Cacti: official forums and support

All times are UTC - 5 hours




 Post subject: Security weakness
PostPosted: Fri Feb 01, 2019 2:29 am 

Joined: Thu Dec 17, 2015 2:45 am
Posts: 9
Hello,

I have a question about how I can securely publish Cacti. My Cacti host is in a DMZ and the URL can be accessed by any internet user.
There are several Cacti URLs causing a security weakness, so I'm trying to find a solution.

https://example.net.tr/log/snmp.log - Lists all my bbn devices' SNMP strings.
https://example.net.tr/scripts/linux_poller_time.pl - Lists my Cacti DB user and DB.
https://example.net.tr/log/wget.txt - Lists my FTP password.

By the way, the Cacti version is 0.8.8a.

Is there any way to fix that? Any help would be appreciated.

Thanks.


 Post subject: Re: Security weakness
PostPosted: Fri Feb 01, 2019 9:52 am 
Cacti User

Joined: Wed Mar 01, 2017 2:34 pm
Posts: 63
I would never make any ancient 0.x version accessible to the internet. You never know which unknown security leaks are still present. The user management is also not very sophisticated.

I once made this for a 1.1.x installation, with this scenario:
- some web server is running in a DMZ
- Cacti is running on an internal host

On the web server machine, I added a reverse proxy configuration to the Cacti machine:
Code:
# Send /cacti, /cacti/ and /cacti/index.php straight to the graph viewer
RedirectMatch permanent ^/cacti(/(index.php)?)?$ /cacti/graph_view.php

# Forward only paths under /cacti/ that start with graph, images or include; nothing else is proxied
ProxyPassMatch ^/cacti/((graph|images|include).*)$ http://internal-machine.internal.example.org/cacti/$1
# Rewrite Location headers from the internal host back to the public /cacti/ path
ProxyPassReverse /cacti/ http://internal-machine.internal.example.org/cacti/

In addition, I allowed HTTP (port 80) connections from the web server to the internal Cacti host in the firewall to make the reverse proxy rules work.

Due to the *Match keywords, only specific pages can be accessed - the pages that actually display the graphs. Even if someone tries to guess other pages, it's not possible to access them. I also didn't allow the login page with this, so no login is possible - only anonymous access.


 
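An offline check of the allowlist idea in the reply above, written for this page as an added example (it is not code from the thread or from the Cacti project). It re-implements only the path matching of the RedirectMatch and ProxyPassMatch lines in Python, runs the three leaked files from the opening post (placed under /cacti/ as the proxy rules expect) and a handful of Cacti script names through them, and adds a tighter rule of this example's own devising that admits only the graph rendering scripts. The request paths are constructed for the check, and the match is done on the path with the query string dropped, since ProxyPassMatch matches the request path and passes the query through. Apache also decodes and normalises the path before any *Match directive sees it, so confirm the result against the real server rather than trusting the simulation alone.

```python
"""Simulate the reverse-proxy allowlist from the reply above (added example)."""
import re

UPSTREAM = "http://internal-machine.internal.example.org/cacti/"

# Rule from the reply: forward anything under /cacti/ whose first path
# segment starts with "graph", "images" or "include".
LOOSE = re.compile(r"^/cacti/((graph|images|include).*)$")

# Tighter alternative (this example's suggestion, not the poster's): only the
# scripts that render or export a graph plus the two static directories.
TIGHT = re.compile(
    r"^/cacti/((graph_view\.php|graph_image\.php|graph_xport\.php|images/.*|include/.*))$"
)


def redirect_target(path):
    """Mirror of the RedirectMatch line: /cacti, /cacti/ and /cacti/index.php
    are bounced to the graph viewer; anything else is left alone (None)."""
    if re.match(r"^/cacti(/(index\.php)?)?$", path):
        return "/cacti/graph_view.php"
    return None


def proxied_target(path, rule=LOOSE):
    """Return the upstream URL a ProxyPassMatch rule would forward to, or
    None when the request never leaves the DMZ web server. Only the path is
    matched; the query string would be appended unchanged by Apache."""
    path_only = path.split("?", 1)[0]
    m = rule.match(path_only)
    if not m:
        return None
    return UPSTREAM + m.group(1)


# Constructed requests: the three files from the opening post, the index/login
# page, the graph scripts, and Cacti editor scripts whose names also start
# with "graph". The images/ and include/ entries are placeholder static paths.
REQUESTS = [
    "/cacti/log/snmp.log",
    "/cacti/scripts/linux_poller_time.pl",
    "/cacti/log/wget.txt",
    "/cacti/index.php",
    "/cacti/graph_view.php",
    "/cacti/graph_image.php?local_graph_id=1&rra_id=0",
    "/cacti/graph_xport.php",
    "/cacti/graphs.php",
    "/cacti/graphs_new.php",
    "/cacti/graph_templates.php",
    "/cacti/images/cacti_logo.gif",
    "/cacti/include/main.css",
]


def forwarded(rule=LOOSE, requests=REQUESTS):
    """List the requests that a rule would proxy through to the internal host."""
    return [p for p in requests if proxied_target(p, rule) is not None]


if __name__ == "__main__":
    for name, rule in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(f"{name}:")
        for p in REQUESTS:
            verdict = "PROXY" if proxied_target(p, rule) else "deny "
            print(f"  {verdict}  {p}")
```

Both rules keep log/ and scripts/ on the DMZ side, which is the point of the post. The difference is that the original prefix match also forwards graphs.php, graphs_new.php and graph_templates.php, which are Cacti editor pages rather than graph views; they still need a login the rules do not expose, but an allowlist is easier to reason about when it names exactly the scripts the stated intent requires.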
 Post subject: Re: Security weakness
PostPosted: Sat Feb 02, 2019 9:50 pm 
Cacti Pro User

Joined: Mon Jan 05, 2015 10:10 am
Posts: 744
Cacti 0.8.8a is full of holes. It's good, but they are well documented. 1.2 is pretty bulletproof from what I can see.

_________________
Before history, there was a paradise, now dust.

