Proroute Support Tickets / Helpdesk Proroute help desk Knowledgebase General Guides — For All Models
Important Device Security Guidelines & Settings for Proroute Routers
Suggested knowledgebase articles:

Important Device Security Guidelines & Settings for Proroute Routers

This guide covers the essential security settings for Proroute routers. It applies to all models. Some features were modified (Brute-force protection, IP whitelisting) and some introduced (Auth log) in Firmware updates across models at the end of 2025, and early 2026.

First login and password security

All Proroute routers manufactured from June 2024 onwards ship with unique credentials for both the WebUI and Wi-Fi, printed on the device label.

On first successful login to the WebUI, you will be prompted to set a new password. This password applies to:

  • WebUI user admin
  • SSH user router

Password requirements

The enforced minimum policy is:

Requirement Detail
Minimum length 8 characters
Digit At least one digit (0–9)
Uppercase letter At least one uppercase letter (A–Z)
Lowercase letter At least one lowercase letter (a–z)
Special character At least one special character (e.g., !@#$%)

Recommendation: Setting a strong password, such as at least 16+ characters is strongly advised. Especially if the router has exposure to the public internet. 

Update to the latest firmware

Ensure your router is running the latest firmware version to receive the most recent security patches and feature updates.

Download firmware for your router model from: Proroute Firmware Selector.

Limit administrative access & security hardening

Location in WebUI: Network > Firewall > Security

Administrative access to the router is available via three protocols:

Protocol Purpose Encryption
SSH Command-line interface (CLI) for advanced configuration Encrypted and secure
HTTPS Web interface (WebUI) via browser Encrypted and secure
HTTP Web interface (WebUI) via browser Unencrypted — credentials sent in plaintext

Note: TELNET is disabled by default and not configurable via the WebUI.

Deny WAN access

Do not expose the WebUI or SSH to the public internet.

The Wide Area Network (WAN) refers to the public internet in most deployments. A mobile interface connected via SIM card is a WAN connection. For each protocol (SSH, HTTPS, HTTP), ensure "Access from WAN" is set to "Deny". If set to "Allow", any device on the internet can attempt to connect to your router, which is a security risk. 

Network > Firewall > Security
SSH
Enable
Access from WAN Deny
Port 22
HTTPS
Enable
Access from WAN Deny
Port 443
HTTP
Enable
Access from WAN Deny
Port 80
Save and Apply

Remote management (if required)

The suggested method for remote management is a VPN. A VPN provides encryption, authentication, and network isolation — administrative interfaces can be made accessible over the VPN, whilst denying access from the public internet.

If a VPN is not possible for the deployment and WAN access is required, then the below guidelines should be considered:

Guideline Detail
Use HTTPS only Never use HTTP for remote access — credentials are transmitted in plaintext
Avoid SSH from WAN Only enable if absolutely necessary
Enable IP whitelisting Restrict access to known source IP addresses only (see below)
Use non-standard ports Reduces exposure to automated scanners — not a substitute for firewall rules

WAN IP blocking & brute-force protection

Brute-force protection automatically blocks IP addresses that exceed a threshold of failed login attempts. By default, brute-force protection is enabled for all three protocols (SSH, HTTPS, HTTP).

Default settings (Configurable)

Setting Default Notes
Failed attempt threshold 10 attempts Triggers lockout for the source IP
Lockout duration 60 minutes Can be set to very high number, thus acting essentially as a ban (i.e. 525600 mins = 1 Year)
Protection enabled Yes (all protocols) Can be disabled per protocol (not recommended)

Login attempts and lockout events are recorded in the Auth Log at Status > Event Log > Auth Log.

IP whitelisting

Location in WebUI: Network > Firewall > Security

The Remote Access IP Whitelist restricts WAN administrative access to trusted IP addresses or ranges only. When enabled, all other source IPs are blocked by the firewall from communicating with the device, and therefore the WebUI and CLI.

Configuration

  1. Tick Enable Whitelist — an input field will appear
  2. Enter allowed IP addresses or ranges (one per line):
    • Single IP: 203.0.113.45
    • CIDR range: 192.168.10.0/24
  3. Click Save and Apply

Important: The whitelist applies to all protocols (HTTP, HTTPS, SSH). Additionally when port forward rules are configured, only the IP addresses in the whitelist can use them — ports will not be reachable from IPs not on the whitelist. Ensure your own public IP used for administration is listed before enabling to avoid locking yourself out.

Network > Firewall > Security — Remote Access IP Whitelist
Enable Whitelist
Allowed IPs 203.0.113.45
192.168.10.0/24 One IP or CIDR range per line
Save and Apply

Event log & Auth log

Location in WebUI: Status > Event Log > Auth Log (top tab)

The Auth log records all access attempts — successful and unsuccessful — to authenticate and gain access to the WebUI (HTTPS/HTTP) and CLI (SSH). It is a useful tool for auditing security related to connection attempts to the device. 

This is saved to Flash storage, so is persistent after a reboot. It is rotated once it gets too long. 

Log entries include

Field Description
Timestamp Date and time of the attempt
Type Successful or Unsuccessful
Log Listing: Management interface, Protocol, Source IP, User account, event descriptor.

Important: If the router has a fixed public IP address via SIM, it is directly reachable from the entire internet. Reviewing the auth log regularly is critical in this scenario to detect connection attempt patterns from malicious sources.

Status > Event Log > Auth Log
Datetime Type Log
2025-12-01 09:14:02 authen_succeed WEBUI HTTPS from192.168.8.100 user admin login successful
2025-12-02 13:47:19 authen_fail SSH max fails from 192.168.31.100 user router locked-out 60min
2025-12-02 15:45:05 authen_fail SSH max fails from 192.168.31.100 user router locked-out 60min
2025-12-01 03:46:51 authen_fail WEBUI HTTPS from192.168.8.125 user admin login failed 2 time(s)
2025-12-01 02:11:33 authen_succeed SSH from 192.168.31.100 user router login successful

Security checklist

# Action
1 Set a strong password — 16+ characters, mix of upper/lowercase, digits, and special characters
2 Update firmware to the latest version
3 Set "Access from WAN" to "Deny" for SSH, HTTPS, and HTTP
4 Keep brute-force protection enabled on all protocols
5 If remote access is required, use a VPN rather than exposing protocols directly
6 If VPN use is not possible, enable IP whitelisting and use HTTPS only
7 Regularly review the Auth Log for suspicious activity

Article Details

Article ID:
9
Category:
General Guides — For All Models

Related articles