Configuration file with default username/password combination (admin/monit)
The default monitrc configuration file of monit enables the HTTP web interface with a default username/password combination (admin/monit).
Default passwords are generally extremely bad for security, as it can be expected that some users won’t change them. I would therefore consider this a security bug. (I have done some scans and unsurprisingly I found plenty of active installations with the default credentials.)
I would recommend changing the code in a way that a user is forced to set an individual password. One possibility would be to just show a warning if a user logs in with the default credentials.
Comments (3)
repo owner: You have to restart Monit for the password to take effect.
Well, of course. (And you need to make sure that you only have one monit process running. This err was on my side. But I still second the initial point about the default username/passwd as raised by Hanno.)
Especially as this default also seems to be used when it is removed from the monitrc file. In this example here, admin/monit is still accepted as valid login credentials:
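An added defender's check, written for this page and not part of the bug report or of monit itself: it audits a monitrc for the default admin:monit credentials the report describes and, following the last comment above, also flags a `set httpd` block that has no credential line at all. The htpasswd-file form of `allow` is only recognised by its path (an assumption about the syntax), and the three sample configurations are constructed.

```python
import re
from typing import List

DEFAULT_CREDS = ("admin", "monit")   # the monitrc default the report is about

# "allow user:password [read-only]" -- the colon separates it from
# "allow localhost", "allow 10.0.0.0/8" and "allow @group" entries.
ALLOW_USERPASS = re.compile(r"^\s*allow\s+([^\s:]+):(\S+)", re.IGNORECASE)
# htpasswd-file form: assumption, any "allow" pointing at an absolute path counts.
ALLOW_HTPASSWD = re.compile(r"^\s*allow\s+(?:\w+\s+)?/\S+", re.IGNORECASE)
SET_HTTPD = re.compile(r"^\s*set\s+httpd\b", re.IGNORECASE)


def audit_monitrc(text: str) -> List[str]:
    """Flag monitrc lines that leave the web interface on default credentials."""
    findings: List[str] = []
    httpd_on, cred_sources = False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        if SET_HTTPD.match(line):
            httpd_on = True
        m = ALLOW_USERPASS.match(line)
        if m:
            cred_sources += 1
            if m.groups() == DEFAULT_CREDS:
                findings.append(f"line {lineno}: default credentials admin:monit still set")
        elif ALLOW_HTPASSWD.match(line):
            cred_sources += 1
    if httpd_on and not cred_sources:
        # Per the report's last comment, removing the allow line does not remove the default.
        findings.append("set httpd present with no credential 'allow' line; "
                        "built-in admin:monit default may still be accepted")
    return findings


# Constructed sample configs (not taken from the bug report).
DEFAULT_RC = """
set httpd port 2812 and
    use address localhost
    allow localhost
    allow admin:monit      # require user 'admin' with password 'monit'
"""
STRIPPED_RC = """
set httpd port 2812
"""
HARDENED_RC = """
set httpd port 2812
    allow localhost
    allow opsuser:REPLACE_WITH_STRONG_PASSWORD   # placeholder value
"""
```

Run `audit_monitrc()` over each config: the default file and the stripped file each produce one finding, the hardened one none.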