Disable Default Admin or Setup 2FA

DualOSWinWiz

is there is any way of either activate 2FA on default Admin user or could disable it?

nebulon

I am not sure ctfreak has any 2FA for internal users. Also it does require an admin account pre-setup. I guess the only way to secure this is to set a strong unique password for it at the moment.

girish

Maybe @jypelle (ctfreak's author) knows

jypelle

Hello,

Indeed, there must be at least one local admin account, with the purpose of ensuring access is still possible even if the OIDC server becomes unavailable.

If the goal is to secure access, @nebulon 's suggestion (a strong unique password) is the right one.

DualOSWinWiz

@jypelle is their is autoblock account option exist after certain number of wrong password attempt??

jypelle

No, but there is at least a one-second delay between each attempt.

Let's imagine a bot attempting to log in with a different password every second. In 5 years, it would have time to test 5x365x24x3600 = 1.5x10^8 combinations.

Now, if you choose a password of only 10 characters from [a-zA-Z0-9], that gives 8.4x10^17 combinations.

Before the bot finds your password, you have at least a few million years ahead of you...

DualOSWinWiz

Lollzz thanks

jypelle

@DualOSWinWiz With release 1.17.0, there is now a 5-second delay between failed login attempts.