Configuration file with default username/password combination (admin/monit)

Issue #881 new
Hanno Böck created an issue

The default monitrc configuration file of monit enables the HTTP web interface with a default username/password combination (admin/monit).

Default passwords are generally extremely bad for security, as it can be expected that some users won’t change them. I would therefore consider this a security bug. (I have done some scans and unsurprisingly I found plenty of active installations with the default credentials.)

I would recommend changing the code in a way that a user is forced to set an individual password. One possibility would be to just show a warning if a user logs in with the default credentials.
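A local audit check for the problem described in this issue, added here as an example (it is not part of the report and not Monit's own code): it walks the `allow user:password` entries of a monitrc file, skips commented-out lines and host/network/group entries, and flags the default admin/monit pair so an operator can find it before exposing the HTTP interface. The sample monitrc text is constructed for the example; the handling of double-quoted passwords is an assumption about monitrc syntax, not something the issue states.

```python
import re

# Constructed monitrc excerpt for the example (not the project's real default file).
SAMPLE_MONITRC = """\
set httpd port 2812 and
    use address localhost
    allow localhost        # allow localhost to connect to the server and
    allow admin:monit      # require user 'admin' with password 'monit'
#   allow me:monit42       # commented out, must be ignored
    allow ops:"s3cret pass" read-only
"""

# The credential pair this issue reports as shipped in the default monitrc.
DEFAULT_CREDENTIALS = {("admin", "monit")}

# An active "allow user:password" directive: the user part must not be a host,
# network ("10.0.0.0/8") or group ("@admins") entry, and the password may be
# a double-quoted string (assumed syntax) or a bare token.
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<user>[^\s:@/]+):(?P<password>"[^"]*"|\S+)',
    re.IGNORECASE,
)


def parse_allow_credentials(monitrc_text):
    """Return (line_number, user, password) for every active allow user:password line.

    Lines starting with '#' never match because the regex is anchored at the
    start of the line, so commented-out credentials are ignored.
    """
    found = []
    for lineno, raw in enumerate(monitrc_text.splitlines(), start=1):
        match = ALLOW_RE.match(raw)
        if not match:
            continue
        password = match.group("password")
        if password.startswith('"') and password.endswith('"'):
            password = password[1:-1]  # drop the surrounding quotes
        found.append((lineno, match.group("user"), password))
    return found


def find_default_credentials(monitrc_text):
    """Return (line_number, user) for each active entry using a known default pair."""
    return [
        (lineno, user)
        for lineno, user, password in parse_allow_credentials(monitrc_text)
        if (user, password) in DEFAULT_CREDENTIALS
    ]


if __name__ == "__main__":
    for lineno, user in find_default_credentials(SAMPLE_MONITRC):
        print(f"line {lineno}: user '{user}' still uses the shipped default password")
```

Run it against a real file with `find_default_credentials(open("/etc/monitrc").read())`; an empty result means no active `allow` line carries the shipped admin/monit pair, which is the state the issue asks the project to enforce.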

Comments (3)

  1. Señor Rolando

    Especially as this default also seems to be used when it is removed from the monitrc file. In this example here, admin/monit is still accepted as valid login credentials:

    root> grep allow monitrc
    #     selfsigned : allow   # allow self signed SSL certificates (reject by default)
        allow localhost        # allow localhost to connect to the server and
        allow me:monit42
    

  2. Señor Rolando

    Well, of course. (And you need to make sure that you only have one monit process running. This err was on my side. But I still second the initial point about the default username/passwd as raised by Hanno.)
