UBUNTU 802.1x authentication spamming (Brute force attack levels)

Hello everyone

I am currently at University living in collage (Australia). Recently I have been accused of performing a DDOS on the university network, specifically the switch which my computer is connected to by sending hundreds of login attempts.

I know for a fact I have not intentionally performed any such action. I run network sharing through the network manager to connect a few devices (chromecast, phones, smart TV, printers) to the internet through the computer in question, it runs xubuntu 18.04.1. I have ran this for over 1 year in the same place on the same port without any issues.

Recently the university has been experiencing login problems for students connecting to their internet (both wireless and Ethernet) and I believe this is the cause of the problem, however am not sure. I would like to know if anyone has any idea why the computer would perform so many login attempts. I do not have logs, as by default syslog is only kept for seven days (to my understanding).

I have a theory if the issue is related to the internet sharing:

I think the clients on my side of the network have dropped internet access and have pinged the Ubuntu computer for a connection, as there are about 20 devices in total this has caused the computer sharing the internet to constantly attempt to authenticate.

It may just be with how 802.1x authentication is handled on ubuntu, does it have a timeout period between logins? I have tried to look around for these answers but am not getting anywhere.

To let everyone know, it is common for students in my collage to run a shared connection using connectify to connect their gaming consoles to the internet and I have messages from the student leaders informing other students on how do this.

Any direction on the theory behind 802.1x authentication or if anyone has experiencing a high volume of login attempts from ubuntu would be greatly appreciated.

Thank you

Disclaimer: I am not a networking guy, just making some guesses.

Tell me if I understand correctly: The xubuntu machine uses whatever authentication mechanism to get access to the network and you have configured it to share the wired network connection with your other devices (i.e. via a wireless card)?

How exactly have you set up the network sharing? Via the GUI with “share to other computers” and an Ad-Hoc network?

I guess you do not have to authenticate with every individual device right? -> in that case it should not matter how many devices are connected, the network “sees” only one device (your xubuntu machine). (your devices “share” the IP address of your pc)

Do you have an intermittent network connection from your xubuntu machine? If that is the case I think the problem is the pc itself drops and reconnects from the network and causes this (i.e. faulty cable or network adapter).

What kind of authentication system does your university use?

Thank you for your response

The xubuntu machine uses 802.1x authentication over an Ethernet interface to connect to the university internet. There is a second Ethernet adapter which is set as “shared” in the nm-connection-editor ipv4 and ipv6 settings. This is plugged into a wifi router with wpa2 authentication set in bridge mode.

The internet connection appears to be stable. You are right that the nextwork only sees one device connected. I think the traffic is routed using the masquerade option in ip tables under the hood.

No you don’t have to authenticate each client, the sharing option assigns addresses using a local DHCP server in the range.

I don’t know why doing this would cause so many authentication attempts against the network using my login, for some reason the password was not accepted "it has not changed and was stored in /etc/NetworkManage/system-connections/NETWORK_NAME under the [802.1x] section

In short, it shouldn’t.

Did this behaviour start with the update to a certain xubuntu version? I vaguely remember a similar problem with one of the Ubuntu 16 releases. Maybe I can find something.

I guess in the meantime we have to wait for one of the networking guys to chime in.

Edit: Has the admin mentioned if the login attempts did indeed come from the IP address of the xubuntu machine? Maybe you have logged in with a different device and it trys to connect and causes failed logins?

Yes the logins have been confirmed to be from the machine

Out of interest who else can use this (if anybody)

Are you using a certificate ?
What troubleshooting methods have you done on your end ? What trouble shooting methods have they done on their end.

The authentication does not validate the certificate on any platform (this is specified in their docs), when connecting through the gui the No CA certificate is required is checked.

There are a handful of people I have given the password to, I monitor the network using Ntopng and the ubiquiti web gui (I have a wireless AC PRO as the access point) and have seen no new clients connect.

I have no idea what they have done on their end. They have accused me of performing a brute force attack on their network via hundreds of login attempts, this is all I know. I know this is the first time this has happened since I set this up (over a year) because they would have contacted me in the past.

Is it normal for the ubuntu 802.1x authentication to spam login attempts when the authentication server stops working? I know they have experienced problems with authentication recently and its possible I’m one of the only students running a Ubuntu desktop.

Thank you everyone for your help. It turns out I am an idiot, by pure chance I found a syslog for the day (thank you time shift).

I have confirmed the login attempts are for a network switch. I was looking through the logs and it appears the machine itself has tried hundreds of times to login to the switch on port 161.

I had installed observium to see how it worked. Would this try to login to the switch automatically hundreds of times?

Maybe @digital_zero can answer that. Also, maybe @Phantom , @wolfleben or one of the other moderators can add a helpdesk tag to this thread?

added helpdesk tag

thanks :grin:

Just so you are aware, we can not offer any help if what you are asking about is in violation of your campus terms of service.

OP is asking why his ubuntu box is spamming his campus network so he can remediate the issue.

If I were in the situation since he stated it only recently started happening, to reimage the box.

I’m not sure why it would do that. I’d do a packet capture and look into it from there. It honestly could be any number of things. Also if the router has logging turned on that would be useful as well.

1 Like

Hey dude. Rule of thumb is that when you’re spinning up any *nix based machine it would behoove you to install fail2ban so that if someone is trying to get into your box with a scanner fail2ban will blacklist it.

OP mentioned that they are allowed to share connections and what he is doing is okay apart from the unintentional failed login attempts.

Thanks for coming by, we definitely need more info from OP, it’s just that I don’t know enough to be of much further help.