Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Monitor pattern of failed attempts to join with Mikrotik Access Point

Tue Apr 27, 2021 6:42 pm

I'm attempting to see if it is even possible to identify if there is a persistent pattern of failed access attempts.
I set up a logging rule/action for wireless debug according to https://wiki.mikrotik.com/wiki/Manual:W ... Debug_Logs and attempted an access with a bad password (PSK) using a smartphone.
The most I can see is "disconnected, unicast key exchange timeout" (see log extract). However, I can't be sure that all potential "attacks" will yield the same format message or even be visible to the access point.
Has anyone explored this?

16:49:26 wireless,debug DEBUG:: wlan1-1: 90:18:7C:D5:AC:BE attempts to associate 
16:49:26 wireless,debug DEBUG:: wlan1-1: 90:18:7C:D5:AC:BE not in local ACL, by default accept 
16:49:26 wireless,info 90:18:7C:D5:AC:BE@wlan1-1: connected, signal strength -46 
16:49:26 wireless,info action1:: 90:18:7C:D5:AC:BE@wlan1-1: connected, signal strength -46 
16:49:26 wireless,info DEBUG:: 90:18:7C:D5:AC:BE@wlan1-1: connected, signal strength -46 
16:49:31 wireless,info 90:18:7C:D5:AC:BE@wlan1-1: disconnected, unicast key exchange timeout 
16:49:31 wireless,info action1:: 90:18:7C:D5:AC:BE@wlan1-1: disconnected, unicast key exchange timeout 
16:49:31 wireless,info DEBUG:: 90:18:7C:D5:AC:BE@wlan1-1: disconnected, unicast key exchange timeout 
16:49:35 firewall,info DROP: input: in:ether1 out:(unknown 0), src-mac 90:18:7c:d5:ac:be, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 343 
16:49:35 firewall,info action1:: DROP: input: in:ether1 out:(unknown 0), src-mac 90:18:7c:d5:ac:be, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 343 
16:49:53 dhcp,info BASE_DHCP deassigned 192.168.0.12 from 90:18:7C:D5:AC:BE 
I'm using this: hAP ac router running MikroTik RouterOS 6.48.1. The wireless authentication type configured is WPA2 PSK
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Monitor pattern of failed attempts to join with Mikrotik Access Point

Wed Apr 28, 2021 11:41 am

(It's like you overlog, 3 times the same log on "" / action1 / debug)

90:18:7C:D5:AC:BE attempts to associate
90:18:7C:D5:AC:BE not in local ACL, by default accept
90:18:7C:D5:AC:BE connected
90:18:7C:D5:AC:BE disconnected, unicast key exchange timeout
 
Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Re: Monitor pattern of failed attempts to join with Mikrotik Access Point

Wed Apr 28, 2021 3:55 pm

I agree the logging is not a pretty sight.
That is the default log buffer in memory. I added a reduced rule/action for logging to disk for long term log storage. That also creates, as a side effect, unwanted duplicate entries in the default log buffer. In an attempt to get more explicit wireless debug information, I enabled yet another rule/action (as recommended in that link I supplied) but this yielded nothing more related to a failed login attempt.
But, anyway, thank you for the summary of the relevant log information.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Monitor pattern of failed attempts to join with Mikrotik Access Point  [SOLVED]

Wed Apr 28, 2021 3:58 pm

Do not expect any "login failed" log, because WPA2 does not ask for a "login"; in short, it expects data encrypted with the right key.
When this wait times out, it simply drops the connection (disconnected, unicast key exchange timeout).

Warning: "disconnected, unicast key exchange timeout" also appears when the Wi-Fi connection drops because of interference or other non-malicious activity.
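
One way to look for the pattern asked about in an exported log, as an added example that is not from any poster in this thread: it collapses the duplicate copies of each entry, counts every connect that is followed within seconds by "unicast key exchange timeout", and reports stations that repeat it. The function names, thresholds and sample MAC addresses are assumptions, and since the same message also appears after interference, a hit only marks a station worth a closer look.

```python
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) wireless,info (?:\S+:: )?"
                  r"([0-9A-Fa-f:]{17})@(\S+): (connected|disconnected)(?:, (.*))?$")
TIMEOUT = "unicast key exchange timeout"

def failed_handshakes(lines, max_session=10):
    """Yield (seconds, mac, iface) for each connect followed within
    max_session seconds by a key exchange timeout (assumed cut-off)."""
    seen, connected_at = set(), {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # debug, firewall, dhcp and other topics
        h, mi, s, mac, iface, event, detail = m.groups()
        t, sta = int(h) * 3600 + int(mi) * 60 + int(s), (mac.upper(), iface)
        if (t, sta, event, detail) in seen:  # same entry written by another action
            continue
        seen.add((t, sta, event, detail))
        if event == "connected":
            connected_at[sta] = t
        elif detail == TIMEOUT and t - connected_at.pop(sta, -10**9) <= max_session:
            yield t, sta[0], sta[1]

def repeat_offenders(lines, threshold=3, window=300):
    """Return {mac: peak count} for stations with at least `threshold`
    failed handshakes inside a sliding window of `window` seconds."""
    recent, peak = defaultdict(deque), {}
    for t, mac, _ in failed_handshakes(lines):
        q = recent[mac]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[mac] = max(peak.get(mac, 0), len(q))
    return peak

# Constructed sample (not real data): every entry is written three times,
# as in the extract above. AA fails three times, CC once, BB drops after
# a long session, which looks like interference rather than a bad PSK.
AA, BB, CC = ("02:00:00:00:00:" + x for x in ("AA", "BB", "CC"))
UP, DOWN = "connected, signal strength -46", "disconnected, " + TIMEOUT
EVENTS = [("16:30:00", BB, UP), ("16:49:26", AA, UP), ("16:49:31", AA, DOWN),
          ("16:50:02", AA, UP), ("16:50:07", AA, DOWN), ("16:51:10", AA, UP),
          ("16:51:15", AA, DOWN), ("16:52:00", CC, UP), ("16:52:05", CC, DOWN),
          ("17:40:00", BB, DOWN)]
SAMPLE = [f"{ts} wireless,info {p}{mac}@wlan1-1: {msg} "
          for ts, mac, msg in EVENTS for p in ("", "action1:: ", "DEBUG:: ")]

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE))
```

Timestamps in this log format carry no date, so the sketch assumes the input covers a single day.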
 
Cloudrunner
just joined
Topic Author
Posts: 9
Joined: Wed Mar 10, 2021 8:18 pm

Re: Monitor pattern of failed attempts to join with Mikrotik Access Point

Thu Apr 29, 2021 12:32 am

OK. Thanks. It did cross my mind that such attacks might not even be visible to the access point because of the nature of the authentication process.
