Any idea what this "wpa-supplicant" message means in a Ubiquiti AirOS log file?

wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]

I get this in between brute force attacks by foreign IP addresses:

-----
[ many connection attempts of the following type, ending with this one below]
Dec 3 15:03:06 dropbear[44343]: Child connection from ::ffff:46.22.129.47:42348
Dec 3 15:03:09 dropbear[44343]: login attempt for nonexistent user from ::ffff:112.4.172.208:42348
Dec 3 15:03:10 dropbear[44343]: exit before auth: Disconnect received

------
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with de:ad:be:ef:ca:fe [GTK=CCMP]

-----
Dec 3 15:08:32 dropbear[48564]: Child connection from ::ffff:61.142.106.34:42933
Dec 3 15:08:36 dropbear[48564]: login attempt for nonexistent user from ::ffff:61.142.106.26:42933
Dec 3 15:08:39 dropbear[48564]: exit before auth: Disconnect received
[ many connection attempts of the following type, starting with this one above]

-----

I'm using WPA2-PSK to connect to the SSID of the WISP provider, and in the AirOS log file, I noticed what appeared to be hundreds of brute force attacks to the "dropbear" process (i.e., SSH) on various ports.

Then, in between two different sets of attacks, I see this "wpa-supplicant" message. I don't use WPA (I'm using WPA2-PSK to connect to my WISP SSID).

Do you know what these "wpa-supplicant" messages indicate?

Reply to
William Don**ly

Reply to
GlowingBlueMist

Ah. That's doubly-good information! The Ubiquiti AirOS messages are cryptic at best - so it's helpful to have this secret decoder ring explanation of why it mentions WPA.

Interesting. What got my goat was the fact the key switching happened in the middle of two different attacks. Literally. So, I had thought it was something the brute force attackers accomplished.

This explanation makes the key switch seem much more routine than that.

It's interesting that this credit-card computer that plugs into your TV & keyboard (apparently) has the same OS as the AirOS of my Ubiquiti radio & router.

It's interesting that this "wpa-supplicant" daemon on my Ubiquiti radio controls the wireless connection.

So my tentative conclusion is that this is a 'normal' procedure, and not one induced by the brute-force attackers. I'll add more data when/if I see something different in the radio log files.

Thanks!

Reply to
William Don**ly

Did it ever occur to you to look it up on Google?

Reply to
Warren Oates

You're joking, right?

Have you ever looked at the Ubiquiti AirOS log file of your WiFi radio?

There is no known "secret decoder ring" that explains what the messages mean. You just have to know (magically) what they mean.

Here are a few typical samples in my current log file:

Dec 10 1:40:04 ac-agent: Pinging 'http://10.0.0.2:9080/heartbeat/'...
Dec 10 1:40:04 ac-agent: done.
Dec 10 1:40:58 dropbear[44321]: Child connection from ::ffff:82.223.175.3:42015
Dec 10 1:41:00 dropbear[44321]: login attempt for nonexistent user from ::ffff:82.223.175.2:42015
Dec 10 1:41:01 dropbear[44321]: exit before auth: Disconnect received
Dec 10 1:49:50 dnsmasq[25748]: exiting on receipt of SIGTERM
Dec 10 1:49:50 wpa-supplicant: CTRL-EVENT-TERMINATING - signal 15 received
Dec 10 1:49:50 wireless: ath0 Sending disassoc to dc:9f:db:a7:f1:bc. Reason: Station has left the basic service area and is disassociated (8).
Dec 10 1:49:50 wireless: ath0 New Access Point/Cell address:Not-Associated
Dec 10 2:22:32 dropbear[26072]: Child connection from ::ffff:10.0.0.2:63476
Dec 10 2:22:33 dropbear[26072]: pubkey auth succeeded for 'mcuser' with key md5 c6:aa:77:cd:a3:6a:d4:27:83:87:2a:f1:cb:b5:73:33 from ::ffff:10.0.0.2:63476
Dec 10 2:22:34 dropbear[26078]: Child connection from ::ffff:10.0.0.2:63477
Dec 10 2:22:34 dropbear[26078]: exit before auth: Exited normally
Dec 10 2:22:37 dropbear[26072]: exit after auth (mcuser): Exited normally

Reply to
William Don**ly
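
One way to triage a log like the ones quoted in this thread, as an added example that is not part of any poster's message: it groups dropbear lines by PID into SSH sessions, separates unauthenticated probes from real logins, and lists the wpa-supplicant group-rekey events on their own. The sample lines are constructed (documentation-range addresses, made-up PIDs, MAC and key fingerprint), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog line formats quoted in the thread
# (documentation-range addresses, made-up PIDs, MAC and key fingerprint).
SAMPLE = """\
Dec 3 15:03:06 dropbear[44343]: Child connection from ::ffff:198.51.100.7:42348
Dec 3 15:03:09 dropbear[44343]: login attempt for nonexistent user from ::ffff:198.51.100.7:42348
Dec 3 15:03:10 dropbear[44343]: exit before auth: Disconnect received
Dec 3 15:03:25 wpa-supplicant: WPA: Group rekeying completed with 02:00:00:00:00:01 [GTK=CCMP]
Dec 3 15:08:32 dropbear[48564]: Child connection from ::ffff:203.0.113.9:42933
Dec 3 15:08:39 dropbear[48564]: exit before auth: Disconnect received
Dec 3 16:22:32 dropbear[26072]: Child connection from ::ffff:10.0.0.2:63476
Dec 3 16:22:33 dropbear[26072]: pubkey auth succeeded for 'mcuser' with key md5 00:11:22:33 from ::ffff:10.0.0.2:63476
Dec 3 16:22:37 dropbear[26072]: exit after auth (mcuser): Exited normally
"""

LINE = re.compile(r"^(\w{3} +\d+ +[\d:]+) ([\w-]+)(?:\[(\d+)\])?: (.*)$")
PEER = re.compile(r"from (?:::ffff:)?([\d.]+):\d+")

def triage(log_text):
    """Group dropbear lines by PID into SSH sessions and list Wi-Fi rekey events."""
    sessions = defaultdict(lambda: {"peers": set(), "authed": False, "bad_user": 0})
    rekeys = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, proc, pid, msg = m.groups()
        if proc == "dropbear" and pid:
            s = sessions[pid]
            peer = PEER.search(msg)
            if peer:
                s["peers"].add(peer.group(1))
            if "auth succeeded" in msg:
                s["authed"] = True
            if "nonexistent user" in msg:
                s["bad_user"] += 1
        elif proc == "wpa-supplicant" and "Group rekeying completed" in msg:
            rekeys.append(stamp)  # Wi-Fi link event, not tied to any SSH PID
    return dict(sessions), rekeys

def authenticated_peers(sessions):
    """Source addresses of SSH sessions that actually logged in."""
    return sorted(p for s in sessions.values() if s["authed"] for p in s["peers"])

if __name__ == "__main__":
    sessions, rekeys = triage(SAMPLE)
    print("rekey events:", rekeys, "authenticated from:", authenticated_peers(sessions))
```

Sessions that end with "exit before auth" never logged in; the ones worth reviewing are those returned by `authenticated_peers`.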

No. Look it up on Google. You will find out exactly what it is.

Reply to
Warren Oates
