This might be a dumb question but DRAC/ILO both have HTTP server interfaces.
If I were trolling IPs on port 80 and I came across such a page, I’d know it to be a high value target in the sense that if I can crack it, I can take control of the server to some extent (potentially installing another OS).
Other than changing the port, what are the best practices for securing DRAC/ILO on public Internet facing machines?
They both accept uploading your own SSL certificates, so that’s the first thing I would do. If you’ve got enough of these servers, chances are you have your own certificate server and you have its certificate installed as a trusted publisher.
Mind you, all that does is ensure that the ILO/iDrac you’re connecting to is yours and you’re not being redirected to a honeypot.
The other thing we do to protect them is to not have them facing the public internet. We have all our iDracs on a separate vlan, which is accessible only after connecting to a VPN. This means a few things:
- If the VPN goes down, you’d better have another method of getting onto the devices
- You’re not “wasting” a public IP address on the drac
- Nobody who is not on the VPN can access the device
That said, we do have one client who has put their iDrac on a public IP. If you’re going to go down that path:
- Restrict the IP addresses at the firewall in front of the iDrac/ILO if you can. Sometimes this is hard to do if you don’t know where you’re going to be, but if you know you’re never going to be in, say, China, then that’s a good place to start. Whitelisting IPs that belong to the countries you’re going to be accessing it from can block a large amount of malicious traffic.
- Change the default password, for God’s sake. Use something like KeePass or similar and generate a 64-character password. Have a look at this blog post if you want to know more about why this is important. It’s actually about hashing, but the point is the same. If you only take one thing away from it, it’s that if there’s a vulnerability in the device and they manage to grab a copy of the user database, an 8-character basic password can be cracked in 4 hours without even trying.
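As an added example of the firewall allowlist the answer above recommends (not code from the original thread): a small POSIX shell function that emits an nftables ruleset for a firewall in front of an iDRAC/iLO, permitting HTTPS, SSH and IPMI-over-LAN to the management interface only from a VPN pool and named admin addresses, and logging then dropping everything else aimed at it. The function name, the BMC address and the source ranges are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): print an nftables ruleset that
# allows management traffic to one iDRAC/iLO only from an allowlist of sources.
# Addresses used here are constructed documentation-range examples.

# gen_bmc_ruleset <bmc-ip> <allowed-src>...  -> ruleset on stdout
gen_bmc_ruleset() {
    bmc="$1"; shift
    # Join the allowed sources into an nft anonymous set body: a, b, c
    allow=""
    for src in "$@"; do
        allow="${allow:+$allow, }$src"
    done
    cat <<EOF
table inet bmc_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # HTTPS and SSH to the BMC only from the allowlist (VPN pool, admins)
        ip daddr $bmc ip saddr { $allow } tcp dport { 22, 443 } accept
        # IPMI-over-LAN (RMCP+) restricted the same way
        ip daddr $bmc ip saddr { $allow } udp dport 623 accept
        # Everything else aimed at the BMC: rate-limited log, then drop
        ip daddr $bmc limit rate 5/second log prefix "bmc-denied: "
        ip daddr $bmc drop
    }
}
EOF
}

# Example: BMC at 192.0.2.10, reachable from the VPN pool and one admin host.
gen_bmc_ruleset 192.0.2.10 10.8.0.0/24 203.0.113.5
```

Write the output to a file and run `nft -c -f <file>` to syntax-check it before loading it with `nft -f`.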