I am using a Linksys WRT1900ACSv2. I have installed OpenWrt 18.06.0 and I’m using this as a home router set up with basic settings. I observed in my system log some concerning entries.
I’m getting:
daemon.notice hostapd: Station xx:xx:xx:xx:xx:xx not allowed to authenticate
This message repeats many times per minute but does not seem to be effecting performance.
I’m not familiar with “station”. What type of connection would this be?
The MAC addresses showing up here appear to be smart home type devices which I do not own.
My question is this: How do I dertermine where these attempts are coming from? I am concerned of potential botnet activity or something similar. Thanks in advance for any help anyone could provide.
A "Station" is hostapd lingo for a wireless clients that attempts to connect. Many mobile phones use mac address randomization while scanning for nearby networks nowadays in order to complicate device tracking.
These random MACs will not match your MAC address filter whitelist and thus trigger the warnings you see.
To be very clear, this generally isn't "penetration scanning" but is the 802.11 standard-specified way that clients (such as phones, iPads, computers, printers, ...) find out what "names" to put in their "Connect to?" list. There may be hundreds of these per hour in a city or other busy environment.