Steps To Disable network access to SuperMicro Computer (SMC) BMC
The BMC allows console-like access to the system remotely. This is done in conjunction with the Intelligent Platform Management Interface (IPMI). IPMI is reachable through several interfaces: a network portal, a serial console, and direct in-band management via the software driver.
Securing the Network Interface to IPMI
SMC has published security guidelines for IPMI. They can be found here: https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf
The guidelines cover the following basic practices:
- Restrict inbound network access to BMCs from the internet. In other words, do not allow the IPMI interface to be connected to or accessible from the internet.
- Separate the IPMI network from other networks.
- Use firewalls to restrict outbound traffic from the BMCs
- Use dedicated network interfaces for managing BMCs
- Change port numbers used for IPMI
- Change default credentials
- Enable IP address access filtering
- Monitor for unusual incoming and outgoing traffic
- Upgrade firmware
Arxys recommends that all end users verify or configure their BMCs to use only dedicated ports and to disable the use of shared network ports that are connected to other networks or the internet.
Verifying IPMI LAN port via WebGUI
- To verify the IPMI LAN port via the WebGUI, the SMC IPMI module must be configured and its IP address must be known.
- Connect to the system's IPMI web interface by entering the IPMI address in the address bar of a web browser.
- Log in using the IPMI credentials set. The defaults are ADMIN:ADMIN. If the system still has the default credentials, it is highly recommended that they be changed now as well. This can be done in Configuration -> Users.
- Go to Configuration -> Network.
- Physically locate the dedicated IPMI LAN port on the system. The dedicated LAN port is the port on the left of the motherboard IO ports. See figures 3 and 4.
- Remove the network cable from this port.
- The BMC will no longer be accessible via IPMI over the network.
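The dedicated-versus-shared port setting can also be checked from the host OS over the in-band interface mentioned above. The script below is an added example, not part of the Arxys or Supermicro instructions. It assumes the board supports the Supermicro OEM raw command 0x30 0x70 0x0c, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the Supermicro BMC LAN mode in-band from the host OS.
# Assumption: the board answers the Supermicro OEM command
#   ipmitool raw 0x30 0x70 0x0c 0
# with one byte: 00 = dedicated, 01 = shared, 02 = failover.

# Map the raw response byte to a mode name; anything else is "unknown".
lan_mode_name() {
    # ipmitool pads the hex byte with whitespace; strip it first.
    byte=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$byte" in
        00) echo dedicated ;;
        01) echo shared ;;
        02) echo failover ;;
        *)  echo unknown ;;
    esac
}

# Policy from the recommendation above: only the dedicated port is acceptable.
# Returns 0 when compliant, 1 otherwise (failover and unknown also fail).
lan_mode_compliant() {
    [ "$(lan_mode_name "$1")" = "dedicated" ]
}

# Query the local BMC and report. Needs root and the IPMI kernel driver.
audit_local_bmc() {
    if ! command -v ipmitool >/dev/null 2>&1; then
        echo "SKIP: ipmitool not installed"; return 2
    fi
    raw=$(ipmitool raw 0x30 0x70 0x0c 0 2>/dev/null) || {
        echo "SKIP: OEM LAN mode query failed (unsupported board or no driver)"
        return 2
    }
    mode=$(lan_mode_name "$raw")
    if lan_mode_compliant "$raw"; then
        echo "OK: BMC LAN mode is $mode"
    else
        echo "FAIL: BMC LAN mode is $mode; BMC may share a host network port"
        return 1
    fi
}

# Run the live audit only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_local_bmc
fi
```

Run it as root with `--audit`. A FAIL result means the BMC can fall back to or use a host network port, which is the condition the recommendation above asks users to eliminate.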