Disabling IPMI

Description

In view of the increasing number of reported exploits on the IPMI over LAN protocol (used by iLO-enabled dedicated servers), we want to stress the importance of having precautionary measures in place to guard your dedicated servers against unauthorized access. To resolve the security issues associated with the iLO interfaces, disable the "IPMI over LAN" function.

Based on the server and iLO type, please take the appropriate action by following the instructions below.


LO100 (Lights Out 100)

Server models using this type of integrated Lights Out are as follows:

  • DL120 G5
  • DL120 G6
  • DL180 G5
  • DL180 G6

Disabling IPMI over LAN

The web interface for LO100 does not allow IPMI over LAN to be turned off. However, there is a command-line tool that allows you to disable IPMI over LAN.

Based on your operating system, please follow the instructions placed below:

 Debian & Ubuntu (Linux)

Installing

For Debian and Ubuntu, first install ipmitool and load the IPMI kernel modules. You can do so by issuing the following commands:

apt-get install ipmitool
modprobe ipmi_devintf
modprobe ipmi_si

Disable IPMI over LAN

After the correct modules have been enabled and the ipmitool has been installed, you can disable the IPMI over LAN feature:

ipmitool lan set 2 access off

You have now successfully disabled the IPMI over LAN protocol which should mitigate the security issues.


 CentOS

Installing

For CentOS, first install ipmitool and load the IPMI kernel modules. You can do so by issuing the following commands:

yum install ipmitool
modprobe ipmi_devintf
modprobe ipmi_si

Disable IPMI over LAN

After the correct modules have been enabled and the ipmitool has been installed, you can disable the IPMI over LAN feature:

ipmitool lan set 2 access off

You have now successfully disabled the IPMI over LAN protocol which should mitigate the security issues.


 ESXi

Compiling

ESXi does not support ipmitool natively, but it is possible to run ipmitool on ESXi. There are two ways to do this: use a pre-compiled binary, or compile your own binary.

 Use the pre-compiled binary

You first need to download the pre-compiled binary. To do this, you need to have the SSH server for ESXi enabled. If you are unsure how to do this, this article explains it in detail.

Once the shell is enabled, you can log in to the ESXi shell, download the pre-compiled binary and make it executable by issuing the following commands:

wget https://kb.leaseweb.com/download/attachments/11469105/ipmitool
chmod +x ipmitool

(Binary file MD5: 559fd0587bdbba3386a91fbfdaa33617)


 Compile your own binaries

You need to compile the binary on a Linux system, and then move the compiled binary to the ESXi machine.

Files and packages needed on the Linux machine:

  •  ipmitool-1.8.11.tar.gz, the source
  • A Linux operating system
  • Packages:
    • build-essential
    • gcc-multilib
    • libc6-i386
    • libc6-dev-i386

Steps used to compile the binary:

  1. Download the sources.

     wget -O ipmitool-1.8.15.tar.gz http://sourceforge.net/projects/ipmitool/files/ipmitool/1.8.15/ipmitool-1.8.15.tar.gz/download

  2. Unpack the sources.

     tar zxvf ipmitool-1.8.15.tar.gz
     cd ipmitool-1.8.15/

  3. Configure the sources, and compile.

     ./configure CFLAGS=-m32 LDFLAGS=-static
     make

Moving the binary file

Now that you have compiled the static binary file, you need to move it to the ESXi server. To do this, you need to have the SSH server for ESXi enabled. If you are unsure how to do this, this article explains it in detail.

Now we can move the file to the ESXi Server:

scp ./src/ipmitool root@IPADDRESS:/scratch/

You can later log into the ESXi shell with PuTTY or your preferred SSH client.

Once the binary is in place, change to the directory that contains it and disable IPMI over LAN by issuing the following command:

./ipmitool lan set 2 access off

You have now successfully disabled the IPMI over LAN protocol.


 Windows

Unfortunately, Windows does not have a supported command-line tool to make the required adjustments. Therefore, our only option is to reboot the Windows machine in rescue mode. Rescue mode can be launched by logging in to the LeaseWeb Customer Portal.

Please check this page which explains how to boot into rescue mode.

Please select the rescue mode: Rescue 2.1 (amd64)

Once the rescue mode is booted, you will have to connect to it using SSH, which is a remote command-line tool. This article explains how to connect to the rescue mode using SSH.

Once you are logged in, you can issue the following commands:

modprobe ipmi_devintf
modprobe ipmi_si
ipmitool lan set 2 access off

You have now successfully turned off IPMI over LAN.
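
To confirm the change took effect, the check below (an added example, not part of the original article) parses the output of `ipmitool channel info 2` and passes only when both the active and the stored Access Mode are "disabled". It assumes the output layout shown in the constructed samples; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify the result of "ipmitool lan set 2 access off".

# Read `ipmitool channel info <n>` output on stdin and print
# "volatile=<mode> nonvolatile=<mode>" taken from the two "Access Mode" lines.
access_modes() {
    awk -F: '
        /Non-Volatile Settings/         { s = "nonvolatile"; next }
        /Volatile[(]active[)] Settings/ { s = "volatile"; next }
        /Access Mode/ && s != "" { gsub(/^[ \t]+|[ \t]+$/, "", $2); mode[s] = $2 }
        END { printf "volatile=%s nonvolatile=%s\n", mode["volatile"], mode["nonvolatile"] }'
}

# Succeed only when the active (volatile) and the stored (non-volatile)
# setting are both "disabled"; unparseable input fails the check.
lan_access_disabled() {
    [ "$(access_modes)" = "volatile=disabled nonvolatile=disabled" ]
}

# Constructed sample (not captured from a real server): active setting off,
# stored setting still on.
SAMPLE_PARTIAL='Channel 0x2 info:
  Channel Medium Type   : 802.3 LAN
  Channel Protocol Type : IPMB-1.0
  Session Support       : multi-session
  Volatile(active) Settings
    Alerting            : disabled
    Per-message Auth    : enabled
    User Level Auth     : enabled
    Access Mode         : disabled
  Non-Volatile Settings
    Alerting            : disabled
    Per-message Auth    : enabled
    User Level Auth     : enabled
    Access Mode         : always available'

# Constructed sample with both settings off.
SAMPLE_OFF=$(printf '%s\n' "$SAMPLE_PARTIAL" | sed 's/always available/disabled/')

report() {  # $1 = label, stdin = channel info output
    if lan_access_disabled; then echo "$1: LAN access disabled"
    else echo "$1: LAN access NOT fully disabled"; fi
}
printf '%s\n' "$SAMPLE_PARTIAL" | report partial
printf '%s\n' "$SAMPLE_OFF" | report off
# On the server (channel 2, as in this article):
#   ipmitool channel info 2 | report "channel 2"
```

The non-volatile value is checked as well because it is the stored setting, so a channel that is only disabled in its active settings is reported as not fully disabled.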

Disabling the Operator user account

If you have reset your LO100 at some point after delivery of your server, please keep in mind that another security issue is that the Operator user account is enabled by default with a default password. The Operator user account can be disabled using the web interface. Please find the screenshots for the LO100 placed below:

  1. Log into your LO100 web interface.
  2. Select the "User Administration" item in the menu to the left.
  3. Disable the Operator user account by clearing the "Enabled" checkbox. 
  4. Click the "Set" button.

iLO3 and iLO4 (integrated Lights Out 3/4)

Server models using this type of integrated Lights Out are as follows:

  • DL120 G7
  • DL380e G8
  • DL380p G8

Disabling IPMI over LAN

Disabling IPMI over LAN for iLO3 and iLO4 is fairly straightforward. It can be disabled using the web interface. Please find screenshots for both iLO versions placed below:

  1. Log into your iLO3/4 web interface.
  2. Select Administration > Access Settings on the left menu.
  3. Disable IPMI over LAN by clearing the checkbox.
  4. Click the "Apply" button.

iDRAC

Server models using this type of remote management are as follows:

  • R210
  • R620
  • R720xd
  • R730xd

Disabling IPMI over LAN

To disable IPMI for the iDRAC you can follow these steps:

  1. Log into your iDRAC web interface.
  2. Select iDRAC settings in the left menu and Network/Security on the top of the page.
  3. Disable IPMI over LAN by clearing the "Enable IPMI over LAN" checkbox.
  4. Click the "Apply" button.