SMSEagle devices are designed to meet high security standards in both application design and operating system security. The default device settings keep a balance between flexibility and security. However, if you would like to strengthen the default configuration with additional security-oriented measures, here is what you can do:
- Change default passwords (for webGUI and SSH console)!
- Replace the default self-signed SSL certificate with your own SSL certificate (or install a Let's Encrypt certificate).
- Redirect HTTP traffic to HTTPS.
- In features that connect to other servers (such as Email2SMS Poller, SMS To Email, LDAP), always use SSL/TLS encryption.
- Disable external access to the database (webGUI > menu Settings > parameter "Access to DB for external applications"). This is disabled by default since software version 3.5.
- Use an API token as the API authentication method.
- Disable SNMP or change the default SNMP community name (webGUI > menu Settings > SNMP).
- If your device is able to connect to the update servers, update the system packages regularly.
Some possible additional steps:
- Configure Linux iptables to allow access only from a specified IP range.
- Configure your device to use SNMPv3 instead of v1 or v2 (see the corresponding chapter of the User's Manual for how to switch).
- You can also harden HTTPS by editing the webserver configuration and using your own set of SSL cipher suites and protocols.
- Minimize the information written to the modem log.
- By default, the intrusion prevention software Fail2ban protects your device from brute-force attacks. You can additionally harden the Fail2ban ruleset.
- Follow this guide to completely block incoming messages
- Follow this guide to limit incoming SMS to specific numbers
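As an added example of the iptables step above (this is not SMSEagle's own script), the following shell script builds an INPUT ruleset that lets only an administrator IP range reach the device's management services and logs everything else it drops. The management ports (22 for SSH, 80/443 for the webGUI, 161/udp for SNMP) and the admin range 192.0.2.0/24 are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not SMSEagle's own code): restrict the device's management
# services to an administrator IP range with iptables.
# Assumed, not taken from the page: ports 22 (SSH), 80/443 (webGUI), 161/udp
# (SNMP) and the admin range 192.0.2.0/24 (a constructed placeholder).
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
TCP_PORTS="${TCP_PORTS:-22 80 443}"
UDP_PORTS="${UDP_PORTS:-161}"

# Accept only digits, dots and a single slash, so a typo cannot become a rule
# that matches nothing and locks the administrator out.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|.*|*.|*/|/*) return 1 ;;
    esac
    return 0
}

# Print the rules in a lock-out-safe order: allow rules first, the DROP policy
# last, with a rate-limited LOG rule so scans and brute-force attempts show up
# in the kernel log.
gen_rules() {
    net="$1"; tcp="$2"; udp="$3"
    valid_cidr "$net" || { echo "invalid CIDR: $net" >&2; return 1; }
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $tcp; do
        echo "iptables -A INPUT -p tcp --dport $p -s $net -j ACCEPT"
    done
    for p in $udp; do
        echo "iptables -A INPUT -p udp --dport $p -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"SMSEAGLE-DROP: \""
    echo "iptables -P INPUT DROP"
}

# Dry run by default; APPLY=1 executes the printed commands (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "$ADMIN_NET" "$TCP_PORTS" "$UDP_PORTS" | sh -e
else
    gen_rules "$ADMIN_NET" "$TCP_PORTS" "$UDP_PORTS"
fi
```

Rules applied this way are lost on reboot; how to persist them depends on the device's Linux distribution, which this page does not specify.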