This article discusses a few suggested best practices for a secure airOS. The best practices discussed are just the minimum suggested, any extra precautions are encouraged.
Table of Contents
- Keep Firmware Up to Date
- Restrict Access
- Select the Correct Password
- Identify Infected Devices
- Related Articles
Keep Firmware Up to Date
One of the most important steps will be to keep your airOS firmware up to date. Using out of date firmware poses a significant risk as they will not include patches for identified security holes. If you would like to receive automatic notifications of new airOS firmware releases and security notices, please subscribe to the airMAX Updates Blog by clicking on Blog Options > Subscribe on the upper left hand side.
Restricting access is especially important for devices with public IP addresses. Restrict access to management interfaces such as SSH/HTTP/HTTPS via firewall or by disabling “Remote Management” on the Network tab.
Another option would be to use the built-in firewall to restrict access to management interfaces. This example shows an airOS devices in Router mode w/ WLAN port as WAN (Internet-facing).
Radio IP = 192.168.1.67 (This should be a public IP address)
Whitelisted/allowed IP = 22.214.171.124
airMAX AC - Router mode
As of v8.5.8+ firmware, airMAX AC devices in router mode can now add use an IP/Mask Access Control List (under WAN -> ACL) to whitelist remote IPs to allow remote access when Block Management Access is enabled.
airMAX AC - Bridge mode
Select the Correct Password
Use 8+ character non-dictionary administrator passwords. For additional complexity, change the username to something other than ubnt. Do so in the System tab.
Identify Infected Devices
Symptoms of an infected device may include:
- An inaccessible or corrupted web interface
- Increased traffic
- Management ports changed or disabled
- Custom scripts Detected warning message on Main airOS tab (see below)