Tell who is trying to log into my network?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by wackymacky, Nov 5, 2008.

  1. wackymacky macrumors 65832


    Likely to a simple answer.

    I have a simple wireless home network set up.

    A Time capsule using the default network settings, WPA security, as the router (and connected to to the ADSL modem).

    An iMac with OS X 10.5 which I used to set up the network via airport utility, and an iBook (and an iPhone) all that connect to the network to print and access the internet wirelessly (no connections via Ethernet cables).

    Obviously I have an administrator account for the computers and know the network and router (Time capsule) password.

    Is there a way to see a log of attempts to log into the network form other devices. (ie my neighbour’s son?)
  2. Cinematographer macrumors 6502a


    Sep 12, 2005
    far away
    That's something I really would like to know as well. Any hints are welcome.
  3. corbywan macrumors regular

    Feb 4, 2008
    Forest Grove, OR
    I don't know that this is the best or easiest way to do this, but you could try this. Write down (or otherwise record) the MAC addresses of your devices. Do this by:

    Logging into your AEBS
    On the Summary tab (which is where you are by default) you will see "Wireless Clients:" with a number indicating how many wireless devices are currently logged in.
    Click on the words "Wireless Clients" and you will be taken to a screen listing then all. The funky number in the "Clients" column is the MAC address of each device.

    Once you have a record of your devices it may be possible to go into the Logs of the AEBS and look for devices that aren't yours. The AEBS tracks all connections. Just click on the "Logs" tab on the screen you are currently on. You could also export the logs and sort through them that way.

    Like I said, might not be the easiest way, I'm sure it isn't the only way, but it is a way to do it off the top of my head.
  4. ChrisA macrumors G4

    Jan 5, 2006
    Redondo Beach, California
    Airport utility will display the log file from the airport router. Logins are logged there.

    You can set up access based on MAC address so that no computers other then those you know about can connect.
  5. foshizzle macrumors regular

    Oct 17, 2007
    If you are worried about your neighbor logging on, either filter connection by MAC address so the the router only allows your devices to connect, OR make the SSID hidden, bump up to WPA2 security. That second option would be if you still would like to be able to give your friends access if they come over without having to go into the router, getting the MAC address of their machine, adding it, rebooting the router, etc.

    You also can lower the power of the router, so that it only covers the area of your house (assuming your router is in the center of the home). This would take some playing with though to get it just right.
  6. wackymacky thread starter macrumors 65832


    Since I got the TC a week ago I set it to WPA.

    My old router only was WEP (that I was being cheap and not relpacing despite it's age).

    My neighbor 13 year old son hacked my old network and was downloading torrent DVDs on my DSL connection.

    I wanted to see if her was TRYING to hack my new network.

    I guess though if I renamed it and made the SSID hidden rather than just altering the security level and password it would solve the issue.
  7. RGunner macrumors 6502a


    Jul 3, 2002
    Midnight Sun
    hiding an SSID doesnt do squat

    sounds like WPA / WPA2 will be your only defence here.

    there are easily available sniffers for hidden SSID's and WEP is about useless.

    MAC filter and WPA2, that would solve him from getting in.
  8. cdcastillo macrumors 6502a


    Dec 22, 2007
    The cesspit of civilization
    Question not answered...

    He/She asked how to SEE if someone was ATTEMPTING to get into his/her network, not how to avoid it.

    And the only reason I'm pointing this is because I'm also interested on the answer... Does TC (or any other router) keep a log of login attempts to the network?
  9. dampfdruck macrumors member

    Oct 20, 2008
    With enterprise-grade access points it's no problem. These typically support syslog and/or SNMP (traps). Of course, you would also need an NMS to collect and process that data. SOHO equipment typically doesn't have such features which will make it very difficult to monitor activity on the network.
  10. Le Big Mac macrumors 68020

    Le Big Mac

    Jan 7, 2003
    Washington, DC
    Yes, the TC has a log that logs log in attempts. It's in the Airport Utility under advanced.
  11. cdcastillo macrumors 6502a


    Dec 22, 2007
    The cesspit of civilization
    Thank you very much.
  12. iMouse macrumors regular

    Jul 23, 2002
    Boardman, Ohio

    It is important that the WPA passphrase be kept to family members only or saved on each system instead of needing to be typed in each time you connect to the network. You may even want to regularly change the WPA/WPA2 key to keep from the key being sniffed out through "social hacking". :)

    The reason I say this is because it is your only defense against the network getting hacked.

    Like RGunner said, hidden SSIDs can easily be sniffed. This can occur when a client attempts to associate or re-associate with the access point. During association, the access point reveals the SSID and a scanner (such as KisMAC/Kismet) can grab this info.

    MAC address filtering while powerful for security, is crap if they have gotten past weak WEP encryption or no encryption at all. MAC addresses associated or attempting to associate with the access point can be collected by passive scanners again, like KisMAC/Kismet. Spoofing the MAC address of an approved client on any network and on any operating system is trivial.

  13. Detlev macrumors 6502a

    Sep 16, 2003
    Continuing on with this discussion: How does one prevent scanners from finding the network i.e. AirPort Extreme? Apparently they can ping the network and gather info that can be used to mimic denial of service or just use the network. Wouldn't we have to block access to specific ports? See this article:
  14. iMouse macrumors regular

    Jul 23, 2002
    Boardman, Ohio
    What do you mean by "finding the network"? All wireless access points broadcast an SSID whether it be hidden or not. This is how your clients determine which radio to communicate with (there's a whole other explanation of how it communicates, but that's for another discussion). You cannot completely hide a wireless access point's broadcasts. If you could, your clients would be unable to connect.

    You can only ping a network that you can successfully connect to. From the outside (through the Internet), it may be possible to ping the IP address given to your base station or DSL/cable modem if the option to return ping traffic is enabled. Ping is the last thing you need to worry about as it is basically a means of letting the Internet know you're there. There are exceptions such as ping floods where traffic inbound exceeds what the connection allows, but are rare in the case of private connections to ISPs. Most of these attacks are at businesses with static IP addresses or host names.

    If you wanted to stop someone from seeing your wireless network, you would either have to turn down the radio's power level to only broadcast within the house or basically, turn your house into one large faraday cage with chicken wire and some other goodies. Neither are good options as the first option can lead to signal problems in parts of the house further away from the access point and the second option is just plain silly.

    The link you provided appears to be some kind of "feature" that kinda went wrong. It appears that this article was posted in 2005, which the vulnerability was likely patched since then. Even so, it doesn't appear to do much than potentially make your Internet connection unstable should you be using PPPoE on a DSL provider that is not performing PPPoE on their DSL modem and instead passing the responsibility to the AirPort Base Station. This setup is typically called a bridge.
  15. bmb012 macrumors 6502

    Jul 25, 2006
    Make it a closed network (wireless -> wireless options) and set up a MAC filter (access).

    Was looking for an easier way to see who was accessing the network, hadn't thought of clicking on 'wireless clients,' great info, thanks guys.

Share This Page