Template:Security guidelines: Difference between revisions

From Teltonika Networks Wiki
==Summary==

In this article you can find details about all the security features supported by Teltonika devices, which device has which security implementations, and a guide on how to use them properly.


==Security Guidelines==

Below you may find some of the most common security recommendations. These recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever a device is exposed to the internet in some way.

==General Security Guidelines==

* '''Keep Firmware Updated''' - Always ensure that firmware is up to date.
* '''Set Strong Passwords''' - Use strong, unique passwords for all services (WebUI, SSH, Post/Get). Passwords should include numbers, symbols, uppercase, and lowercase letters. Passwords should be between 15-20 characters long.
* '''Install Trusted Packages''' - Only install packages from known and trusted sources.
* '''Use Secure Configuration Protocols''' - Use SSH or HTTPS for device configuration. Avoid using insecure protocols like telnet or HTTP, especially for remote configuration.
* '''Disable unused services''' - Disable services that are not used, especially those that provide some sort of administrative capabilities (e.g.: WiFi, SMS Utilities, Web CLI).
* '''Ensure WiFi Security''' - If WiFi is used, ensure it employs the latest encryption standards like WPA3 or WPA2 with AES. Avoid using TKIP.
* '''Assign Minimum Necessary Permissions''' - Make sure to provide the least amount of required permissions for any additionally created user account.
* '''Set SIM Card Limits''' - Set SMS and data limits for your SIM card to prevent misuse.

==Security features==

In the table below you can find all the security features supported by Teltonika's devices:

<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>A HyperText Transfer Protocol Secure (HTTPS) flood attack is the same as an HTTP flood attack, but uses the HTTPS protocol instead of plain HTTP.</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>A Christmas Tree (X-Mas) attack sends a specially crafted TCP packet to a device on the network. The TCP header contains a set of flag bits that are normally set or cleared according to what the packet is doing; an X-Mas packet has many of these flags turned on at once.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default, as there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used up, the device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used up, the device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td>By router admin password</td>
<td>The default authorization method for configuration via SMS commands is the router admin password. It is very important to have a strong password for the admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI, RutOS forces the user to change it. It is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uploaded</td>
<td>A Root CA certificate is only needed if you want to use HTTPS for your services. A default file is already preloaded on the device and will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP does not require any sort of authentication from the user. Any application running on a computer in the LAN can ask the router to forward a port over UPnP, which is why malware can abuse UPnP. Recommendation: if you don't use it, leave it not installed or turned off.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver-Transmitter</td>
      <td>UART</td>
      <td>By router admin password</td>
<td>Many manufacturers implement UART interfaces on their devices. If this interface is not password protected, the security of the device may be compromised: a malicious 3rd party who gains physical access to the device would have full control of the router via the UART interface. This is why our devices have password-protected UART interfaces.</td>
    </tr>
</table>
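The "SSH Access Secure" and "WebUI Access Secure" rows above describe the same mechanism: count failed logins per source address and block that source once the 5 allowed attempts are used up. The Python script below is an added example, not code from this page or from RutOS. It shows the logic a defender would implement, or would use to verify the device's own behaviour from its logs: it parses constructed syslog lines written in the style of the Dropbear SSH server (the exact log format is an assumption), counts failures per source inside a sliding time window, resets the counter on a successful login, and reports which sources would be blocked and when. The 5-attempt threshold comes from the table; the 10-minute window and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of Dropbear's syslog messages
# (format assumed). Source addresses are RFC 5737 documentation ranges;
# nothing here was captured from a real device.
SAMPLE_LOG = """\
Jan 10 12:00:01 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.5:43210
Jan 10 12:00:03 router dropbear[1202]: Bad password attempt for 'root' from 203.0.113.5:43211
Jan 10 12:00:04 router dropbear[1203]: Bad password attempt for 'admin' from 203.0.113.5:43212
Jan 10 12:00:05 router dropbear[1204]: Bad password attempt for 'root' from 203.0.113.5:43213
Jan 10 12:00:06 router dropbear[1205]: Bad password attempt for 'root' from 203.0.113.5:43214
Jan 10 12:00:07 router dropbear[1206]: Bad password attempt for 'root' from 203.0.113.5:43215
Jan 10 12:00:10 router dropbear[1207]: Bad password attempt for 'root' from 192.0.2.10:51000
Jan 10 12:00:11 router dropbear[1208]: Bad password attempt for 'root' from 192.0.2.10:51001
Jan 10 12:00:12 router dropbear[1209]: Bad password attempt for 'root' from 192.0.2.10:51002
Jan 10 12:00:13 router dropbear[1210]: Password auth succeeded for 'root' from 192.0.2.10:51003
Jan 10 12:00:14 router dropbear[1211]: Bad password attempt for 'root' from 192.0.2.10:51004
Jan 10 12:00:15 router dropbear[1212]: Bad password attempt for 'root' from 192.0.2.10:51005
Jan 10 12:00:16 router dropbear[1213]: Bad password attempt for 'root' from 192.0.2.10:51006
Jan 10 12:00:20 router dropbear[1214]: Bad password attempt for 'root' from 198.51.100.7:40000
Jan 10 12:30:00 router dropbear[1215]: Bad password attempt for 'root' from 198.51.100.7:40001
"""

MAX_ATTEMPTS = 5                 # the table's default: 5 attempts, then block the source
WINDOW = timedelta(minutes=10)   # assumption: failures older than this are forgotten

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for '(?P<user>[^']*)' "
    r"from (?P<ip>[0-9A-Fa-f.:]+):\d+$"
)


def parse_line(line, year=2024):
    """Parse one syslog line; returns None for lines that are not login events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "user": m.group("user"),
            "failed": m.group("event").startswith("Bad")}


def blocked_sources(log_text, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {source_ip: time_of_block} for every source that used up its attempts."""
    recent_failures = defaultdict(list)
    blocked = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ip"] in blocked:
            continue  # not a login event, or this source is already blocked
        if not ev["failed"]:
            recent_failures[ev["ip"]].clear()  # a successful login resets the counter
            continue
        # Keep only the failures still inside the sliding window, then add this one.
        recent = [t for t in recent_failures[ev["ip"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        recent_failures[ev["ip"]] = recent
        if len(recent) >= max_attempts:
            blocked[ev["ip"]] = ev["ts"]
    return blocked


if __name__ == "__main__":
    for ip, when in blocked_sources(SAMPLE_LOG).items():
        print(f"{ip} blocked at {when:%H:%M:%S} after {MAX_ATTEMPTS} failed attempts")
```

On the constructed log, 203.0.113.5 is blocked at its fifth failure and its sixth attempt is ignored; 192.0.2.10 is never blocked because the successful login between its two bursts resets the counter; 198.51.100.7 is never blocked because its two failures fall outside the window. When reviewing a real device, compare the time of the block reported here against the time the device itself stopped answering that source.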


==Security recommendations==

<table class="wikitable">
    <tr>
        <th width="300">Topic</th>
      <th width="300">Recommendation</th>
      <th width="550">Comment</th>
    </tr>
    <tr>
      <td rowspan="2">SSH access</td>
      <td>Use a different port than 22</td>
      <td>22 is the default port used by the SSH protocol. You should not use the default port, as it is easy to guess and more exposed to brute-force attacks.</td>
    </tr>
    <tr>
      <td>Use strong passwords and passphrases</td>
      <td>Most server compromises happen because of weak passwords: easy-to-guess passwords such as the brand name of the device, or universal passwords like 123456 or Admin123. A weak password is more likely to be cracked by brute-force attacks. You should use a very strong password or passphrase to log in to your SSH server.</td>
    </tr>
    <tr>
      <td rowspan="2">Firewall</td>
      <td>Block traffic by default</td>
      <td>Start by blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can be achieved by configuring the last rule in an access control list to deny all traffic.</td>
    </tr>
    <tr>
      <td>Review firewall rules</td>
      <td>Networks are constantly changing, gaining new users and new devices. New services and new applications are being accessed, which means new firewall rules will need to be added. Old firewall rules will need to be reviewed and deleted if necessary.</td>
    </tr>
    <tr>
      <td>VPN</td>
      <td>Always use a VPN if you have the possibility</td>
      <td>Encrypted traffic is more secure than unencrypted traffic. Unencrypted traffic can be easily sniffed or even altered by a malicious 3rd party.</td>
    </tr>
    <tr>
      <td rowspan="3">WiFi AP</td>
      <td>Use WPA2-PSK (AES) encryption</td>
      <td>This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol.</td>
    </tr>
    <tr>
      <td>Use a strong WiFi AP key (password/passphrase)</td>
      <td>If a malicious 3rd party is able to capture the encrypted 4-way handshake, a strong password can increase the time needed to decrypt it to years.</td>
    </tr>
    <tr>
      <td>Separate clients</td>
      <td>Separate clients, also known as wireless client isolation, is a security feature that prevents wireless clients from communicating with one another. This feature adds an additional level of security to limit attacks and threats between devices connected to the wireless network.</td>
    </tr>
    <tr>
      <td rowspan="2">WiFi Hotspot</td>
      <td>Set up a guest network for visitors</td>
      <td>A guest Wi-Fi network is essentially a separate access point on your router with a separate IP pool. For example, with a guest network, malware that somehow ended up on a guest's smartphone will not be able to get into your main business LAN.</td>
    </tr>
    <tr>
      <td>Hotspot configuration</td>
      <td>Set up a data bandwidth limit; that way a malicious 3rd party will be unable to drain all your bandwidth. Use a session time limit; that way a malicious 3rd party will be unable to drain your mobile data limit.</td>
    </tr>
    <tr>
      <td>WiFi SSID</td>
      <td>Don't broadcast your router details</td>
      <td>The service set identifier (SSID) should be changed. The default name broadcasts your device model.</td>
    </tr>
    <tr>
      <td>DNS server</td>
      <td>Don't use your Internet Service Provider's (ISP) default Domain Name System (DNS)</td>
      <td>There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or by someone changing the DNS to carry out a cloned banking fraud.</td>
    </tr>
    <tr>
      <td>Password</td>
      <td>Always use only strong passwords</td>
      <td>Strong password requirements:

*Has 12 characters, minimum;
*Includes numbers, symbols, capital letters, and lower-case letters;
*Isn't a dictionary word or combination of dictionary words;
*Doesn't rely on obvious substitutions.

You can check your current password strength at the link below: https://howsecureismypassword.net/</td>
    </tr>
    <tr>
      <td>Firmware update</td>
      <td>Keep firmware up to date</td>
      <td>With new firmware come a lot of improvements:

*Security fixes;
*Performance enhancements;
*Visual updates;
So there is no reason why you shouldn't update firmware.</td>
    </tr>
    <tr>
      <td>Secure firmware update</td>
      <td>Always update firmware from the official website</td>
      <td>Always update with firmware downloaded from our official page, or use firmware over the air (FOTA).</td>
    </tr>
    <tr>
      <td>RMS</td>
      <td>Use RMS for remote access to the router</td>
      <td>Disable remote access to your public IP and use RMS for remote management instead. More about RMS can be found at the link below:
https://teltonika-networks.com/product/rms/</td>
    </tr>
    <tr>
      <td>Unused features</td>
      <td>Turn off router features you don't use that could pose a security risk</td>
      <td>This would include remote access, Universal Plug and Play (UPnP), etc.</td>
    </tr>
    <tr>
      <td>Common sense</td>
      <td>Always use common sense while configuring any network device</td>
        <td>-</td>
    </tr>
</table>

==Security Hardening Guidelines==

* '''Limit Administrative Access''' - Avoid exposing administrative services to the internet. If public access is mandatory, set unconventional ports (e.g., 32768-65535) for common services.
* '''Secure Exposed Services''' - If remote access is necessary, ensure that it is protected by a firewall. If remote access is required for any administrative interface, modify the rule to only accept traffic from known sources (e.g. modify the SSH WAN access rule to only allow connections from a specific source address).
* '''Manage WiFi Effectively''' - Disable WiFi if it is not needed. Consider reducing wireless transmission power rather than hiding the ESSID.
* '''Use Key-Based Authentication''' - Make sure to use key-based authentication wherever possible (e.g. accessing the device via SSH).
* '''Verify Backup Integrity''' - Always write down and compare the MD5/SHA hashes of backup files and firmware files before uploading them to the device.
* '''Use Phone Number Whitelisting''' - Create phone number groups for SMS commands to act as a whitelist.
* '''Disable Unnecessary Utilities''' - Review and disable unnecessary SMS/Call utilities and commands, or disable this functionality completely.

==Secure Operation Guidelines==

* '''Regularly Update Firmware''' - Regularly check and apply firmware updates for security patches and improvements.
* '''Monitor Access Continuously''' - Continuously monitor access to administrative services and restrict it as needed. Create and regularly review "Events Reporting" rules to be informed when certain events occur on the device.
* '''Update Passwords Periodically''' - Regularly update passwords and ensure they adhere to strong password policies.
* '''Audit Protocols Regularly''' - Regularly audit the protocols used for configuration and management to ensure they remain secure.
* '''Review Firewall rules''' - Regularly audit and review firewall and traffic rules.
* '''Review used services''' - Regularly review the services that are being used on the device. Disable services that are not used.
* '''Configure Secure VPNs''' - Use secure VPN protocols (e.g., IPsec, OpenVPN, WireGuard) for remote access instead of exposing sensitive services directly.
* '''Conduct WiFi Audits''' - Periodically review WiFi settings and ensure they comply with the latest security requirements.
* '''Review SIM Card Usage''' - Regularly review SMS and data usage limits and adjust them based on current needs and usage patterns. Disable SMS utilities entirely if they are not utilized at all.
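The "Block traffic by default" recommendation in the table above and the "Secure Exposed Services" hardening guideline describe one mechanism: a first-match access control list whose last entry denies everything, with the SSH-from-WAN rule narrowed to a known source address and moved off port 22. The Python program below is an added example, not code from this page or from RutOS. It models such a list the way a reviewer checks it: the weak setting (SSH on port 22 open to the whole internet) beside the hardened one (SSH on an unconventional port, accepted only from a management network), both evaluated against constructed connection attempts, plus the review check that the list really does end in a deny-all rule. The rule fields, zone names, addresses (RFC 5737 documentation ranges) and port numbers are assumptions, not the device's configuration syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One access control entry; a field left at its default matches anything."""
    name: str
    action: str                   # "accept" or "deny"
    src_zone: str = "any"         # firewall zone the connection arrives from ("wan", "lan")
    src_net: str = "0.0.0.0/0"    # CIDR the source address must belong to
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dest_port: Optional[int] = None

    def matches(self, conn):
        return (self.src_zone in ("any", conn["zone"])
                and ip_address(conn["src"]) in ip_network(self.src_net)
                and self.proto in ("any", conn["proto"])
                and self.dest_port in (None, conn["dport"]))


def is_terminal_deny(rule):
    """The review check from the table: does this rule deny all traffic?"""
    return (rule.action == "deny" and rule.src_zone == "any" and rule.src_net == "0.0.0.0/0"
            and rule.proto == "any" and rule.dest_port is None)


def evaluate(rules, conn):
    """First match wins. Refuses to guess when the list lacks its deny-all rule."""
    if not rules or not is_terminal_deny(rules[-1]):
        raise ValueError("access list must end with a deny-all rule")
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    raise AssertionError("unreachable: the terminal rule matches everything")


DENY_ALL = Rule("deny-all", "deny")

# Weak setting: SSH on its default port, reachable from the whole internet.
OPEN_RULES = [
    Rule("allow-ssh-wan", "accept", src_zone="wan", proto="tcp", dest_port=22),
    Rule("allow-https-lan", "accept", src_zone="lan", proto="tcp", dest_port=443),
    DENY_ALL,
]

# Hardened setting: SSH moved to an unconventional port and accepted only from
# the management network (constructed; addresses are RFC 5737 documentation ranges).
HARDENED_RULES = [
    Rule("allow-ssh-wan-mgmt", "accept", src_zone="wan", src_net="198.51.100.0/24",
         proto="tcp", dest_port=50022),
    Rule("allow-https-lan", "accept", src_zone="lan", proto="tcp", dest_port=443),
    DENY_ALL,
]

# Constructed connection attempts to evaluate against both lists.
SAMPLE_CONNECTIONS = {
    "internet-ssh-22":    {"zone": "wan", "src": "203.0.113.5",   "proto": "tcp", "dport": 22},
    "internet-ssh-50022": {"zone": "wan", "src": "203.0.113.5",   "proto": "tcp", "dport": 50022},
    "mgmt-ssh-50022":     {"zone": "wan", "src": "198.51.100.10", "proto": "tcp", "dport": 50022},
    "lan-webui":          {"zone": "lan", "src": "192.168.1.20",  "proto": "tcp", "dport": 443},
    "internet-webui":     {"zone": "wan", "src": "203.0.113.5",   "proto": "tcp", "dport": 443},
}


def decisions(rules):
    """Map each sample connection to the action the list takes on it."""
    return {name: evaluate(rules, conn)[0] for name, conn in SAMPLE_CONNECTIONS.items()}


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(label, decisions(rules))
```

The only connection the hardened list accepts from the WAN is SSH on port 50022 from the management network; the same request from any other address, and SSH on port 22 from anywhere, fall through to the deny-all rule. The evaluator refuses to run a list without that terminal rule, which is the condition a periodic firewall review should confirm first.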


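The strong password requirements in the recommendations table above (12 characters minimum, numbers, symbols, capital and lower-case letters, no dictionary word or combination of dictionary words, no obvious substitutions) can be checked mechanically before a password is set on the device. The Python module below is an added example, not code from this page or from RutOS. It applies the four rules to constructed candidates, including the admin01 default the features table calls weak, and reports every rule a candidate fails. The tiny word list is a constructed stand-in for a real dictionary, the substitution map is an assumption, and so is the rule that a password fails when fewer than 4 of its letters are left after dictionary words are stripped out; the General Security Guidelines ask for 15-20 characters, so MIN_LENGTH is kept as a single constant to raise.

```python
import re
import string

MIN_LENGTH = 12        # the table's minimum; the General Security Guidelines ask for 15-20
MIN_UNEXPLAINED = 4    # assumption: letters that must remain after dictionary words are removed

# Constructed stand-in for a real dictionary; a deployment would load a large word list.
DICTIONARY = {
    "password", "admin", "router", "teltonika", "summer", "welcome", "secret",
    "network", "house", "blue", "dragon", "login", "monkey", "hello",
}

# Obvious substitutions that password-guessing wordlists try first ("P@ssw0rd" -> "password").
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def letters_only(text):
    return re.sub(r"[^a-z]", "", text.lower())


def normalise(password):
    """Undo obvious substitutions before looking for dictionary words."""
    return letters_only(password.translate(SUBSTITUTIONS))


def unexplained_letters(text, dictionary=DICTIONARY):
    """Strip dictionary words (longest first) and return whatever letters remain."""
    for word in sorted(dictionary, key=lambda w: (-len(w), w)):
        text = text.replace(word, "")
    return text


def check_password(password):
    """Return the list of failed requirements; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
        "capital letters": any(c.isupper() for c in password),
        "lower-case letters": any(c.islower() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("missing " + ", ".join(missing))
    raw = letters_only(password)
    # Rule 3 looks at the letters as typed; rule 4 repeats the test after undoing
    # substitutions, so "P@ssw0rd" is reported as a substitution, not as random letters.
    if raw and len(unexplained_letters(raw)) < MIN_UNEXPLAINED:
        failures.append("dictionary word or combination of dictionary words")
    elif raw and len(unexplained_letters(normalise(password))) < MIN_UNEXPLAINED:
        failures.append("relies on obvious substitutions")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the weak default, a substituted word, joined words, a random one.
    for candidate in ("admin01", "P@ssw0rd2024!", "BlueDragonHouse1!", "xq7!Rm2$pLw9Kz"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

A checker like this catches the patterns the table warns about, but it is only as good as its word list: a real deployment should load a large dictionary, and length remains the strongest single requirement.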
Please note that regardless of the currently running configuration, '''we strongly recommend keeping up with the latest firmware version''', which generally includes not only overall improvements to the router functionality, but also security patches and vulnerability fixes.

Understandably, every production environment is different, and some features may be altered or changed in newer firmware versions. Please always make sure to test and verify newer firmware versions '''before deploying any such firmware onto devices in a production environment'''.

==RUT2xx security features==

In the table below you can find all the security features supported by Teltonika's '''RUT2xx''' devices:
 
<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>A HyperText Transfer Protocol Secure (HTTPS) flood attack is the same as an HTTP flood attack, but uses the HTTPS protocol instead of plain HTTP.</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>A Christmas Tree (X-Mas) attack sends a specially crafted TCP packet to a device on the network. The TCP header contains a set of flag bits that are normally set or cleared according to what the packet is doing; an X-Mas packet has many of these flags turned on at once.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default, as there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used up, the device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used up, the device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td>By router admin password</td>
<td>The default authorization method for configuration via SMS commands is the router admin password. It is very important to have a strong password for the admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI, RutOS forces the user to change it. It is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uploaded</td>
<td>A Root CA certificate is only needed if you want to use HTTPS for your services. A default file is already preloaded on the device and will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP does not require any sort of authentication from the user. Any application running on a computer in the LAN can ask the router to forward a port over UPnP, which is why malware can abuse UPnP. Recommendation: if you don't use it, leave it not installed or turned off.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver-Transmitter</td>
      <td>UART</td>
      <td>By router admin password</td>
<td>Many manufacturers implement UART interfaces on their devices. If this interface is not password protected, the security of the device may be compromised: a malicious 3rd party who gains physical access to the device would have full control of the router via the UART interface. This is why our devices have password-protected UART interfaces.</td>
    </tr>
</table>
 
==RUT850 security features==
 
In the table below you can find all the security features supported by Teltonika's '''RUT850''' device:
 
<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>A HyperText Transfer Protocol Secure (HTTPS) flood attack is the same as an HTTP flood attack, but uses the HTTPS protocol instead of plain HTTP.</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>A Christmas Tree (X-Mas) attack sends a specially crafted TCP packet to a device on the network. The TCP header contains a set of flag bits that are normally set or cleared according to what the packet is doing; an X-Mas packet has many of these flags turned on at once.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Using the remote access feature may be a security threat. If you decide to use this feature, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default, as there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH acccess from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI acccess from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td> By router admin password</td>
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwriten by any uploaded file.</td>
    </tr>
      <td>Universal Asynchronous Receiver – Transmiter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>
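
The "SSH Access Secure" and "WebUI Access Secure" rows describe a per-source lockout once a configurable number of failed logins is reached. The Python below is an added example, not RutOS code or anything from this wiki: it replays constructed log lines (the line format is assumed, not a real device log) through a small tracker that blocks a (service, source) pair after 5 failures. The page does not say whether a successful login resets the counter; the example assumes it does.

```python
"""Per-source login lockout modelled on the 'Access Secure' rows above.
Added example, not RutOS code; the log line format is assumed."""
import re
from collections import defaultdict

# Constructed sample log (not real device output), assumed shape:
#   <service> <ok|fail> from <source address>
SAMPLE_LOG = """\
ssh fail from 198.51.100.7
ssh fail from 198.51.100.7
ssh ok from 192.0.2.10
ssh fail from 198.51.100.7
ssh fail from 198.51.100.7
ssh fail from 198.51.100.7
ssh ok from 198.51.100.7
webui fail from 203.0.113.9
webui ok from 203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<svc>\w+) (?P<result>ok|fail) from (?P<ip>[\d.:a-fA-F]+)$")


class AccessSecure:
    """Counts failed logins per (service, source) and blocks that pair once
    the configured maximum is reached, as the table describes for SSH and
    WebUI. A successful login resets the counter (assumption)."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.blocked = set()

    def observe(self, service, result, ip):
        key = (service, ip)
        if key in self.blocked:
            return "blocked"          # even correct credentials are refused now
        if result == "ok":
            self.failures[key] = 0
            return "allowed"
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.blocked.add(key)
            return "blocked"
        return "failed"


def replay(log_text, max_attempts=5):
    """Feed each parsable log line to the tracker; return the per-line
    decisions and the sorted list of (service, source) pairs that were blocked."""
    tracker = AccessSecure(max_attempts)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # ignore lines in another format
        decisions.append(tracker.observe(m["svc"], m["result"], m["ip"]))
    return decisions, sorted(tracker.blocked)


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)[0]):
        print(f"{decision:8} {line}")
```

Note the seventh line: the correct password from 198.51.100.7 is refused because the source was already blocked, which is exactly what makes this control useful against password guessing and why the page pairs it with a strong admin password.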
 
==RUT9xx security features==
 
In the table below you can find all the security features supported by Teltonika's '''RUT9xx''' devices:
 
<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>A HyperText Transfer Protocol Secure (HTTPS) flood attack is the same as an HTTP flood attack but uses the HTTPS protocol instead of plain HTTP.</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>A SYN-RST attack, also known as a TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be released immediately and all other information about the connection to be erased. A TCP reset is identified by the RST (reset) flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>A Christmas Tree (X-Mas) attack sends a very specifically crafted TCP packet to a device on the network: one in which many of the flags are turned on at once. The TCP header reserves a field for these flags, and each of them is normally turned on or off depending on what the packet is doing.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet at hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default - there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used, the device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used, the device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td>By router admin password</td>
<td>The default authorization method for configuration via SMS commands is the router admin password. It is very important to have a strong password for the admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI RutOS forces the user to change it. It is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uploaded</td>
<td>A Root CA certificate is only needed if you want to use HTTPS for your services. A default file is already preloaded on this device and will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP does not require any sort of authentication from the user. Any application running on a computer in the LAN can ask the router to forward a port over UPnP, which is why malware can abuse UPnP. Recommendation: if you do not use it, leave it not installed or turned off.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver Transmitter</td>
      <td>UART</td>
      <td>By router admin password</td>
<td>Many manufacturers implement UART interfaces on their devices. If this interface is not password protected, the security of the device may be compromised: a malicious third party that gains physical access to the device would have full control of the router via the UART interface. This is why our devices have password-protected UART interfaces.</td>
    </tr>
</table>
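
The "Port Scan Prevention" rows above name the TCP flag combinations the firewall can recognise (SYN-FIN, SYN-RST, X-Mas, bare FIN, NULL) and describe a port scan as one source probing a range of ports. As an added example, not code from this wiki or from RutOS, the Python below constructs a few raw TCP headers, classifies the flag byte the way those rows describe, and reports any source that touches at least a threshold of distinct destination ports. The threshold, the sample addresses and the packet list are assumptions made for the example.

```python
"""Classify TCP flag combinations from the port-scan rows and spot a source
sweeping many ports. Added example; all headers below are constructed."""
import struct
from collections import defaultdict

# TCP flag bits in byte 13 of the TCP header (RFC 793 order, low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0):
    """Construct a minimal 20-byte TCP header (no options) for the samples."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       data_offset, flags, 8192, 0, 0)


def tcp_flags(header):
    """Return the flag byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def classify_flags(flags):
    """Map a flag byte to the scan names used in the table, or 'normal'."""
    if flags == 0:
        return "null"        # NULL flags scan: no flag set at all
    if flags & SYN and flags & FIN:
        return "syn-fin"     # SYN and FIN never occur together legitimately
    if flags & SYN and flags & RST:
        return "syn-rst"
    if flags & FIN and flags & PSH and flags & URG:
        return "xmas"        # FIN+PSH+URG "lit up" packet
    if flags == FIN:
        return "fin"         # bare FIN without ACK: FIN scan
    return "normal"


def analyse(packets, port_threshold=10):
    """packets: iterable of (src_ip, raw_tcp_header).
    Returns the per-packet (src, dst_port, verdict) list and the sorted
    sources that hit at least port_threshold distinct destination ports."""
    verdicts = []
    ports_by_src = defaultdict(set)
    for src, hdr in packets:
        dport = struct.unpack("!H", hdr[2:4])[0]
        verdicts.append((src, dport, classify_flags(tcp_flags(hdr))))
        ports_by_src[src].add(dport)
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= port_threshold)
    return verdicts, scanners


# Constructed sample traffic: one ordinary connection to 443, then a
# Christmas-tree sweep of ports 20-31 from a second (made-up) address.
SAMPLE = [
    ("192.0.2.10", build_tcp_header(50000, 443, SYN)),
    ("192.0.2.10", build_tcp_header(50000, 443, ACK)),
    ("192.0.2.10", build_tcp_header(50000, 443, FIN | ACK)),
] + [("198.51.100.7", build_tcp_header(40000, p, FIN | PSH | URG)) for p in range(20, 32)]

if __name__ == "__main__":
    verdicts, scanners = analyse(SAMPLE)
    for v in verdicts:
        print(v)
    print("port-scan sources:", scanners)
```

The classifier checks the combined cases (SYN-FIN, X-Mas) before the single-flag case so that a bare FIN is only reported as a FIN scan when nothing else is set; FIN together with ACK is the normal end of a connection and stays "normal".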
 
==RUTXxx security features==
 
In the table below you can find all the security features supported by Teltonika's '''RUTXxx''' devices:
 
<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td>DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default - there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used, the device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities (Only in RUTX09 and RUTX11)</td>
      <td>By router admin password</td>
<td>The default authorization method for configuration via SMS commands is the router admin password. It is very important to have a strong password for the admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI RutOS forces the user to change it. It is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uploaded</td>
<td>A Root CA certificate is only needed if you want to use HTTPS for your services. A default file is already preloaded on this device and will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP does not require any sort of authentication from the user. Any application running on a computer in the LAN can ask the router to forward a port over UPnP, which is why malware can abuse UPnP. Recommendation: if you do not use it, leave it not installed or turned off.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td>By router admin password</td>
<td>Many manufacturers implement UART interfaces on their devices. If this interface is not password protected, the security of the device may be compromised: a malicious third party that gains physical access to the device would have full control of the router via the UART interface. This is why our devices have password-protected UART interfaces.</td>
    </tr>
</table>
 
==TRB14x security features==
 
In the table below you can find all the security features supported by Teltonika's '''TRB14x''' devices:
 
<table class="wikitable">
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td>DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All remote access is disabled by default. Enabling remote access may be a security threat. If this feature is required, it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>Turned off by default - there is no scenario where HTTPS usage would be needed "out of the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td>By router admin password</td>
<td>The default authorization method for configuration via SMS commands is the router admin password. It is very important to have a strong password for the admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI RutOS forces the user to change it. It is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uploaded</td>
<td>A Root CA certificate is only needed if you want to use HTTPS for your services. A default file is already preloaded on this device and will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td>By router admin password</td>
<td>Many manufacturers implement UART interfaces on their devices. If this interface is not password protected, the security of the device may be compromised: a malicious third party that gains physical access to the device would have full control of the router via the UART interface. This is why our devices have password-protected UART interfaces.</td>
    </tr>
</table>

Latest revision as of 12:17, 23 July 2024

Summary

In this article you can find details about all of Teltonika's supported security features, which device has which security implementations, and a guide on how to use them properly.

Security Guidelines

Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever the device is exposed to the internet in some way.

General Security Guidelines

  • Keep Firmware Updated - Always ensure that firmware is up to date.
  • Set Strong Passwords - Use strong, unique passwords for all services (WebUI, SSH, Post/Get). Passwords should include numbers, symbols, uppercase, and lowercase letters. Passwords should be between 15 and 20 characters long.
  • Install Trusted Packages - Only install packages from known and trusted sources.
  • Use Secure Configuration Protocols - Use SSH or HTTPS for device configuration. Avoid using insecure protocols like telnet or HTTP, especially for remote configuration.
  • Disable unused services - Disable services that are not used, especially those that provide some sort of administrative capabilities (e.g.: WiFi, SMS Utilities, Web CLI).
  • Ensure WiFi Security - If WiFi is used, ensure it employs the latest encryption standards like WPA3 or WPA2 with AES. Avoid using TKIP.
  • Assign Minimum Necessary Permissions - Make sure to provide the least amount of required permissions for any additionally created user account.
  • Set SIM Card Limits - Set SMS and data limits for your SIM card to prevent misuse.
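
The "Set Strong Passwords" item above gives a concrete policy (15 to 20 characters; digits, symbols, uppercase and lowercase letters), and the tables on this page name admin01 as the weak factory default that must be changed on first login. The Python below is an added example, not RutOS code: a checker a provisioning script could apply before pushing a password to a device. It cannot check that a password is unique across services, so that part of the guideline stays a manual review; the extra entries in the weak-password set beyond admin01 are constructed.

```python
"""Password policy check for the guideline above. Added example, not RutOS code."""
import string

MIN_LEN, MAX_LEN = 15, 20

# admin01 is the factory default named on this page; the other entries are
# constructed examples of values a provisioning script should also refuse.
KNOWN_WEAK = {"admin01", "admin", "password", "12345678"}


def password_problems(pw: str) -> list:
    """Return every policy violation found, or an empty list if none."""
    problems = []
    if pw.lower() in KNOWN_WEAK:
        problems.append("known default or weak password")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    required = [
        ("digit", str.isdigit),
        ("uppercase letter", str.isupper),
        ("lowercase letter", str.islower),
        ("symbol", lambda c: c in string.punctuation),
    ]
    for name, test in required:
        if not any(test(c) for c in pw):
            problems.append(f"missing {name}")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ("admin01", "Rut0s-Gw#north-Ent7"):
        print(candidate, password_problems(candidate) or "OK")
```

Reporting all violations at once, rather than stopping at the first, lets an operator fix a rejected password in one pass; the check is deliberately strict about the upper bound as well because the guideline states a range, not just a minimum.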

Security Hardening Guidelines

  • Limit Administrative Access - Avoid exposing administrative services to the internet. If public access is mandatory, set unconventional ports (e.g., 32768-65535) for common services.
  • Secure Exposed Services - If remote access is necessary, ensure that it is protected by a firewall. If remote access is required for any administrative interface, modify the rule to only accept traffic from known sources (e.g. modify the SSH WAN access rule to only allow connections from a specific source address).
  • Manage WiFi Effectively - Disable WiFi if it is not needed. Consider reducing wireless transmission power rather than hiding the ESSID.
  • Use Key-Based Authentication - Make sure to use key-based authentication wherever possible (e.g. accessing device via SSH).
  • Verify Backup Integrity - Always write down & compare MD5/SHA hashes of backup files and firmware files before uploading them to the device.
  • Use Phone Number Whitelisting - Create phone number groups for SMS commands to act as a whitelist.
  • Disable Unnecessary Utilities - Review and disable unnecessary SMS/Call utilities and commands, or disable this functionality completely.

Secure Operation Guidelines

  • Regularly Update Firmware - Regularly check and apply firmware updates for security patches and improvements.
  • Monitor Access Continuously - Continuously monitor access to administrative services and restrict as needed. Create and regularly review "Events Reporting" rules to be informed when certain events occur on the device.
  • Update Passwords Periodically - Regularly update passwords and ensure they adhere to strong password policies.
  • Audit Protocols Regularly - Regularly audit the protocols used for configuration and management to ensure they remain secure.
  • Review Firewall rules - Regularly audit and review firewall and traffic rules.
  • Review used services - Regularly review the services that are being used on the device. Disable services that are not used.
  • Configure Secure VPNs - Use secure VPN protocols (e.g., IPsec, OpenVPN, WireGuard) for remote access instead of exposing sensitive services directly.
  • Conduct WiFi Audits - Periodically review WiFi settings and ensure they comply with the latest security requirements.
  • Review SIM Card Usage - Regularly review SMS and data usage limits and adjust them based on current needs and usage patterns. Disable SMS utilities entirely if they are not used at all.
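
The "Limit Administrative Access" and "Secure Exposed Services" items in the hardening guidelines ask for unconventional ports and a source restriction on any administrative service reached from the WAN, and "Review Firewall rules" in the operation guidelines asks for a periodic audit of those rules. The Python below is an added example, not RutOS firewall code or its configuration syntax: it models a WAN input rule set with the weak rule (SSH on port 22 from anywhere) next to the hardened one (a high port, accepted only from a management network), evaluates sample connections against both, and runs the audit check. The rule names, the 203.0.113.0/24 management network, the port 40022 and the assumed default policy of REJECT are all constructed for the example.

```python
"""Model WAN input rules from the hardening guidelines and audit them.
Added example; names, networks and the REJECT default policy are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_PORTS = {22, 80, 443}  # SSH, HTTP, HTTPS: the administrative services


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dest_port: int
    src_networks: Tuple[str, ...] = ()  # empty tuple means "any source"
    target: str = "ACCEPT"


def rule_matches(rule: Rule, src_ip: str, dst_port: int, proto: str) -> bool:
    if rule.proto != proto or rule.dest_port != dst_port:
        return False
    if not rule.src_networks:
        return True
    ip = ipaddress.ip_address(src_ip)
    # ipaddress handles IPv4 and IPv6; a version mismatch simply does not match.
    return any(ip in ipaddress.ip_network(net, strict=False) for net in rule.src_networks)


def evaluate(rules, src_ip: str, dst_port: int, proto: str = "tcp") -> Tuple[str, Optional[str]]:
    """First matching rule decides; with no match the assumed WAN policy is REJECT."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_port, proto):
            return rule.target, rule.name
    return "REJECT", None


def audit(rules) -> List[str]:
    """The periodic review: report ACCEPT rules open to any source and
    ACCEPT rules that keep an administrative service on its conventional port."""
    findings = []
    for r in rules:
        if r.target != "ACCEPT":
            continue
        if not r.src_networks:
            findings.append(f"{r.name}: open to any source")
        if r.dest_port in ADMIN_PORTS:
            findings.append(f"{r.name}: conventional admin port {r.dest_port}")
    return findings


# Constructed rule sets: the weak setting beside the corrected one.
WEAK = (Rule("Allow-SSH-WAN", "tcp", 22),)
HARDENED = (Rule("Allow-SSH-WAN-mgmt", "tcp", 40022, ("203.0.113.0/24",)),)

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "unknown source ->", evaluate(rules, "198.51.100.7", 22),
              "| mgmt source ->", evaluate(rules, "203.0.113.42", 40022),
              "| audit:", audit(rules))
```

The audit intentionally reports two separate findings for the weak rule, because the two guidelines are independent: moving SSH to a high port without a source restriction still leaves it open to the whole internet, and restricting the source while keeping port 22 still invites the automated login attempts the "Access Secure" feature exists to absorb.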


Please note that regardless of the currently running configuration, we strongly recommend keeping up with the latest firmware version, which generally includes not only overall improvements to router functionality but also security patches and vulnerability fixes.

Understandably, every production environment is different and some features may be altered or changed in newer firmware versions – please always make sure to test and verify a newer firmware version before deploying it onto devices in a production environment.