privilege=4

The user itself should also be activated:

ipmitool user enable 6

To change the password of the user the following command suffices:

ipmitool user set password 6 Battery+Staple-Horse$Correct

Finally the default admin user is deactivated:

ipmitool user disable 2
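The user-provisioning steps above, wrapped into an added shell example that is not from the original page: it picks the first unused ID from ipmitool user list 1 output, rejects the delivered default names, enforces a 16 to 20 character password (the IPMI 2.0 Set User Password command carries at most 20 bytes), and prints the exact command sequence for review instead of running it. The listing is a constructed sample; the user name max+meier is taken from the page.

```shell
#!/bin/sh
# Constructed "ipmitool user list 1" output of a PX60/PX70 as delivered
# (not captured from a real BMC).
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   root             false   true       true       ADMINISTRATOR
3   test1            true    false      true       ADMINISTRATOR
4   test2            true    false      true       ADMINISTRATOR
5   test3            true    false      true       ADMINISTRATOR'

# First user ID that the listing does not mention. Existing IDs cannot be
# deleted (only a BMC reset removes them), so a new user takes a fresh slot.
free_user_id() {
    used=$(printf '%s\n' "$1" | awk 'NR > 1 { print $1 }')
    id=1
    while printf '%s\n' "$used" | grep -qx "$id"; do id=$((id + 1)); done
    echo "$id"
}

# ID of the pre-installed admin account (root or ADMIN) that gets disabled.
default_admin_id() {
    printf '%s\n' "$1" | awk '$2 == "root" || $2 == "ADMIN" { print $1; exit }'
}

# Emit the ipmitool sequence from the Users section for a new administrator
# on channel 1. Nothing is executed here: review the output, then pipe it
# to sh on the server. Arguments: <user list output> <name> <password>.
provision_admin() {
    listing=$1 name=$2 password=$3
    case "$name" in
        ''|root|ADMIN|test[0-9]*) echo "refusing default or empty name: $name" >&2; return 1 ;;
    esac
    [ ${#name} -le 16 ] || { echo "user name longer than 16 characters" >&2; return 1; }
    [ ${#password} -ge 16 ] && [ ${#password} -le 20 ] || { echo "password must be 16-20 characters" >&2; return 1; }
    new=$(free_user_id "$listing")
    old=$(default_admin_id "$listing")
    [ -n "$old" ] || { echo "no root/ADMIN user found in listing" >&2; return 1; }
    printf 'ipmitool user set name %s %s\n' "$new" "$name"
    printf 'ipmitool user set password %s %s\n' "$new" "$password"
    printf 'ipmitool channel setaccess 1 %s link=on ipmi=on callin=on privilege=4\n' "$new"
    printf 'ipmitool user enable %s\n' "$new"
    printf 'ipmitool user disable %s\n' "$old"
}
```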

Network

In order to make the BMC accessible via the internet, you need to order an additional (fee-based) IP address for it via the Hetzner Robot. The IPv4 configuration of the BMC can be done either manually or via DHCP using ipmitool. You can make changes to this configuration using the web interface at "Configuration / IPv4 Network". Using IPv6 is currently not possible; its configuration will be possible later using the web interface.

The initial configuration can be set using ipmitool. To display the current configuration and the MAC address of the BMC, the following command is sufficient:

ipmitool lan print

To receive an IP via DHCP, use the following command:

ipmitool lan set 1 ipsrc dhcp

If you want to use the default static configuration, enter:

ipmitool lan set 1 ipsrc static

Setting an IP address:

ipmitool lan set 1 ipaddr <IP Address>

Setting a netmask:

ipmitool lan set 1 netmask <Netmask>

Setting a gateway IP:

ipmitool lan set 1 defgw ipaddr <Gateway IP Address>

Serial over LAN

In order to activate SOL (Serial over LAN), enter the following command:

ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate

Using cipher suite 3 is essential (if it is not already the default), because communication via lanplus is not possible otherwise.

If the following error message appears, you need to activate SOL for the user:

$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
Info: SOL payload disabled
$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol payload enable <channel> <user-id>

After that, you can see the BIOS output. Accessing the boot loader and/or the booted system requires additional settings.

For GRUB2, simply change some lines to match the following in /etc/default/grub and re-generate the settings:

GRUB_CMDLINE_LINUX_DEFAULT="nomodeset console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

For GRUB1 (grub-legacy), add the following lines to /boot/grub/menu.lst or /boot/grub/grub.conf (CentOS):

serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console

Add the following to the boot options of the kernel:

console=tty0 console=ttyS0,115200n8

This tells the kernel to output information on the first serial port. The change of GRUB_TERMINAL to serial means any input/output is redirected to the serial port. A local screen will not display a boot menu anymore and thus, selecting a boot entry via LARA or KVM is not possible anymore. After a reboot, the output will be sent both locally and to the serial port.

After that, you need to set up a terminal for the serial port in your system.

Note: On the Supermicro X9SRi-F mainboard, you need to use ttyS2 instead of ttyS0.

  • Debian

Add the following line to /etc/inittab:

T0:2345:respawn:/sbin/getty -L ttyS0 115200 vt100

After that, you can activate the terminal by entering 'init q'.

  • Ubuntu

Create the file /etc/init/ttyS0.conf with the following content:

# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
exec /sbin/getty -L ttyS0 115200 vt100

After that, you can activate the terminal by entering 'start ttyS0'.

  • CentOS

For CentOS, the configuration is similar to Ubuntu. First, create the file /etc/init/ttyS0.conf with the following content:

# ttyS0 - agetty
#
# This service maintains a agetty on ttyS0.

stop on runlevel [S016]
start on runlevel [23]

respawn
exec agetty -h -L -w /dev/ttyS0 115200 vt102

After that, you can activate the terminal by entering 'start ttyS0'. If you want to log in as root on this terminal, you need to allow root access first:

echo "ttyS0" >> /etc/securetty

  • OpenSuSE / Fedora

For OpenSuSE and other distributions such as Fedora which use systemd and GRUB2, just change /etc/default/grub accordingly and re-generate the configuration by entering grub2-mkconfig. At the next boot, systemd will automatically start using the serial port of GRUB2.

  • Serial terminal

Now, you will see a login prompt if you connect via ipmitool:

$ ipmitool -C 3 -I lanplus -H <ipaddr> -U <user> -P <pass> sol activate
[SOL Session operational.  Use ~? for help]

Debian GNU/Linux 7 Debian-70-wheezy-64-minimal ttyS0

Debian-70-wheezy-64-minimal login:


© 2019. Hetzner Online GmbH. All rights reserved.