Recording WiFi login attempts

Hi;
I would like to know if it is possible to record the attempts to log into the WiFi access point. For example, suppose my router has an access point called HomeForHome, and this access point has a WPA passphrase abcdefgh. Now I want my router to log all attempted passphrases, even wrong ones of course; for example, if I type Aabcdefgh instead of abcdefgh, that passphrase should be recorded somewhere by the router into a log file so I can check it from time to time.

If that is possible, then please tell me how.
Thanks

No, the way WPA is designed, even the router itself cannot know the password used by the client, only whether or not it is correct.


As @eduperez already pointed out, that's not possible. If it were, it would be a huge security issue. You could just open up an access point with the same SSID as another AP and grab passwords from clients trying to connect to your imposter AP instead.


Is there a way to tell the number of unsuccessful negotiations, disregarding any password nonsense? If I was looking for data, I don't really care what passwords someone is using as much as the fact that there is an uptick in unsuccessful connections. Would it be possible to quantify those?

Yes, you can record an uptick in unsuccessful connection attempts if you have logging enabled in the wireless configuration (via uci set wireless.radio0.log_level='1' – if you have more than one radio, repeat this for each you have).

If I try to log in to my WPA2+WPA3 mixed mode network with an incorrect password, I can see messages like these in the logs:

daemon.notice hostapd: wlan1-2: AP-STA-POSSIBLE-PSK-MISMATCH e6:dd:2f:17:c7:f1

Now, as for the exact number of unsuccessful attempts, that is tricky. I tried to connect with the wrong password on my Android phone once, and ended up with 12 of these messages in the logs. The message appears 4 times in a row, then I see a deauthentication message and then everything again for two more times. I would guess that my phone retries the authentication up to a total of 3 times and that each wrong attempt triggers this message 4 times. But that's just a guess. And I would not expect this to be the same for every device and operating system.

So, I wouldn't trust the number of these messages in absolute terms, but you should easily be able to spot repeated or prolonged attempts to guess or brute-force your wireless passphrase.

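Added example (not from the post above or from OpenWrt itself): a POSIX shell/awk summary of these messages per client MAC that reports both raw message counts and "bursts" (runs of consecutive mismatches ended by another hostapd event), so the several-messages-per-attempt behaviour described here inflates the count less. It assumes the logread line format shown above and constructs its own sample lines.

```shell
#!/bin/sh
# Summarise hostapd AP-STA-POSSIBLE-PSK-MISMATCH events per client MAC.
# Usage on OpenWrt: logread | count_psk_mismatches   (or: logread | flag_psk_mismatches 3)

# Count raw mismatch messages and "bursts" per MAC. A burst is a run of
# consecutive mismatch lines for the same MAC; any other hostapd line
# (deauth, disconnect, ...) or a mismatch from another MAC ends it, which
# matches the "4 messages, then a deauth, three times" pattern from the post.
# Output: "<mac> <raw messages> <bursts>", one line per MAC.
count_psk_mismatches() {
    awk '
        /AP-STA-POSSIBLE-PSK-MISMATCH/ {
            mac = $NF                          # MAC is the last field
            raw[mac]++
            if (!(inburst && mac == last)) bursts[mac]++
            last = mac; inburst = 1
            next
        }
        /hostapd/ { inburst = 0 }              # other hostapd event ends the burst
        END { for (m in raw) printf "%s %d %d\n", m, raw[m], bursts[m] }
    ' | LC_ALL=C sort
}

# Print only MACs with at least $1 bursts (default 3), i.e. repeated attempts.
flag_psk_mismatches() {
    count_psk_mismatches | awk -v t="${1:-3}" '$3 >= t { print $1 }'
}

# Constructed sample in logread format (not a real capture): one phone
# retrying a wrong passphrase three times, plus one stray single mismatch.
# The deauth line text is an assumption about hostapd wording.
sample_log() {
    r=0
    while [ "$r" -lt 3 ]; do
        n=0
        while [ "$n" -lt 4 ]; do
            echo "Mon Jan  1 10:00:0$r 2024 daemon.notice hostapd: wlan1-2: AP-STA-POSSIBLE-PSK-MISMATCH e6:dd:2f:17:c7:f1"
            n=$((n + 1))
        done
        echo "Mon Jan  1 10:00:0$r 2024 daemon.info hostapd: wlan1-2: STA e6:dd:2f:17:c7:f1 IEEE 802.11: deauthenticated"
        r=$((r + 1))
    done
    echo "Mon Jan  1 10:05:00 2024 daemon.notice hostapd: wlan1-2: AP-STA-POSSIBLE-PSK-MISMATCH 02:00:00:00:00:01"
}

# Example run on the constructed sample (12 raw messages collapse to 3 bursts).
sample_log | count_psk_mismatches
```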

Not trying to be cheeky, but: ... and then what? Walk around the neighborhood with a baseball bat?

There's not much you can do – that's true. But it might still be nice to know in three regards:

  1. You might take such an incident as a reason to reconsider your wireless security and see if there are ways to harden it. Speaking for myself, there's the option to switch to WPA3-only authentication, for example (there's just one device left that doesn't support WPA3 yet, but that's gonna change after the next OS upgrade). If I were "under attack", I might just do the transition to WPA3-only sooner than planned.
  2. You might take it as a reason to be more vigilant in general and look out for other possible attack scenarios such as rogue APs. Or watch ARP and NDP packets within your network, etc.
  3. Sometimes the baseball bat isn't actually necessary. About ten years ago, I noticed in my router logs that there are repeated attempts by the same MAC address to get into my wireless network. From the MAC address, I determined that the vendor of the wireless chip was Dell and when I later saw the neighbors' kid on the balcony with a Dell laptop, I just assumed it was him (this was long before MAC addresses were randomized by default, but I was also aware that they could be faked). I decided to take my chances and call him out in front of his mom, and, bingo, he was quite embarrassed and the issue was resolved. No violence needed :stuck_out_tongue: Of course, this approach only works in less densely populated environments with a limited number of possible "suspects" and it certainly won't help you with any serious attacker who actually knows what he's doing.

With WPA2 and a good password, this is kind of a small problem. If you want to lose sleep, then look at the WAN log of connection attempts.

You could set up an enterprise wifi network with a RADIUS server; then you will probably get a log of all authentication attempts, failed or passed.
But that login is actually less secure than wpa2.

But if we see it from the other way around: if someone gets into the wpa2 network then they will be served by the DHCP server, and that one writes to the log.

But I hope you then have the log in a safe place and not on the router because that is kind of useless for protection.

True.

And on a sidenote: I use logwatch to go comb through my logs and get regular summaries of what's happening on pretty much all of my Linux systems. I very rarely see unauthorized wireless connection attempts. The last one must have been at least 2-3 years ago. So, it's not something I'm particularly worried about despite living in an apartment building in a smaller city with many neighbors around.

Or don't allow them at all :stuck_out_tongue:

Well that can easily be circumvented by manually configuring the IP addresses and gateway on the client. A bit more helpful are arpwatch and ndpmon and similar tools which you can configure to get alerted whenever a new client is found on your network by watching the ARP and NDP traffic.

You can’t really “not allow” them to bang on the door. That is the whole idea of DoS and DDoS. Blocking them doesn’t mean they have gone away, it just means you put your noise cancellation on. If it were that simple to get rid of, we wouldn't have that problem in the first place.

What I meant was to not open any ports on your WAN interface or expose any services. Then you don't need to worry about any brute-force attempts. If there's nothing to get into, they can't compromise anything, and there is little value in logging these dropped packets in this case either.

As for DoS or DDoS attacks, yes, that may still be an issue. But it's also much less load on a system to simply drop packets rather than having to verify passphrases or keys.

There are other ways to get through the firewall than open/filtered ports. If you know any device internal IP address you can go inside with for example a slipstream attack.

But the most common way to get inside networks from WAN side is still the old reliable mail with malicious code.

And just closing the ports…with this forum as reference that doesn’t work since there are services that need open ports to work. For example all the VPN services.

It's not that simple. Slipstreaming requires ALGs or conntrack helpers, which are not available by default on OpenWrt, afaik.

Not everybody needs to host services on the internet.

True. And I think this is also a good point to stop this little digression here.

The original question was about wifi connection attempts. I think we covered the original question sufficiently, and a more general discussion about firewall safety and attack vectors should be continued elsewhere, if need be.
