Veritas NetBackup™ Appliance Security Guide
- About the NetBackup appliance Security Guide
- User authentication
- About user authentication on the NetBackup appliance
- About configuring user authentication
- About user name and password specifications
- User authorization
- Intrusion prevention and intrusion detection systems
- Log files
- Operating system security
- Data security
- Web security
- Network security
- Call Home security
- Remote Management Module (RMM) security
- STIG and FIPS conformance
- Appendix A. Security release content
Recommended IPMI settings
This section lists the recommended IPMI settings to ensure a secure IPMI configuration.
Use the following recommendations when creating IPMI users:
Do not create accounts with null user names or passwords.
Limit the number of administrative users to one.
Disable any anonymous users.
To mitigate the CVE-2013-4786 vulnerability:
Use strong passwords to help prevent offline dictionary attacks and brute force attacks. The recommended password length is 16-20 characters.
Change the default user password (
sysadmin
) as soon as possible.Use Access Control Lists (ACLs) or isolated networks to limit access to the IPMI interface.
Keep the IPMI protocol port (623) turned off when not in use to mitigate security risks associated with the IPMI protocol (CVE-2013-4786). For more information, see https://nvd.nist.gov/vuln/detail/CVE-2013-4786.
Use the following recommendations when applying login settings for IPMI users:
Table: Login security settings
Settings | Recommended values |
---|---|
Failed login attempts | 3 |
User Lockout time (min) | 60 seconds |
Force HTTPS | Yes Enable Force HTTPS to ensure that the IPMI connection always takes place over HTTPS. |
Web Session Timeout | 1800 |
Veritas recommends that you enable LDAP authentication.
Veritas recommends that you import a new or a custom SSL certificate.
Table: Remote session security settings
Settings | Recommended value |
---|---|
KVM Encryption | AES-256 |
Media Encryption | Enable |
To help prevent IPMI user actions or activity with no authentication, specific ciphers should be disabled. For further assistance, contact Technical Support and inform the representative to reference article number 000127964.
Use a dedicated Ethernet connection for IPMI and avoid sharing the physical server connection.
Use a static IP.
Avoid using DHCP.