AMT 9: "Authentication failed x times. The system may be under attack."


mcbsys's picture

Hi,

I recently deployed a Lenovo M93p desktop that has AMT 9.0.2-build 1345. I set up vPro from MEBx, changing the password as required when I first went in to MEBx. That's the password I'm still using to access the web UI.

The web UI event log is reporting thousands of authentication failures (see screen shot). Since the vPro ports are only open inside the LAN and across a private VPN, it's unlikely that it's a real attack.

I found a 2009 reference on this:

https://communities.intel.com/docs/DOC-1247#Password_issue_causes_WebUI_...

but I don't quite understand what it means. Is it "normal" to see thousands of failures when no one is connecting? Where are these failures coming from?

Also: is it normal for AMT to use GMT time rather than local time?

Thanks,

Mark Berry
MCB Systems

Attachment: AMT attack.png (77.23 KB)
Gael Hofemeier (Intel)'s picture

I have seen this before - what management console/software are you using? (Meshcentral?)

Yes, the ME uses UTC time.

 

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
mcbsys's picture

Hi Gael,

Thanks for your reply. The screen shot is from the web UI (http://machine:16992). I see similar errors when I view the event log from the vPro Platform Solution Manager.

Mark Berry

Gael Hofemeier (Intel)'s picture

According to that article, it is operating correctly, but it seems odd to me that we would want that error to be happening constantly (otherwise when do you know to take it seriously?)

Did you change the password from the Web UI to be something other than what you set it to on the ME? We have AMT users (admins) and we have the ME. When you change the password in the MEBx menus, you are changing the ME password and it syncs to the AMT Admin account. BUT if you go into the Web UI and change the password to something else, you are changing your AMT Admin password only and they are no longer synced. I will see if I can find out more information on this issue.

mcbsys's picture

I'm 99% sure I didn't change the password after first setting it up in MEBx. The only user is "admin".

Looks like it's logging 16,000+ attacks per day. I wonder if that isn't using some processing power.

Would be nice if there was more info:  where do the attacks originate, what exactly is incorrect.

This machine was created a bit oddly:  I restored a Windows Image backup from the machine it replaced, which was an older Dell Optiplex 755. That had an older version of Intel AMT software on it, and I then over-installed the Lenovo versions. I don't really understand what the AMT software does, nor do I know if I need it, since all I care about is out-of-band access when the desktop is otherwise unreachable. But I wonder if the Windows software could cause this?

Gael Hofemeier (Intel)'s picture

First:  If you want out of band access, then you need AMT to be enabled and configured correctly (along with a management console.)

Now that I know that you restored an AMT 9 system from an image off an older device, that may explain a lot.

Here is what I would do: Take a look at the "Start Here Guide:" http://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9

Look at section 6 - Intel AMT Drivers and Services. In order for AMT to function correctly, it requires some drivers/services.  Specifically, the MEI driver (Interface between the OS and the ME)  and the LMS service (Local Messaging Service). If you clobbered the MEI 9 driver with a driver that was written for an earlier version of AMT, I would bet that you would run into issues.  You will need to find the correct versions of your AMT/ME drivers/software and install them.  Your system should have come with a disk that has them or they should be downloadable from the support site for your OEM (they are generally OEM specific.)

Please let me know if installing the correct version of the drivers/software solves this problem.

 

mcbsys's picture

Before AMT 9, the only out-of-band thing I have ever done is turn on the machine from the web interface. That did not seem to require Windows software? Now, with AMT 9, I'd like to have remote access to the BIOS thru KVM, as we have been discussing in another thread.

As I mentioned, I overinstalled the latest Lenovo drivers after restoring the image. However, as I look at the Add/Remove Programs, it looks like that may not have uninstalled the previous versions. There are two versions in there with no version number but dated 2010 (see screen shot). I'll uninstall those and see what happens.

Attachment: amt-old-and-new.png (23.21 KB)
Gael Hofemeier (Intel)'s picture
Best Reply

I would definitely get rid of those 2010 versions. You don't need a management console if the Web UI suits your needs. But you are right about doing KVM - you will need either the vPro Platform Solution Manager or the DTK. I would bet that your problem is that you have old and incompatible drivers on your system.

mcbsys's picture

Yup, that seemed to have fixed it! I uninstalled those 2010 versions about 4pm PST yesterday. The last "Authentication failed" message was 9:40pm GMT or 1:40pm PST.

I think we can call this closed. Thanks for your help!

Mark Berry
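
The check that resolved this thread, as an added example that is not part of the original posts or Intel's tooling: a PowerShell inventory of installed Intel ME/AMT packages, the LMS service and the MEI driver, flagging leftovers like the unversioned 2010 entries described above. The display-name patterns and the service name `LMS` are assumptions; OEM package names vary.

```powershell
# Added example: find stale Intel ME/AMT software after an image restore.
# Assumption: OEM packages carry one of these phrases in their display name.
$namePattern = 'Management Engine|Active Management|\bAMT\b'

# Add/Remove Programs entries live under both the native and 32-bit uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$packages = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher)

'Installed ME/AMT packages:'
$packages | Sort-Object DisplayName, InstallDate | Format-Table -AutoSize

# Entries with no version number are the pattern seen in this thread.
$unversioned = @($packages | Where-Object { -not $_.DisplayVersion })
# The same product listed more than once suggests an over-install left the old copy behind.
$duplicates  = @($packages | Group-Object DisplayName | Where-Object { $_.Count -gt 1 })

if ($unversioned.Count -gt 0) {
    'Packages with no version number (review for removal):'
    $unversioned | Format-Table DisplayName, InstallDate -AutoSize
}
if ($duplicates.Count -gt 0) {
    'Products installed more than once:'
    $duplicates | ForEach-Object { '  {0} x{1}' -f $_.Name, $_.Count }
}
if ($packages.Count -gt 1) {
    'More than one ME/AMT package is present; confirm all match the platform AMT version.'
}

# Assumption: the Local Manageability Service is registered under the name LMS.
'LMS service:'
Get-Service -Name 'LMS' -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

# MEI driver version and date, to compare against the OEM's current download.
'MEI driver:'
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -match 'Management Engine Interface' } |
    Format-Table DeviceName, DriverVersion, DriverDate, Manufacturer -AutoSize
```

Run it from an elevated prompt and compare the reported versions against the OEM support site before uninstalling anything.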

Gael Hofemeier (Intel)'s picture

Great!  Did this help resolve your other issue with being able to connect to the DTK?

mcbsys's picture

No, DTK v0.1.26 still can't connect. When I start it, it tells me that 0.1.27 is available, but when I click on the Update button, nothing happens. The latest version at the site http://opentools.homeip.net/open-manageability is 1.26.

Gael Hofemeier (Intel)'s picture

This was a great question, so thank you, Mark, for posting and sticking with it. I think we may see this come up with other AMT users so I put it into a blog: http://software.intel.com/en-us/blogs/2013/11/19/intelr-amt-event-log-authentication-failed-x-times-the-system-may-be-under-attack

 

mcbsys's picture

Good idea--that will probably help others.

Mark Berry
