Line 4: |
Line 4: |
| ==General security guidelines== | | ==General security guidelines== |
| | | |
− | General security recommendations for any internet-facing device.
| + | Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way. |
− | | + | |
− | It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way. | + | * Do not have Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions'' |
− | | + | * Set strong WebUI/SSH password, including numbers, lowercase and uppercase alphabet letters, symbols. Longer password length also increases overall security of the device |
− | * Set '''SMS limits, data limits''' for your SIM card plans | + | * If public access is necessary, have it firewalled for '''specific source IPs and source ports''' |
− | * Disable SMS utilities entirely, ''if it is not utilized whatsoever''
| |
− | * Set strong WebUI/SSH password, including numbers, lowercase and uppercase alphabet letters, symbols. Longer password length also increases overall security of the device | |
− | * Do not have Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions''
| |
− | * If public access is necessary, have it firewalled for '''specific source IPs and source ports''' | |
| * If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (i.e., set HTTP(S) port to a random number in the range of 32768-65535) | | * If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (i.e., set HTTP(S) port to a random number in the range of 32768-65535) |
| * If remote access is required – always '''try to employ the usage of secure VPN protocols''' instead of exposing sensitive services directly to all of the internet | | * If remote access is required – always '''try to employ the usage of secure VPN protocols''' instead of exposing sensitive services directly to all of the internet |
− | * When configuring VPNs purely for security, opt in to use UDP-based VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN, WireGuard | + | * When configuring VPNs purely for security, opt in to use VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN, WireGuard |
| * '''Disable WiFi if unused'''. Use strong WiFi authentication otherwise (certificate based auth/strong PSK). | | * '''Disable WiFi if unused'''. Use strong WiFi authentication otherwise (certificate based auth/strong PSK). |
| * When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary) | | * When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary) |
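Review bot: the new firewall bullet ("have it firewalled for '''specific source IPs and source ports'''") bundles source ports with source IPs as if both were equally useful controls, but a client's source port is ephemeral and chosen by the client, so a rule keyed on it adds almost nothing; the effective restriction is the allow-listed source IP plus only the destination port the service actually needs. Suggest rewording to "firewalled for '''specific source IPs''', allowing only the required destination ports", which also makes the following fallback bullet (unconventional listening ports when source IPs cannot be fixed) read as the weaker, last-resort option it is. Minor style point on the merged intro line: the " - " used as a dash should be a full stop or semicolon, since the sentence already runs on into "It is always advised ...".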
Line 22: |
Line 18: |
| * '''Always write down & compare MD5/SHA hashes of backup files''' before uploading them back into the router. In addition – always make sure to verify the hashes of firmware files, before uploading them to the router | | * '''Always write down & compare MD5/SHA hashes of backup files''' before uploading them back into the router. In addition – always make sure to verify the hashes of firmware files, before uploading them to the router |
| * Make sure to use key-based authentication wherever possible (i.e., accessing to the router via SSH) | | * Make sure to use key-based authentication wherever possible (i.e., accessing to the router via SSH) |
| + | * Set '''SMS limits, data limits''' for your SIM card plans |
| + | * Disable SMS utilities entirely, ''if it is not utilized whatsoever'' |
| | | |
| | | |
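Review bot: the hash-verification bullet never says what the firmware hash is compared against; for backups the procedure is clear (record the hash when the backup is taken, compare before restoring), but for firmware a hash computed from the downloaded file only proves integrity if the expected value comes from an independent source. Suggest stating that the firmware checksum must be compared with the value published by the vendor, not one derived from the same downloaded file, and, where both are offered, preferring the SHA value over MD5. The two SMS bullets moved to the end of the list read fine here, though "if it is not utilized whatsoever" should be "if they are not used at all" to agree with "SMS utilities".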