Minepeon security issue

If you use Minepeon for your Raspberry Pi based Bitcoin mining rig then you might be a risk of someone changing your pool settings and sealing your mining power!

The Minepeon web interface uses the API to get the stats from the mining software. It seems the default setting on Minepeon is to have the miners API accessible to all IPs and without a password!
This means if your mining rig is on a public IP or someone gets on to your network then they could connect to that IP and point your rig at another mining pool/user so that they get the hashes you have generated.

Below is how to change the configuration so that the API is only listening on the local host and therefore securing it from anything accessing it which isn’t running on the Raspberry Pi.

1) SSH on to the Raspberry Pi.
2) Put in the following command to edit the miner config files.

nano /opt/minepeon/etc/miner.conf /opt/minepeon/etc/miner.conf.donate /opt/minepeon/etc/miner.user.conf

3) Edit the following line from

"api-allow": "W:0\/0",


"api-allow": "",

4) Press CRTL + X This will then ask you if you want to save the changes, Press y
5) After saving the changes the next file will open, make the same changes you did in step 3. This will be done 3 times to change all the files.
6) Login to the Minepeon web interface and restart the miner.

To check to make sure the changes are working you can try to connect to the API at the following URL, change <ip> to be the IP of your Pi.

You should get an error message, Something like Connection reset or no data received depending on your browser.
If you get a page which looks like the following then API access is still open and you should check the changes have been saved, if they have save then try restarting the Pi.

STATUS=E,When=1390150582,Code=14,Msg=Invalid command,Description=bfgminer 3.4.0

A fix has been pushed to the Minepeon Git repo, so this should be fixed in the next version. I believe Minepeon version 0.2.4 and lower are vulnerable to this issue.