Security weakness

Ferish
Posts: 9
Joined: Thu Dec 17, 2015 2:45 am

Security weakness

#1 Post by Ferish » Fri Feb 01, 2019 2:29 am

Hello,

I have a question about how I can securely publish cacti. My cacti host is in the DMZ and the URL can be accessed by any internet user.
There are several cacti URLs causing a security weakness, so I'm trying to find a solution.

https://example.net.tr/log/snmp.log - Lists all my bbn devices' snmp strings.
https://example.net.tr/scripts/linux_poller_time.pl - Lists my Cacti Db user & db
https://example.net.tr/log/wget.txt - Lists my ftp password

Btw, cacti version is 0.8.8a

Is there any way to fix that? Any help would be appreciated.

Thanks.

tertius
Cacti User
Posts: 71
Joined: Wed Mar 01, 2017 2:34 pm

Re: Security weakness

#2 Post by tertius » Fri Feb 01, 2019 9:52 am

I would never put any ancient 0.x version accessible to the internet. You never know which unknown security leaks are still present. The user management is also not very sophisticated.

I once made this for a 1.1.x installation, with this scenario:
- some web server is running in a DMZ
- Cacti is running on an internal host

On the web server machine, I added a reverse proxy configuration to the cacti machine:

# Bare /cacti or /cacti/index.php is sent straight to the anonymous graph view
RedirectMatch permanent ^/cacti(/(index.php)?)?$ /cacti/graph_view.php

# Only graph pages and their static assets are forwarded to the internal host
ProxyPassMatch ^/cacti/((graph|images|include).*)$ http://internal-machine.internal.example.org/cacti/$1
# Rewrite Location headers in responses back to the public /cacti/ path
ProxyPassReverse /cacti/ http://internal-machine.internal.example.org/cacti/

In addition, I allowed http (port 80) connections from the web server to the internal cacti host within the firewall to make the reverse proxy rules work.

Due to the *Match keywords, only specific pages can be accessed - the pages that actually display the graphs. Even if someone tries to guess other pages, it's not possible to access. I also didn't allow the login page with this, so no login is possible - only anonymous access.
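
A fuller version of that allowlist approach, as an added example rather than tertius's own configuration: it keeps the same proxy rules, explicitly refuses every other /cacti/ path on the DMZ host, and on the internal host denies web access to the log/ and scripts/ directories that held the leaked data. Apache 2.4 syntax and the install path /var/www/html/cacti are assumptions; the internal hostname is the one from the post.

```apache
# --- DMZ web server (Apache 2.4, mod_proxy) ---
# Never act as a forward proxy; only the explicit ProxyPassMatch rule below forwards anything.
ProxyRequests Off

# Bare /cacti or /cacti/index.php lands on the anonymous graph view.
RedirectMatch permanent ^/cacti(/(index.php)?)?$ /cacti/graph_view.php

# Allowlist: only graph pages and their static assets reach the internal host.
ProxyPassMatch ^/cacti/((graph|images|include).*)$ http://internal-machine.internal.example.org/cacti/$1
ProxyPassReverse /cacti/ http://internal-machine.internal.example.org/cacti/

# Refuse every other /cacti/ path on the DMZ host itself, so a request for
# /cacti/log/snmp.log or /cacti/scripts/linux_poller_time.pl gets 403 instead of
# being served from the local document root or ever being forwarded.
<LocationMatch "^/cacti/(?!graph|images|include|index\.php$|$)">
    Require all denied
</LocationMatch>

# --- internal Cacti host (install path /var/www/html/cacti is assumed) ---
# Defence in depth: even if the proxy rule is loosened later, the directories that
# hold poller logs and scripts embedding database credentials are never served over HTTP.
<Directory "/var/www/html/cacti/log">
    Require all denied
</Directory>
<Directory "/var/www/html/cacti/scripts">
    Require all denied
</Directory>
```

With this in place, the only way to reach the internal host is through the graph-display paths, and a loosened proxy rule still cannot expose log/ or scripts/.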

Osiris
Cacti Pro User
Posts: 835
Joined: Mon Jan 05, 2015 10:10 am

Re: Security weakness

#3 Post by Osiris » Sat Feb 02, 2019 9:50 pm

Cacti 088a is full of holes. It's good, but they are well documented. 1.2 is pretty bulletproof from what I can see.
Before history, there was a paradise, now dust.
