Hardening guide

This document provides recommendations for enhancing the security of BAS-IP devices. By following these measures, you reduce the risk of external threats and protect your network, devices, and services. Adhering to these guidelines should be a priority at all stages of installation, operation, and maintenance.

BAS-IP Devices in a Network Environment

Use vandal-resistant enclosures and install devices according to our guidelines to prevent sabotage, vandalism, or unauthorized access.

Limiting Internet Exposure

Avoid exposing BAS-IP devices to the Internet. Restrict access to the local network only.

Limiting Local Network Exposure

Grant access only to required systems and personnel.

Whenever possible, place devices in a segmented or isolated network.

Access via Web Browser

Use the built-in web interface only for configuration and maintenance, not for daily operation.
Always end the session after finishing configuration.

Data Confidentiality

  • Do not share device credentials with third parties;

  • Avoid distributing configuration files containing unfiltered sensitive information;

  • Do not share network logs or security keys.

Setting a Strong Password

All BAS-IP devices require administrator and user passwords to access settings and security functions. Always use strong passwords and keep them confidential.

Default passwords are restored after a factory reset. They are used both for accessing monitor settings and for disabling alarm modes.

Change these passwords immediately after installation and after every reset to prevent unauthorized access.

Firmware Update

Keep firmware up to date. New releases may contain security patches and stability improvements.
Always install the latest software available on the BAS-IP website.

SIP Accounts

  • Enable authentication when using SIP-PBX for calls;

  • Avoid anonymous accounts;

  • Use the SIP-TLS protocol to secure calls.

Access Control

Use time profiles to control access.

If 24/7 access is not required, limit access timeframes accordingly.

Video Streaming and Data Transmission

  • If only video is required, disable audio transmission;

  • Protect access with a strong password and an allowlist of trusted IP addresses.

Email

  • Use an SMTP server that requires authentication;

  • Verify the server identity using certificates.

HTTP API

Enable TLS encryption and protect API access with a strong password.

Relay

Use the SH-42 remote relay to prevent unauthorized door unlocking or device tampering.
Assign unique PIN access codes for each user.