Security Guidelines

Summary

This article provides details about security features and recommendations used in Teltonika Networks products and how to properly implement them ensuring cyber-security best practices.

Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.

Guideline Categories

General Security Best Practices
Device Hardening Recommendations
Secure Operation & Maintenance

General Security Guidelines

Recommendation	Priority	Details
Keep Firmware Updated	Critical	Always run the latest stable firmware. Firmware updates contain critical vulnerability patches.
Use Complex Passwords	Critical	Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words.
Enforce HTTPS and SSH	Critical	Only use secure protocols (HTTPS, SSH). Avoid the usage of HTTP, Telnet and other insecure protocols where available.
Install Only Trusted Packages	Critical	Only install packages from verified and trusted sources. To ensure the integrity Teltonika Networks digitally signs all its firmware and packages.
Disable Unused Services	Critical	Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface.
Use WPA3 WiFi	High	WPA2 is still considered secure. However WPA3 introduces features that provide better support IoT device security.
Assign Minimum Necessary Permissions	High	Make sure to provide the least amount of required permissions for any additionally created user account.
Use Key-Based SSH Authentication	High	If possible, use public/private key pair SSH authentication instead of password-based SSH logins.
Regularly Review SIM Usage	Medium	Monitor and limit SIM card SMS/data use. Disable SMS management if not in use.

Security Hardening Recommendations

Recommendation	Priority	Details
Limit Administrative Access	Critical	Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed.
Use a VPN for Remote Access	Critical	Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly.
Apply IP Whitelisting	Critical	Restrict access to remote services based on specific IP addresses using a firewall.
Do Not Rely on Obscure Ports Alone	High	Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules.
Disable WiFi if Not Needed	High	Disable WiFi instead or reduce transmission power.
Use Secure Firmware Validation	High	Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified SHA-256 hashes. Avoid MD5/SHA-1.
Disable SMS/Call Utilities by Default	Medium	Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number.

Secure Operation & Maintenance

Recommendation	Priority	Details
Continuous Access Monitoring	Critical	Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes.
Review and Audit Firewall Rules	Critical	Keep firewall rules up to date. Remove unused or overly permissive rules.
Rotate Passwords & SSH Keys Periodically	High	Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials.
Audit Protocols and Services	High	Ensure only secure protocols are used. Disable legacy or insecure options (e.g., FTP, Telnet).
Conduct Periodic WiFi Audits	Medium	Reassess SSID use, encryption standards, and user access.
Verify Backups Securely	Medium	Encrypt backups. Use SHA-256/SHA-512 hashes to validate backups before restoring them. Store securely.