Is there a consensus on whether it's OK to port forward from the firewall to port 22 (SSH) on the BMC, with a strong admin password? I guess this should be safer than exposing the web interface.
You never want these interfaces on the public internet. All my iDRAC ports are on an isolated management VLAN that is only routed to from certain internal networks.
1. You don't want the device even considering requests from anyone but the sole person(s) responsible for accessing the mgmt interface. Someone might not be able to get in, but they could enumerate your hardware characteristics, or perform a denial of service.
2. Don't confuse SSH with secure. You don't know what version/brand/make/model of SSH is running on the embedded device. It might be ancient. It might not even be OpenSSH.
3. If an exploit becomes known for your management interfaces on your machines, you are screwed. First because someone might have already exploited you. Second because now you need to patch your boxes, and that might require a hard reboot of the entire machine. If a patch even exists.
Really, it isn't worth the trouble. There are too many risks.
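The isolation the answer describes (management VLAN reachable only from a chosen internal network, nothing forwarded from the WAN), as an added nftables ruleset that is not part of the original post. The subnets, interface name and the choice of allowed ports (SSH, HTTPS, IPMI/RMCP+ on UDP 623) are assumptions for the example; it runs on the router/firewall that sits between the VLANs.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Constructed subnets:
#   MGMT_NET  - the BMC/iDRAC VLAN
#   ADMIN_NET - the only internal network allowed to reach the BMCs
define MGMT_NET  = 10.99.0.0/24
define ADMIN_NET = 10.20.0.0/24

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the admin network opened
        ct state established,related accept

        # Admin network -> BMCs: SSH and the web UI over HTTPS
        ip saddr $ADMIN_NET ip daddr $MGMT_NET tcp dport { 22, 443 } accept
        # Admin network -> BMCs: IPMI/RMCP+ (ipmitool, SOL)
        ip saddr $ADMIN_NET ip daddr $MGMT_NET udp dport 623 accept

        # Anything else aimed at the management VLAN, including traffic that
        # arrived on the WAN interface, is logged and dropped
        ip daddr $MGMT_NET log prefix "mgmt-denied: " drop
    }
}

# Deliberately no "nat" table here: there is no dnat rule pointing at
# $MGMT_NET, so the BMCs are not reachable from the internet at all.
# If the BMCs need outbound services (NTP, syslog), add explicit
# "ip saddr $MGMT_NET ... accept" rules rather than loosening the policy.
```

Load with `nft -f <file>` and confirm with `nft list ruleset`; the `mgmt-denied:` log prefix gives you a ready-made alert line for anything probing the management VLAN.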