Template:Security guidelines: Difference between revisions
Added general security guidelines section with recommendations
==Summary==
This article describes all security features supported by Teltonika devices, which device has which security implementation, and how to use them properly.
==General security guidelines==
General security recommendations for any internet-facing device.
It is always advised to adhere to the following security recommendations whenever the device is exposed to the internet in any way.
* Set '''SMS limits and data limits''' for your SIM card plans
* Disable SMS utilities entirely ''if they are not used at all''
* Set a strong WebUI/SSH password containing numbers, lowercase and uppercase letters and symbols; a longer password further increases the overall security of the device
* Do not leave Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions''
* If public access is necessary, firewall it to '''specific source IPs and source ports'''
* If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (e.g., set the HTTP(S) port to a random number in the range 32768-65535)
* If remote access is required, always '''use secure VPN protocols''' instead of exposing sensitive services directly to the whole internet
* When configuring VPNs purely for security, prefer UDP-based VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN or WireGuard
* '''Disable WiFi if unused'''. Otherwise use strong WiFi authentication (certificate-based authentication or a strong PSK).
* When using the router as a public WiFi hotspot, always restrict access from the public WiFi network to the router itself (create a separate zone with an INPUT=DROP default rule for the public WiFi network, then allow specific ports only if absolutely necessary)
* Grant any additionally created user account only the minimum permissions it requires
* Do not install extra packages from '''unknown sources'''
* '''Always write down and compare the MD5/SHA hashes of backup files''' before uploading them back to the router. Likewise, always verify the hashes of firmware files before uploading them to the router
* Use key-based authentication wherever possible (e.g., when accessing the router via SSH)
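The two firewall recommendations above (a separate hotspot zone with INPUT=DROP, and remote management limited to specific source IPs) as an added example of a UCI firewall fragment, not configuration taken from Teltonika's documentation. It assumes an OpenWrt-style `/etc/config/firewall`; the `hotspot` zone/network name, the admin address 203.0.113.10 and the port numbers are placeholders to adapt.

```uci
# Added example, not Teltonika's own configuration. Assumes an OpenWrt-style
# UCI firewall; 'hotspot' and 203.0.113.10 are placeholders.

# Public WiFi: its own zone with default INPUT=DROP, so hotspot clients
# cannot reach the router itself; traffic between hotspot clients is rejected.
config zone
        option name     'hotspot'
        list   network  'hotspot'
        option input    'DROP'
        option output   'ACCEPT'
        option forward  'REJECT'

# Hotspot clients still need DHCP and DNS from the router: allow only those.
config rule
        option name      'Allow-hotspot-DHCP-DNS'
        option src       'hotspot'
        option proto     'udp'
        option dest_port '53 67'
        option target    'ACCEPT'

# Let hotspot clients out to the internet and nowhere else (no forwarding
# towards the lan zone is defined).
config forwarding
        option src  'hotspot'
        option dest 'wan'

# Remote management: accept SSH and HTTPS from the WAN only from one admin
# address. Everything else from the WAN falls through to the wan zone's
# default input policy, which must remain DROP or REJECT.
config rule
        option name      'Allow-SSH-HTTPS-admin'
        option src       'wan'
        option src_ip    '203.0.113.10'
        option proto     'tcp'
        option dest_port '22 443'
        option target    'ACCEPT'
```

After applying the change, confirm from outside the admin address that the SSH and HTTPS ports no longer answer, and from a hotspot client that only DHCP and DNS reach the router.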
Please note that, regardless of the currently running configuration, '''we strongly recommend keeping up with the latest firmware version''', which generally includes not only overall improvements to router functionality but also security patches and vulnerability fixes.
Understandably, every production environment is different and some features may be altered or changed in newer firmware versions, so always test and verify a newer firmware version '''before deploying it onto devices in a production environment'''.
==Security features==