racadm config -g cfgRacTuning -o cfgRacTuneIpRangeMask 255.255.255.252
The last byte of the range mask is set to 252, the decimal equivalent of
11111100b.
IP Filtering Guidelines
Use the following guidelines when enabling IP filtering:
• Ensure that cfgRacTuneIpRangeMask is configured in the form of a
netmask, where the most significant bits are all 1's (which defines the
subnet in the mask) with a single transition to all 0's in the low-order bits.
• Use the desired range's base address as the value of
cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should
have zeros in all the low-order bits where there are zeros in the mask.
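A pre-flight check for the two guidelines above, as an added example (not part of the Dell documentation). The function name check_ip_range and the sample addresses are constructed; the first/last addresses it reports assume the filter admits every address that matches the base address under the mask.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def check_ip_range(addr, mask):
    """Check a cfgRacTuneIpRangeAddr / cfgRacTuneIpRangeMask pair.

    Returns (problems, first, last). first/last are None if the mask is invalid.
    """
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    zero_bits = ~m & ALL_ONES  # positions where the mask is 0
    problems = []

    # Guideline 1: high-order 1s, one transition, low-order 0s.
    # In that case zero_bits has the form 2**k - 1, so zero_bits & (zero_bits + 1) == 0.
    if zero_bits & (zero_bits + 1):
        problems.append(f"mask {mask} is not contiguous 1s followed by 0s")
        return problems, None, None

    # Guideline 2: the address must be 0 wherever the mask is 0.
    base = a & m
    if a != base:
        problems.append(
            f"address {addr} has low-order bits set; base is {ipaddress.IPv4Address(base)}"
        )

    first = str(ipaddress.IPv4Address(base))
    last = str(ipaddress.IPv4Address(base | zero_bits))  # assumed upper end of range
    return problems, first, last


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the page.
    samples = [
        ("192.0.2.212", "255.255.255.252"),  # valid pair
        ("192.0.2.213", "255.255.255.252"),  # address not on the range base
        ("192.0.2.0", "255.0.255.0"),        # mask with a gap
    ]
    for addr, mask in samples:
        problems, first, last = check_ip_range(addr, mask)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{addr} / {mask}: {status} (range {first} - {last})")
```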
Configuring IP Blocking
IP blocking dynamically determines when excessive login failures occur from
a particular IP address and blocks (or prevents) the address from logging in to
iDRAC6 for a preselected time span.
The IP blocking features include:
• The number of allowed login failures (cfgRacTuneIpBlkFailcount)
• The time frame in seconds during which these failures must occur
(cfgRacTuneIpBlkFailWindow)
• The amount of time in seconds that the blocked IP address is prevented
from establishing a session after the allowed number of failures is exceeded
(cfgRacTuneIpBlkPenaltyTime)
As login failures accumulate from a specific IP address, they are registered by
an internal counter. When the user logs in successfully, the failure history is
cleared and the internal counter is reset.
NOTE: When login attempts are refused from the client IP address, some SSH clients
may display the following message: ssh exchange identification:
Connection closed by remote host.
See "iDRAC6 Enterprise Property Database Group and Object Definitions"
for a complete list of cfgRacTune properties.
Using the RACADM Command Line Interface