This article discusses a few suggested best practices for a secure airOS. The best practices discussed are just the minimum suggested, any extra precautions are encouraged.
Table of Contents
- Keep Firmware Up to Date
- Restrict Access
- Select the Correct Password
- Identify Infected Devices
- Related Articles
Keep Firmware Up to Date
One of the most important steps will be to keep your airOS firmware up to date. Using out of date firmware poses a significant risk as they will not include patches for identified security holes. If you would like to receive automatic notifications of new airOS firmware releases and security notices, please subscribe to the airMAX Updates Blog by clicking on Blog Options > Subscribe on the upper left hand side.
NOTE: airOS devices that can reach the Internet and have valid DNS servers will show that an update is available in the Web UI, provided this feature has not been disabled.
Restricting access is especially important for devices with public IP addresses. Restrict access to management interfaces such as SSH/HTTP/HTTPS via firewall or by disabling “Remote Management” on the Network tab.
Another option would be to use the built-in firewall to restrict access to management interfaces. This example shows an airOS devices in Router mode w/ WLAN port as WAN (Internet-facing).
Radio IP = 192.168.1.67 (This should be a public IP address)
Whitelisted/allowed IP = 188.8.131.52
Select the Correct Password
Use 8+ character non-dictionary administrator passwords. For additional complexity, change the username to something other than ubnt. Do so in the System tab.
Identify Infected Devices
Symptoms of an infected device may include:
- Inaccessible or corrupted web interface
- Increased traffic
- Management ports changed or disabled
- Custom scripts Detected warning message on Main airOS tab (see below)
If you are unsure if a device has been compromised, please contact email@example.com. If you would like to report a vulnerability you have discovered, please either contact firstname.lastname@example.org or submit via our bug bounty portal https://hackerone.com/ubnt