Essential Security Measures

Simple, effective steps to harden ALPON X5 AI and ALPON X4: review open ports, set up SSH key authentication, keep the system updated, configure a firewall, and add a daily-use user.

Essential Security Measures for ALPON

Keeping your ALPON X5 AI or ALPON X4 secure prevents problems and keeps it running smoothly. This guide walks through five practical steps: reviewing open ports, enabling SSH key authentication, keeping the system updated, configuring a firewall, and adding a daily-use user.

ALPON X5 AI ALPON X4 SSH · UFW Hardening
ALPON · Tutorial · Security · Hardening
How do I secure my ALPON device?

Harden your ALPON X5 AI or ALPON X4 in five steps: review open ports with netstat and close unused services, switch from passwords to SSH key-based authentication, keep the OS and Sixfab apps updated, add a UFW firewall that denies incoming traffic by default while allowing the required Sixfab ports, and create a separate daily-use user. Never block the platform's core ports, or remote management breaks.

Never close the ALPON core ports

ALPON reserves ports 30010, 30020, 30030, 30040, 30050, 30070, 30080, 10250, 6443, and 22 for its core functionality. Do not close or block these — doing so interferes with the normal operation of the device and can cut off remote management.

  1. 1

    Check and close unnecessary open ports

    Open network ports can be entry points for attacks. Review them periodically and close anything unnecessary — but leave the ALPON core ports untouched (see the warning above).

    List the active listening ports and their services:

    bash · list open ports
    sudo netstat -tuln

    Once you identify an unnecessary service, stop and disable it:

    bash · stop a service
    sudo systemctl stop <SERVICE_NAME>
    sudo systemctl disable <SERVICE_NAME>
  2. 2

    Set up SSH key-based authentication

    Use SSH keys instead of password login. This requires a user account — if you don't have one, create it in step 5 first.

    Generate a key pair on your personal computer:

    bash · generate key pair
    ssh-keygen -t rsa -b 4096

    By default the keys are saved to ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public).

    Copy the public key to the ALPON, replacing the address with your device's actual IP:

    bash · copy public key
    ssh-copy-id USERNAME@YOUR_ALPON_IP
    If ssh-copy-id isn't available

    ssh-copy-id is usually available on Linux. If it doesn't work on your system, copy the contents of id_rsa.pub to the ALPON's ~/.ssh/authorized_keys file manually.

    Test the key authentication — you should log in without a password:

    bash · test login
    ssh USERNAME@YOUR_ALPON_IP

    Disable password authentication (optional but recommended). SSH into the ALPON and edit the SSH config:

    bash · edit sshd_config
    sudo nano /etc/ssh/sshd_config

    Find #PasswordAuthentication yes and change it to:

    config · /etc/ssh/sshd_config
    PasswordAuthentication no

    Save, exit, and restart the SSH service:

    bash · restart ssh
    sudo systemctl restart ssh
  3. 3

    Keep the system updated

    Keeping the system current is one of the simplest yet most effective security measures. Update the package list and upgrade installed packages:

    bash · update packages
    sudo apt update
    sudo apt upgrade

    Then update the default ALPON applications from Sixfab Connect: open the asset's DetailsDevice tab → Device Maintenance section → click Update.

  4. 4

    Set up and configure a firewall

    A firewall protects the system from unauthorized access. Install UFW:

    bash · install ufw
    sudo apt update && sudo apt install ufw

    Apply the essential rules — deny incoming by default, allow outgoing, and permit SSH plus the required Sixfab application ports:

    bash · ufw rules
    sudo ufw default deny incoming   # Block incoming by default
    sudo ufw default allow outgoing  # Allow outgoing
    sudo ufw allow 22                # SSH
    sudo ufw allow 30010             # Sixfab application
    sudo ufw allow 30030             # Sixfab application
    sudo ufw allow 30040             # Sixfab application
    sudo ufw allow 30080             # Sixfab application
    Other Sixfab ports

    The standard Sixfab apps on ports 30020, 30050, and 30070 do not need explicit firewall rules.

  5. 5

    Create a new user for daily use optional

    Create a new user:

    bash · add user
    sudo adduser <NEW_USERNAME>

    Assign the user to the sudo group for administrative privileges:

    bash · grant sudo
    sudo usermod -aG sudo <NEW_USERNAME>

    You can then log in with ssh NEW_USERNAME@YOUR_ALPON_IP.

A hardened ALPON

Securing an ALPON is a proactive process: lock down SSH access, patch known vulnerabilities with regular updates, and disable unused services to shrink the attack surface. Following these principles makes your ALPON X5 AI or ALPON X4 significantly more resilient against potential threats.