Secure IPMI access

Problem

How disappointing it is to discover at the most inopportune moment that IPMI is unavailable. And lately this happens quite often, especially on older servers. The thing is that automated brute force attacks are constantly happening on the internet. IPMI runs on a separate chip, whose power is sufficient to ensure the web interface works, but it can be easily disabled by password guessing via SSH or a large number of connections.

Solution

Now IPMI of all servers is available only within our network, where it is much safer than on the internet. We have developed a special application that works as a gateway. Thus, IPMI is available via SSH and RMCP protocols only within the network, and the web interface is available on the internet through a gateway on a non-standard port. Access is via domain name through a secure HTTPS connection with a modern SSL certificate even for those servers where IPMI is only available via HTTP. In addition to the web interface, the gateway also serves console (iKVM) and Virtual Media.

Modern security requirements

Due to the discovery of vulnerabilities, as well as performance growth, some encryption protocols became obsolete quite quickly. Thus, relatively modern HP 7th generation servers, which have iLO version 3, can no longer be opened in any current browser version. Thanks to our solution, both iLO2 and iLO3 web interfaces became available. In addition, for iLO2 we implemented the ability to connect ISO images and Java web console.