airMAX - Securing airOS Best Practices

Overview

In this article, users will learn the minimum suggested best practices for securing airOS.


Table of Contents


  1. Keeping Firmware Up to Date
  2. Restricting Access
  3. Selecting the Correct Password
  4. Identifying an Infected Device

#1 - Keeping Firmware Up-to-Date


Probably the most important step is keeping your airOS firmware up to date. Running out-of-date firmware poses a significant risk, as we have patched several security holes in newer releases. If you would like to receive automatic notifications of new airOS firmware releases and security notices, please subscribe to the airMAX Updates Blog (Blog Options > Subscribe).

NOTE: airOS devices that can reach the Internet and have valid DNS servers will show that an update is available in the Web UI, provided this feature has not been disabled.

#2 - Restricting Access


Restrict access to management interfaces such as SSH/HTTP/HTTPS via a firewall or by disabling “Remote Management” on the Network tab. This is especially important for devices with public IP addresses.

Another option would be to use the built-in firewall to restrict access to management interfaces. This example shows an airOS device in Router mode with the WLAN port as WAN (Internet-facing).

Radio IP = 192.168.1.67 (This should be a public IP address)

Whitelisted/allowed IP = 1.1.1.1
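
The allowlist from this example, written out as standard Linux iptables commands. This is an added illustration, not configuration taken from this article or from airOS itself; the interface name ath0, the INPUT chain and the default ports 22/80/443 are assumptions. The script only prints the rules and changes nothing on the device.

```shell
#!/bin/sh
# Added example: prints iptables rules for the allowlist described above.
# It only prints commands; it does not modify any firewall.

RADIO_IP="192.168.1.67"   # radio address from the article's example
ALLOWED_IP="1.1.1.1"      # allowed management source from the article
WAN_IF="ath0"             # assumed name of the WLAN (WAN-facing) interface
MGMT_PORTS="22 80 443"    # SSH, HTTP, HTTPS on default ports (assumed)

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one ACCEPT (allowed source) and one DROP (everyone else) per port.
# Order matters: iptables applies the first rule that matches a packet.
mgmt_rules() {
    radio=$1; allowed=$2; wan_if=$3; shift 3
    is_ipv4 "$radio" && is_ipv4 "$allowed" || {
        echo "invalid IPv4 address" >&2
        return 1
    }
    for port in "$@"; do
        echo "iptables -A INPUT -i $wan_if -p tcp -s $allowed -d $radio --dport $port -j ACCEPT"
        echo "iptables -A INPUT -i $wan_if -p tcp -d $radio --dport $port -j DROP"
    done
}

# MGMT_PORTS is left unquoted on purpose so it splits into one argument per port.
mgmt_rules "$RADIO_IP" "$ALLOWED_IP" "$WAN_IF" $MGMT_PORTS
```

If the management ports have been moved off their defaults, adjust MGMT_PORTS to match before comparing the output with the device's firewall settings.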

#3 - Selecting the Correct Password


Use 8+ character non-dictionary administrator passwords.  For additional complexity, you can also change the username from ubnt. Do so in the System tab.

#4 - Identifying an Infected Device


Symptoms of an infected device may include:

  • Inaccessible or corrupted web interface
  • Increased traffic
  • Management ports changed or disabled
  • Custom Scripts Detected warning message on the Main airOS tab (see below)

If you are unsure if a device has been compromised, please contact support@ubnt.com.

If you would like to report a vulnerability you have discovered, please either contact security@ubnt.com or submit it via our bug bounty portal: https://hackerone.com/ubnt