Credit goes to Marcus @mldowling for writing the “Securing InControl Access” Section.
Securing the Web Admin
One of the most frequent forms of router attack is directed at the Web UI. Here are several things you can do to secure the Web UI of your Peplink / Pepwave router, all of which are found in the Web UI under System > Admin Security.
Change Your Admin Password, Make Your Web UI Accessible Only from the LAN
For security reasons, it is recommended to change the administrator password after logging in to the web admin interface for the first time. Configuring the administration interface to be accessible only from the LAN further improves system security.
Share a User Account, Keep an Admin Account
There are two types of user accounts available for accessing the web admin: admin and user. They represent two user levels: the admin level has full administration access, while the user level is read-only. The user level can access only the device’s status information; users cannot make any changes on the device.
Shorten your Web Session Logout Time
A web login session will be logged out automatically when it has been idle longer than the Web Session Timeout. The default value is 4 hours. If your router is protecting a particularly sensitive network, you can set this value lower to improve your router security.
Securing InControl Access
Here are some starters for securing your Peplink routers using InControl2.
At the organisation level, in the “Organization Settings”, enable “Two-factor authentication” and enable “Authenticated with Password”.
The “Idle timeout” shown in this image is the InControl2 default (240 minutes); you may want to reduce it to 30 minutes or less depending on your security requirements.
Leave access for Peplink Support enabled until you have stabilised your system. Peplink have excellent in-house security practices, so you may leave this open long term if you choose.
Next navigate into the group settings (you’ll need to do this for each group of devices).
Choose your required time zone and then enable “Devices follow this time zone setting”. Many security systems rely on a correct time zone, and log analysis is much easier when all of your systems use the same one.
Continue down and enable “Device Web Admin Authentication”; the menu will expand.
For “Admin Password” select “Assign a random password for each device” and tick the box “Reassign a new one”.
For “Read-only User Password” select “Disable” and tick the box “Re-disable on all devices”.
For “Web Admin Access from WAN”, choose “Disable” from the drop-down menu. This is especially important if you are going to be running a web server behind your Peplink router that uses port 80 or port 443.
And remember to press “Save Changes”.
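After saving, it is worth confirming from outside the LAN that the web admin really is no longer answering on the WAN side, both for the Web UI setting under System > Admin Security and for the InControl2 group setting above. The script below is an added example and is not Peplink or InControl2 tooling; it assumes you run it from a host outside your LAN (a VPS, or a phone on mobile data), and WAN_HOST is a placeholder documentation address you must replace with your own router's public address. It only attempts a plain TCP connection to each port, so an open 80 or 443 may also be a web server you have deliberately published behind the router; in that case inspect the response yourself rather than assuming the admin UI is exposed.

```python
"""Post-change check: is the router's web admin still reachable from the WAN?

Added example, not Peplink's own code. Run it from OUTSIDE the router's LAN.
"""
import socket
from typing import Dict, Iterable

# Placeholder (RFC 5737 documentation address): replace with your router's
# public WAN address. Never point this at equipment you do not own.
WAN_HOST = "198.51.100.10"

# Ports the web admin listens on by default; 80/443 also matter if a web
# server is published behind the router (see "Web Admin Access from WAN").
DEFAULT_PORTS = (80, 443)


def is_tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Refused, filtered (timeout) and unreachable all count as "not exposed"
    for this check, which is the outcome we want after disabling WAN access.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_wan_exposure(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                       timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to whether it accepted a connection from this host."""
    return {port: is_tcp_port_open(host, port, timeout) for port in ports}


def exposure_report(results: Dict[int, bool]) -> str:
    """Render the check results as one line per port, lowest port first."""
    lines = []
    for port, is_open in sorted(results.items()):
        if is_open:
            status = "OPEN - something answers from the WAN; verify it is not the admin UI"
        else:
            status = "closed/filtered"
        lines.append(f"tcp/{port}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = check_wan_exposure(WAN_HOST)
    print(exposure_report(results))
    if any(results.values()):
        print("At least one port answers from the WAN. Re-check "
              "'Web Admin Access from WAN' and 'Save Changes' in InControl2, "
              "or the LAN-only setting under System > Admin Security.")
```

Run it once before and once after changing the setting; the expected result afterwards is "closed/filtered" on every port that is not a service you intentionally publish.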
The next thing is to assign user permissions. Only give people trained and knowledgeable as network administrators access at the organisation level as “Organization Administrator”. Restrict everyone else to “Organization Viewer” (if access at the organisation level is needed at all), or put them into only the group(s) they are entitled to access, with “Group Viewer” access, which also prevents them from seeing other groups.