Essential Security Measures
Simple, effective steps to harden ALPON X5 AI and ALPON X4: review open ports, set up SSH key authentication, keep the system updated, configure a firewall, and add a daily-use user.
Essential Security Measures for ALPON
Keeping your ALPON X5 AI or ALPON X4 secure prevents problems and keeps it running smoothly. This guide walks through five practical steps: reviewing open ports, enabling SSH key authentication, keeping the system updated, configuring a firewall, and adding a daily-use user.
Harden your ALPON X5 AI or ALPON X4 in five steps: review open ports with
netstat and close unused services, switch from passwords to SSH key-based
authentication, keep the OS and Sixfab apps updated, add a UFW firewall that
denies incoming traffic by default while allowing the required Sixfab ports, and create a separate
daily-use user. Never block the platform's core ports, or remote management breaks.
ALPON reserves ports 30010, 30020, 30030, 30040, 30050, 30070, 30080, 10250, 6443, and 22 for its core functionality. Do not close or block these — doing so interferes with the normal operation of the device and can cut off remote management.
-
1
Check and close unnecessary open ports
Open network ports can be entry points for attacks. Review them periodically and close anything unnecessary — but leave the ALPON core ports untouched (see the warning above).
List the active listening ports and their services:
bash · list open portssudo netstat -tuln
Once you identify an unnecessary service, stop and disable it:
bash · stop a servicesudo systemctl stop <SERVICE_NAME> sudo systemctl disable <SERVICE_NAME>
-
2
Set up SSH key-based authentication
Use SSH keys instead of password login. This requires a user account — if you don't have one, create it in step 5 first.
Generate a key pair on your personal computer:
bash · generate key pairssh-keygen -t rsa -b 4096
By default the keys are saved to
~/.ssh/id_rsa(private) and~/.ssh/id_rsa.pub(public).Copy the public key to the ALPON, replacing the address with your device's actual IP:
bash · copy public keyssh-copy-id USERNAME@YOUR_ALPON_IPIf ssh-copy-id isn't availablessh-copy-idis usually available on Linux. If it doesn't work on your system, copy the contents ofid_rsa.pubto the ALPON's~/.ssh/authorized_keysfile manually.Test the key authentication — you should log in without a password:
bash · test loginssh USERNAME@YOUR_ALPON_IPDisable password authentication (optional but recommended). SSH into the ALPON and edit the SSH config:
bash · edit sshd_configsudo nano /etc/ssh/sshd_config
Find
#PasswordAuthentication yesand change it to:config · /etc/ssh/sshd_configPasswordAuthentication noSave, exit, and restart the SSH service:
bash · restart sshsudo systemctl restart ssh
-
3
Keep the system updated
Keeping the system current is one of the simplest yet most effective security measures. Update the package list and upgrade installed packages:
bash · update packagessudo apt update sudo apt upgrade
Then update the default ALPON applications from Sixfab Connect: open the asset's Details → Device tab → Device Maintenance section → click Update.
-
4
Set up and configure a firewall
A firewall protects the system from unauthorized access. Install UFW:
bash · install ufwsudo apt update && sudo apt install ufw
Apply the essential rules — deny incoming by default, allow outgoing, and permit SSH plus the required Sixfab application ports:
bash · ufw rulessudo ufw default deny incoming # Block incoming by default sudo ufw default allow outgoing # Allow outgoing sudo ufw allow 22 # SSH sudo ufw allow 30010 # Sixfab application sudo ufw allow 30030 # Sixfab application sudo ufw allow 30040 # Sixfab application sudo ufw allow 30080 # Sixfab application
Other Sixfab portsThe standard Sixfab apps on ports 30020, 30050, and 30070 do not need explicit firewall rules.
-
5
Create a new user for daily use optional
Create a new user:
bash · add usersudo adduser <NEW_USERNAME>Assign the user to the
sudogroup for administrative privileges:bash · grant sudosudo usermod -aG sudo <NEW_USERNAME>You can then log in with
ssh NEW_USERNAME@YOUR_ALPON_IP.
Securing an ALPON is a proactive process: lock down SSH access, patch known vulnerabilities with regular updates, and disable unused services to shrink the attack surface. Following these principles makes your ALPON X5 AI or ALPON X4 significantly more resilient against potential threats.
