I am currently at University living in college (Australia). Recently I have been accused of performing a DDOS on the university network, specifically the switch which my computer is connected to, by sending hundreds of login attempts.
I know for a fact I have not intentionally performed any such action. I run network sharing through the network manager to connect a few devices (chromecast, phones, smart TV, printers) to the internet through the computer in question, it runs xubuntu 18.04.1. I have run this for over 1 year in the same place on the same port without any issues.
Recently the university has been experiencing login problems for students connecting to their internet (both wireless and Ethernet) and I believe this is the cause of the problem, however I am not sure. I would like to know if anyone has any idea why the computer would perform so many login attempts. I do not have logs, as by default syslog is only kept for seven days (to my understanding).
I have a theory if the issue is related to the internet sharing:
I think the clients on my side of the network have dropped internet access and have pinged the Ubuntu computer for a connection, as there are about 20 devices in total this has caused the computer sharing the internet to constantly attempt to authenticate.
It may just be with how 802.1x authentication is handled on ubuntu, does it have a timeout period between logins? I have tried to look around for these answers but am not getting anywhere.
To let everyone know, it is common for students in my college to run a shared connection using connectify to connect their gaming consoles to the internet and I have messages from the student leaders informing other students on how to do this.
Any direction on the theory behind 802.1x authentication or if anyone has experienced a high volume of login attempts from ubuntu would be greatly appreciated.
Disclaimer: I am not a networking guy, just making some guesses.
Tell me if I understand correctly: The xubuntu machine uses whatever authentication mechanism to get access to the network and you have configured it to share the wired network connection with your other devices (i.e. via a wireless card)?
How exactly have you set up the network sharing? Via the GUI with “share to other computers” and an Ad-Hoc network?
I guess you do not have to authenticate with every individual device right? -> in that case it should not matter how many devices are connected, the network “sees” only one device (your xubuntu machine). (your devices “share” the IP address of your pc)
Do you have an intermittent network connection from your xubuntu machine? If that is the case I think the problem is the pc itself drops and reconnects from the network and causes this (i.e. faulty cable or network adapter).
What kind of authentication system does your university use?
The xubuntu machine uses 802.1x authentication over an Ethernet interface to connect to the university internet. There is a second Ethernet adapter which is set as “shared” in the nm-connection-editor ipv4 and ipv6 settings. This is plugged into a wifi router with wpa2 authentication set in bridge mode.
The internet connection appears to be stable. You are right that the network only sees one device connected. I think the traffic is routed using the masquerade option in iptables under the hood.
No you don’t have to authenticate each client, the sharing option assigns addresses using a local DHCP server in the 10.42.0.0 range.
I don’t know why doing this would cause so many authentication attempts against the network using my login, for some reason the password was not accepted (it has not changed and was stored in /etc/NetworkManager/system-connections/NETWORK_NAME under the [802.1x] section).
Did this behaviour start with the update to a certain xubuntu version? I vaguely remember a similar problem with one of the Ubuntu 16 releases. Maybe I can find something.
I guess in the meantime we have to wait for one of the networking guys to chime in.
Edit: Has the admin mentioned if the login attempts did indeed come from the IP address of the xubuntu machine? Maybe you have logged in with a different device and it tries to connect and causes failed logins?
The authentication does not validate the certificate on any platform (this is specified in their docs), when connecting through the gui the “No CA certificate is required” option is checked.
There are a handful of people I have given the password to, I monitor the network using Ntopng and the ubiquiti web gui (I have a wireless AC PRO as the access point) and have seen no new clients connect.
I have no idea what they have done on their end. They have accused me of performing a brute force attack on their network via hundreds of login attempts, this is all I know. I know this is the first time this has happened since I set this up (over a year) because they would have contacted me in the past.
Is it normal for the ubuntu 802.1x authentication to spam login attempts when the authentication server stops working? I know they have experienced problems with authentication recently and it’s possible I’m one of the only students running an Ubuntu desktop.
Thank you everyone for your help. It turns out I am an idiot, by pure chance I found a syslog for the day (thank you time shift).
I have confirmed the login attempts are for a network switch. I was looking through the logs and it appears the machine itself has tried hundreds of times to log in to the switch on port 161.
I had installed observium to see how it worked. Would this try to login to the switch automatically hundreds of times?
I’m not sure why it would do that. I’d do a packet capture and look into it from there. It honestly could be any number of things. Also if the router has logging turned on that would be useful as well.
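One way to act on the packet-capture suggestion above, as an added example that is not part of any post in this thread: it reads `tcpdump -nn` text output and counts, per minute, how many packets each host sends to UDP port 161 (SNMP) on each destination. The sample lines, addresses and threshold are constructed.

```python
import re
from collections import Counter, defaultdict

REQ = "GetRequest(28)  .1.3.6.1.2.1.1.1.0"   # constructed payload text, not parsed
# Constructed capture in `tcpdump -nn` text form (documentation addresses).
SAMPLE = "\n".join(
    [f"10:15:{s:02d}.000001 IP 192.0.2.10.40112 > 192.0.2.1.161:  {REQ}"
     for s in range(0, 60, 5)]                                  # 12 polls in 10:15
    + [f"10:15:{s:02d}.000900 IP 192.0.2.1.161 > 192.0.2.10.40112:  GetResponse(40)"
       for s in (0, 30)]                                        # replies from the switch
    + [f"10:16:02.000001 IP 192.0.2.10.40112 > 192.0.2.1.161:  {REQ}",
       "10:16:03.000001 IP 192.0.2.10.53211 > 192.0.2.53.53: 4660+ A? example.org. (29)"]
)

# Timestamp, source ip.port, destination ip.port; everything after ':' is ignored.
LINE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def requests_per_minute(capture_text, port=161):
    """Return {(src, dst): Counter({'HH:MM': n})} for packets sent to `port`."""
    buckets = defaultdict(Counter)
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m or int(m["dport"]) != port:
            continue  # unparsable line, a reply, or traffic to another service
        buckets[(m["src"], m["dst"])][f"{m['h']}:{m['m']}"] += 1
    return buckets


def noisy_pairs(capture_text, threshold, port=161):
    """List (src, dst, minute, count) where one minute exceeds `threshold`."""
    hits = []
    for (src, dst), per_min in requests_per_minute(capture_text, port).items():
        for minute, n in sorted(per_min.items()):
            if n > threshold:
                hits.append((src, dst, minute, n))
    return hits


if __name__ == "__main__":
    for src, dst, minute, n in noisy_pairs(SAMPLE, threshold=10):
        print(f"{minute}  {src} -> {dst}:161  {n} packets")
```

Run against a real capture, the per-minute counts show whether the traffic is a steady poll from a monitoring tool or a burst, and which destination it is aimed at.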
Hey dude. Rule of thumb is that when you’re spinning up any *nix based machine it would behoove you to install fail2ban so that if someone is trying to get into your box with a scanner fail2ban will blacklist it.