[kwlug-disc] Supermicro board

unsolicited unsolicited at swiz.ca
Thu Aug 7 15:41:37 EDT 2014


Actually, that assumes there's a tcp established rule in there ahead of 
it already.

Otherwise perhaps add:

accept 192.168.0.42 49152 * * tcp established

or equivalent thereof.

This lets only specific things initiate (and thus establish) the 
session, and lets the destination respond to anyone so allowed.

However, if there is any sort of 'call home upon error' functionality, 
this may not suffice - it won't be able to initiate anything. OTOH, such 
alerts probably won't source from 49152, or will at least be destined 
for known ports, such as smtp.


On 14-08-07 03:33 PM, unsolicited wrote:
> At the next hop router / firewall.
>
> Something like:
>
> accept 192.168.0.1 * 192.168.0.42 49152
> reject * * 192.168.0.42 49152
>
> Or more likely, ignore it. Your main router won't pass directly to it,
> and you likely trust your local network getting to it.
>
> When you need it, ssh in to somewhere else on the net, perhaps with a
> redirect.
>
> Something like 'LocalForward 49152 192.168.0.42 49152' in the ssh_config.
>
>
> On 14-08-07 02:08 PM, William Park wrote:
>> On Thu, Aug 07, 2014 at 10:35:48AM -0400, L.D. Paniak wrote:
>>> If you have a network connection to a BMC, you have console access to
>>> that system.  Just be sure to lock it down appropriately, e.g.:
>>> http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/
>>>
>>
>> The example in the link uses 'nc 49152' (netcat), from which I assume
>> BMC has its own commands.  But,
>>      - how do I lock down port 49152 from the OS, when it's under "BIOS"
>>        control?  And,
>>      - how do you tell the OS not to use port 49152 (because it's used by
>>        "BIOS")?
>>
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

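The rule ordering discussed in this thread, as an added example that is not part of any of the list posts: a small Python simulator of a first-match, session-tracking filter that reads the thread's own pseudo-rule syntax and addresses, and shows why the BMC's reply traffic needs an 'established' rule, why an outside host still cannot initiate to port 49152, and why a BMC-initiated 'call home' from that port is blocked. It assumes the filter's default verdict is reject; the outsider and mail-host addresses (10.0.0.5, 203.0.113.9) and the ephemeral ports are constructed for the demo, and a real router's syntax ('or equivalent thereof') will differ.

```python
# Added example (not code from the thread): a tiny first-match packet filter
# that understands the pseudo-rule syntax used above,
#   accept|reject <src> <sport> <dst> <dport> [tcp] [established]
# and tracks sessions, to show why the BMC's reply traffic needs its own rule.
BMC, ADMIN, BMC_PORT = "192.168.0.42", "192.168.0.1", 49152  # values from the thread
OUTSIDER, MAILHOST = "10.0.0.5", "203.0.113.9"               # constructed for the demo

def parse_rule(line):
    # 'accept 192.168.0.1 * 192.168.0.42 49152' -> fields; trailing words are flags
    action, src, sport, dst, dport, *flags = line.split()
    return action, src, sport, dst, dport, "established" in flags

def matches(value, pattern):
    return pattern == "*" or str(value) == pattern

class Firewall:
    """First matching rule wins; unmatched packets get the default verdict."""
    def __init__(self, rules, default="reject"):
        self.rules = [parse_rule(r) for r in rules]
        self.default = default
        self.sessions = set()  # (src, sport, dst, dport) of accepted initiations

    def filter(self, src, sport, dst, dport):
        # A packet belongs to an established session if it reverses an accepted one.
        established = (dst, dport, src, sport) in self.sessions
        verdict = self.default
        for action, rs, rsp, rd, rdp, needs_est in self.rules:
            if needs_est and not established:
                continue  # 'established' rules never match a fresh initiation
            if all(matches(v, p) for v, p in ((src, rs), (sport, rsp), (dst, rd), (dport, rdp))):
                verdict = action
                break
        if verdict == "accept" and not established:
            self.sessions.add((src, sport, dst, dport))  # remember who initiated
        return verdict

def run_scenarios():
    """Verdicts for the thread's rule set without and with the 'established' rule."""
    base = ["accept 192.168.0.1 * 192.168.0.42 49152",
            "reject * * 192.168.0.42 49152"]
    fws = {"without": Firewall(base),
           "with": Firewall(["accept 192.168.0.42 49152 * * tcp established"] + base)}
    out = {}
    for name, fw in fws.items():
        out[name + "/admin_initiates"] = fw.filter(ADMIN, 50000, BMC, BMC_PORT)
        out[name + "/bmc_replies"] = fw.filter(BMC, BMC_PORT, ADMIN, 50000)
        out[name + "/outsider_initiates"] = fw.filter(OUTSIDER, 40000, BMC, BMC_PORT)
        out[name + "/bmc_calls_home"] = fw.filter(BMC, BMC_PORT, MAILHOST, 25)  # 'call home' caveat
    return out
```

Without the 'established' rule the admin's connection is accepted but the BMC's replies fall through to the default reject; with it, replies pass while fresh connections to or from port 49152 are still refused.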