/
Enhancing Security (Release 4.1 and Prior)

Enhancing Security (Release 4.1 and Prior)

25-Feb-2025

For SmartServer 4.2 and higher, see Enhancing Security.

You can install the SmartServer IoT in a private network, with or without an internet connection. You can also install the SmartServer in the DMZ of an IP router or connect it directly to the Internet. To prevent exposure to malicious attacks, you can also install the SmartServer on a VPN. You can secure the communication between any web browser clients and the SmartServer using certificates.  Certificates use a public and private key pair to encrypt communication from a web browser to the SmartServer. Certificates may be self-signed or signed. Self-signed certificates are signed and validated by the SmartServer. Self-signed certificates provide encryption, but they do not authenticate that you are communicating with the SmartServer you intended to communicate with.  You can authenticate the SmartServer by using a signed certificate where the certificate is validated by an external certificate authority. When using a signed certificate, you can use a signed certificate included with the SmartServer, or for enhanced security you can provide your own custom signed certificate.

The following sections describe the various network architecture scenarios, how to access a SmartServer from the Internet, and the use of both self-signed and signed certificates along with DDNS.

Enabling / Disabling Enhanced Security

Enabling / Disabling enhanced security is Available with SmartServer release 3.5 and higher.

Enhanced security is enabled by default on:

  • A factory-configured SmartServer that is shipped with 3.5 or higher

  • A SmartServer with 3.5 or higher after a factory reset

  • A SmartServer that is  re-imaged with 3.5 or higher

Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5.

Enhanced Security has no effect when using SAML or OAuth 2.0 Authentication Methods. Enhanced Security passwords are used when the Authentication Method is set to Basic. 

Enhanced security enables/disables the following features:

  • Password (pwd) – controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters. 

  • SCP (scp) – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.

  • Firewall (fw) – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.

You can enable/disable enhanced security using an option on the System Configuration page or using the SmartServer Secure Utility. These options are described in the sections that follow.

Using the System Configuration Page

With SmartServer 3.5 and higher, you should always use HTTPS (not HTTP) in the browser to access the SmartServer.

To disable/re-enable this feature using the System Configuration page, perform the following steps:

  1. Open the SmartServer Configuration page.  


    The Network Configuration page appears.





  2. Click the System tab at the top of the page.

    The System Configuration page appears.





  3. Click Enable Enhanced Security so that a check mark does not appear next to it to disabled the enhanced security feature.



Using the SmartServer Secure Utility

The SmartServer Secure Utility provides a way to enable/disable enhanced security features using the console. 

To use the SmartServer Secure Utility, perform the following steps:

  1. Log into the SmartServer console using USB or SSH.


  2. Use the following command to enable or disable enhanced security options:
     
    smartserver-secure [Option] [-|+<feat> ...]

    If all the options are enabled, the command output is all.

    • The help option outputs enabled features and provides information about the utility.

    • Features are as follows:
       +<feat> to enable a feature
      -<feat> to disable a feature

      where <feat> is one of the following:

      • pwd –  controls whether strong passwords are required and whether the console times out. Strong password requirements are: must have at least 14 characters, including digits, as well as lower-case, upper-case, and special characters. A fresh login session is required for changes to take effect.

      • scp – SCP (secure copy protocol) controls permissions for root access over SSH. With enhanced security enabled, root access over SSH is not allowed.

      • fw  – controls whether the firewall is enhanced or not (default is enhanced). The enhanced feature sets the default to deny outgoing and routed ports, and resets port rules to factory defaults. Ports will be opened for enabled services dynamically, except for incoming MQTT ports on the Features Configuration page. When disabled, the default for outgoing ports is set to allow.

      • all – controls all features.

        Examples:

        • To enable all features:
          smartserver-secure +all
          Output is all.


        • To disable strong passwords and console timeouts:
          smartserver-secure -pwd
          If this command followed the previous example, then the output is scp fw.


        • To output the currently enabled features:
          smartserver-secure
          If this command followed the previous example, then the output is scp fw.