On 6/2/2014 1:42 PM, Brian Rak wrote:
They do publish it. The problem is, it's not documented, and it takes
a bunch of work to get into a usable state. See
ftp://ftp.supermicro.com/GPL/SMT/SDK_SMT_X9_317.tar.gz
Plus, the firmware environment is pretty hostile. If you flash some
bad firm
On Mon, Jun 2, 2014 at 7:42 PM, Jimmy Hess wrote:
> On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson wrote:
> [snip]
>> So, kinda the same idea - just put IPMI on another network and use ssh
>> forwards to it. You can have multiple boxes connected in this fashion
>> but the point is to keep it simp
On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson wrote: [snip]
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't r
On 2014-06-02 21:54, Brian Rak wrote:
>
> On 6/2/2014 3:47 PM, shawn wilson wrote:
>> On Mon, Jun 2, 2014 at 3:19 PM, Nikolay Shopik wrote:
>>
>>> Java only used for mounting images. KVM is transferred via VNC protocol
>>> iirc.
>> They're not re-inventing the wheel, but I think KVM is generally so
On 6/2/2014 3:47 PM, shawn wilson wrote:
On Mon, Jun 2, 2014 at 3:19 PM, Nikolay Shopik wrote:
Java only used for mounting images. KVM is transferred via VNC protocol iirc.
They're not re-inventing the wheel, but I think KVM is generally some
VNC stream embedded in http(s) which VNC clients ca
Once upon a time, Nikolay Shopik said:
> I believe most people need from IPMI is KVM (sometimes serial), and
> (rarely?) need to mount remote ISO images.
>
> Java only used for mounting images. KVM is transferred via VNC protocol iirc.
In my experience, KVM requires their "special" client (Java),
On Mon, Jun 2, 2014 at 3:19 PM, Nikolay Shopik wrote:
> Java only used for mounting images. KVM is transferred via VNC protocol iirc.
hahaha! not on a Dell/drac ;( where it's some goofy key'd (xor'd I
think?) vnc bastardization :(
On Mon, Jun 2, 2014 at 3:19 PM, Nikolay Shopik wrote:
>
> Java only used for mounting images. KVM is transferred via VNC protocol iirc.
They're not re-inventing the wheel, but I think KVM is generally some
VNC stream embedded in http(s) which VNC clients can't seem to
understand (at least, at a gl
On 02.06.2014 21:52, shawn wilson wrote:
> Really, it would be nice to have an open card that
> does this. Even if the card were limited to what you could do with DMA
> and some serial (i2c and whatnot) cables. I'd use that instead of
> something else (in this case, mainly because I'd replace the
On 02.06.2014 21:39, Jeroen Massar wrote:
>
> Source won't help too much, as upgrading the kernel will require a lot
> more magic than just that.
>
> Also, do you have time to support all the different IPMI boxes out there
> while your vendor should be doing that work?
Agree, but most IPMI cards
iLo is a value add to HP. DRAC sucks (so I'd replace it and then Dell
would have hardware under support with some unknown IPMI). Supermicro,
Tyan, etc - idk. Really, it would be nice to have an open card that
does this. Even if the card were limited to what you could do with DMA
and some serial (i2
They do publish it. The problem is, it's not documented, and it takes a
bunch of work to get into a usable state. See
ftp://ftp.supermicro.com/GPL/SMT/SDK_SMT_X9_317.tar.gz
Plus, the firmware environment is pretty hostile. If you flash some bad
firmware, your only option is to desolder th
On 2014-06-02 19:32, Nikolay Shopik wrote:
>
> On 02/06/14 20:56, Christopher Morrow wrote:
>> so... as per usual:
>> 1) embedded devices suck rocks
>> 2) no updates or sanity expected anytime soon in same
>> 3) protect yourself, or suffer the consequences
>>
>> seems normal.
>
> So I wo
On Mon, Jun 2, 2014 at 1:32 PM, Nikolay Shopik wrote:
>
> On 02/06/14 20:56, Christopher Morrow wrote:
>>
>> so... as per usual:
>> 1) embedded devices suck rocks
>> 2) no updates or sanity expected anytime soon in same
>> 3) protect yourself, or suffer the consequences
>>
>> seems normal
On 02/06/14 20:56, Christopher Morrow wrote:
so... as per usual:
1) embedded devices suck rocks
2) no updates or sanity expected anytime soon in same
3) protect yourself, or suffer the consequences
seems normal.
So I wonder why vendors don't publish source code of these ipmi firmware
Here's one useful method, which depends on having appropriate subnet and
VLAN capabilities.
Have all hosts at a given site, have their main interface do dot1q (switch
config trunked port).
The ipmi interfaces will be on one VLAN (put those ports in that VLAN).
The first VLAN is the public routed s
On Mon, Jun 2, 2014 at 12:14 PM, Blake Hudson wrote:
> We just reported a bug to Dell regarding their last 2 generations of remote
> access controllers where the firewall rules only apply to TCP and not to
> ICMP or UDP. Their first response was to replace the motherboard. Second
> response was th
shawn wilson wrote the following on 6/2/2014 11:06 AM:
On Mon, Jun 2, 2014 at 10:14 AM, Jared Mauch wrote:
My IPMI (super micro) you can put v6 and v4 filters into for protecting the ip
space from trusted sources. Has my home static ip ranges and a few intermediary
ranges that I also have ac
On Mon, Jun 2, 2014 at 10:14 AM, Jared Mauch wrote:
> My IPMI (super micro) you can put v6 and v4 filters into for protecting the
> ip space from trusted sources. Has my home static ip ranges and a few
> intermediary ranges that I also have access to.
>
Mmmm, and an ip has never been spoofed an
On 2014-06-02 07:19, Andrew Latham wrote:
I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.
Same here. My entire in band management plane (DRAC
(disk/cpu/temperature etc telemetry to my OpenManage/Zenoss server),
OpenSSH and 80/443 for backend stuffs
On Mon, Jun 2, 2014 at 11:11 AM, Randy Bush wrote:
>> My IPMI (super micro) you can put v6 and v4 filters into for
>> protecting the ip space from trusted sources.
>
> cool. can i put in "star alliance?" :)
restfulwhois look up for gogoinflight ... done.
> My IPMI (super micro) you can put v6 and v4 filters into for
> protecting the ip space from trusted sources.
cool. can i put in "star alliance?" :)
randy
The kernel is the least of your worries here.
This is what you can expect from the Supermicro controllers:
Linux Kernel 2.6.17.13
Lighttpd 1.4.32
pcre 8.31
pcre 8.33
msmtp 1.4.16
tree 1.5.2.2
flex 2.5.35
readline 5.2
termcap 1.3.1
BIND 9.8.1-P1
busybox 1.12.0
ntp 4.2.4p4
openssl 0.9.8h
openlldp
I keep 2 vpn servers. ACL's at router to ipmi vlan, plus whatever
additional security ipmi happens to have.
I'm of the belief that vpn servers should be redundant. Kinda silly to
lose one and not have access to your network. :)
Jack
On 6/2/2014 7:10 AM, Randy Bush wrote:
so how to folk prot
My IPMI (super micro) you can put v6 and v4 filters into for protecting the ip
space from trusted sources. Has my home static ip ranges and a few intermediary
ranges that I also have access to.
> On Jun 2, 2014, at 5:10 AM, Randy Bush wrote:
>
> so how to folk protect yet access ipmi? it is p
On 06/02/2014 08:26 AM, Randy Bush wrote:
I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.
h. 'cept when it is the openvpn server's ipmi. but good hack. i
may use it, as i already do openvpn. thanks.
randy
What you can also do if you want to remo
Once upon a time, shawn wilson said:
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't really count here :) ).
On Mon, Jun 2, 2014 at 8:26 AM, Randy Bush wrote:
>> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
>> wiki, and ipmi.
>
> h. 'cept when it is the openvpn server's ipmi. but good hack. i
> may use it, as i already do openvpn. thanks.
>
So, kinda the same idea -
True, excellent point as well.
Multiple openvpn/ipsec entry points on an internal network is probably
the best way to go.
On 6/2/2014 09:33 PM, Jeroen Massar wrote:
On 2014-06-02 14:23, Paul S. wrote:
[..]
On most ATEN chip based BMC boards from Supermicro, it includes a UI to
iptables that w
Multiple points of entry into the VPN mesh? When you need to muck with
concentratorA's ipmi, use b, c, or d.
Sent from my iPhone
On Jun 2, 2014, at 8:26, Randy Bush wrote:
>> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
>> wiki, and ipmi.
>
> h. 'cept when it
On 2014-06-02 14:23, Paul S. wrote:
[..]
> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
> iptables that works in the same way.
>
> You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
>
> But unless you have servers with those, I think the best way to
In addition I will suggest multiple paths (oobm) to the network. IE VPN via
second provider network.
On Jun 2, 2014 7:26 AM, "Randy Bush" wrote:
> > I use OpenVPN to access an Admin/sandboxed network with insecure portals,
> > wiki, and ipmi.
>
> h. 'cept when it is the openvpn server's ipmi
> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
> wiki, and ipmi.
h. 'cept when it is the openvpn server's ipmi. but good hack. i
may use it, as i already do openvpn. thanks.
randy
On 2014-06-02 14:10, Randy Bush wrote:
> so how to folk protect yet access ipmi? it is pretty vulnerable, so 99%
> of the time i want it blocked off. but that other 1%, i want kvm
> console, remote media, and dim sum.
>
> currently, i just block the ip address chunk into which i put ipmi at
> th
On 6/2/2014 09:19 PM, Andrew Latham wrote:
I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.
On Jun 2, 2014 7:13 AM, "Randy Bush" wrote:
so how to folk protect yet access ipmi? it is pretty vulnerable, so 99%
of the time i want it blocked off. but that
I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.
On Jun 2, 2014 7:13 AM, "Randy Bush" wrote:
> so how to folk protect yet access ipmi? it is pretty vulnerable, so 99%
> of the time i want it blocked off. but that other 1%, i want kvm
> console, remote me
so how to folk protect yet access ipmi? it is pretty vulnerable, so 99%
of the time i want it blocked off. but that other 1%, i want kvm
console, remote media, and dim sum.
currently, i just block the ip address chunk into which i put ipmi at
the border of the rack. when i want access, i reconf