I was recently in a client engagement where we had to rebuild / redeploy some ESXi 4.x servers as ESXi 5.1. This was a simple task, and quickly done (thanks VMware!), but before we were finished I realized that we had missed a critical part - the remote management port on the servers. These were iLO ports in this case, as the servers are HP's, but they could just as easily have been DRAC / iDRAC (Dell), IMM or AMM (IBM) or BMC (Cisco, anything with a Tyan motherboard or lots of other vendors). These "remote management ports" are in fact all embedded systems - Linux servers on a card, booting from flash and usually running a web application. This means that once you update them (via a flash process) they are "frozen in time" as far as Linux versions and patches go. In this case, these iLO cards hadn't been touched in 3 years.
How can you mitigate a situation like this? The obvious answer is to patch as updates come out. For many server vendors however, this means booting the server from a CD or DVD. This is often a tough sell to management, as it's not only an outage for a production server, but if the firmware update fails or causes some new problem, that could cause another (unplanned) outage later, or in the best case a planned outage to back out the update. Plus you need to convince them every time the topic comes up that you need remote management at all, which eventually starts to sound like too much work. But *not* updating critical server components is a ticking time-bomb.
Oh, one more thing - please change the passwords on all of these! All the patching in the world won't help you if your attacker can google for the administrative credentials. I can't tell you how many SANs, Bladecenters or FC Switches I've seen with the default administrative credentials still in play. If your admin password is still "password", it's time to change it!
Rob VandenBrink, ISC Handler, Feb 26th 2013
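The diary's point is that management cards are only as current as their last flash, so the practical defence is an inventory that records when each card was flashed and what it is running, and a periodic check that flags anything stale. The script below is an added example, not code from the diary or from any vendor. It parses the output of `ipmitool mc info` (a real command that most iLO/DRAC/IMM/BMC cards answer over IPMI; the field names are ipmitool's, the sample values are constructed) and reports cards whose firmware is behind the vendor's current release or that have not been flashed within a year. The host names, "last flashed" dates and "vendor current" version strings are hypothetical and only illustrate the comparison.

```python
from datetime import date

# Constructed sample of what `ipmitool -I lanplus -H <bmc> -U <user> mc info`
# prints for one card. Field names are ipmitool's; values are made up here.
SAMPLE_MC_INFO = """\
Device ID                 : 17
Device Revision           : 1
Firmware Revision         : 1.28
IPMI Version              : 2.0
Manufacturer ID           : 11
Manufacturer Name         : Hewlett-Packard
Product ID                : 8224 (0x2020)
Device Available          : yes
"""

# Constructed inventory: host, captured `mc info` text, the date the card was
# last flashed, and the vendor's current release. All values are hypothetical.
INVENTORY = [
    {"host": "esx01", "mc_info": SAMPLE_MC_INFO,
     "last_flashed": date(2010, 2, 26), "vendor_current": "1.50"},
    {"host": "esx02", "mc_info": SAMPLE_MC_INFO.replace("1.28", "1.50"),
     "last_flashed": date(2013, 1, 15), "vendor_current": "1.50"},
]

# Date of the audit run; fixed here so the example is reproducible.
AUDIT_DATE = date(2013, 2, 26)


def parse_mc_info(text):
    """Parse `ipmitool mc info` output into a {field: value} dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def version_tuple(v):
    """'1.28' -> (1, 28) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_bmc(entry, today, max_age_days=365):
    """Return the list of findings for one card; an empty list means it passes."""
    info = parse_mc_info(entry["mc_info"])
    running = info.get("Firmware Revision")
    findings = []
    if running is None:
        findings.append("firmware revision not reported")
    elif version_tuple(running) < version_tuple(entry["vendor_current"]):
        findings.append(
            f"firmware {running} behind vendor release {entry['vendor_current']}")
    age = (today - entry["last_flashed"]).days
    if age > max_age_days:
        findings.append(f"last flashed {age} days ago")
    return findings


def audit_inventory(inventory, today, max_age_days=365):
    """Map each host to its findings so the result can be reviewed or alerted on."""
    return {e["host"]: audit_bmc(e, today, max_age_days) for e in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is it reports esx01 as both behind the vendor release and roughly three years since its last flash, which is the situation the diary describes. In practice the `mc_info` text would come from running ipmitool against each card, and the "last flashed" date and vendor release would be maintained in the same inventory you use for the servers themselves; the comparison logic does not change.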
I run a small network, and its management is my responsibility, but not my primary responsibility. I travel a lot as a consultant to client companies, so I need remote management over the internet. I run all my machines through a bank of KVM switches, then the console end of that chain has an iPEPS (KVM over IP using RealVNC) on it that is internet visible (assuming the gateway did not fail). I also use Dataprobe's iBoot and iBootBar devices as power switches that are remotely controllable over the internet. I have updated the Dataprobe devices' firmware several times now, but never the iPEPS. I've had all these devices for several years.
Anonymous, Feb 26th 2013