189
edits
Changes
→General security guidelines
In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly.
In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly.
==General security guidelines==
==Security guidelines==
Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way.
Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way.
==General Security Guidelines==
* Do not have Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions''
* Keep Firmware Updated - Always ensure that firmware is up to date.
* Set strong WebUI/SSH password, including numbers, lowercase and uppercase alphabet letters, symbols. Longer password length also increases overall security of the device
* Set Strong Passwords - Use strong, unique passwords for all services (WebUI, SSH, Post/Get). Passwords should include numbers, symbols, uppercase, and lowercase letters. Passwords should be between 15-20 characters long.
* If public access is necessary, have it firewalled for '''specific source IPs and source ports'''
* Install Trusted Packages - Only install packages from known and trusted sources.
* If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (i.e., set HTTP(S) port to a random number in the range of 32768-65535)
* Use Secure Configuration Protocols - Use SSH or HTTPS for device configuration. Avoid using insecure protocols like telnet or HTTP, especially for remote configuration.
* If remote access is required – always '''try to employ the usage of secure VPN protocols''' instead of exposing sensitive services directly to all of the internet
* Disable unused services - Disable services that are not used, especially those that provide some sort of administrative capabilities (e.g.: WiFi, SMS Utilities, Web CLI).
* Ensure WiFi Security - If WiFi is used, ensure it employs the latest encryption standards like WPA3 or WPA2 with AES. Avoid using TKIP.
* '''Disable WiFi if unused'''. Use strong WiFi authentication otherwise (certificate based auth/strong PSK).
* Assign Minimum Necessary Permissions - Make sure to provide the least amount of required permissions for any additionally created user account.
* When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary)
* Set SIM Card Limits - Set SMS and data limits for your SIM card to prevent misuse.
* Make sure to provide the least amount of required permissions for any additionally created user account
==Security Hardening Guidelines==
* Make sure to use key-based authentication wherever possible (i.e., accessing to the router via SSH)
* Limit Administrative Access - Avoid exposing administrative services to the internet. If public access is mandatory, set unconventional ports (e.g., 32768-65535) for common services.
* Set '''SMS limits, data limits''' for your SIM card plans
* Secure Exposed Services - If remote access is necessary, ensure that it is protected by a firewall. If remote access is required for any administrative interface, modify the rule to only accept traffic from known sources (e.g. modify the SSH WAN access rule to only allow connections from a specific source address).
* Manage WiFi Effectively - Disable WiFi if it is not needed. Consider reducing wireless transmission power rather than hiding the ESSID.
* Use Key-Based Authentication - Make sure to use key-based authentication wherever possible (e.g. accessing device via SSH).
* Verify Backup Integrity - Always write down & compare MD5/SHA hashes of backup files and firmware files before uploading them to the device.
* Use Phone Number Whitelisting - Create phone number groups for SMS commands to act as a whitelist.
* Disable Unnecessary Utilities - Review and disable unnecessary SMS/Call utilities and commands, or disable this functionality completely.
==Secure Operation Guidelines==
* Regularly Update Firmware - Regularly check and apply firmware updates for security patches and improvements.
* Monitor Access Continuously - Continuously monitor access to administrative services and restrict as needed. Create and regularly review ”Events Reporting” rules to inform when certain events occur on the device.
* Update Passwords Periodically - Regularly update passwords and ensure they adhere to strong password policies.
* Audit Protocols Regularly - Regularly audit the protocols used for configuration and management to ensure they remain secure.
* Review Firewall rules - Regularly audit and review firewall and traffic rules.
* Review used services - Regularly review the services that are being used on the device. Disable services that are not used.
* Configure Secure VPNs - Use secure VPN protocols (e.g., IPsec, OpenVPN, WireGuard) for remote access instead of exposing sensitive services directly.
* Conduct WiFi Audits - Periodically review WiFi settings and ensure they comply with the latest security requirements.
* Review SIM Card Usage - Regularly review SMS and data usage limits and adjust them based on current needs and usage patterns. Disable SMS utilities entirely, if it is not utilized whatsoever.
