The security department has recently seen several cases where Active Directory accounts were locked out because of excessive failed login attempts on a Mac that is synced to Active Directory and is also listening for inbound SSH connections. The reason is simple: every SSH login attempt is authenticated against Active Directory. So when a malicious external machine runs an SSH brute-force scan against one of Purdue's subnets and reaches a machine listening for SSH connections, the account's 3 permitted failed login attempts get used up very quickly.
It should also be stressed that this issue is by no means limited to Macs; any machine that is synced to Active Directory and accepts inbound SSH connections is just as vulnerable. The ease with which SSH access can be enabled on Macs and the number of them on campus that are synced to Active Directory has simply caused the issue to be amplified on these machines.
The moral of the story is this: if you allow remote SSH connections to your machine, lock it down extremely well. Make sure that only a select few accounts have SSH enabled, and allow SSH connection attempts only from a very select range of IP addresses. It is also imperative that strong passwords be used on any accounts that allow remote logins.
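To see the problem described above in a machine's own logs, the following added example (not part of the original post) parses OpenSSH "Failed password" lines, counts failures per account and per source IP, flags accounts that have reached the 3-attempt lockout threshold the post mentions, and lists failing sources that fall outside the IP ranges you intend to allow. The log lines are constructed, and the treatment of "invalid user" entries is an assumption noted in the code.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of OpenSSH "Failed password" log lines (not real data).
SAMPLE_LOG = """\
Mar 30 10:01:02 mac1 sshd[401]: Failed password for jdoe from 198.51.100.7 port 40100 ssh2
Mar 30 10:01:05 mac1 sshd[402]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Mar 30 10:01:09 mac1 sshd[403]: Failed password for jdoe from 198.51.100.7 port 40102 ssh2
Mar 30 10:01:12 mac1 sshd[404]: Failed password for jdoe from 198.51.100.7 port 40103 ssh2
Mar 30 10:02:40 mac1 sshd[405]: Failed password for asmith from 203.0.113.9 port 51000 ssh2
Mar 30 10:03:00 mac1 sshd[406]: Accepted publickey for asmith from 10.0.0.5 port 52000 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

LOCKOUT_THRESHOLD = 3  # failed attempts before AD locks the account, as stated in the post

def parse_failures(log_text):
    """Count failed password attempts per account and per source IP.

    Assumption: an 'invalid user' failure names a nonexistent account, so it cannot
    advance a real account's lockout counter; it still counts against the source IP.
    """
    per_account, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated lines are ignored
        per_source[m.group("ip")] += 1
        if m.group("invalid") is None:
            per_account[m.group("user")] += 1
    return per_account, per_source

def accounts_at_risk(per_account, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose failed count has reached the lockout threshold."""
    return sorted(user for user, n in per_account.items() if n >= threshold)

def sources_outside_allowlist(per_source, allowed_networks):
    """Source IPs with failures that are not inside the permitted address ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return sorted(ip for ip in per_source
                  if not any(ipaddress.ip_address(ip) in net for net in nets))
```

Run `parse_failures` over the sshd log of a machine that accepts SSH; any account returned by `accounts_at_risk` is the one that will show up as locked in Active Directory, and any source returned by `sources_outside_allowlist` is traffic your SSH allow rules should already be dropping.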
Posted by Brett Davis on March 30, 2009, in Handlers Log.