Questions[bmc](server)

TL;DR: Is there any option to disable OS (in-band) access to Aspeed AST 2500 BMC on a SuperMicro board or at least limit it somehow (e.g. via specific password or via setting the permission level to read-only access)?

Long version:

Last year we bought a few SuperMicro servers containing an Aspeed AST2500 BMC. Up to now we were not using the BMCs but now are in the process of setting them up, reachable via a separate out-of-band management network. While researching options to reset BMC passwords I found multiple posts (e.g. this one) which indicate as soon as I've got root privileges on the host I can also access the BMC and change the admin password without any additional security measures.

I really don't like the idea of being able to change BMC parameters from within the host OS, especially because BMCs are often badly patched and are a very interesting target for rootkits (by the way, exactly such a rootkit was discovered the other day; at least, as far as I know, it could not get onto the BMC via in-band interface)

Is there any option to limit host-to-BMC communication?

EDIT: The server board used in our servers is "ASRock ROMED8-2T".

Any idea how to get list of supported BMCs for OpenBMC https://github.com/openbmc/openbmc ?

For example I have a motherboard (X8SIL-F) with Nuvoton WPCM450 BMC.

I have updated config of my dhcp server, so that server should get a new ipmi address. But the server stay at its old address for some time. If I do not want to wait, I want to go to the server and force it to ask for the dhcp address. Is there a special command for that?

I know I can make

ipmitool bmc reset cold

and it works, but just wondering if it is possible without rebooting ipmi.

Is there a way to force my Dell BMCs and iDrac cards to only use the lanplus interface and not use the insecure "lan" interface. I understand that there are some "firewall" features in the IPMI spec. to restrict certain functions between chassis and such, but I don't know if it can be used in this manner.

Update: All out my boxes are in a switched environment. There is no NAT going on between my servers or my work desktop. I'm using ipmitool -I lanplus -H myhost -u root -p password -K sol activate" to talk to the serial console over IPMI.

update2: While I'm in a switched environment, I have no control of the switches. If I can't do it on the host or the idrac itself, then it's a non-starter.

I'm trying to secure the iDRAC's and BMC's on some of my Dell servers (R210, R410, R510). I want to restrict access to IPMI commands to only a few IP addresses. I've successfully restricted access to the iDrac using the instructions from http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc2d.htm#wp1181529 , but the IP restrictions do not affect IPMI. A separate management network is not practical at this time because of lack or ports and some Dell BMC's don't offer a separate port. I'm told by my networking group that our switches don't support trunking, so using the vlan tagging is not an option either.

Is there a way restrict the IPMI access to a list of allowed addresses?

FYI, for various reasons, I have a mix of Dell servers with BMC's, iDrac Express and iDrac enterprise management features.

Update: All out my boxes are in a switched environment. There is no NAT going on between my servers or my work desktop. I'm using ipmitool -I lanplus -H myhost -u root -p password -K sol activate" to talk to the serial console over IPMI.

Update2: While I'm in a switched environment, I don't have access to change the network switches, which are managed by a different department. The networking department doesn't like setting ACL's on routers and can't/won't use vlan tagging on our ports.