Important Device Security Guidelines & Settings
This guide covers the essential security settings for Proroute routers. It applies to all models. Some features (auth log, brute-force protection, IP whitelisting) were introduced in H685 4G firmware v3.2.355+ and are being rolled out to other models in subsequent firmware updates.
First login and password security
All Proroute routers manufactured from June 2024 onwards ship with unique credentials for both the WebUI and Wi-Fi, printed on the device label.
On first successful login to the WebUI, you will be prompted to set a new password. This password applies to:
- WebUI user
admin - SSH user
router
Password requirements
The enforced minimum policy is:
| Requirement | Detail |
|---|---|
| Minimum length | 8 characters |
| Digit | At least one digit (0–9) |
| Uppercase letter | At least one uppercase letter (A–Z) |
| Lowercase letter | At least one lowercase letter (a–z) |
| Special character | At least one special character (e.g., !@#$%) |
Recommendation: Use a password of at least 12 characters. 16+ characters is strongly advised if the router is directly accessible from the public internet.
Update to the latest firmware
Ensure your router is running the latest firmware version to receive the most recent security patches and feature updates.
Download firmware for your router model from: Proroute Firmware Selector.
Limit administrative access & security hardening
Location in WebUI: Network > Firewall > Security
Administrative access to the router is available via three protocols:
| Protocol | Purpose | Encryption |
|---|---|---|
| SSH | Command-line interface (CLI) for advanced configuration | Encrypted and secure |
| HTTPS | Web interface (WebUI) via browser | Encrypted and secure |
| HTTP | Web interface (WebUI) via browser | Unencrypted — credentials sent in plaintext |
Note: TELNET is disabled by default and not configurable via the WebUI.
Deny WAN access
Do not expose the WebUI or SSH to the public internet.
The Wide Area Network (WAN) refers to the public internet in most deployments. A mobile interface connected via SIM card is a WAN connection. For each protocol (SSH, HTTPS, HTTP), ensure "Access from WAN" is set to "Deny". If set to "Allow", any device on the internet can attempt to connect to your router.
| Network > Firewall > Security | |
| SSH | |
| Enable | ✓ |
| Access from WAN | Deny ▼ |
| Port | 22 |
| HTTPS | |
| Enable | ✓ |
| Access from WAN | Deny ▼ |
| Port | 443 |
| HTTP | |
| Enable | ✓ |
| Access from WAN | Deny ▼ |
| Port | 80 |
| Save and Apply | |
Remote management (if required)
The preferred method for remote management is a VPN. A VPN provides encryption, authentication, and network isolation — administrative interfaces are never directly exposed to the internet.
If a VPN is not possible and WAN access is required:
| Guideline | Detail |
|---|---|
| Use HTTPS only | Never use HTTP for remote access — credentials are transmitted in plaintext |
| Avoid SSH from WAN | Only enable if absolutely necessary |
| Enable IP whitelisting | Restrict access to known source IP addresses only (see below) |
| Use non-standard ports | Reduces exposure to automated scanners — not a substitute for firewall rules |
WAN IP blocking & brute-force protection
Brute-force protection automatically blocks IP addresses that exceed a threshold of failed login attempts. By default, brute-force protection is enabled for all three protocols (SSH, HTTPS, HTTP).
Default settings
| Setting | Default | Notes |
|---|---|---|
| Failed attempt threshold | 10 attempts | Triggers lockout for the source IP |
| Lockout duration | 60 minutes | Configurable |
| Protection enabled | Yes (all protocols) | Can be disabled per protocol — not recommended |
Login attempts and lockout events are recorded in the Auth Log at Status > Event Log > Auth Log.
IP whitelisting
Location in WebUI: Network > Firewall > Security
The Remote Access IP Whitelist restricts WAN administrative access to trusted IP addresses or ranges only. When enabled, all other source IPs are blocked from the WebUI and CLI.
Configuration
- Tick Enable Whitelist — an input field will appear
- Enter allowed IP addresses or ranges (one per line):
- Single IP:
203.0.113.45 - CIDR range:
192.168.10.0/24
- Single IP:
- Click Save and Apply
Important: The whitelist applies to all protocols (HTTP, HTTPS, SSH) and also governs port forwarding rules — ports will not be reachable from IPs not on the whitelist. Ensure your own public IP is listed before enabling to avoid locking yourself out.
| Network > Firewall > Security — Remote Access IP Whitelist | |
| Enable Whitelist | ✓ |
| Allowed IPs | 203.0.113.45 192.168.10.0/24 One IP or CIDR range per line |
| Save and Apply | |
Event logging & auth log
Location in WebUI: Status > Event Log > Auth Log
The auth log records all access attempts — successful and unsuccessful — to the WebUI (HTTPS) and CLI (SSH).
Log entries include
| Field | Description |
|---|---|
| Timestamp | Date and time of the attempt |
| Result | Successful or unsuccessful |
| Management interface | CLI (SSH) or WebUI (HTTPS) |
| Source IP address | Originating IP of the connection attempt |
| Failed attempt count | Running count for that source IP |
| Lockout trigger | Logged when threshold is reached, including lockout duration applied |
Important: If the router has a fixed public IP address via SIM, it is directly reachable from the entire internet. Reviewing the auth log regularly is critical in this scenario to detect brute-force attempts and unauthorised access.
| Status > Event Log > Auth Log | |||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
Security checklist
| # | Action |
|---|---|
| 1 | Set a strong password — 12+ characters, mix of upper/lowercase, digits, and special characters |
| 2 | Update firmware to the latest version |
| 3 | Set "Access from WAN" to "Deny" for SSH, HTTPS, and HTTP |
| 4 | Keep brute-force protection enabled on all protocols |
| 5 | If remote access is required, use a VPN rather than exposing protocols directly |
| 6 | If VPN is not possible, enable IP whitelisting and use HTTPS only |
| 7 | Regularly review the Auth Log for suspicious activity |