Oracle ILOM IPMI Security Guidelines
To increase IPMI security, system administrators should consider the following IPMI security configuration guidelines:
- As of firmware version 3.2.8, system administrators should use the Oracle IPMI TLS (orcltls) interface and only enable the use of the IPMI v2.0 (lanplus) interface for legacy compatibility.

  Note: The RAKP protocol support in the IPMI 2.0 specification requires sending a password hash to the client, which makes it easier for remote attackers to obtain access via a brute-force attack. For additional details about this vulnerability, see the published vulnerability summaries for CVE-2013-4037 and CVE-2013-4786 on the National Vulnerability Database web site.

  Note: As of firmware version 5.0.0, the IPMI v1.5 Sessions property has been removed and the IPMI v2.0 Sessions property is disabled by default.

- Change your IPMI password on a regular basis. Ensure the lifecycle of Oracle ILOM user accounts is managed appropriately. For further details, see Securing Oracle ILOM User Access.

- Restrict network access from the outside world. Use the dedicated Ethernet management channel to communicate with Oracle ILOM. For further details, see Securing the Physical Management Connection.

- Work with your IT Security Officer to build a set of best practices and policies around server management and IPMI security.
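
The interface guidance in the first guideline can be checked across a fleet. The following is an added example, not Oracle code: it audits a constructed inventory against the 3.2.8 and 5.0.0 thresholds stated above. The record fields (`firmware`, `v1_5`, `v2_0`, `tls`) and host names are hypothetical and are not Oracle ILOM property names.

```python
# Added example: audit service-processor records against the interface guideline.
# Field names and hosts are hypothetical; the inventory is constructed sample data.

ORCLTLS_MIN = (3, 2, 8)     # page: use orcltls as of firmware 3.2.8
V2_OFF_DEFAULT = (5, 0, 0)  # page: v1.5 removed, v2.0 off by default as of 5.0.0

INVENTORY = [
    {"host": "sp-a", "firmware": "3.1.2", "v1_5": True, "v2_0": True, "tls": False},
    {"host": "sp-b", "firmware": "3.2.8", "v1_5": False, "v2_0": True, "tls": True},
    {"host": "sp-c", "firmware": "4.0.4.52", "v1_5": False, "v2_0": False, "tls": True},
    {"host": "sp-d", "firmware": "5.0.0", "v2_0": True, "tls": True},
]


def parse_version(text):
    """'4.0.4.52' -> (4, 0, 4, 52); short forms such as '5.0' are padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(sp):
    """Return the list of guideline findings for one service-processor record."""
    ver = parse_version(sp["firmware"])
    if ver < ORCLTLS_MIN:
        return ["firmware below 3.2.8: outside the range the orcltls guideline covers"]
    findings = []
    if not sp["tls"]:
        findings.append("orcltls disabled: enable the TLS interface")
    if sp["v2_0"]:
        if ver >= V2_OFF_DEFAULT:
            findings.append("lanplus enabled against the 5.0.0 default: "
                            "confirm a legacy client requires it")
        else:
            findings.append("lanplus enabled: keep only for legacy compatibility")
    # The v1.5 Sessions property no longer exists from 5.0.0 on, so skip it there.
    if ver < V2_OFF_DEFAULT and sp.get("v1_5"):
        findings.append("IPMI v1.5 sessions enabled: not an interface the guideline lists")
    return findings


def audit_fleet(inventory):
    """Map host -> findings, leaving out hosts that follow the guideline."""
    report = {sp["host"]: audit(sp) for sp in inventory}
    return {host: f for host, f in report.items() if f}


if __name__ == "__main__":
    for host, findings in audit_fleet(INVENTORY).items():
        for finding in findings:
            print(f"{host}: {finding}")
```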