(Albert - crushing a few of your replies into one bit; thanks for the feedback!)
On Feb 19, 2013, at 10:18 AM, Albert Chu <[email protected]> wrote:

>> 7. Don't use MD2 or RC4 for anything (they're usable in several
>> places in the specification and vendors still support them.) Written
>> in 1989 & 1987, they've both been demonstrated to be relatively insecure.
>> MD5 isn't great, but at least it's better than MD2.
>
> As an alternate, I would say just disable these authentication
> mechanisms so they can't be used at all period (i.e. disable MD2,
> disable clear password, disable Cipher Suite 0). In bmc-config, you can
> find the config of these in the sections Rmcpplus_Conf_Privilege and
> Lan_Conf_Auth.

Yes, disabling is far preferable, if it can be done. I should have used that language, but I was waffling because I didn't want to have to read that part of the spec again ;)

>> 17. Disable all services that aren't used (this can usually be done
>> via the BMC's web interface, scripting interfaces, or the command
>> line interface).
>
> Not sure if you're aware, but many of these "disable extra services" are
> supported in ipmi-oem. Of course, I have to support the specific
> motherboard/vendor. [+ssh, telnet, etc.]

Of course - as a matter of fact nearly all of them, if memory serves; good catch. There are some near-ubiquitous ones, but I shouldn't be sloppy.

> So here's 2 other security things I thought of
>
> A)
>
> In newer IPMI errata there is support to configure how many attempts a
> person has to brute force a password before the BMC just locks up that
> user. I don't know how many motherboards support this, but it's not
> many. Here's the description from bmc-config as an FYI.

[…]

> SOL security can be tightened as well. Such as (this is a cut & paste
> from bmc-config).

Both great catches, thanks! I've gone to free*ipmi-config because it's so trivial to parse, so I'll make sure these are in.

dan

_______________________________________________
Freeipmi-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/freeipmi-devel
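As an added example (not code from this thread or from FreeIPMI), a small Python audit of a bmc-config checkout for the settings Albert suggests disabling: it assumes FreeIPMI's `Lan_Conf_Auth` `*_Enable_Auth_Type_*` and `Rmcpplus_Conf_Privilege` `Maximum_Privilege_Cipher_Suite_Id_N` key naming, and the sample checkout text is constructed for the example.

```python
# Added example (not FreeIPMI's code): parse a bmc-config checkout and flag
# the settings the thread says to disable. Key names assumed to follow
# FreeIPMI naming; the sample checkout below is constructed.

SAMPLE_CHECKOUT = """\
Section Lan_Conf_Auth
\t## Possible values: Yes/No
\tUser_Enable_Auth_Type_None              No
\tUser_Enable_Auth_Type_MD2               Yes
\tUser_Enable_Auth_Type_MD5               Yes
\tUser_Enable_Auth_Type_Straight_Password Yes
EndSection
Section Rmcpplus_Conf_Privilege
\t## Possible values: Unused/User/Operator/Administrator/OEM_Proprietary
\tMaximum_Privilege_Cipher_Suite_Id_0     Administrator
\tMaximum_Privilege_Cipher_Suite_Id_3     Administrator
EndSection
"""


def parse_checkout(text):
    """Return {section: {key: value}}; '#' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Section "):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif line == "EndSection":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            sections[current][key] = value.strip()
    return sections


def audit(sections):
    """Flag enabled MD2, cleartext (Straight_Password) and None auth types,
    and Cipher Suite 0 unless its maximum privilege is Unused."""
    findings = []
    for key, value in sections.get("Lan_Conf_Auth", {}).items():
        if key.endswith(("_MD2", "_Straight_Password", "_None")) and value == "Yes":
            findings.append(f"Lan_Conf_Auth:{key}=Yes (set to No)")
    cs0 = sections.get("Rmcpplus_Conf_Privilege", {}).get(
        "Maximum_Privilege_Cipher_Suite_Id_0")
    if cs0 is not None and cs0 != "Unused":
        findings.append("Rmcpplus_Conf_Privilege:Maximum_Privilege_"
                        f"Cipher_Suite_Id_0={cs0} (set to Unused)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_checkout(SAMPLE_CHECKOUT))) or "no findings")
```

Feed it real `bmc-config --checkout` output to get the list of keys to change; MD5 stays unflagged as the thread treats it as acceptable.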
