
BMCs are slightly different I think (more powerful!) but at my previous workplace we once had a server provided to us by our hosting provider that had its BMC exposed on the internet with default credentials. They never told us the machine even had one (most of our servers from them didn’t). We only figured it out once we found a Monero miner on the machine.

People on here love promoting dedicated servers over cloud VMs, but it’s so much easier for this sort of thing to go wrong with dedicated hosting.



Integrated Lights-Out (iLO) is the HP flavor of baseboard management controller (BMC) platform. Dell calls theirs Dell Remote Access Controller (DRAC), other vendors have their own branding. They all do more or less the same thing.


BMC is the hardware, iLO is the interface. You can also have other types of interfaces, but in the end it's still a BMC.

A chip that sits on the southbridge of the server and has management capabilities (power operations and access to the underlying OS being the two big ones).


The latest generations of servers ship with randomized BMC passwords. This was indeed a problem in the past when they shipped with credentials such as ADMIN / ADMIN or no password at all.


"Latest generation" = last 2 years. Three years ago I was buying SMC servers which were the first round configured with randomized passwords to comply with CA law (some batches had ADMIN/ADMIN), and Gigabyte servers were still out of compliance.


I bought my last batch of Dell machines in 2017 (so, 5 years? wow), and they had randomised passwords.

But yes, some providers put the BMC on the internet because it's easier. A provider I used once did this and I was quite displeased, as iDRACs are quite weak and suffer under the weight of bot-spam -- even if there were no security issues.


For whatever reason you can still today choose the legacy "root:calvin" password when you order new Dell servers, probably does more harm than good: https://www.dell.com/en-us/work/lp/hmc-idrac-password-14g


Probably to work with auto provisioning automation.

It’s nice to slide in a server, watch as the arps/dhcp requests go out and see the machine spring to life without human intervention.

Easier if there’s a known username/password.


It is possible not everyone gets this option from Dell, but one can get a text file that has all the MAC addresses and programmed passwords for the DRACs from them. Ask your rep how to get this. One can potentially use this information in their automation. The list has serial numbers, eth MACs, iLO MAC, password, model, etc...
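The two comments above describe the same workflow from both ends: a rack arrives, the BMCs send DHCP requests, and automation uses a vendor-supplied manifest of BMC MACs and factory passwords to pick up each new controller without a human typing a credential. The following is an added example, not code from the thread or from Dell, showing how that join can be done offline: it parses a manifest in a constructed CSV layout (the real Dell file format is an assumption and may differ), correlates it with constructed ISC-dhcpd-style DHCPACK log lines, and flags any controller whose factory credential is a well-known default (such as the "root:calvin" option mentioned above) so the first automated step is rotating it rather than using it. The "root" user name and the KNOWN_DEFAULTS set are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the spirit of the per-order manifest the comment
# describes (serial, host NIC MAC, BMC MAC, factory BMC password, model).
# Every value is made up; the real file layout from the vendor is an assumption.
SAMPLE_MANIFEST = """\
serial,eth0_mac,bmc_mac,bmc_password,model
ABC1234,00:11:22:33:44:01,00:11:22:33:44:02,Xy7!pQ2r,PowerEdge R640
DEF5678,00:11:22:33:44:11,00:11:22:33:44:12,calvin,PowerEdge R740
GHI9012,00:11:22:33:44:21,00:11:22:33:44:22,Kd4#Lm9s,PowerEdge R640
"""

# Constructed DHCP server log lines in the style ISC dhcpd emits. Only DHCPACK
# lines matter here: they tell us which lease a BMC actually ended up with.
SAMPLE_DHCP_LOG = """\
Jan 10 12:00:01 dhcp dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:02 via eth1
Jan 10 12:00:01 dhcp dhcpd[1234]: DHCPOFFER on 10.0.9.20 to 00:11:22:33:44:02 via eth1
Jan 10 12:00:02 dhcp dhcpd[1234]: DHCPREQUEST for 10.0.9.20 (10.0.9.1) from 00:11:22:33:44:02 via eth1
Jan 10 12:00:02 dhcp dhcpd[1234]: DHCPACK on 10.0.9.20 to 00:11:22:33:44:02 via eth1
Jan 10 12:00:05 dhcp dhcpd[1234]: DHCPACK on 10.0.9.21 to 00:11:22:33:44:12 via eth1
Jan 10 12:00:09 dhcp dhcpd[1234]: DHCPACK on 10.0.9.55 to aa:bb:cc:dd:ee:ff via eth1
"""

# Well-known vendor defaults (assumed list). A BMC still carrying one of these
# must have its password rotated before anything else is automated against it.
KNOWN_DEFAULTS = {"calvin", "admin", "password", ""}

# Assumed default administrative user; Dell iDRAC ships "root", other vendors differ.
DEFAULT_USER = "root"

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")


@dataclass
class Bmc:
    serial: str
    eth_mac: str
    bmc_mac: str
    password: str
    model: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so manifest and log MACs compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_manifest(text: str) -> Dict[str, Bmc]:
    """Index the manifest by BMC MAC, the only key the DHCP server sees."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    header, body = rows[0], rows[1:]
    out: Dict[str, Bmc] = {}
    for fields in body:
        rec = dict(zip(header, fields))
        bmc = Bmc(
            serial=rec["serial"],
            eth_mac=normalize_mac(rec["eth0_mac"]),
            bmc_mac=normalize_mac(rec["bmc_mac"]),
            password=rec["bmc_password"],
            model=rec["model"],
        )
        out[bmc.bmc_mac] = bmc
    return out


def match_dhcp_acks(log: str, manifest: Dict[str, Bmc]) -> Tuple[List[Tuple[str, Bmc]], List[Tuple[str, str]]]:
    """Pair each DHCPACK with a manifest entry; MACs not in the manifest are
    returned separately because an unexpected device on the BMC VLAN is itself
    something to look at, not something to provision."""
    matched: List[Tuple[str, Bmc]] = []
    unknown: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac in manifest:
            matched.append((ip, manifest[mac]))
        else:
            unknown.append((ip, mac))
    return matched, unknown


def uses_default_password(bmc: Bmc) -> bool:
    return bmc.password.lower() in KNOWN_DEFAULTS


def provisioning_plan(manifest_text: str, dhcp_log: str):
    """For every BMC that just took a lease, return the address and factory
    credential automation would log in with, plus whether rotation is mandatory."""
    manifest = parse_manifest(manifest_text)
    matched, unknown = match_dhcp_acks(dhcp_log, manifest)
    plan = [
        {
            "serial": bmc.serial,
            "model": bmc.model,
            "ip": ip,
            "user": DEFAULT_USER,
            "password": bmc.password,
            "rotate_required": uses_default_password(bmc),
        }
        for ip, bmc in matched
    ]
    return plan, unknown


if __name__ == "__main__":
    plan, unknown = provisioning_plan(SAMPLE_MANIFEST, SAMPLE_DHCP_LOG)
    for entry in plan:
        print(entry)
    for ip, mac in unknown:
        print("unexpected device on BMC network:", ip, mac)
```

With the constructed input, two controllers are matched (the R740 is flagged because its factory credential is the legacy "calvin"), and the unmanifested MAC at 10.0.9.55 is reported rather than provisioned. The plan entries are what you would hand to whichever tool you actually drive the BMC with (racadm, Redfish, IPMI); the point is that the manifest, not a shared known password, is the source of the first-login credential, and anything still on a default goes through rotation first.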


HP Microserver Gen8 with iLO from 2014 also had generated admin password.


HP DL380 G6 and G7 had them back in 2010, maybe before I think. At least the ones I worked with.

It was printed on a slide out tag.

Some earlier generations had paper/cardboard tags tied to them I think but I cannot remember if passwords were there.


As far as I can remember, HP has always randomized the default iLO password. ProLiants used to come with a "toe tag" (little card attached to rack mount server by string) that had the iLO MAC, iLO hostname, default username and default password. Newer ProLiants put it on a sticker on the server itself or on a pull-out tab.


Bit of a red herring, no?

Or did Azure not have endless issues, similar in size and scope?


> People on here love promoting dedicated servers over cloud VMs, but it’s so much easier for this sort of thing to go wrong with dedicated hosting.

Well yeah, different tradeoffs; many people believe that dedicated has more advantages than disadvantages. That doesn't mean zero disadvantages.



