If I want to be very security conscious, some cell companies provide an option for private network SIM cards. Basically your GPS tracker will connect directly to your network via VPN in those cases, so you don't need to expose anything to the public.
I wonder though why you would be worried about a protocol port while the tracker itself sends the data unencrypted over the internet to that port.
My point was that it's possible to send data over an encrypted connection and not the public internet.
Yes Anton, my remark was pointed at alextruppel, while he wants to secure his server port (I actually wonder how this port could be compromised when only a device protocol runs on that port?). But what I mean to say is that I wonder why he is only concerned about his open port and not about the fact that the data that his device sends over the internet is not protected in any way.
There could be reasons like spoofing data or potential DDoS.
To answer both:
If I want to be very security conscious, some cell companies provide an option for private network SIM cards.
This I'm not going to do, I already have SIM cards, they are the normal kind.
I wonder though why you would be worried about a protocol port while the tracker itself sends the data unencrypted over the internet to that port.
That's very simple to answer:
That is why I'm asking if there are steps that I can take to protect the access to my server. Not in the sense that the data I'm sending to it should be encrypted or protected, but in the sense of guaranteeing the integrity of the server itself.
It is very unlikely that an attacker would be able to do anything other than spoof some data. That's if you just open a device port, not web.
Ok, that's good to know! Thank you. So, in your opinion, no extra protection needs to be added between my router's firewall and the Traccar device port (Wialon IPS, in this case), from the point of view of server integrity?
Yeah, I don't think you need to do anything. But if you feel paranoid, you can potentially restrict IP addresses only to the range used by your cell service provider.
I would think that if you are really paranoid about your open port then just run Traccar server on a free tier VPN. Because as you stated you do not care about who sees the data. Then there's no need to host it on your own server. You can even use the demo servers for it. All ports closed :)
Personally, I lock the ports 5000-8081 to open only to the SIM network IPs, and only 8082 is public. I think it's enough for now, as most posts here and discussions on the web mention that, and if someone unknown connects to those ports they can't do anything to the server.
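The source-range restriction suggested in the replies above, as an added example that is not part of the thread: a script that prints (does not apply) iptables rules for Docker's `DOCKER-USER` chain so only listed ranges reach one published port. It assumes Docker manages iptables on the host and the router's port forward preserves the tracker's source address; port 5039 and the two ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example: print iptables rules that let only listed IPv4 source ranges
# reach one published Docker port. Nothing is applied here; review the output,
# then pipe it to "sh" as root on the Docker host.

# is_ipv4_cidr CIDR: succeeds only for a.b.c.d/0-32 with octets 0-255.
is_ipv4_cidr() {
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o/(3[0-2]|[12]?[0-9])\$"
}

# is_port N: succeeds only for an integer in 1-65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_rules PORT CIDR...: validate everything first, then print the rules.
emit_rules() {
    port=$1
    is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    shift
    [ "$#" -gt 0 ] || { echo "no source ranges given" >&2; return 1; }
    for cidr in "$@"; do
        is_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    done
    # Docker rewrites the destination before the FORWARD hook, so match the
    # port published on the Docker host via conntrack's original tuple, and
    # only client-to-server packets (ORIGINAL direction).
    match="-p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
    # The DROP is inserted first; each later "-I ... 1" lands above it.
    echo "iptables -I DOCKER-USER 1 $match -j DROP"
    for cidr in "$@"; do
        echo "iptables -I DOCKER-USER 1 -s $cidr $match -j RETURN"
    done
}

# Constructed values: replace with your published port and carrier ranges.
emit_rules 5039 198.51.100.0/24 203.0.113.0/24
```

`RETURN` hands allowed packets back to Docker's own forwarding rules instead of accepting them outright, and traffic to other ports is untouched. The port to match is the one published on the Docker host, which may differ from the external port on the router.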
I posted a question on Reddit about securing Traccar ports, and I'd like to ask it here as well.
I have Traccar running on Docker, and my GPS trackers communicate with my server using the Wialon IPS protocol. They all connect to my DDNS address and a specific port on my router, which then is forwarded to a port on my server hardware, which then goes to a port on the Traccar Docker container. This is the only open port on my router's firewall, since everything else is accessed through a VPN (including Traccar's GUI).
My questions are:
Regarding (2), people regularly suggest using a reverse proxy (nginx, traefik, etc.), for example. But these are made to handle authentication, certificates, HTTPS, multiple services behind the same proxy, etc. In my case, I only have one service behind the proxy (Traccar's data input port), authentication is handled by Traccar (according to the Wialon protocol), there is no HTTPS, no certificates, etc.
So what would everyone here suggest?
Thank you!