I came in this morning to find my “public” dashboards offline. After checking the git patch notes, I found:
commit 7c006e96251ae1d32e1a015b361a7bfbb815c028
Date: Tue Nov 7 16:25:28 2023 -0600
Disable GET login by default (#15558)
* Disable GET login by default
GET login allows users to put username and password in the url, this is helpful for displays where you cannot login interactively.
Unfortunately, the plaintext password will be in the access logs.
GET login also allows brute force attacks against your install.
I think this is a good change, and I’m not asking to revert it. That said, is there a recommended alternative method for logging into keyboardless dashboards available due to this change? Something that’s more secure?
I was able to cheat using xdotool to automate the login until something a bit more secure and elegant becomes available. It’s not the best solution, but it works for now.
We use digital signage modules all over the NOC and Helpdesk areas for flipping through websites and monitoring pages… is there another way to display specific NMS pages without logging in? Previously, we used this method, but now all the panels are displaying user/pass prompts.
Only the default changed, how you are doing it before is still supported, you just have to enable it. PR describes how to enable it.
The reason the default changed is GET login allowed brute force attacks against LibreNMS installs and the plain text passwords would be stored in logs. Just need to make sure the user is aware of those issues and handles them. They can be handled for example by not having your LibreNMS publicly available.
If you want to get fancy, you could block access to GET logins via a firewall in front of your LibreNMS server as well.