I’m currently working on a router “backdoor” setup based on PortServer TS1/2 devices.
I’ve encountered a few shortcomings in the security features supported by these devices.
The root account is always able to log in to the PortServer - this is probably quite useful, but it also leaves the root account open to brute-force attacks. Why not make it possible to associate a public key (for SSH) with the root user as well? This way it would actually be possible to control all access to the PortServer with certificates - which at this point makes no sense, as the root account is always allowed to log in anyway…
Listening TCP ports - the PortServer has several ports listening even after the associated services are disabled. Telnet, for instance, leaves port TCP21 open even when disabled.
I really hope you will consider addressing these issues as they would make it possible to use the PortServers directly over the internet without any further security measures.