Changes

edit general sec guidelines
==General security guidelines==

Below you may find some of the most common security recommendations. They can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following recommendations whenever a device is exposed to the internet in some way.

* Do not leave public access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions''
* Set a strong WebUI/SSH password containing numbers, lowercase and uppercase letters and symbols. A longer password also increases the overall security of the device
* Set '''SMS limits and data limits''' for your SIM card plans
* If public access is necessary, firewall it to '''specific source IPs and source ports'''
* Disable SMS utilities entirely ''if they are not used at all''
* If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (e.g., set the HTTP(S) port to a random number in the range 32768-65535). This only reduces exposure to automated scans; it does not replace strong authentication or firewalling
* If remote access is required, always '''try to use secure VPN protocols''' instead of exposing sensitive services directly to the whole internet
* When configuring VPNs purely for security, use VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN or WireGuard
* '''Disable WiFi if unused'''. Otherwise use strong WiFi authentication (certificate-based authentication or a strong PSK)
* When using the router as a public WiFi hotspot, always restrict access from the public WiFi network to the router itself (create a separate firewall zone with an INPUT=DROP default rule for the public WiFi network, then allow specific ports only if absolutely necessary)
* '''Always write down and compare the MD5/SHA hashes of backup files''' before uploading them back to the router (prefer SHA-256 over MD5, which is no longer collision-resistant). In addition, always verify the hashes of firmware files before uploading them to the router
* Use key-based authentication wherever possible (e.g., when accessing the router via SSH)
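The firewall points above (public access restricted to specific source IPs on an unconventional port, and a separate INPUT=DROP zone for a public hotspot) expressed as an added example that is not part of the original page or of Teltonika's default configuration. It assumes the router's firewall uses OpenWrt's UCI `/etc/config/firewall` format; the zone names, the `public_wifi` interface, the 203.0.113.0/24 management network and the port 48022 are all assumed values chosen for illustration.

```uci
# Constructed example (not Teltonika's default configuration): OpenWrt-style
# /etc/config/firewall fragment. Zone, interface, address and port values are assumed.

# Management services on the WAN side stay closed by default ...
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# ... and are opened only for one trusted source network, on an unconventional
# port (SSH moved from 22 to 48022). Add 'option src_port' as well if the peer
# always connects from a fixed source port.
config rule
	option name 'Allow-SSH-from-office'
	option src 'wan'
	option src_ip '203.0.113.0/24'
	option proto 'tcp'
	option dest_port '48022'
	option target 'ACCEPT'

# Public hotspot clients get a zone of their own whose default for traffic
# destined to the router itself is DROP ...
config zone
	option name 'public_wifi'
	list network 'public_wifi'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'

# ... with only DHCP and DNS allowed through so clients can still obtain an
# address and resolve names; nothing else reaches the WebUI, SSH or CLI.
config rule
	option name 'Allow-hotspot-DHCP-DNS'
	option src 'public_wifi'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Hotspot clients may reach the internet, but not the LAN zone.
config forwarding
	option src 'public_wifi'
	option dest 'wan'
```

The rule for port 48022 only opens the firewall; the SSH service itself must also be configured to listen on that port (on OpenWrt-based systems via the dropbear configuration), otherwise the rule admits traffic to a port nothing listens on. If a TCP DNS fallback is needed for hotspot clients, add a second rule with `option proto 'tcp'` and `option dest_port '53'` rather than widening the UDP rule.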

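The hash check recommended for backup and firmware files, as an added example that is not part of the original page. It is a POSIX shell function using `md5sum` and `sha256sum` (available on most Linux systems, including BusyBox-based ones); the algorithm is picked from the length of the recorded digest, and the sample file it verifies is constructed inline to stand in for a downloaded backup archive.

```shell
#!/bin/sh
# Added example, not Teltonika code: verify a backup or firmware image against
# the digest recorded when the file was created, before uploading it to the router.
# Usage: verify_hash <file> <expected-hex-digest>
# Digest length selects the algorithm: 32 hex chars = MD5 (legacy), 64 = SHA-256.
# Returns 0 on match, 1 on mismatch, 2 on a usage or tooling error.
verify_hash() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # compare case-insensitively
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unsupported digest length ${#expected} (expected 32 or 64 hex chars)" >&2
            return 2 ;;
    esac
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not available" >&2; return 2; }
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($tool)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Record the SHA-256 of a freshly downloaded backup; keep this value offline,
# separate from the file, and feed it back to verify_hash before any upload.
record_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Demonstration on a constructed file standing in for a backup archive.
demo_dir=$(mktemp -d)
printf 'constructed backup contents\n' > "$demo_dir/backup.tar.gz"
good=$(record_hash "$demo_dir/backup.tar.gz")
verify_hash "$demo_dir/backup.tar.gz" "$good" || echo "unexpected mismatch" >&2
printf 'tampered\n' >> "$demo_dir/backup.tar.gz"     # simulate modification in transit
verify_hash "$demo_dir/backup.tar.gz" "$good" || echo "refusing to upload modified file"
rm -rf "$demo_dir"
```

Record the digest on a machine other than the router and store it apart from the archive; a hash stored next to the file it protects is replaced along with it. For firmware images, compare against the digest published by the vendor rather than one computed locally after download.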