Security Features: Difference between revisions

Latest revision as of 14:30, 18 August 2025

Main Page > FAQ > Security > Security Features

Security features

In the table below you can find all the security features supported by Teltonika's devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Flood Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Flood Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

RUTxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTxxx series devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

RUTXxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTXxxx series devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords and appropriate firewall rules.
	HTTP Access	Off	Disabled by default; unencrypted traffic, avoid usage.
	HTTPS Access	Off	Disabled by default; use only with strong passwords and appropriate firewall rules.
	CLI Access	Off	Disabled by default; use only with strong passwords and appropriate firewall rules.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN. Unencrypted traffic, avoid usage.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
	UART Interface	Admin password	Requires password to prevent unauthorized physical access.
	TPM	On	Enabled by default. Securely stores cryptographic keys and other sensitive data.

RUTMxxx series security features

In the table below you can find all the security features supported by Teltonika's RUTMxxx series devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
	UART Interface	Admin password	Requires password to prevent unauthorized physical access.
	TPM	On	Enabled by default. Securely stores cryptographic keys and other sensitive data.

RUTCxxx series security features


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

TRBxxx series security features

In the table below you can find all the security features supported by Teltonika's TRBxxx series devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

TSWxxx series security features

In the table below you can find all the security features supported by Teltonika's TSWxxx series devices.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

@@ Line 64: / Line 64: @@
 | UART Interface || Admin password || Requires password to prevent unauthorized physical access.
 |}
-==Security recommendations==
-Security features will not help if you won't use them properly, below you can find a table with recommendations.
-<table class="wikitable">
-    <tr>
-        <th width="300">Topic</th>
-       	<th width="300">Recommendation</th>
-       	<th width="550">Comment</th>
-    </tr>
-    <tr>
-      	<td rowspan="2">SSH access</td>
-       	<td>Use a different port than 22</td>
-       	<td>22 is the default port used by SSH protocol. You should not use the default port as it is easy to guess and more vulnerable to brute-force attacks.</td>
-    </tr>
-    <tr>
-       	<td>Use strong passwords and passphrases</td>
-       	<td>Most of the servers security are compromised because of the weak passwords. They use easy to guess passwords like the brand name of the device or some universal password like 123456 or Admin123. Weak password is more likely to be cracked by brute-force attacks. You should be using a very strong password or passphrase to log in your SSH server.</td>
-    </tr>
-    <tr>
-      	<td rowspan="2">Firewall</td>
-       	<td>Block traffic by default</td>
-       	<td>Start blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can be achieved by configuring the last rule in an access control list to deny all traffic. </td>
-    </tr>
-    <tr>
-       	<td>Reviewing firewall rules</td>
-       	<td>Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new firewall rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary.</td>
-    </tr>
-    <tr>
-      	<td>VPN</td>
-       	<td>Always use VPN if you have the possibility</td>
-       	<td>Encrypted traffic is more secure than unencrypted traffic. Unencrypted traffic can be easily sniffed or even altered by malicious 3rd party.</td>
-    </tr>
-    <tr>
-      	<td rowspan="3">WiFi AP</td>
-       	<td>Use WPA2-PSK (AES) encryption</td>
-       	<td>This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol</td>
-    </tr>
-    <tr>
-       	<td>Use WiFi AP strong key (password/passphrase)</td>
-       	<td>"If malicious 3rd party is able to capture encrypted 4-way handshake, with strong password, decryption time can increase up to n years.</td>
-    </tr>
-    <tr>
-       	<td>Separate clients</td>
-       	<td>Separate clients also known as wireless client isolation is a security feature that prevents wireless clients from communicating with one another. This feature adds additional level of security to limit attacks and threats between devices connected to the wireless networks.</td>
-    </tr>
-    <tr>
-      	<td rowspan="2">WiFi Hotspot</td>
-       	<td>Setting up a guest network for visitors</td>
-       	<td>By setting up a guest Wi-Fi. A guest Wi-Fi network is essentially a separate access point on your router with separate IP pool. For example with guest network malware that somehow ended up on a guest’s smartphone will not be able to get into your main business LAN</td>
-    </tr>
-    <tr>
-       	<td>Hotspot  configuration</td>
-       	<td>Setup data bandwidth limit. In that case  malicious 3rd party will be unable to drain all your bandwidth. Use session time limit. In that case malicious 3rd party will be unable to drain your mobile data limit </td>
-    </tr>
-      	<td>WiFi SSID</td>
-       	<td>Don't broadcast your router details</td>
-       	<td>Service set identifier (SSID) should be changed. Default name will broadcast your device model.</td>
-    </tr>
-    <tr>
-      	<td>DNS server</td>
-       	<td>Don't use your Internet Service Providers (ISP) default Domain Name System (DNS)</td>
-       	<td>There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or someone changing the DNS to effect a cloned banking fraud.</td>
-    </tr>
-    <tr>
-      	<td>Password</td>
-       	<td>Always use only strong passwords</td>
-       	<td>Strong password requirements:
-*Has 12 characters, minimum;
-*Includes numbers, symbols, capital letters, and Lower-Case Letters;
-*Isn’t a dictionary word or combination of dictionary words;
-*Doesn’t rely on obvious substitutions.
-You can check your current password strength here: https://howsecureismypassword.net/"</td>
-    </tr>
-    <tr>
-      	<td>Firmware update</td>
-       	<td>Keep firmware up to date</td>
-       	<td>With new firmware comes a lot of improvements:
-*Security fixes;
-*Performance enhancements;
-*Visual updates;
-So where is no reason why you shouldn't update firmware.</td>
-    </tr>
-    <tr>
-      	<td>Secure firmware update</td>
-       	<td>Always update firmware from official website</td>
-       	<td>Always update firmware downloaded from our official page or use firmware over the air (FOTA).</td>
-    </tr>
-    <tr>
-      	<td>RMS</td>
-       	<td>Use RMS for remote access to the router</td>
-       	<td>Disable remote access to your public IP and use RMS for remote management instead. You can find more details about RMS here:
-https://teltonika-networks.com/product/rms/</td>
-    </tr>
-    <tr>
-      	<td>Unused features</td>
-       	<td>Turn off router features you don’t use that could pose a security risk</td>
-       	<td>This would include remote access, Universal Plug and Play (UPnP), etc...</td>
-    </tr>
-    <tr>
-       	<td>Common sense</td>
-       	<td>Always use common sense while configuring any network device</td>
-        <td>-</td>
-    </tr>
-</table>
 ==RUTxxx series security features==
@@ Line 572: / Line 462: @@
 | UART Interface || Admin password || Requires password to prevent unauthorized physical access.
 |}
-==Active services==
-In the table below you can find all the services, which are enabled on default configuration in Teltonika's devices.
-<table class="wikitable">
-    <tr>
-        <th width="500">Service</th>
-       	<th width="200">Port</th>
-       	<th width="200">LAN</th>
-	<th width="200">WAN</th>
-    </tr>
-    <tr>
-      	<td>SSH</td>
-       	<td>22</td>
-       	<td>Open</td>
-	<td>Closed</td>
-    </tr>
-    <tr>
-      	<td>HTTP</td>
-       	<td>80</td>
-       	<td>Open</td>
-	<td>Closed</td>
-    </tr>
-    <tr>
-      	<td>HTTPS</td>
-       	<td>443</td>
-       	<td>Open</td>
-	<td>Closed</td>
-    </tr>
-</table>
 [[Category:Security]]