Moxa NPort 6000 User manual

Copyright © 2021 Moxa Inc.
Released on March 26, 2021
About Moxa
Moxa is a leading provider of edge connectivity, industrial computing, and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things (IIoT). With over 30 years of industry experience, Moxa has connected more than 57 million devices worldwide and has a distribution and service network that reaches customers in more than 70 countries. Moxa delivers lasting business value by empowering industries with reliable networks and sincere service. Information about Moxa’s solutions is available at www.moxa.com.
How to Contact Moxa
Tel: +886-2-8919-1230
The Security Hardening Guide for the NPort 6000 Series
Moxa Technical Support Team
support@moxa.com
Contents
1. Introduction
2. General System Information
2.1. Basic Information About the Device
2.2. Deployment of the Device
3. Configuration and Hardening Information
3.1. TCP/UDP Ports and Recommended Services
3.2. HTTPS and SSL Certificates
3.3. Account Management
3.4. Accessible IP List
3.5. Logging and Auditing
4. Patching/Upgrades
4.1. Patch Management
4.2. Firmware Upgrades
5. Security Information and Vulnerability Feedback
Moxa Tech Note
The Security Hardening Guide for the NPort 6000
Series

1. Introduction

This document provides guidelines on how to configure and secure the NPort 6000 Series. The
recommended steps in this document should be considered as best practices for security in
most applications. It is highly recommended that you review and test the configurations
thoroughly before implementing them in your production system in order to ensure that your
application is not negatively impacted.

2. General System Information

2.1. Basic Information About the Device

| Model | Function | Operating System | Firmware Version |
|---|---|---|---|
| NPort 6000 Series | Device server | Moxa Operating System | Version 1.20 |

The NPort 6000 Series is a device server specifically designed to allow industrial
devices to be directly accessible from a network. Thus, legacy devices can be
transformed into Ethernet devices, which then can be monitored and controlled from
any network location or even the Internet. Different configurations and features are
available for specific applications, such as protocol conversion, Real COM drivers, and
TCP operation modes, to name a few. The series uses TLS protocols to transmit
encrypted serial data over Ethernet.
Moxa Operating System (MOS) is an embedded proprietary operating system that is
only used in Moxa edge devices. Because the MOS operating system is not freely
available, the chances of malware attacks are significantly reduced.

2.2. Deployment of the Device

You should deploy the NPort 6000 Series behind a secure firewall network that has
sufficient security features in place to ensure that networks are safe from
internal and external threats.
Make sure that the physical protection of the NPort devices and/or the system
meets the security needs of your application. Depending on the environment and the
threat situation, the form of protection can vary significantly.

3. Configuration and Hardening Information

For security reasons, account and password protection is enabled by default, so you must
provide the correct account and password to unlock the device before entering the web
console of the gateway.
The default account and password are admin and moxa (both in lowercase letters),
respectively. Once you are successfully logged in, a pop-up notification will appear to remind
you to change the password in order to ensure a higher level of security.
From firmware version 1.20, there is no default username or password. You should
immediately create a username and password after logging in for the first time to enhance the
security of your device.

3.1. TCP/UDP Ports and Recommended Services

Refer to the table below for all the ports, protocols, and services that are used to
communicate between the NPort 6000 Series and other devices.

| Service Name | Option | Default Setting | Type | Port Number | Description |
|---|---|---|---|---|---|
| Moxa Command (DSCI) | Enable/Disable | Enable | TCP, UDP | TCP: 14900, 4900; UDP: 4800 | For Moxa utility communication |
| DNS_wins | Enable | Enable | UDP | 53, 137, 949 | Processing DNS and WINS data |
| SNMP agent | Enable/Disable | Enable | UDP | 161 | SNMP handling routine |
| RIPD_PORT | Enable/Disable | Disable | UDP | 520, 521 | Processing RIP routing data |
| HTTP server | Redirect to HTTPS/Disable | Disable | TCP | 80 | Web console |
| HTTPS server | Enable/Disable | Enable | TCP | 443 | Secured web console |
| SSH | Enable/Disable | Enable | TCP | 22 | SSH console |
| Telnet server | Enable/Disable | Disable | TCP | 23 | Telnet console |
| RADIUS | Enable/Disable | Disable | UDP | User-defined (1645 as default or 1812) | Authentication server |
| TACACS+ | Enable/Disable | Disable | TCP | 49 | Authentication server |
| DHCP client | Enable/Disable | Disable | UDP | 68 | The DHCP client needs to acquire the system IP address from the server |
| SNTP (Client) | Enable/Disable | Disable | UDP | Random port | Synchronize time settings with a time server |
| Remote System Log | Enable/Disable | Disable | UDP | Random port | Send the event log to a remote log server |

| Operation Mode | Option | Default Setting | Type | Port Number |
|---|---|---|---|---|
| Real COM Mode | Enable/Disable | Enable | TCP | 950+(Serial port No. -1); 966+(Serial port No. -1) |
| RFC2217 Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial port No.) |
| TCP Server Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial Port No.); User-defined (default: 966+Serial Port No.) |
| UDP Mode | Enable/Disable | Disable | UDP | User-defined (default: 4000+Serial Port No.) |
| Pair Connection Slave Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial Port No.) |
| Ethernet Modem Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial Port No.) |
| Reverse Telnet Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial Port No.) |
| Reverse SSH Mode | Enable/Disable | Disable | TCP | User-defined (default: 4000+Serial Port No.) |
| Printer RAW Mode | Enable/Disable | Disable | TCP | 2048+(Group No. -1) |
| Printer LPD Mode | Enable/Disable | Disable | TCP | 515 |
| Disabled Mode | Enable/Disable | Disable | N/A | N/A |

For security reasons, you should consider disabling unused services. After initial setup,
use services with stronger security for data communication. Refer to the table below for
the suggested settings.

| Service Name | Suggested Setting | Type | Port Number | Security Remark |
|---|---|---|---|---|
| Moxa Command (DSCI) | Disable | TCP, UDP | TCP: 14900, 4900; UDP: 4800 | Disable this service as it is not commonly used |
| DNS_wins | Enable | UDP | 53, 137, 949 | A necessary service to get IP; cannot be disabled |
| SNMP | Disable | UDP | 161 | Suggest to manage the NPort via HTTPS console |
| RIPD_PORT | Disable | UDP | 520, 521 | Since the NPort is not a router or layer 3 switch, you may not need this service |
| HTTP Server | Disable | TCP | 80 | Disable HTTP to prevent plain text transmission |
| HTTPS Server | Enable | TCP | 443 | Encrypted data channel with trusted certificate for NPort configurations |
| SSH | Enable | TCP | 22 | If you prefer the console mode to configure the device, you can enable the SSH service. If you prefer the GUI, then disable it. |
| Telnet Server | Disable | TCP | 23 | Disable this service as it is not commonly used |
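
Added example (not part of Moxa's guide): a short Python check that compares the ports found open on an NPort with the suggested settings in the table above and with the Real COM port formulas from the operation-mode table. The scan result, the two-port unit and the function names are constructed for illustration.

```python
# Baseline transcribed from the guide's suggested-settings table (section 3.1).
# Key: (transport, port) -> (service name, suggested setting)
BASELINE = {
    ("tcp", 14900): ("Moxa Command (DSCI)", "Disable"),
    ("tcp", 4900): ("Moxa Command (DSCI)", "Disable"),
    ("udp", 4800): ("Moxa Command (DSCI)", "Disable"),
    ("udp", 53): ("DNS_wins", "Enable"),
    ("udp", 137): ("DNS_wins", "Enable"),
    ("udp", 949): ("DNS_wins", "Enable"),
    ("udp", 161): ("SNMP", "Disable"),
    ("udp", 520): ("RIPD_PORT", "Disable"),
    ("udp", 521): ("RIPD_PORT", "Disable"),
    ("tcp", 80): ("HTTP Server", "Disable"),
    ("tcp", 443): ("HTTPS Server", "Enable"),
    ("tcp", 22): ("SSH", "Enable"),
    ("tcp", 23): ("Telnet Server", "Disable"),
}


def real_com_ports(serial_ports):
    """TCP ports Real COM mode uses per the guide: 950+(n-1) and 966+(n-1)."""
    return {base + n - 1 for base in (950, 966) for n in range(1, serial_ports + 1)}


def audit(observed, serial_ports):
    """Compare open (transport, port) pairs from a scan with the baseline."""
    findings = []
    real_com = real_com_ports(serial_ports)
    for transport, port in sorted(observed):
        service, setting = BASELINE.get((transport, port), (None, None))
        if setting == "Disable":
            findings.append((transport, port, f"{service}: guide suggests Disable"))
        elif service is None and transport == "tcp" and port in real_com:
            findings.append((transport, port, "Real COM Mode: confirm this serial port is in use"))
        elif service is None:
            findings.append((transport, port, "not in baseline: identify the operation mode or service"))
    if ("tcp", 443) not in observed:
        findings.append(("tcp", 443, "HTTPS Server: expected Enable, not observed"))
    return findings


# Constructed scan result for a hypothetical 2-port unit (not real device output).
SAMPLE_OPEN = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443),
               ("tcp", 950), ("tcp", 966), ("tcp", 4001), ("udp", 161)}

if __name__ == "__main__":
    for transport, port, note in audit(SAMPLE_OPEN, serial_ports=2):
        print(f"{transport}/{port}: {note}")
```

SSH is treated as acceptable here because the guide leaves it enabled for users who prefer the console; sites that manage the device only through the HTTPS console can change its entry to "Disable".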