Hi!
I am running LEDE 17.01.4 on my beloved TP-Link 1043nd v.1
I want to disable all AMT/ME ports because I use a vPro platform for personal use and will never be at risk of being spied on.
I am using a VPN provider (desktop app), but as far as I know AMT/ME bypasses that as some sort of low-level network interface (https://www.scivision.co/intel-amt-vpro-kvm-port-forwarding-necessary/). So I need to block the ports on my router to be safe.
The ports I found so far:
9971 By default, Intel SCS (a component of the OOB site server) listens on port 9971. Intel AMT devices send their Hello packets to this port.
16992 Intel® AMT HTTP
16993 Intel® AMT HTTPS. Used for WS-Management messages to and from Intel AMT when TLS is enabled. See Transport Layer Security.
16994 Intel® AMT Redirection/TCP
16995 Intel® AMT Redirection/TLS
623 ASF Remote Management and Control Protocol (ASF-RMCP)
664 DMTF out-of-band secure web services management protocol / ASF Secure Remote Management and Control Protocol (ASF-RMCP)
5900 VNC (Virtual Network Computing) - remote control program
Can someone create a set of firewall rules that drop all traffic on these ports? As well as local ports and WAN traffic. So we can stay all safe with the publication of various Intel ME/AMT vulnerabilities.
config rule
	# a 'redirect' section cannot DROP; a 'rule' section with a dest zone filters forwarded traffic
	option src 'lan'
	option dest 'wan'
	# you didn't specify TCP or UDP, so I used both below
	option proto 'tcpudp'
	# the AMT port is the destination port of the outgoing connection
	option dest_port '<PORT_NUMBER>'
	option target 'DROP'
There are many wild vulnerabilities in the computing world, I'm not sure it's necessary to post block rules for every one. The manual specifies how to make firewall rules.
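A complete version of the template above for every port in the question, as an added example that is not code from the thread: a POSIX shell script that prints UCI `config rule` sections dropping TCP and UDP to each AMT port for lan-to-wan and wan-to-lan forwarding, plus wan input to the router itself. The rule names and the choice of `dest_port` are my assumptions; as noted in the thread, traffic inside the VPN tunnel is not visible to these rules.

```shell
#!/bin/sh
# Added example (not from the thread): emit OpenWrt/LEDE UCI firewall rules that
# DROP traffic to the Intel AMT/ME ports listed in the question. Append the output
# to /etc/config/firewall, then run: /etc/init.d/firewall restart
# Ports taken from the original post; 623/664 (RMCP) also use UDP, hence tcpudp.
AMT_PORTS="623 664 5900 9971 16992 16993 16994 16995"

# emit_rule SRC DEST PORT : one rule section dropping forwarded traffic from zone
# SRC to zone DEST whose destination port is PORT (TCP and UDP).
emit_rule() {
    printf "config rule\n"
    printf "\toption name 'Block-AMT-%s-%s-%s'\n" "$1" "$2" "$3"
    printf "\toption src '%s'\n" "$1"
    printf "\toption dest '%s'\n" "$2"
    printf "\toption proto 'tcpudp'\n"
    printf "\toption dest_port '%s'\n" "$3"
    printf "\toption target 'DROP'\n\n"
}

# emit_input_rule PORT : no 'dest' option means the rule applies to traffic
# addressed to the router itself (INPUT), so unsolicited WAN probes are dropped.
emit_input_rule() {
    printf "config rule\n"
    printf "\toption name 'Block-AMT-wan-input-%s'\n" "$1"
    printf "\toption src 'wan'\n"
    printf "\toption proto 'tcpudp'\n"
    printf "\toption dest_port '%s'\n" "$1"
    printf "\toption target 'DROP'\n\n"
}

# gen_amt_rules : the full fragment, three sections per port.
gen_amt_rules() {
    for p in $AMT_PORTS; do
        emit_rule lan wan "$p"   # stop LAN hosts reaching AMT services outside
        emit_rule wan lan "$p"   # belt and braces on top of the default forward policy
        emit_input_rule "$p"     # protect the router's own WAN interface
    done
}

# count_rules : number of rule sections produced (8 ports x 3 = 24).
count_rules() {
    gen_amt_rules | grep -c '^config rule$'
}

gen_amt_rules
```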
While blocking the ports on the OpenWrt router is not a bad idea, if this concerns you, remember that the VPN traffic is "opaque" to the router. This is really a desktop-hardening question as the VPN provides an "open pipe" to its remote portal.
I'd look to see if you can disable AMT/ME, especially if it bypasses the OS and interacts with the network directly. An internet search reveals several possible references on this, such as
Thanks for your advice. The only way to disable the ME chip is to flash a custom firmware using me_cleaner. But there is no guarantee your device will ever boot again, so I don't do that.
For now I prefer to block all ports used by AMT as stated above. I used the script as provided by lleachii as I am not an IT professional and don't fully understand the manual. I still want to block the WAN>LAN ports for peace of mind. Are the rules between the asterisks right? Are there any spaces too many or missing?
Verification by a specialist would be very helpful.