A HackerOne report has flagged this security vulnerability on our Cacti deployment:
“No Rate Limit in Admins login form could lead to Admins ATO”
How to quickly fix this?
Tech Junction Answered question July 18, 2024
On your cacti admin portal:
- Click “Console”
- Go to “Configuration”
- Click on “Settings”
- Select “Authentication” tab in the settings page
- In the bottom section, “Account Locking”, select “Lock Accounts: number of attempts”, e.g. if you choose “5 Attempts”, the user account will be locked after 5 failed login attempts.
- Select the “Auto Unlock” setting, e.g. “30 minutes” means the account will be auto-unlocked after 30 minutes.
Doing this prevents an Admin Account Takeover (ATO) attack via a “dictionary attack” using automated bots, because the account will be locked after (y) failed attempts and the attacker has to wait some time before they can attempt another password. This makes it practically impossible for such brute-force attacks, which require thousands of password combinations, to succeed. This, combined with a strong password, makes your system more security hardened.
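As an added illustration (my own code, not from the answer above and not Cacti's implementation), here is a minimal model of the “Lock Accounts” / “Auto Unlock” policy with the answer's values (5 attempts, 30 minutes). It shows that after the fifth failed attempt even the correct password is rejected until the unlock window has elapsed, and how the two settings cap the number of guesses an attacker gets per account per day. `LockoutPolicy`, `guesses_per_day` and the `DEMO_USERS` credential store are names and sample data I made up for the example.

```python
from typing import Callable, Dict, List

LOCK_AFTER_ATTEMPTS = 5        # "Lock Accounts: 5 Attempts"
AUTO_UNLOCK_SECONDS = 30 * 60  # "Auto Unlock: 30 minutes"


class LockoutPolicy:
    """Per-account lockout: N failed attempts lock the account; the lock expires after T seconds."""

    def __init__(self, check_password: Callable[[str, str], bool],
                 lock_after: int = LOCK_AFTER_ATTEMPTS, unlock_after: float = AUTO_UNLOCK_SECONDS):
        self._check = check_password
        self._lock_after, self._unlock_after = lock_after, unlock_after
        self._failed: Dict[str, int] = {}              # user -> consecutive failed attempts
        self._locked_at: Dict[str, float] = {}         # user -> time (seconds) the lock began

    def is_locked(self, user: str, now: float) -> bool:
        started = self._locked_at.get(user)
        if started is None:
            return False
        if now - started >= self._unlock_after:        # auto unlock: clear lock and counter
            del self._locked_at[user]
            self._failed[user] = 0
            return False
        return True

    def attempt_login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        if self.is_locked(user, now):
            return "locked"                            # password is not evaluated while locked
        if self._check(user, password):
            self._failed[user] = 0                     # success clears the failure counter
            return "ok"
        self._failed[user] = self._failed.get(user, 0) + 1
        if self._failed[user] >= self._lock_after:
            self._locked_at[user] = now
        return "denied"


def guesses_per_day(lock_after: int, unlock_after: float) -> int:
    """Upper bound on guesses per account per day: one burst of lock_after per unlock window."""
    return lock_after * int(24 * 3600 // unlock_after)


DEMO_USERS = {"admin": "correct horse battery staple"}   # constructed, not a real Cacti user


def run_scenario() -> List[str]:
    # Five wrong guesses, then the right password twice: first inside the lock window, then after it.
    policy = LockoutPolicy(lambda u, p: DEMO_USERS.get(u) == p)
    outcomes = [policy.attempt_login("admin", f"guess{i}", now=float(i)) for i in range(5)]
    outcomes.append(policy.attempt_login("admin", DEMO_USERS["admin"], now=10.0))
    outcomes.append(policy.attempt_login("admin", DEMO_USERS["admin"], now=10.0 + AUTO_UNLOCK_SECONDS))
    return outcomes
```

With 5 attempts per 30-minute window the attacker is held to at most 240 guesses per account per day, which is why a wordlist of thousands of candidates no longer completes in any useful time.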