Hỗ trợ kỹ thuật

08.6292.0000 [Hỗ trợ sử dụng]

0945.82.82.79 [Than phiền chất lượng]

Tìm tên miền cực nhanh cho doanh nghiệp bạn (vd. ten-doanh-nghiep.com)

Lỗi bảo mật IPMI cho khách hàng trong môi trường data center

IPMI trên Server của Supermicro giúp người dùng có thể giám sát phần cứng, khắc phục sự cố, điều khiển server từ xa. Tuy nhiên nếu bạn sử dụng không đúng cách sẽ bị dính lỗi bảo mật. Dưới đây là 1 số khuyến nghị của các chuyên gia bảo mật.



Chịu khó đọc tiếng anh nhé, cho nó "bờ rồ".

Best Practices for managing servers with IPMI features enabled in Datacenters

Baseboard Management controllers (BMC) with IPMI is commonly used to manage servers. Most Supermicro server models support IPMI either through a dedicated management interface or through a shared LAN. All X7 and later generation products have IPMI 2.0 enabled that provides security through encryption algorithms. BMC provides powerful remote debugging capabilities in the datacenters but at the same time if not configured properly, causes unwarranted access to BMCs from Internet or within, the company and can compromise the security of your machines. Supermicro recommends the following steps that datacenters need to consider while using IPMI to manage your machines.

1. Network Configuration

a. Restrict inbound traffic over internet directly to BMCs. Logon to a secure management server in datacenter and manage all BMCs from the management server.
b. Reserve special IP address range (private subnets) to BMC management interfaces and management servers. Don’t use reserved IP subnets with LAN interfaces of the managed machines.
c. Configure the firewall to restrict outbound traffic from BMC including alerts within the reserved IP range.
d. Use dedicated management interfaces for managing BMCs. If dedicated management interfaces are absent and have to use shared LAN, then configure separate VLANs for
BMC traffic.

2. BMC Configuration

a. Customize service ports information on the BMC to your datacenter specifications. For example; you can configure http port to 57880 instead of 80.
b. Change the default password during installation and use strong passwords.
c. Create user policies and roles on BMC
d. Use the IP Access Policy to enable access rules to BMC from management servers.

3. Additional measures

a. Monitor for unusual traffic between BMC and other machines in the network
b. Pay attention to firmware release notes (especially related to security fixes) and plan upgrades of the firmware during maintenance cycles.

Theo Diễn đàn Thế giới máy chủ.

Tổng số điểm của bài viết là: 17 trong 6 đánh giá
Xếp hạng: 2.8 - 6 phiếu bầu Đánh giá bài viết: Click để đánh giá bài viết
  • Logo NukeViet
  • Logo VNNIC
  • Logo Icann
  • Logo Online Nic
  • Logo Direct Admin
  • Logo FPT
  • Logo Viettel IDC
  • Logo Global Sign
  • Logo Cpanel