[HN Gopher] DIY out of band management: remote console server
___________________________________________________________________
DIY out of band management: remote console server
Author : secure
Score : 38 points
Date : 2022-08-27 12:49 UTC (10 hours ago)
(HTM) web link (michael.stapelberg.ch)
(TXT) w3m dump (michael.stapelberg.ch)
| illuminerdy wrote:
| I bought an old HP server for $150. It came with remote
| management built-in. Coupled with a cheap FQD and you can access
| it from anywhere.
| gerdesj wrote:
| I've been doing IT for 25 years but FQD has passed me by! What
| is it and please tell me it involves a VPN somewhere along the
| line.
| the_third_wave wrote:
| Fully Qualified Domain I'd say, e.g. 'hack-me-
| please.example.org' or something along those lines. Usually
| the term _FQDN_ (FQD Name) is used.
| the_third_wave wrote:
| The problem is that many others are also able to access your
| server - running an old version of iLO - from anywhere [1].
| While I have iLO enabled on my DL380G7 I do limit access to it
| to a VPN so as to avoid these problems.
|
| [1] https://www.servethehome.com/tens-of-thousands-of-
| outdated-h...
| orev wrote:
| The idea that anyone would make these accessible from the
| Internet is preposterous, and the fact that so many _are_
| exposes an underlying problem in IT. Maybe it's lack of
| knowledge, low skilled people, or the intense focus on cloud
| has eroded basic IT skills to such a point that things like
| this could be putting everyone at risk.
| milkshakes wrote:
| a lot of times this can happen unintentionally-- these
| systems can co-opt the primary ethernet port when the
| dedicated one is unplugged and many default to this
| behavior
| gerdesj wrote:
| Yes but they should have a different IP to the one that
| is forwarded to because shared devices will have
| differing MAC addresses and default setup.
|
| For example a lower end Dell without a separate iDRAC
| port will share with the first NIC with an IP that is
| either DHCP assigned or a built in default - both of
| which are unlikely to be forwarded by accident.
|
| Older Dells had a standard root password of "calvin"
| which was an appalling idea. Newer ones do as HPE and
| have a default autogenerated monstrosity printed on a
| pull out slide. Also you can set jumpers on the mainboard
| to reset it. Look at the manual or the inside of the
| cover.
| gerdesj wrote:
| Here's a recent discussion about these beasts:
| https://securityledger.com/2014/06/ipmis-inconvenient-
| truth-...
|
| IPMI is one of the foundations of what iLO/iDRAC n that do
| for a living.
|
| They are really useful - I've used them countless times to
| do updates and so on from afar. It's a bloody long drive
| from say South Somerset to say Hull in Yorkshire to pick up
| the pieces from breaking a boot loader. Instead I can mount
| a boot .ISO locally and after a while a remote box is
| running an installer or repair image.
|
| However, ideally put them on their own VLAN to protect your
| stuff from them and only allow access from the outside
| via a VPN. Never port forward to one directly or IPv6 allow
| direct inward access.
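The "own VLAN, VPN only" rule from the comment above can be checked against firewall logs. The following is an added example (not from the thread or the linked article): it assumes a management VLAN of 10.99.0.0/24, a VPN client pool of 10.8.0.0/24, RFC1918 as the "inside" LAN, a small set of BMC service ports, and a constructed `src= dst= proto= dport=` log format; it flags any BMC flow that did not arrive via the VPN.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy for this example (adjust to your own addressing).
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")   # assumed BMC/iLO/iDRAC VLAN
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN client pool
INSIDE_LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# BMC services policed here: IPMI RMCP+ (623/udp), iLO/iDRAC web UI (443/tcp), SSH (22/tcp).
BMC_PORTS = {("udp", 623), ("tcp", 443), ("tcp", 22)}

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src=A dst=B proto=P dport=N' log line."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"]),
                f["proto"].lower(), int(f["dport"]))

def violates_policy(flow: Flow) -> Optional[str]:
    """Return a reason if the flow breaks the VLAN+VPN-only rule, else None."""
    if flow.dst not in MGMT_VLAN:
        return None                          # not a management-VLAN destination
    if (flow.proto, flow.dport) not in BMC_PORTS:
        return None                          # not a BMC service port
    if flow.src in VPN_CLIENTS:
        return None                          # the one allowed path: via the VPN
    where = f"{flow.dst}:{flow.dport}/{flow.proto}"
    if any(flow.src in net for net in INSIDE_LAN):
        return f"LAN host {flow.src} reached BMC {where} bypassing the VPN (VLAN leak?)"
    return f"Internet host {flow.src} reached BMC {where} (port forward or direct exposure?)"

def audit(lines: List[str]) -> List[str]:
    """Run the policy over raw log lines; return the list of violation reasons."""
    return [r for r in (violates_policy(parse_flow(ln)) for ln in lines) if r]

# Constructed sample log: one VPN-sourced flow, one LAN bypass, one Internet hit,
# one non-BMC port, and one flow to a non-management subnet.
SAMPLE_LOG = [
    "src=10.8.0.5 dst=10.99.0.10 proto=tcp dport=443",
    "src=192.168.1.20 dst=10.99.0.10 proto=udp dport=623",
    "src=203.0.113.7 dst=10.99.0.10 proto=tcp dport=443",
    "src=203.0.113.7 dst=10.99.0.10 proto=tcp dport=8080",
    "src=203.0.113.7 dst=10.1.0.5 proto=tcp dport=443",
]

if __name__ == "__main__":
    for reason in audit(SAMPLE_LOG):
        print(reason)
```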
| mordechai9000 wrote:
| This is not an erosion of skills. Since I started in IT
| around 2008, it has been rare for most people to care about
| security. Even now, it's hard to get any traction. "We're
| not a target." I've heard it in more or less words, so many
| times. I'm burned out on fighting this fight.
|
| The senior staff at that time were often the worst. They
| didn't want anything to make their job harder, and they
| didn't see a threat. So if you pushed security hard, you
| were the enemy.
|
| It's a little better now, but not much.
| goodpoint wrote:
| You can build a wifi smart plug with an ESP8266 for 2 euro from
| aliexpress. A GSM module costs 2 euro.
|
| A serial console over SSH with an old raspberry 1.
|
| And the whole ensemble would take much less space.
| gerdesj wrote:
| Great job and has a VPN built in. All the components used lend
| themselves to monitoring too - Linux with monitoring-plugins,
| MQTT (doddle to watch from afar) and so on.
|
| This also lends itself to remote monitoring and control of quite
| a few really big and expensive things that have serial ports.
|
| I like the look of this ... pulls wires out of a discarded Pi
| experiment ...
| mmastrac wrote:
| My solution was buying an old Avocent serial server. It's
| basically a giant raspberry Pi running a MIPS CPU. I should blog
| about this.
___________________________________________________________________
(page generated 2022-08-27 23:01 UTC)