* Disconnect clients that attempt to login with banned usernames for Telnet as well

* Slow disconnects to thwart brute force attacks - these names won't exist anyway, but we want the attacking client to not DoS us
2018-12-25 00:18:04 -07:00
parent 06a1925288
commit ee93035bb8
4 changed files with 38 additions and 21 deletions
--- a/core/user_login.js
+++ b/core/user_login.js
@@ -27,7 +27,11 @@ function userLogin(client, username, password, cb) {

    if(config.users.badUserNames.includes(username.toLowerCase())) {
        client.log.info( { username : username }, 'Attempt to login with banned username');
-        return cb(Errors.BadLogin(ErrorReasons.NotAllowed));
+
+        //  slow down a bit to thwart brute force attacks
+        return setTimeout( () => {
+            return cb(Errors.BadLogin('Disallowed username', ErrorReasons.NotAllowed));
+        }, 2000);
    }

    client.user.authenticate(username, password, err => {