ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Public IP for Server remote management

    IT Discussion
    8
    15
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • CCWTechC
      CCWTech
      last edited by

      I should have explained, I'm not trying to do it... I just had a conversation with an I.T. guy who does it that way and it made me thing about the insecurity of doing it and wanted a 'sounding board'.

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @CCWTech
        last edited by

        @ccwtech said in Public IP for Server remote management:

        Would you ever put a public IP on remote server management (such as HP ILO, Dell DRAC, Lenovo Xclarity, etc.)

        What level of security risk is that?

        Huge security risk. I cannot imagine that those things are actually patched and current.

        CCWTechC scottalanmillerS 2 Replies Last reply Reply Quote 3
        • CCWTechC
          CCWTech @JaredBusch
          last edited by

          @jaredbusch said in Public IP for Server remote management:

          @ccwtech said in Public IP for Server remote management:

          Would you ever put a public IP on remote server management (such as HP ILO, Dell DRAC, Lenovo Xclarity, etc.)

          What level of security risk is that?

          Huge security risk. I cannot imagine that those things are actually patched and current.

          That's my take on it as well. I was so taken back that I wanted to make sure I wasn't up in the night.

          1 Reply Last reply Reply Quote 3
          • scottalanmillerS
            scottalanmiller @CCWTech
            last edited by

            @ccwtech said in Public IP for Server remote management:

            I should have explained, I'm not trying to do it... I just had a conversation with an I.T. guy who does it that way and it made me thing about the insecurity of doing it and wanted a 'sounding board'.

            Very big risk. Those systems are not just highly targetted, but almost impossible to secure and almost never patched or well maintained.

            If it was behind a proxy, and locked to a single IP address, maybe. But even then, it is pushing it.

            1 Reply Last reply Reply Quote 2
            • scottalanmillerS
              scottalanmiller @JaredBusch
              last edited by

              @jaredbusch said in Public IP for Server remote management:

              @ccwtech said in Public IP for Server remote management:

              Would you ever put a public IP on remote server management (such as HP ILO, Dell DRAC, Lenovo Xclarity, etc.)

              What level of security risk is that?

              Huge security risk. I cannot imagine that those things are actually patched and current.

              Java client? Not current 🙂

              CCWTechC 1 Reply Last reply Reply Quote 1
              • CCWTechC
                CCWTech @scottalanmiller
                last edited by

                @scottalanmiller This one doesn't use java, but still an issue.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @CCWTech
                  last edited by

                  @ccwtech said in Public IP for Server remote management:

                  @scottalanmiller This one doesn't use java, but still an issue.

                  Yeah, SuperMicro IPMI is better than most, but still not okay to expose in that way (other than for a lab.)

                  1 Reply Last reply Reply Quote 1
                  • EddieJenningsE
                    EddieJennings
                    last edited by

                    I suppose a solution to this could be setup a VM as a jump box, put it behind reverse proxy and NAT, and lock it down as much as you can (SSH keys, etc.). From that jump box, access your servers. I do something similar with my colo lab server, except I just have Zero Tier on said VM, and connect to it via SSH over Zero Tier.

                    The above won't solve the problem of somehow having out-of-band management capability / console access, which you could have with IPMI.

                    CCWTechC 1 Reply Last reply Reply Quote 2
                    • CCWTechC
                      CCWTech @EddieJennings
                      last edited by

                      @eddiejennings said in Public IP for Server remote management:

                      I suppose a solution to this could be setup a VM as a jump box, put it behind reverse proxy and NAT, and lock it down as much as you can (SSH keys, etc.). From that jump box, access your servers. I do something similar with my colo lab server, except I just have Zero Tier on said VM, and connect to it via SSH over Zero Tier.

                      The above won't solve the problem of somehow having out-of-band management capability / console access, which you could have with IPMI.

                      Yes plenty of ways to do this the 'right way' but the I.T. company I was talking to doesn't get the risk of doing it the wrong way.

                      I was just running it by folks here to see if I was way off base by thinking they are nuts for making it public without any extra security.

                      EddieJenningsE 1 Reply Last reply Reply Quote 1
                      • EddieJenningsE
                        EddieJennings @CCWTech
                        last edited by

                        @ccwtech said in Public IP for Server remote management:

                        @eddiejennings said in Public IP for Server remote management:

                        I suppose a solution to this could be setup a VM as a jump box, put it behind reverse proxy and NAT, and lock it down as much as you can (SSH keys, etc.). From that jump box, access your servers. I do something similar with my colo lab server, except I just have Zero Tier on said VM, and connect to it via SSH over Zero Tier.

                        The above won't solve the problem of somehow having out-of-band management capability / console access, which you could have with IPMI.

                        Yes plenty of ways to do this the 'right way' but the I.T. company I was talking to doesn't get the risk of doing it the wrong way.

                        I was just running it by folks here to see if I was way off base by thinking they are nuts for making it public without any extra security.

                        😄 For my colo lab the thought of doing it the "wrong way" crossed my mind, but after a few moments of thinking it through (and trying to treat my colo lab server as much like a production system as I could), I came to the same conclusions as everyone else about it being a bad idea.

                        1 Reply Last reply Reply Quote 2
                        • 1
                          1337
                          last edited by 1337

                          HP used to say it was OK way back in the days because of authentication, encryption etc. What they say today I don't know.

                          But this is what the security researches says:
                          https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html

                          HP iLO is an administration tool, and as such should only be accessible from an isolated VLAN, different from the users' VLAN.
                          More specifically:

                          • Do not connect iLO to your network if the interface is not actually used;
                          • Do not expose any iLO interface to any untrusted network;
                          • Use strong, randomly generated passwords for each server instance.

                          As a reminder, HP iLO 4 also exposes the IPMI interface on port 623. The IPMI v2 authentication protocol is affected by a design weakness that allows an attacker to retrieve a hash of the password, provided only the username is known. The hash can later be brute-forced off-line. This can not be patched or mitigated, except by proper network isolation.

                          Finally, as for every service running on a corporate network, iLO event logs should be centralized and monitored to detect unauthorized connections.

                          This is how easy it is to hack the iLO 4 if the server is running version < 2.54.

                          https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/

                          Version 2.54 was released September 2017. How many keep their ILO firmware up to date?
                          iLO 4 runs on G8 and G9 servers.

                          1 Reply Last reply Reply Quote 2
                          • dbeatoD
                            dbeato
                            last edited by

                            I wouldn't place it on a Public IP, I would just manage it over Firewall Access Rules to locked down to few IP addresses or VPN.

                            A 1 Reply Last reply Reply Quote 2
                            • A
                              Alex Sage @dbeato
                              last edited by

                              @dbeato said in Public IP for Server remote management:

                              I wouldn't place it on a Public IP, I would just manage it over Firewall Access Rules to locked down to few IP addresses or VPN.

                              Agreed. This is how I handle was well.

                              1 Reply Last reply Reply Quote 1
                              • 1 / 1
                              • First post
                                Last post