Line 2: |
Line 2: |
| In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly. | | In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly. |
| | | |
− | ==General security guidelines== | + | ==Security guidelines== |
| | | |
| Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way. | | Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way. |
| + | |
| + | ==General Security Guidelines== |
| | | |
− | * Do not have Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions'' | + | * Keep Firmware Updated - Always ensure that firmware is up to date. |
− | * Set strong WebUI/SSH password, including numbers, lowercase and uppercase alphabet letters, symbols. Longer password length also increases overall security of the device | + | * Set Strong Passwords - Use strong, unique passwords for all services (WebUI, SSH, Post/Get). Passwords should include numbers, symbols, uppercase, and lowercase letters. Passwords should be between 15-20 characters long. |
− | * If public access is necessary, have it firewalled for '''specific source IPs and source ports''' | + | * Install Trusted Packages - Only install packages from known and trusted sources. |
− | * If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (i.e., set HTTP(S) port to a random number in the range of 32768-65535) | + | * Use Secure Configuration Protocols - Use SSH or HTTPS for device configuration. Avoid using insecure protocols like telnet or HTTP, especially for remote configuration. |
− | * If remote access is required – always '''try to employ the usage of secure VPN protocols''' instead of exposing sensitive services directly to all of the internet | + | * Disable unused services - Disable services that are not used, especially those that provide some sort of administrative capabilities (e.g.: WiFi, SMS Utilities, Web CLI). |
− | * When configuring VPNs purely for security, opt in to use VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN, WireGuard
| + | * Ensure WiFi Security - If WiFi is used, ensure it employs the latest encryption standards like WPA3 or WPA2 with AES. Avoid using TKIP. |
− | * '''Disable WiFi if unused'''. Use strong WiFi authentication otherwise (certificate based auth/strong PSK). | + | * Assign Minimum Necessary Permissions - Make sure to provide the least amount of required permissions for any additionally created user account. |
− | * When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary) | + | * Set SIM Card Limits - Set SMS and data limits for your SIM card to prevent misuse. |
− | * Make sure to provide the least amount of required permissions for any additionally created user account | + | |
− | * Do not install extra packages from '''unknown sources'''
| + | ==Security Hardening Guidelines== |
− | * '''Always write down & compare MD5/SHA hashes of backup files''' before uploading them back into the router. In addition – always make sure to verify the hashes of firmware files, before uploading them to the router
| + | |
− | * Make sure to use key-based authentication wherever possible (i.e., accessing to the router via SSH) | + | * Limit Administrative Access - Avoid exposing administrative services to the internet. If public access is mandatory, set unconventional ports (e.g., 32768-65535) for common services. |
− | * Set '''SMS limits, data limits''' for your SIM card plans | + | * Secure Exposed Services - If remote access is necessary, ensure that it is protected by a firewall. If remote access is required for any administrative interface, modify the rule to only accept traffic from known sources (e.g. modify the SSH WAN access rule to only allow connections from a specific source address). |
− | * Disable SMS utilities entirely, ''if it is not utilized whatsoever''
| + | * Manage WiFi Effectively - Disable WiFi if it is not needed. Consider reducing wireless transmission power rather than hiding the ESSID. |
| + | * Use Key-Based Authentication - Make sure to use key-based authentication wherever possible (e.g. accessing device via SSH). |
| + | * Verify Backup Integrity - Always write down & compare MD5/SHA hashes of backup files and firmware files before uploading them to the device. |
| + | * Use Phone Number Whitelisting - Create phone number groups for SMS commands to act as a whitelist. |
| + | * Disable Unnecessary Utilities - Review and disable unnecessary SMS/Call utilities and commands, or disable this functionality completely. |
| + | |
| + | ==Secure Operation Guidelines== |
| + | |
| + | * Regularly Update Firmware - Regularly check and apply firmware updates for security patches and improvements. |
| + | * Monitor Access Continuously - Continuously monitor access to administrative services and restrict as needed. Create and regularly review ”Events Reporting” rules to inform when certain events occur on the device. |
| + | * Update Passwords Periodically - Regularly update passwords and ensure they adhere to strong password policies. |
| + | * Audit Protocols Regularly - Regularly audit the protocols used for configuration and management to ensure they remain secure. |
| + | * Review Firewall rules - Regularly audit and review firewall and traffic rules. |
| + | * Review used services - Regularly review the services that are being used on the device. Disable services that are not used. |
| + | * Configure Secure VPNs - Use secure VPN protocols (e.g., IPsec, OpenVPN, WireGuard) for remote access instead of exposing sensitive services directly. |
| + | * Conduct WiFi Audits - Periodically review WiFi settings and ensure they comply with the latest security requirements. |
| + | * Review SIM Card Usage - Regularly review SMS and data usage limits and adjust them based on current needs and usage patterns. Disable SMS utilities entirely, if it is not utilized whatsoever. |
| + | |
| | | |
| | | |
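Review bot: the rewrite drops the public-WiFi hotspot guideline without a replacement. The removed bullet "When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary)" has no counterpart in the new General, Hardening or Operation lists; "Manage WiFi Effectively" only covers disabling WiFi and reducing transmission power. Suggest restoring it under "Security Hardening Guidelines", since hotspot clients otherwise land in the same firewall zone as trusted LAN clients. Related: the removed VPN bullet's authentication requirement ("opt in to use VPN protocols with TLS (certificate-based) or private/public key-based authentication") is also lost; the new "Configure Secure VPNs" names protocols only, and IPsec in particular also accepts pre-shared keys, so the authentication-method guidance is worth keeping. Smaller points: "Verify Backup Integrity" still lists MD5 alongside SHA, and MD5 is no longer collision resistant, so naming SHA-256 gives the reader a checkable instruction; "Passwords should be between 15-20 characters long" puts an upper bound on length that works against the "Longer password length also increases overall security" rationale of the removed bullet, so "at least 15 characters" would be clearer; and the curly quotes in ”Events Reporting” should be straight quotes to match the rest of the page.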