hotspotsolutions
Member Candidate
Topic Author
Posts: 119
Joined: Thu Dec 16, 2004 1:48 pm

Help! Hacking Attempt on Hotpost How to Block?

Wed Feb 09, 2005 2:42 am

Hi,

We have had over 500 attempted login attempts from what seems to be one person in the last two days on our hotspot. We assume they are using an automated login system, as they are using common names for the login attempts.

This has all been logged by our Windows IAS Radius server logging, but it does not include the MAC address of the person trying to login, or any other usable information.

Is there any way to check what local IP we assigned to the person trying to log in, or their MAC address?

If not, can we block a user from logging in after a certain number of connection attempts?

Any help is appreciated.
 
iredden
newbie
Posts: 47
Joined: Thu Jan 27, 2005 8:42 am
Location: Campbellford, Ontario CANADA

Fri Feb 11, 2005 12:29 am

Studying digital forensics at the college level, I could easily ramble on all day on things to try, however here are a few:

- set up a Linux box on the same network as your hotspot, and use free IDS software such as Snort

- fork the traffic from the MikroTik sniffer to a PC running Ethereal, tcpdump, etc....
(it's in /tool sniffer)

mikdump script (same command line arguments as tcpdump http://www.rt.com/man/tcpdump.1.html)
#!/bin/sh
# Read the MikroTik sniffer stream with trafr and hand it to tcpdump on stdin.
# "$@" passes the script's arguments through to tcpdump unchanged (filters, -n, -w, etc.).
trafr -s | tcpdump -r - "$@"
Get trafr from http://www.mikrotik.com/download/trafr.tgz and put it and the mikdump script in /usr/sbin.

- turn on connection tracking in MikroTik and once you get his local IP, cross-reference it with your ARP table, then get some friends, a few GPS units, set up Kismet, wardrive his location, knock on his door.... (and I'll leave the rest to your imagination).

- finally, being a poor broke student, for a small fee I do security troubleshooting..... if you're interested, reply here.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Fri Feb 11, 2005 9:25 am

You might be able to see these attempts from the firewall logs. Try turning on logging on the hotspot-temp chain for the reject all rule or the hotspot servlet requests on the input chain.
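Once the hotspot or firewall logging suggested above is on, the question in the original post (which client is behind the attempts, and can it be cut off after N failures) becomes a counting problem over the log. The following is an added example, not code from this thread or from MikroTik: it assumes a constructed log line format with user=, ip= and mac= fields, and the list name hotspot-bruteforce is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example; the line format is an
# assumption, not real RouterOS hotspot or Windows IAS output.
SAMPLE_LOG = """\
02:40:01 hotspot,info login failed user=admin ip=10.5.50.23 mac=00:11:22:33:44:55
02:40:02 hotspot,info login failed user=guest ip=10.5.50.23 mac=00:11:22:33:44:55
02:40:03 hotspot,info login failed user=test ip=10.5.50.23 mac=00:11:22:33:44:55
02:40:05 hotspot,info login failed user=john ip=10.5.50.23 mac=00:11:22:33:44:55
02:41:10 hotspot,info login failed user=alice ip=10.5.50.40 mac=00:aa:bb:cc:dd:ee
02:41:30 hotspot,info login ok user=alice ip=10.5.50.40 mac=00:aa:bb:cc:dd:ee
"""

# Only failed attempts are counted; successful logins never match this pattern.
FAILED_RE = re.compile(r"login failed user=(?P<user>\S+) ip=(?P<ip>\S+) mac=(?P<mac>\S+)")

def failed_logins_by_client(log_text):
    """Group the usernames tried by each (ip, mac) pair that failed to log in."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[(m["ip"], m["mac"])].append(m["user"])
    return dict(attempts)

def suspicious_clients(log_text, threshold=3):
    """Flag clients with at least `threshold` failures; many distinct usernames
    from one client (as in the original post) is the signature of a wordlist run."""
    flagged = {}
    for client, users in failed_logins_by_client(log_text).items():
        if len(users) >= threshold:
            flagged[client] = {"failures": len(users), "distinct_users": len(set(users))}
    return flagged

def address_list_commands(flagged, list_name="hotspot-bruteforce"):
    """Emit RouterOS address-list entries for the flagged IPs so one firewall
    rule can drop the whole list (generic RouterOS syntax, list name hypothetical)."""
    return [
        f'/ip firewall address-list add list={list_name} address={ip} comment="{mac}"'
        for (ip, mac) in sorted(flagged)
    ]

if __name__ == "__main__":
    flagged = suspicious_clients(SAMPLE_LOG)
    print(flagged)
    print("\n".join(address_list_commands(flagged)))
```

With the sample input only 10.5.50.23 is flagged (four failures, four different usernames); the legitimate user who mistyped once and then logged in is left alone.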