If your router needs remote access, the steps that matter most are: keep the management interface off the public internet where possible (use a private IP SIM with VPN), change all default credentials to strong unique passwords, restrict access by source IP or VPN if a public IP is unavoidable, and keep firmware updated. None of these are difficult individually, but together they significantly reduce the attack surface of an internet-connected router.
1. Avoid exposing the management interface where possible
The single biggest factor in router security is whether the management interface (the web UI, SSH, Telnet, or similar) is reachable from the public internet at all. A device behind a private IP with VPN simply isn’t visible to internet-wide scanning – there’s no public address to find. If your access requirements allow it, this is the strongest starting position, and our Fixed vs Dynamic IP guide can help you work out whether your use case fits.
2. Change default credentials immediately
Every router ships with a default username and password, and these defaults are well known and actively scanned for. Before a router goes live – whether it has a public or private IP – change the admin credentials to something unique and strong. If multiple routers are being deployed, use unique credentials per device rather than one shared password across the fleet, ideally managed through a password manager or your remote management platform.
3. Disable unnecessary WAN-facing services
Most industrial routers have a range of services that can be enabled on the WAN interface – remote management, SSH, FTP, and others. Disable anything that isn’t actively needed. If remote management is required, prefer accessing it via VPN rather than directly over the WAN interface.
4. Restrict access by source IP where practical
If you only ever need to access a router from a small number of known locations – your office, a data centre, a specific monitoring platform – configure the router to only accept management connections from those IP addresses. This significantly narrows who can even attempt to connect, though it requires those source locations to have static IPs of their own. Where access locations vary, a VPN is usually the more practical and equally secure alternative.
5. Use VPN for remote access wherever possible
A VPN tunnel – whether IPsec, OpenVPN or WireGuard, all commonly supported by Teltonika and Milesight routers – provides authenticated, encrypted access without exposing the router’s services directly to the internet. Combined with a private IP SIM, this means the router has no public-facing attack surface at all; access is only possible after successfully connecting to the VPN. See our private APN and VPN explained guide for more on how this works in practice.
6. Keep firmware up to date
Router manufacturers regularly release firmware updates, some of which address security vulnerabilities. Check for updates periodically and apply security-relevant ones promptly. For fleets of routers, remote management platforms such as Teltonika RMS allow firmware to be updated across multiple devices without a site visit.
If you’re using a fixed public IP SIM
If your application genuinely requires a fixed public IP – for example, a third-party system connects directly to your router’s address – all of the steps above still apply, and matter more, since the router is directly reachable on the public internet. In particular, disabling WAN management entirely (using VPN for any management access even though the IP is public) and restricting by source IP are worth prioritising.
Not sure which SIM type and security setup fits your deployment? Get in touch and our team can talk through the options.