Recently, there have been a rash of abuse on AllStarLink by malicious actors leveraging unchanged default credentials in the Allmon3 package. It appears that AllStarLink users are exposing Allmon3 to the Internet without changing the default password. As such, to protect the AllStarLink system, changes to Allmon3 have been released with v1.5.0. Please see below for important information based on your consumption type of Allmon3.
Using ASL3 Packaging (Appliance or Debian Packages)
The new release of Allmon3 v1.5.0-2 packages contains logic that does the following:
- New installations of 1.5.0-2 or later will no longer have a default username/password.
- The Allmon3 user database will be forcibly scrubbed of any user that was using the now-obsolete default password. This is, generally, 'allmon3' but may include other users if the line was copy-pasted to another user.
- Any account with the default password will be set to a locally-generated random string. The new random string is stored in the file
/etc/allmon3/random-password.txt. It is strongly recommended to delete the file after making note of the password within or changing the allmon3 user to a different password of your choosing.
Using Allmon3 as Manual Install
- New installations of 1.5.0 or later will no longer have a default username/password.
- Users with public-facing Allmon3 installations should make sure that the
allmon3user is deleted or the password has been changed. This is done with eitherallmon3-passwd allmon3(to change the password) orallmon3-passwd --delete allmon3(to delete it).