Security Features: Difference between revisions

From Teltonika Networks Wiki
No edit summary
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 3: Line 3:
In the table below you can find all the security features supported by Teltonika's devices.
In the table below you can find all the security features supported by Teltonika's devices.


<table class="wikitable">
{| class="wikitable"
    <tr>
|+
        <th width="200">Security measurement type</th>
|-
      <th width="200">Security measurement name</th>
! Category !! Feature !! Default !! Purpose/Description
      <th width="200">By default</th>
|-
<th width="500">Details</th>
| rowspan="5" | '''DDoS Protection''' || SYN Flood Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
    </tr>
|-
    <tr>
| Ping Flood Protection || Off || Mitigates ICMP (Ping) flood attacks.
      <td rowspan="5">DDOS Prevention</td>
|-
      <td>SYN Flood Protection</td>
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
      <td>On</td>
|-
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
    </tr>
|-
    <tr>
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
      <td>Remote ICMP Requests</td>
|-
      <td>On</td>
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
|-
    </tr>
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
    <tr>
|-
      <td>SSH Attack Prevention</td>
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
      <td>Off</td>
|-
      <td>A Secure Shell (SSH) flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
    </tr>
|-
    <tr>
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
      <td>HTTP Attack Prevention</td>
|-
      <td>Off</td>
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
|-
    </tr>
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
    <tr>
|-
      <td>HTTPS Attack Prevention</td>
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
      <td>Off</td>
|-
      <td>Hypertext Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
| rowspan="4" | '''Access Control Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
    </tr>
|-
    <tr>
| HTTP Access || Off || Disabled by default; use only with strong passwords.
      <td rowspan="6">Port Scan Prevention</td>
|-
      <td>Port Scan</td>
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
      <td>Off</td>
|-
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
| CLI Access || Off || Disabled by default; use only with strong passwords.
    </tr>
|-
    <tr>
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
      <td>SYN-FIN attack</td>
|-
      <td>Off</td>
| HTTP Access || On || Allows local WebUI configuration over LAN.
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
|-
    </tr>
| HTTPS Access || On || Allows local WebUI configuration over LAN.
    <tr>
|-
      <td>SYN-RST attack</td>
| CLI Access || On || Allows local command-line configuration over LAN.
      <td>Off</td>
|-
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
    </tr>
|-
    <tr>
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
      <td>X-Mas attack</td>
|-
      <td>Off</td>
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
<td>Christmas Tree (X-Mas) Attack is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.</td>
|-
    </tr>
| Default Admin Password || On || Default password is present on the device label.
    <tr>
|-
      <td>FIN scan</td>
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
      <td>Off</td>
|-
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
    </tr>
|-
    <tr>
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
      <td>NULLflags attack</td>
|}
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td> By router admin password</td>
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
    </tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
    </tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>
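Review bot: several defaults change in this table without explanation, and both revisions carry no edit summary. The removed "SSH Access Secure" and "WebUI Access Secure" rows state a maximum of 5 login attempts, while the added "Login Protection" rows state a block after 10 failed attempts. The removed "Local HTTPS access" row is Off, while the added local "HTTPS Access" row is On. Please confirm these against current firmware and say so in the edit summary. The added category cell '''Access Control Remote''' is also missing the dash used in its sibling '''Access Control – Local'''. The "Default Admin Password" row has "On" as its default, which is unclear now that the removed text about the forced password change on first login is gone.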


==Security recommendations==
==RUTxxx series security features==


Security features will not help if you won't use them properly, below you can find a table with recommendations.
In the table below you can find all the security features supported by Teltonika's '''RUTxxx''' series devices.


<table class="wikitable">
{| class="wikitable"
    <tr>
|+
        <th width="300">Topic</th>
|-
      <th width="300">Recommendation</th>
! Category !! Feature !! Default !! Purpose/Description
      <th width="550">Comment</th>
|-
    </tr>
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
    <tr>
|-
      <td rowspan="2">SSH access</td>
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
      <td>Use a different port than 22</td>
|-
      <td>22 is the default port used by SSH protocol. You should not use the default port as it is easy to guess and more vulnerable to brute-force attacks.</td>
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
    </tr>
|-
    <tr>
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
      <td>Use strong passwords and passphrases</td>
|-
      <td>Most of the servers security are compromised because of the weak passwords. They use easy to guess passwords like the brand name of the device or some universal password like 123456 or Admin123. Weak password is more likely to be cracked by brute-force attacks. You should be using a very strong password or passphrase to log in your SSH server.</td>
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
    </tr>
|-
    <tr>
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
      <td rowspan="2">Firewall</td>
|-
      <td>Block traffic by default</td>
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
      <td>Start blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can be achieved by configuring the last rule in an access control list to deny all traffic. </td>
|-
    </tr>
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
    <tr>
|-
      <td>Reviewing firewall rules</td>
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
      <td>Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new firewall rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary.</td>
|-
    </tr>
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
    <tr>
|-
      <td>VPN</td>
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
      <td>Always use VPN if you have the possibility</td>
|-
      <td>Encrypted traffic is more secure than unencrypted traffic. Unencrypted traffic can be easily sniffed or even altered by malicious 3rd party.</td>
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
    </tr>
|-
    <tr>
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
      <td rowspan="3">WiFi AP</td>
|-
      <td>Use WPA2-PSK (AES) encryption</td>
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
      <td>This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol</td>
|-
    </tr>
| HTTP Access || Off || Disabled by default; use only with strong passwords.
    <tr>
|-
      <td>Use WiFi AP strong key (password/passphrase)</td>
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
      <td>"If malicious 3rd party is able to capture encrypted 4-way handshake, with strong password, decryption time can increase up to n years.</td>
|-
    </tr>
| CLI Access || Off || Disabled by default; use only with strong passwords.
    <tr>
|-
      <td>Separate clients</td>
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
      <td>Separate clients also known as wireless client isolation is a security feature that prevents wireless clients from communicating with one another. This feature adds additional level of security to limit attacks and threats between devices connected to the wireless networks.</td>
|-
    </tr>
| HTTP Access || On || Allows local WebUI configuration over LAN.
    <tr>
|-
      <td rowspan="2">WiFi Hotspot</td>
| HTTPS Access || On || Allows local WebUI configuration over LAN.
      <td>Setting up a guest network for visitors</td>
|-
      <td>By setting up a guest Wi-Fi. A guest Wi-Fi network is essentially a separate access point on your router with separate IP pool. For example with guest network malware that somehow ended up on a guest’s smartphone will not be able to get into your main business LAN</td>
| CLI Access || On || Allows local command-line configuration over LAN.
    </tr>
|-
    <tr>
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
      <td>Hotspot  configuration</td>
|-
      <td>Setup data bandwidth limit. In that case  malicious 3rd party will be unable to drain all your bandwidth. Use session time limit. In that case malicious 3rd party will be unable to drain your mobile data limit </td>
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
    </tr>
|-
      <td>WiFi SSID</td>
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
      <td>Don't broadcast your router details</td>
|-
      <td>Service set identifier (SSID) should be changed. Default name will broadcast your device model.</td>
| Default Admin Password || On || Default password is present on the device label.
    </tr>
|-
    <tr>
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
      <td>DNS server</td>
|-
      <td>Don't use your Internet Service Providers (ISP) default Domain Name System (DNS)</td>
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
      <td>There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or someone changing the DNS to effect a cloned banking fraud.</td>
|-
    </tr>
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
    <tr>
|}
      <td>Password</td>
      <td>Always use only strong passwords</td>
      <td>Strong password requirements:


*Has 12 characters, minimum;
==RUTXxxx series security features==
*Includes numbers, symbols, capital letters, and Lower-Case Letters;
*Isn’t a dictionary word or combination of dictionary words;
*Doesn’t rely on obvious substitutions.


You can check your current password strength here: https://howsecureismypassword.net/"</td>
In the table below you can find all the security features supported by Teltonika's '''RUTXxxx''' series devices.
    </tr>
    <tr>
      <td>Firmware update</td>
      <td>Keep firmware up to date</td>
      <td>With new firmware comes a lot of improvements:


*Security fixes;
{| class="wikitable"
*Performance enhancements;
|+
*Visual updates;
|-
So where is no reason why you shouldn't update firmware.</td>
! Category !! Feature !! Default !! Purpose/Description
    </tr>
|-
    <tr>
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
      <td>Secure firmware update</td>
|-
      <td>Always update firmware from official website</td>
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
      <td>Always update firmware downloaded from our official page or use firmware over the air (FOTA).</td>
|-
    </tr>
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
    <tr>
|-
      <td>RMS</td>
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
      <td>Use RMS for remote access to the router</td>
|-
      <td>Disable remote access to your public IP and use RMS for remote management instead. You can find more details about RMS here:
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
https://teltonika-networks.com/product/rms/</td>
|-
    </tr>
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
    <tr>
|-
      <td>Unused features</td>
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
      <td>Turn off router features you don’t use that could pose a security risk</td>
|-
      <td>This would include remote access, Universal Plug and Play (UPnP), etc...</td>
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
    </tr>
|-
    <tr>
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
      <td>Common sense</td>
|-
      <td>Always use common sense while configuring any network device</td>
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
        <td>-</td>
|-
    </tr>
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
</table>
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| HTTP Access || Off || Disabled by default; unencrypted traffic, avoid usage.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN. Unencrypted traffic, avoid usage.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="3" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|-
| TPM || On || Enabled by default. Securely stores cryptographic keys and other sensitive data.
|}
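Review bot: the old "Security recommendations" section is removed here, and none of the added lines shown carries its guidance (non-default SSH port, strong passwords, default-deny firewall, VPN, WiFi settings, DNS, firmware updates, RMS, unused features). If that guidance now lives on another page, link to it from here; otherwise keep the section next to the new per-series tables. Separately, the RUTxxx and RUTXxxx tables disagree on the same features. The RUTXxxx rows for remote and local HTTP access say "unencrypted traffic, avoid usage", and its remote SSH/HTTPS/CLI rows add "and appropriate firewall rules", while the RUTxxx rows say only "use only with strong passwords." Plain HTTP is unencrypted on either series, so the caveat should appear in both tables.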


==RUT2xx security features==
==RUTMxxx series security features==


In the table below you can find all the security features supported by Teltonika's '''RUT2xx''' devices.
In the table below you can find all the security features supported by Teltonika's '''RUTMxxx''' series devices.


<table class="wikitable">
{| class="wikitable"
    <tr>
|+
        <th width="200">Security measurement type</th>
|-
      <th width="200">Security measurement name</th>
! Category !! Feature !! Default !! Purpose/Description
      <th width="200">By default</th>
|-
<th width="500">Details</th>
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
    </tr>
|-
    <tr>
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
      <td rowspan="5">DDOS Prevention</td>
|-
      <td>SYN Flood Protection</td>
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
      <td>On</td>
|-
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
    </tr>
|-
    <tr>
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
      <td>Remote ICMP Requests</td>
|-
      <td>On</td>
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
|-
    </tr>
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
    <tr>
|-
      <td>SSH Attack Prevention</td>
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
      <td>Off</td>
|-
      <td>A Secure Shell (SSH) flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
    </tr>
|-
    <tr>
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
      <td>HTTP Attack Prevention</td>
|-
      <td>Off</td>
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
|-
    </tr>
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
    <tr>
|-
      <td>HTTPS Attack Prevention</td>
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
      <td>Off</td>
|-
      <td>Hypertext Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
| rowspan="4" | '''Access Control Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
    </tr>
|-
    <tr>
| HTTP Access || Off || Disabled by default; use only with strong passwords.
      <td rowspan="6">Port Scan Prevention</td>
|-
      <td>Port Scan</td>
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
      <td>Off</td>
|-
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
| CLI Access || Off || Disabled by default; use only with strong passwords.
    </tr>
|-
    <tr>
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
      <td>SYN-FIN attack</td>
|-
      <td>Off</td>
| HTTP Access || On || Allows local WebUI configuration over LAN.
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
|-
    </tr>
| HTTPS Access || On || Allows local WebUI configuration over LAN.
    <tr>
|-
      <td>SYN-RST attack</td>
| CLI Access || On || Allows local command-line configuration over LAN.
      <td>Off</td>
|-
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
    </tr>
|-
    <tr>
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
      <td>X-Mas attack</td>
|-
      <td>Off</td>
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
<td>Christmas Tree (X-Mas) Attack is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.</td>
|-
    </tr>
| Default Admin Password || On || Default password is present on the device label.
    <tr>
|-
      <td>FIN scan</td>
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
      <td>Off</td>
|-
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
| rowspan="3" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
    </tr>
|-
    <tr>
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
      <td>NULLflags attack</td>
|-
      <td>Off</td>
| TPM || On || Enabled by default. Securely stores cryptographic keys and other sensitive data.
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
|}
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td> By router admin password</td>
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
    </tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
    </tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>


==RUT9xx security features==
== RUTCxxx series security features ==


In the table below you can find all the security features supported by Teltonika's '''RUT9xx''' devices.
{| class="wikitable"
|+
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}


<table class="wikitable">
==TRBxxx series security features==
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>Hypertext Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>Christmas Tree (X-Mas) Attack is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td> By router admin password</td>
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
    </tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
    </tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>


==RUT9xx security features==
In the table below you can find all the security features supported by Teltonika's '''TRBxxx''' series devices.


In the table below you can find all the security features supported by Teltonika's '''RUT9xx''' devices.
{| class="wikitable"
|+
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}


<table class="wikitable">
== TSWxxx series security features ==
    <tr>
        <th width="200">Security measurement type</th>
      <th width="200">Security measurement name</th>
      <th width="200">By default</th>
<th width="500">Details</th>
    </tr>
    <tr>
      <td rowspan="5">DDOS Prevention</td>
      <td>SYN Flood Protection</td>
      <td>On</td>
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
    </tr>
    <tr>
      <td>Remote ICMP Requests</td>
      <td>On</td>
      <td>An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).</td>
    </tr>
    <tr>
      <td>SSH Attack Prevention</td>
      <td>Off</td>
      <td>A Secure Shell (SSH) flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests.</td>
    </tr>
    <tr>
      <td>HTTP Attack Prevention</td>
      <td>Off</td>
      <td>A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests.</td>
    </tr>
    <tr>
      <td>HTTPS Attack Prevention</td>
      <td>Off</td>
      <td>Hypertext Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
    </tr>
    <tr>
      <td rowspan="6">Port Scan Prevention</td>
      <td>Port Scan</td>
      <td>Off</td>
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td>
    </tr>
    <tr>
      <td>SYN-FIN attack</td>
      <td>Off</td>
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td>
    </tr>
    <tr>
      <td>SYN-RST attack</td>
      <td>Off</td>
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td>
    </tr>
    <tr>
      <td>X-Mas attack</td>
      <td>Off</td>
<td>Christmas Tree (X-Mas) Attack is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.</td>
    </tr>
    <tr>
      <td>FIN scan</td>
      <td>Off</td>
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td>
    </tr>
    <tr>
      <td>NULLflags attack</td>
      <td>Off</td>
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td>
    </tr>
    <tr>
      <td rowspan="8">Access Control</td>
      <td>Remote SSH access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTP access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote HTTPS access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Remote CLI access</td>
      <td>Off</td>
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
    </tr>
    <tr>
      <td>Local SSH access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTP access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td>Local HTTPS access</td>
      <td>Off</td>
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td>
    </tr>
    <tr>
      <td>Local CLI access</td>
      <td>On</td>
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
    </tr>
    <tr>
      <td rowspan="2">Block Unwanted Access</td>
      <td>SSH Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
    </tr>
    <tr>
      <td>WebUI Access Secure</td>
      <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
    </tr>
    <tr>
      <td>Configuration via SMS</td>
      <td>SMS Utilities</td>
      <td> By router admin password</td>
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
    </tr>
      <td>Universal Plug and Play</td>
      <td>UPnP</td>
      <td>Not installed / Off</td>
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
    </tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>


==TRB14x security features==
In the table below you can find all the security features supported by Teltonika's '''TSWxxx''' series devices.


In the table below you can find all the security features supported by Teltonika's '''TRB14x''' devices.
{| class="wikitable"
 
|+
<table class="wikitable">
|-
    <tr>
! Category !! Feature !! Default !! Purpose/Description
        <th width="200">Security measurement type</th>
|-
      <th width="200">Security measurement name</th>
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
      <th width="200">By default</th>
|-
<th width="500">Details</th>
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
    </tr>
|-
    <tr>
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
      <td>DDOS Prevention</td>
|-
      <td>SYN Flood Protection</td>
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
      <td>On</td>
|-
<td>A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.</td>
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
    </tr>
|-
    <tr>
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
      <td rowspan="8">Access Control</td>
|-
      <td>Remote SSH access</td>
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
      <td>Off</td>
|-
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
    </tr>
|-
    <tr>
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
      <td>Remote HTTP access</td>
|-
      <td>Off</td>
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
|-
    </tr>
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
    <tr>
|-
      <td>Remote HTTPS access</td>
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
      <td>Off</td>
|-
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
    </tr>
|-
    <tr>
| rowspan="4" | '''Access Control Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
      <td>Remote CLI access</td>
|-
      <td>Off</td>
| HTTP Access || Off || Disabled by default; use only with strong passwords.
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td>
|-
    </tr>
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
    <tr>
|-
      <td>Local SSH access</td>
| CLI Access || Off || Disabled by default; use only with strong passwords.
      <td>On</td>
|-
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
    </tr>
|-
    <tr>
| HTTP Access || On || Allows local WebUI configuration over LAN.
      <td>Local HTTP access</td>
|-
      <td>On</td>
| HTTPS Access || On || Allows local WebUI configuration over LAN.
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
|-
    </tr>
| CLI Access || On || Allows local command-line configuration over LAN.
    <tr>
|-
      <td>Local HTTPS access</td>
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
      <td>Off</td>
|-
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td>
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
    </tr>
|-
    <tr>
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
      <td>Local CLI access</td>
|-
      <td>On</td>
| Default Admin Password || On || Default password is present on the device label.
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td>
|-
    </tr>
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
    <tr>
|-
      <td>Configuration via SMS</td>
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
      <td>SMS Utilities</td>
|-
      <td> By router admin password</td>
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td>
|}
    </tr>
    <tr>
      <td>Default admin password</td>
      <td>First login</td>
      <td>On</td>
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. It is recommended to use a strong password</td>
    </tr>
      <td>Certificates</td>
      <td>Root CA</td>
      <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
    </tr>
    <tr>
      <td>Universal Asynchronous Receiver – Transmitter</td>
      <td>UART</td>
      <td> By router admin password</td>
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
    </tr>
</table>
 
==Active services==
 
In the table below you can find all the services, which are enabled on default configuration in Teltonika's devices.
 
<table class="wikitable">
    <tr>
        <th width="500">Service</th>
      <th width="200">Port</th>
      <th width="200">LAN</th>
<th width="200">WAN</th>
    </tr>
    <tr>
      <td>SSH</td>
      <td>22</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
    <tr>
      <td>HTTP</td>
      <td>80</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
    <tr>
      <td>HTTPS</td>
      <td>443</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
</table>


[[Category:Security]]
[[Category:Security]]
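
Review bot: the replacement wikitables change several stated defaults, and the revision carries no edit summary saying whether the device behaviour changed or the old text was wrong. Local HTTPS access goes from Off to On, the login limit goes from "a maximum of 5 login attempts (user defined)" to "Blocks IP after 10 failed attempts (default)", and the ICMP row goes from "Remote ICMP Requests" On to "Ping Attack Protection" Off. Please confirm each value against the current defaults and record which ones are corrections. The new "Default Admin Password" row also drops the statement that RutOS forces a password change on first WebUI login, and its Default value "On" no longer says what is enabled; consider keeping the forced-change wording. The old TRB14x table listed only SYN Flood Protection under DDOS Prevention and had no port scan, Block Unwanted Access or UPnP rows, while every new table carries the identical full row set, so it is worth checking that each row applies to each series. Minor: the last table writes '''Access Control Remote''' where the other tables write '''Access Control – Remote'''.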

Latest revision as of 14:30, 18 August 2025


Security features

In the table below you can find all the security features supported by Teltonika's devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Flood Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Flood Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}

RUTxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTxxx series devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}

RUTXxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTXxxx series devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| HTTP Access || Off || Disabled by default; unencrypted traffic, avoid usage.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords and appropriate firewall rules.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN. Unencrypted traffic, avoid usage.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="3" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|-
| TPM || On || Enabled by default. Securely stores cryptographic keys and other sensitive data.
|}

RUTMxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTMxxx series devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="3" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|-
| TPM || On || Enabled by default. Securely stores cryptographic keys and other sensitive data.
|}

RUTCxxx series security features

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}

TRBxxx series security features

In the table below you can find all the security features supported by Teltonika's TRBxxx series devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}

TSWxxx series security features

In the table below you can find all the security features supported by Teltonika's TSWxxx series devices.

{| class="wikitable"
|-
! Category !! Feature !! Default !! Purpose/Description
|-
| rowspan="5" | '''DDoS Protection''' || SYN Attack Protection || On || Blocks excessive SYN requests to prevent resource exhaustion.
|-
| Ping Attack Protection || Off || Mitigates ICMP (Ping) flood attacks.
|-
| SSH Attack Prevention || Off || Blocks excessive SSH requests.
|-
| HTTP Attack Prevention || Off || Blocks excessive HTTP requests.
|-
| HTTPS Attack Prevention || Off || Blocks excessive HTTPS requests.
|-
| rowspan="2" | '''Custom Configuration''' || Custom Rules || Empty || Allows adding custom firewall rules via iptables commands.
|-
| DMZ || Off || Allows separating LAN-side network into separate zones with heavily restricted access.
|-
| rowspan="6" | '''Port Scan & TCP Attack Protection''' || Port Scan Prevention || Off || Detects and blocks port scanning attempts.
|-
| SYN-FIN Attack || Off || Blocks packets with both SYN and FIN flags set.
|-
| SYN-RST Attack || Off || Prevents abrupt TCP session resets.
|-
| X-Mas Attack || Off || Blocks TCP packets with multiple unusual flags set.
|-
| FIN Scan || Off || Blocks FIN packets used to bypass firewalls.
|-
| NULL Flags Attack || Off || Blocks TCP packets with no flags set.
|-
| rowspan="4" | '''Access Control – Remote''' || SSH Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTP Access || Off || Disabled by default; use only with strong passwords.
|-
| HTTPS Access || Off || Disabled by default; use only with strong passwords.
|-
| CLI Access || Off || Disabled by default; use only with strong passwords.
|-
| rowspan="4" | '''Access Control – Local''' || SSH Access || On || Allows local configuration over LAN.
|-
| HTTP Access || On || Allows local WebUI configuration over LAN.
|-
| HTTPS Access || On || Allows local WebUI configuration over LAN.
|-
| CLI Access || On || Allows local command-line configuration over LAN.
|-
| rowspan="2" | '''Login Protection''' || SSH Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| WebUI Login Attempts || On || Blocks IP after 10 failed attempts (default).
|-
| rowspan="2" | '''Configuration Security''' || SMS Utilities || Admin password || SMS commands require admin password.
|-
| Default Admin Password || On || Default password is present on the device label.
|-
| '''Certificates''' || Root CA || Preloaded || Default root certificate included; can be replaced.
|-
| rowspan="2" | '''Other Protections''' || UPnP || Not installed / Off || Disabled to prevent unauthorized port forwarding.
|-
| UART Interface || Admin password || Requires password to prevent unauthorized physical access.
|}