zlacker

1. parlia+(OP) 2020-07-23 17:28:38
Well, those ports should never face the internet anyway. Most servers will have a dedicated (physical) port you use for IPMI or whatever -- VLAN that and only allow access from your VPN. If you're extra secure you can full-on disable the switchport until you need it.
replies(2): >>extrap+H3 >>fulafe+Vi
2. extrap+H3 2020-07-23 17:47:34
>>parlia+(OP)
Make sure in the BIOS to disable fallback to one of the other Ethernet ports. Quite a few IPMIs will listen on eth0 if it loses the dedicated IPMI port link by default.
3. fulafe+Vi 2020-07-23 19:02:02
>>parlia+(OP)
This fail-open "should" is bad besides for the obvious reasons, also because it'll be extra ops complexity compared to a secure kvm widget that you don't have to handle with kid gloves.

(And thirdly because of the sibling comment noted footgun.. or silent foot-boobytrap more properly)

replies(1): >>parlia+LJ
4. parlia+LJ 2020-07-23 21:43:27
>>fulafe+Vi
The problem is BMC has an astounding array of features[1] that are worth the operational complexity. This isn't just KVM like in OP's post... being able to remote mount images is a godsend when you're provisioning a server or diagnosing hardware issues or doing a BIOS update on the other side of the globe (with your other alternative being shipping a flash drive[2], then paying $200/hr for DC remote hands to plug it in for you).

[1] https://www.supermicro.com/en/solutions/management-software/...

[2] don't even try to talk about PXE booting if you've never tried to get DHCP+BOOTP to work over a WAN

replies(2): >>mtlync+181 >>fulafe+qH1
5. mtlync+181 2020-07-23 23:56:22
>>parlia+LJ
The Pi is capable of remote mounting images.[0] I haven't implemented support for it in TinyPilot yet, but it should be possible.

[0] http://www.isticktoit.net/?p=1383

6. fulafe+qH1 2020-07-24 06:12:53
>>parlia+LJ
I think you can do all those with iPXE, works well over WAN. As a bonus you can get your images over HTTPS and not insecure TFTP.