IPMI best practices

Learn about best practices for using IPMI.

Restrict IPMI to trusted internal networks

Restrict IPMI traffic to trusted internal networks. Traffic from IPMI must be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

Cipher suite

The cipher suites that provide encrypted network IPMI are cipher suite 3 and cipher suite 17. Cipher suite 3 is the default in IPMItool. If cipher suite 17 is enabled on the device, use cipher suite 17 instead of cipher suite 3.

  • Cipher suite 3 (authentication – RAKP-HMAC-SHA1; integrity – HMAC-SHA1-96; confidentiality – AES-CBC-128).
  • Cipher suite 17 (authentication – RAKP-HMAC-SHA256; integrity – HMAC-SHA256-128; confidentiality – AES-CBC-128).

Cipher 0 is an option, enabled by default on many IPMI-enabled devices, that allows authentication to be bypassed. Disable cipher 0 to prevent attackers from bypassing authentication and sending arbitrary IPMI commands. Anonymous logins must be disabled. Create IPMI accounts with a user name; nameless accounts must be disabled.
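The following is an added example (not part of this page) that audits the cipher-suite settings a BMC reports through `ipmitool lan print` and builds the `cipher_privs` string that marks cipher suite 0 unused, keeping every other suite's privilege setting. It assumes LAN channel 1, that the first character of the "Cipher Suite Priv Max" string is the position for suite 0, and uses a constructed sample of the `ipmitool lan print 1` output rather than a live BMC.

```shell
#!/bin/sh
# Added example: audit BMC cipher-suite settings from "ipmitool lan print" output.
# Assumptions: LAN channel 1; first character of "Cipher Suite Priv Max" is suite 0.

# Constructed sample of "ipmitool lan print 1" output (not captured from a real BMC).
SAMPLE_LAN_PRINT='IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,17
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN'

# Print the comma-separated list of cipher suites the BMC advertises.
cipher_suites() { printf '%s\n' "$1" | sed -n 's/^RMCP+ Cipher Suites *: *//p'; }

# Print the privilege-per-suite string (one character per suite ID, starting at 0).
cipher_privs() { printf '%s\n' "$1" | sed -n 's/^Cipher Suite Priv Max *: *\([A-Za-z]*\).*/\1/p'; }

# Succeed when cipher suite 0 is marked unused ('X'); fail when it is enabled.
cipher0_disabled() {
    privs=$(cipher_privs "$1")
    [ "$(printf '%s' "$privs" | cut -c1)" = "X" ]
}

# Succeed when the given suite ID appears in the advertised list.
suite_advertised() {
    cipher_suites "$1" | tr ',' '\n' | grep -qx "$2"
}

# Hardened cipher_privs string: keep the BMC's settings but force suite 0 to 'X'.
hardened_privs() {
    privs=$(cipher_privs "$1")
    printf 'X%s\n' "$(printf '%s' "$privs" | cut -c2-)"
}

# Suite to use for encrypted sessions: 17 when advertised, otherwise 3.
preferred_suite() {
    if suite_advertised "$1" 17; then echo 17; else echo 3; fi
}

# Report findings and the remediation command for channel 1.
ipmi_cipher_audit() {
    if cipher0_disabled "$1"; then
        echo "cipher suite 0: disabled"
    else
        echo "cipher suite 0: ENABLED - remediate with:"
        echo "  ipmitool lan set 1 cipher_privs $(hardened_privs "$1")"
    fi
    echo "connect with: ipmitool -I lanplus -C $(preferred_suite "$1") -H <bmc> -U <user> chassis status"
}

ipmi_cipher_audit "$SAMPLE_LAN_PRINT"
```

On a live system, feed `ipmitool lan print 1` output into `ipmi_cipher_audit` in place of the constructed sample, then rerun `ipmitool lan print 1` after remediation to confirm the first position reads `X`.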

Use strong passwords

The default password on a shipped system must be changed to a stronger password. Devices that run IPMI must have strong, unique passwords set for the IPMI service. For more information about password security, see US-CERT Security Tip ST04-002 and Password Security, Protection, and Management.