On Sun, September 18, 2016 19:08, Keith Keller wrote:
>
> Make sure you do not allow the IPMI's IP to be accessible
> on a public network. Either keep the IP on a private network
> (better), keep the IP firewalled to only certain IPs,
> or change the admin password from the default.

In order of importance:

1. ALWAYS change the administrative account credentials from their
defaults to something reasonably difficult to infer. Supermicro
allows one to select the user name of the administrative account in
addition to setting the password. Change both.

2. Always restrict access to IPMI from specific source addresses. If
you need to obtain access from a different point of origin then set
up one or more of the hosts having a permitted IP as an sshd/vpn
service in advance and relay to the IPMI port from there.

3. Firewall any IPMI IP addresses at the gateway for all protocols
and prevent any direct access to it whatsoever from the internet.

4. Where feasible, place all IPMI IP addresses on their own private IP
network ([192.168.X.0/24] or similar) and set up the gateway router
internal interface to suit.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
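
Added example, not part of the original message: a small Python audit that checks a BMC inventory against points 1, 2 and 4 above. The record fields, the 16-address threshold, and all sample names and addresses are assumptions made for illustration; point 3 (the gateway firewall) has to be tested from outside the network and is not covered.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SOURCE_ADDRS = 16  # assumption: anything wider is not a "specific" source

def audit_bmc(bmc, mgmt_net, other_hosts):
    """Return findings for one BMC record, numbered like the points in the message."""
    findings = []
    addr = ipaddress.ip_address(bmc["address"])
    net = ipaddress.ip_network(mgmt_net)
    # Point 1: both the account name and the password must differ from the defaults.
    if bmc["admin_user"] == bmc["default_user"] or not bmc["password_changed"]:
        findings.append("1: default administrative credentials still in use")
    # Point 2: an empty allow-list or a wide network is not a source restriction.
    sources = [ipaddress.ip_network(s) for s in bmc["allowed_sources"]]
    if not sources or any(s.num_addresses > MAX_SOURCE_ADDRS for s in sources):
        findings.append("2: source restriction missing or too broad")
    # Point 4: private address, inside the dedicated network, shared with nothing else.
    if not any(addr in r for r in RFC1918):
        findings.append("4: address is not in private (RFC 1918) space")
    elif addr not in net:
        findings.append("4: address is outside the dedicated IPMI network")
    elif any(ipaddress.ip_address(h) in net for h in other_hosts):
        findings.append("4: IPMI network is shared with non-IPMI hosts")
    return findings

# Constructed sample inventory; every name and address below is made up.
MGMT_NET = "192.168.50.0/24"
GOOD = {"address": "192.168.50.10", "admin_user": "ops-bmc", "default_user": "vendor-default",
        "password_changed": True, "allowed_sources": ["192.168.50.2/32"]}
BAD = {"address": "203.0.113.20", "admin_user": "vendor-default", "default_user": "vendor-default",
       "password_changed": False, "allowed_sources": ["0.0.0.0/0"]}

if __name__ == "__main__":
    for name, bmc in (("good", GOOD), ("bad", BAD)):
        print(name, audit_bmc(bmc, MGMT_NET, ["192.168.10.5"]))
```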