Introduction
IPMI (Intelligent Platform Management Interface) is a standardised interface that allows a server to be managed remotely, independently of the operating system’s functionality. We recommend using IPMI, for example, when you experience issues logging in to a server, or for restarting the server, configuring the BIOS, or monitoring hardware resources. This guide describes the available options for securing the remote management interface.
If you use a Dedicated Server or Server Housing service and would like to secure IPMI using any of the methods described below, please contact us at support@master.cz or create a ticket in the Customer Administration.
IPMI Vulnerabilities
IPMI may be exposed to the risk of unauthorised access to the system. Attackers commonly exploit weak passwords, protocol flaws, or known vulnerabilities to gain control of a server via IPMI.
IPMI implementations from reputable vendors, such as Dell, HP and others, are generally more secure due to regular firmware updates and prompt patch management.
At MasterDC, Dell servers use the built-in iDRAC management interface as their IPMI solution.
In addition to continuous monitoring and regular updates, we secure iDRAC using sufficiently strong passwords, which can be strengthened further upon request. If repeated password-guessing attempts are detected, iDRAC blocks the offending IPs for 600 seconds. We also offer the option of disabling the SSH service, which is the most common target for password-guessing attempts against iDRAC.
Thanks to these measures, a successful iDRAC compromise at MasterDC is highly improbable. In practice, we have not encountered such an incident during decades of operating hundreds of servers. Nevertheless, if you use a Dedicated Server or Server Housing service, we can further secure access to your IPMI using the methods described below.
Securing IPMI
To enhance the security of IPMI, you can use:
- Static ACL for the public IP address of IPMI (access restriction)
- Moving the IPMI IP address to an internal network
- Restricting access to Dell iDRAC IPMI using an IP range
Static ACL for the Public IP Address of IPMI (Access Restriction)
An ACL (Access Control List) is a list containing specific IP addresses or network ranges that are permitted to access IPMI.
With this option, we define a list of up to 16 permitted IP addresses or network ranges for IPMI. These are stored in an Access Control List (ACL) as part of the switch port configuration.
Once applied, the switch filters all incoming IPMI traffic at the physical port level.
Moving the IPMI IP Address to an Internal Network
With this security method, we replace the public IP address of IPMI with an internal one, which is accessible only within the internal network. As a result, IPMI becomes inaccessible directly from the public Internet.
To provide this protection, the IPMI address is placed into a dedicated section of the network isolated via VRF (Virtual Routing and Forwarding) technology. This technology makes it possible to create an isolated network environment within a single physical network. A secure connection between an external device and this network segment is provided through an encrypted VPN based on OpenVPN technology. The OpenVPN Client software is used to connect to the internal network. Traffic destined for IPMI then passes through a central firewall for filtering.
If you would like to secure access to IPMI using any of the options described above, please contact us at support@master.cz or create a ticket in the Customer Administration.
Restricting Access to Dell iDRAC IPMI Using an IP Range
If you operate a Dell server with iDRAC version 9 or later, you can leverage built-in security features directly within the interface. This allows you to restrict access to the iDRAC to a specific IP address or network range.
The iDRAC configuration provides a total of five IP range slots. Four of these are reserved for MasterDC’s internal operations (ensuring continuous monitoring and remote management), leaving one slot available for your use. In this slot, you can define either a single IP address or a single IP range (subnet).
If you would like to secure your iDRAC access by restricting the permitted IP range, please contact us at support@master.cz or create a ticket in the Customer Administration, specifying the IP address or range you wish to whitelist. The configuration is fully managed by MasterDC; please reach out to us for any future changes as well.
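Before submitting a list for either the switch ACL or the iDRAC slot, it helps to check it against the limits described above. The following is an added example, not MasterDC tooling: the function names are hypothetical, the addresses are constructed documentation ranges, and the only limits assumed are the 16 ACL entries and the single iDRAC slot stated in this guide.

```python
import ipaddress

SWITCH_ACL_MAX = 16  # entry limit this guide states for the switch-port ACL

def normalise(entries):
    """Parse addresses/CIDR ranges, reject malformed ones, merge overlaps."""
    # strict=True rejects ranges with host bits set, e.g. 192.0.2.5/24
    nets = [ipaddress.ip_network(e.strip(), strict=True) for e in entries]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        merged += list(ipaddress.collapse_addresses(same))
    return merged

def switch_acl(entries):
    """Return the merged list for the switch ACL, or fail if it exceeds 16."""
    nets = normalise(entries)
    if len(nets) > SWITCH_ACL_MAX:
        raise ValueError(f"{len(nets)} entries after merging, limit is {SWITCH_ACL_MAX}")
    return nets

def idrac_slot(entries):
    """Smallest single subnet covering every entry (the one customer slot),
    plus the number of addresses it admits that were never requested."""
    nets = normalise(entries)
    if len({n.version for n in nets}) != 1:
        raise ValueError("the single slot needs a non-empty, single-family list")
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one prefix bit at a time
    extra = cover.num_addresses - sum(n.num_addresses for n in nets)
    return cover, extra

if __name__ == "__main__":
    # Constructed sample: two admin workstations and one office range
    wanted = ["198.51.100.10", "198.51.100.11", "203.0.113.0/24"]
    print("switch ACL:", [str(n) for n in switch_acl(wanted)])
    cover, extra = idrac_slot(wanted)
    print(f"iDRAC slot: {cover} (admits {extra} addresses not requested)")
```

A large `extra` value means the single iDRAC slot would be far wider than intended; in that case the switch ACL or the internal-network option is the better fit for that list.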