On Sun, September 18, 2016 19:08, Keith Keller wrote:
Make sure you do not allow the IPMI's IP to be accessible on a public network. Either keep the IP on a private network (better), keep the IP firewalled to only certain IPs, or change the admin password from the default.
In order of importance:
1. ALWAYS change the administrative account credentials from their defaults to something reasonably difficult to infer. Supermicro allows one to select the user name of the administrative account in addition to setting the password. Change both.
2. Always restrict access to IPMI from specific source addresses. If you need to obtain access from a different point of origin, then set up one or more of the hosts having a permitted IP as an sshd/vpn service in advance and relay to the IPMI port from there.
3. Firewall any IPMI IP addresses at the gateway for all protocols and prevent any direct access to it whatsoever from the internet.
4. Where feasible place all IPMI IP addresses on their own private IP network ([192.168.X.0/24] or similar) and set up the gateway router internal interface to suit.
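A small audit of the address plan and gateway rules that steps 2 to 4 describe, as an added example that is not part of this list thread: it checks that every BMC sits on an RFC 1918 network, rejects over-broad allow lists, and emits the gateway's nftables forward rules. The subnet 192.168.50.0/24, the admin host 10.0.0.5 and the nftables rule form are assumed values, not from the thread.

```python
import ipaddress

# RFC 1918 ranges: the "private IP network" the advice wants BMCs to live on.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_bmc_plan(bmc_addrs, allowed_sources):
    """Return findings for a BMC address plan (an empty list means it passes).

    bmc_addrs:       BMC/IPMI IPv4 addresses as strings.
    allowed_sources: CIDRs of the admin hosts permitted to reach them.
    """
    findings = []
    for a in bmc_addrs:
        if not is_rfc1918(a):
            findings.append(f"BMC {a} is not on an RFC 1918 network; move it off the public network")
    for s in allowed_sources:
        net = ipaddress.ip_network(s, strict=False)
        if net.prefixlen == 0:
            findings.append(f"allow list entry {s} permits the whole internet")
        elif net.prefixlen < 24:
            findings.append(f"allow list entry {s} is wider than a /24; narrow it to specific hosts")
    return findings


def nft_forward_rules(bmc_net, allowed_sources):
    """Build nftables forward-chain rules for the gateway (assumed layout): each
    listed admin source may reach the BMC subnet, all other traffic to it is dropped."""
    rules = [f"ip saddr {s} ip daddr {bmc_net} accept" for s in allowed_sources]
    rules.append(f"ip daddr {bmc_net} drop")
    return rules


if __name__ == "__main__":
    # Constructed sample plan: one BMC is correctly on 192.168.50.0/24, one is not,
    # and the allow list mistakenly contains 0.0.0.0/0.
    bmcs = ["192.168.50.10", "203.0.113.5"]
    sources = ["10.0.0.5/32", "0.0.0.0/0"]
    for finding in check_bmc_plan(bmcs, sources):
        print("FINDING:", finding)
    print("\n".join(nft_forward_rules("192.168.50.0/24", ["10.0.0.5/32"])))
```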