
PortSIP Security Feature

Overview

When you are in charge of a VoIP system from planning through deployment, VoIP security is one of your main considerations. This document presents simple, clear guidelines for PortSIP PBX that help you understand its security features and make your PortSIP PBX deployment more resilient to network attacks.

Ports Security

PortSIP PBX provides various services that use different protocols on different ports. To secure the PBX, block the unnecessary ports on the firewall and allow remote access only to the ports below.

| Service | Port | Description |
| --- | --- | --- |
| Web Portal | 8887 | Web Portal over HTTPS |
| Web Portal | 8888 | Web Portal over HTTP |
| Rest API | 8899 | Rest API over HTTP |
| Rest API | 8900 | Rest API over HTTPS |
| WebRTC | 8881 | The WebRTC client over HTTPS |
| WSI | 8885 | The WebSocket Interface |
| File Access | 8882;8883;8884 | The ports for file download and upload over TCP |
| RTP | 25000-3499; 45000-64999 | The UDP ports for the RTP packets |
| SSH | 22 | SSH port over TCP |

By default, PortSIP creates the UDP transport on port 5060 and the WSS transport on port 5065. To use different ports, delete these transports and create them again on the new ports. After creating the transports on the new ports, don't forget to create the matching firewall rules with the firewalld command, and to create the security group rules if the PBX is deployed on a cloud platform.

We strongly suggest changing the default SSH port 22 to another port, for example 10210.

By default, after the PortSIP PBX is installed, firewalld is enabled and all firewall rules have been configured. If the PBX is installed on Debian/Ubuntu, the default firewall UFW is disabled.
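The following is an added example, not PortSIP's own tooling: it audits the output of `firewall-cmd --list-ports` against the port table above and prints the firewalld commands for the allowlist, including relocated SIP transport ports. It assumes TCP for the WebRTC, WSI and WSS ports, defaults `SSH_PORT` to the page's example 10210, treats 8888/tcp as a finding (see Web Access Security), and leaves out the first RTP range because the table prints it as "25000-3499".

```shell
#!/bin/sh
# Added example (not PortSIP code): audit firewalld against the port table above.

# SIP transport ports are configurable on the PBX; defaults are the ones the page names.
SIP_UDP_PORT="${SIP_UDP_PORT:-5060}"
SIP_WSS_PORT="${SIP_WSS_PORT:-5065}"
# Assumption: SSH has been moved to the page's example port.
SSH_PORT="${SSH_PORT:-10210}"

# Allowlist in firewall-cmd "port[-port]/proto" syntax, one entry per line.
# 8888/tcp (plain HTTP portal) is deliberately absent.
# The first RTP range is omitted: the table prints it as "25000-3499", confirm it first.
portsip_allowlist() {
  cat <<EOF
8887/tcp
8899/tcp
8900/tcp
8881/tcp
8885/tcp
8882-8884/tcp
45000-64999/udp
${SIP_UDP_PORT}/udp
${SIP_WSS_PORT}/tcp
${SSH_PORT}/tcp
EOF
}

# Succeeds when the given port or range lies inside an allowlist entry of the same protocol.
is_allowed() {
  ia_spec="${1%/*}"; ia_proto="${1#*/}"
  ia_lo="${ia_spec%-*}"; ia_hi="${ia_spec#*-}"
  for a in $(portsip_allowlist); do
    [ "${a#*/}" = "$ia_proto" ] || continue
    a_spec="${a%/*}"; a_lo="${a_spec%-*}"; a_hi="${a_spec#*-}"
    if [ "$ia_lo" -ge "$a_lo" ] 2>/dev/null && [ "$ia_hi" -le "$a_hi" ] 2>/dev/null; then
      return 0
    fi
  done
  return 1
}

# $1 = output of `firewall-cmd --list-ports`; prints one finding per line.
audit_open_ports() {
  for entry in $1; do
    case "$entry" in
      8888/tcp) echo "PLAINTEXT-HTTP $entry" ;;
      22/tcp)   [ "$SSH_PORT" = 22 ] || echo "DEFAULT-SSH $entry" ;;
      *)        is_allowed "$entry" || echo "UNEXPECTED $entry" ;;
    esac
  done
  return 0
}

# Prints (does not execute) the firewalld commands that apply the allowlist.
emit_rules() {
  for entry in $(portsip_allowlist); do
    echo "firewall-cmd --permanent --add-port=$entry"
  done
  echo "firewall-cmd --permanent --remove-port=8888/tcp"
  echo "firewall-cmd --reload"
}

# Constructed sample of `firewall-cmd --list-ports` output, used when firewalld is absent.
SAMPLE_LIST_PORTS="8887/tcp 8888/tcp 8900/tcp 8881/tcp 8885/tcp 8882-8884/tcp 45000-64999/udp 5060/udp 5065/tcp 22/tcp 3306/tcp"

if command -v firewall-cmd >/dev/null 2>&1; then
  audit_open_ports "$(firewall-cmd --list-ports 2>/dev/null)"
else
  audit_open_ports "$SAMPLE_LIST_PORTS"
fi
```

Review the output of `emit_rules` before running any of the printed commands, and set `SIP_UDP_PORT`, `SIP_WSS_PORT` and `SSH_PORT` to the ports actually configured.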

The Best Practices for AWS, Azure, GCE

  • When the PortSIP PBX is installed in AWS/Azure/GCE, run the PBX on a private network (called a VPC on AWS and GCE, and a VNet on Azure) so that the PBX is isolated from the internet.

  • To allow users to access the PBX from the internet, a static public IP must be assigned to the PBX server.

    • AWS: assign an Elastic IP to the PBX EC2 instance, and create the necessary inbound rules in the security group for the service ports listed in the section above

    • Azure: associate a Public IP with the PBX VM NIC, change the IP address assignment to static, and create the necessary inbound rules in the security group for the service ports listed in the section above

    • GCE: in the "External IP" settings, select a static external IP address to assign to the VM instance, and create the necessary VPC firewall rules for the service ports listed in the section above

  • Disable the firewalld service on the PBX server: systemctl disable firewalld && systemctl stop firewalld

Important: don't stop and disable firewalld if the PBX is deployed on-premise.

Network Security

Separate Voice Traffic and Data Traffic

Some VoIP ISPs provide dedicated SIP trunks that support NGN (Next Generation Network) ports. NGN can separate data, voice, and video networks, or any combination of the three, to form a converged network.

For on-premise deployments, the best practice is to set up VLANs (Virtual Local Area Networks) for the PBX. A VLAN can improve call quality and can also help secure the PBX. Voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secure. Also, limiting the rate of traffic to IP telephony VLANs can slow down an outside attack.

Transport Security

TLS and WSS for SIP Signaling

Transport Layer Security (TLS) is a mechanism for securing SIP connections. It is recommended to use TLS as the PortSIP PBX SIP transport to prevent the data passed between SIP endpoints and PortSIP PBX from being intercepted.

For the WebRTC client, PortSIP offers WSS transport (WebSockets over SSL/TLS). WSS is encrypted, just like HTTPS, and so protects against man-in-the-middle attacks. If the transport is secured, a range of attacks against WebSockets become infeasible.

SRTP and DTLS-SRTP for Audio and Video

PortSIP PBX and PortSIP Apps support SRTP and DTLS-SRTP. SRTP extends RTP to include encryption and authentication so that all SIP and WebRTC conversations are as secure as possible. The audio and video media data is transported and protected by SRTP/DTLS-SRTP with AES-256 encryption.

Web Access Security

PortSIP PBX provides HTTPS and HTTP access on ports 8887 and 8888, respectively. The following are the recommended practices for securing web portal transactions and preventing unwanted access.

  • Create a security rule/firewall rule to disable HTTP access on TCP port 8888

  • Disable Redirect from port 80

  • Disable Redirect from port 443

  • Upload trusted SSL certificates, for example an SSL certificate purchased from DigiCert or GeoTrust

Password and Login Security

Web Portal Username and Password for PBX Administrator

The default username and password of the PortSIP PBX administrator for Web Portal access are both "admin". We strongly suggest changing the username and password after first logging in to the Web Portal.

  • Click the left menu "Profile"; on the "General" page, enter a difficult-to-guess username, then click the "Apply" button to change the default username

  • Click the "avatar" in the upper right corner, choose the "Change Password" menu, then enter the current password and the new password. The new password must meet all the following requirements

    • Include at least one number

    • Include at least one lower-case letter

    • Include at least one upper-case letter

    • The password length must be 8 to 16 characters

Web Portal Username and Password for Tenant Manager

After a tenant is created, the PBX administrator sets up the username and password for the tenant manager.

We strongly suggest changing the username and password after the tenant manager first logs in to the Web Portal.

  • Click the left menu "Profile"; on the "General" page, enter a difficult-to-guess username, then click the "Apply" button to change the default username

  • Click the "avatar" in the upper right corner, choose the "Change Password" menu, then enter the current password and the new password. The new password must meet all the following requirements

    • Include at least one number

    • Include at least one lower-case letter

    • Include at least one upper-case letter

    • The password length must be 8 to 16 characters

Web Portal Username and Password for Extension

After a tenant is created, the tenant manager sets up the extension number and password for each extension. An extension has two passwords.

  • SIP Password. It is used by the IP phone, softphone, or WebRTC client to register to PortSIP PBX

  • Web Password. It is used by the extension to sign in to the PBX Web Portal to check voicemail, recordings, and CDRs

  • Both the SIP Password and the Web Password must meet all the following requirements

    • Include at least one number

    • Include at least one lower-case letter

    • Include at least one upper-case letter

    • The password length must be 8 to 16 characters

Login Security

After the PortSIP PBX administrator signs in to the Web Portal, some settings are available to secure logins for tenant managers, tenants, and extensions.

  • Click the left menu "Advanced > Security"; on the "Web Login" page, set the maximum number of login tries. The user's IP will be blocked if the number of failed login attempts exceeds the allowed number

  • Set the period of an IP block; a blocked IP will be unblocked after this time

SIP and TCP/IP Security

PortSIP PBX provides security features whose main purpose is to block malicious attacks targeting the PortSIP PBX in case the administrator has not taken the necessary precautions at the firewall level. They work by detecting and blocking packet floods / DoS attacks and brute-force dictionary attacks that try to identify extension numbers and crack their passwords.

Click the left menu "Advanced > Security"; the "Anti Hacking" page shows the main interface of the PortSIP PBX Anti Hacking configuration.

Detection Period

This is a time interval in seconds when counting starts but no action is enforced. To disable security, set it to a higher value.

Failed Authentication Protection

This is the protection in case the attacker tries to use a dictionary attack to guess the password set for a particular extension.

To do this the attacker has to send numerous requests, and after the server sends a “Proxy Authentication Required” message the attacker will send a request with authentication. With this feature, the attacker can only send 50 requests in an attempt to crack the password. If an IP address spams PortSIP with 50 wrong authentication attempts within the “Detection Period”, that IP address will be blocked and put in the blacklist for the time specified in the “SIP Blacklist time interval” parameter, by default 1 hour.

Failed Challenge Requests (407)

DoS attacks can send REGISTER/INVITE requests without replying to the challenge (407). Configure the number of "fake" requests that PortSIP PBX will accept per IP address. If this value is exceeded within the "Detection Period" interval, the source IP address is put in the blacklist. The IP will remain blacklisted until the "SIP Blacklist time interval" expires, by default 1 hour.
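The counting rule shared by Failed Authentication Protection and Failed Challenge Requests, modelled as an added Python example (not PortSIP's implementation): failures are counted per source IP over the Detection Period, and the address is blacklisted once the limit is reached. The 50-attempt limit and the 1-hour blacklist come from the page; the 60-second Detection Period, the class and function names, and the sample events are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILED_AUTH = 50      # page: 50 wrong attempts within the Detection Period
BLACKLIST_SECONDS = 3600  # page: "SIP Blacklist time interval", default 1 hour
DETECTION_PERIOD = 60     # assumption: the page gives no default value


class FailedAuthMonitor:
    """Per-source-IP sliding-window failure counter with a timed blacklist."""
    def __init__(self, limit=MAX_FAILED_AUTH, period=DETECTION_PERIOD,
                 block_for=BLACKLIST_SECONDS, whitelist=()):
        self.limit, self.period, self.block_for = limit, period, block_for
        self.whitelist = set(whitelist)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, float("-inf"))

    def record_failure(self, ip, now):
        """Count one failed authentication; return True if it triggers a block."""
        if ip in self.whitelist:
            return False                    # whitelisted sources are not checked
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - self.period:
            window.popleft()                # forget failures older than the period
        if len(window) >= self.limit:
            self.blocked_until[ip] = now + self.block_for
            window.clear()
            return True
        return False


def replay(events, **settings):
    """Feed (timestamp, ip) failures in time order; return {ip: first block time}."""
    monitor, blocked_at = FailedAuthMonitor(**settings), {}
    for ts, ip in sorted(events):
        if not monitor.is_blocked(ip, ts) and monitor.record_failure(ip, ts):
            blocked_at.setdefault(ip, ts)
    return blocked_at


# Constructed sample: one source failing once per second, one user with 3 typos.
SAMPLE = [(t, "203.0.113.7") for t in range(60)] + \
         [(t, "198.51.100.20") for t in (5, 20, 300)]
```

Calling `replay(SAMPLE)` blocks only the once-per-second source, at its 50th failure; the user with three scattered failures never reaches the limit.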

Level 2 security

This is the 2nd layer of protection. Here you can specify how many packets can be sent from a unique source IP address. The default value is 2000 packets per second. If an IP Address is sending more than 200 packets per second, it means that there is something wrong. At this point, the attacker IP will be blocked until the "Level 2 blacklist time interval" expires.

Level 1 security

This is the 1st layer of protection, measured in packets per second. If an IP sends more packets per second than the amount specified, it will be blacklisted for the “Level 1 blacklist time interval”. The default value is 500 packets per second.

At this layer, once the packet rate exceeds the configured limit, the blacklist is enforced and the user's IP is blacklisted for the “Level 1 blacklist time interval”.

Once an IP address has been blocked by the above L1/L2 rules, it is displayed in the menu "Blacklist and Codes > IP Blacklist", from which you can add it to the “Whitelist” manually.

Extension Security

All extensions are assigned to the "Default" extension group by default. The tenant manager can change the default user group settings to secure the extension.

Click "Call Manager > Extension Groups" on the left menu, then double-click the listed group to see the settings.

  • Allow Paging/Intercom: if selected, the group members can make Paging/Intercom calls

  • Allow external call: if selected, the group members can make outbound calls to the PSTN

  • Allow Access to Web Portal: if selected, the group members can sign in to the Web Portal

  • Enable Call Group Members: if selected, the group members can call other group members

Whitelist/Blacklist

PortSIP PBX allows you to whitelist and blacklist IP addresses. All traffic originating from whitelisted IP addresses will be allowed unchecked by the anti-hacking features. All traffic originating from blacklisted IP addresses will be dropped immediately and silently.

Adding a Whitelist Entry

Assume a remote office is connected to the PortSIP PBX. The public IP address of the remote office is 103.224.182.210. This IP address's traffic is safe to trust. Follow the settings below to add this IP address to a whitelist.

  • Click on "Blacklist and Codes" > "IP Blacklist"

  • Click "Add" to add an entry

  • Enter the IP address that you want to allow – in this example it should be 103.224.182.210 (you can also enter the IP 103.224.182.210.0 and choose a Subnet Mask to allow an IP range)

  • Choose "Allow" for the "Action" dropdown

  • Add a description for the IP address, for example, "My Remote office"

  • Click "Apply". An allow entry will be created on the IP Blacklist page for the whitelisted IP address. Traffic originating from this IP address will not be checked and the anti-hacking algorithms will not come into effect

Blocking an IP Address or a range of IP Addresses

Let us look at another scenario. Assume that there is a distributed attack coming from the following IP addresses: 41.202.160.2 and 41.202.191.5. These two IP addresses have already been blacklisted by PortSIP PBX’s anti-hacking auto-detection mechanisms. You would, however, want to blacklist the whole range, since you are sure that you will never get any legitimate traffic from these IP addresses. In this case, we will blacklist the whole range from 41.202.0.0 to 41.202.255.255, i.e. all the IP addresses that start with 41.202.

  • Click on "Blacklist and Codes" > "IP Blacklist"

  • Click "Add" to add an entry

  • In the “IP address” enter the first address of the network range you want to block. For this example, we will enter 41.202.0.0

  • Since we want to block all IP addresses starting with 41.202, we will select a Subnet Mask of 255.255.0.0. The range of IP addresses contained in this mask will be displayed below

  • Set Action to “Permanently block“

  • Enter a Description for this entry to help you remember why you added this entry, for example, “Anti D.O.S attack coming from 41.202.x.x”

  • Click “Apply“. A block entry will be created on the IP Blacklist page. All traffic coming from this IP address range will be checked, the anti-hacking algorithms will come into effect, and all packets from this IP address range will be completely dropped and ignored

  • The PortSIP Blacklist/Whitelist mechanism is not a replacement for a firewall. It merely provides a defense mechanism to help differentiate trusted traffic from untrusted traffic. If, for example, you want to block all traffic to your network and allow only your VoIP provider's IP address, you need to set this up on your firewall

When configuring a range of IP addresses in the Blacklist, you should also ensure that the range does not include the IP address of the server on which the PBX is installed.
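A pre-flight check for a block entry like the one above, as an added Python example (not PortSIP code): it derives the range from the address and subnet mask, confirms that the observed sources are covered, and flags any address that must stay reachable, such as the PBX itself or a whitelisted office. It goes one step beyond the page by also computing the tightest single range covering the observed sources; the function names and the PBX address 192.0.2.10 are assumptions.

```python
import ipaddress


def blacklist_range(address, subnet_mask):
    """Network covered by an entry given as IP address plus subnet mask."""
    # strict=False: a host address is accepted and the mask decides the range
    return ipaddress.ip_network(f"{address}/{subnet_mask}", strict=False)


def review_block_entry(address, subnet_mask, must_cover=(), must_not_cover=()):
    """Check a planned block entry before applying it.

    must_cover:     addresses the entry is meant to block
    must_not_cover: the PBX's own address, trunk peers, whitelisted offices
    Returns (network, problems); an empty list means no conflict was found.
    """
    net = blacklist_range(address, subnet_mask)
    problems = []
    for ip in must_cover:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{ip} is outside {net} and would not be blocked")
    for ip in must_not_cover:
        if ipaddress.ip_address(ip) in net:
            problems.append(f"{ip} is inside {net} and would be cut off")
    return net, problems


def smallest_covering_range(addresses):
    """Tightest single network that contains every listed address."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{ips[0]}/{ips[0].max_prefixlen}")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


if __name__ == "__main__":
    offenders = ["41.202.160.2", "41.202.191.5"]   # addresses from the page
    keep = ["103.224.182.210", "192.0.2.10"]       # 192.0.2.10: placeholder PBX
    net, problems = review_block_entry("41.202.0.0", "255.255.0.0", offenders, keep)
    print(net, net.num_addresses, problems)
    print("tightest range:", smallest_covering_range(offenders))
```

For the page's entry the check reports no conflicts and a range of 65536 addresses, while the two observed sources alone fit in a range of 8192 addresses.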

Trunk Security

SIP Trunking is often a Peer to Peer connection used primarily to deliver PSTN connectivity over VoIP. SIP Trunking is delivered in a couple of different ways: Internet Telephony Service Providers (ITSPs) deliver SIP Trunking over the Internet, and Managed Service Providers deliver SIP Trunking over dedicated carrier WAN connections. Applying security solutions involves providing a firewall in combination with an IP-PBX that is used to define the Peer to Peer relationship at the various network and VoIP application layers, and also ensuring that signaling and media are secure.

SIP Trunk Authentication

Register Based Authentication: Many SIP Trunk Service Providers will require a level of Authentication within the SIP Trunk. The Service Provider requires Registration Authentication and Call Initiation Authentication from the PBX. When the PBX initiates a call to the Service Provider, the PBX must provide Authentication within the SIP Protocol for the Service Provider to accept and process the call.

IP Based Authentication: Because some SIP Trunk Service Providers do not support the SIP REGISTER method, you'll need to set up the trunk as "IP Based" and add the trunk IP addresses as trusted peers in the PBX. The PBX then accepts SIP traffic from the trunk IPs and does not challenge it for authentication credentials.

PortSIP PBX supports both Register Based and IP Based Authentication trunks, but the IP Based Authentication trunk is strongly recommended because it is more secure.

PortSIP PBX also supports accepting registrations from a Trunk/E1/T1 gateway. For example, if an E1/T1 gateway is located in a local LAN but the PBX is in the cloud, we can create an "Accept Register" trunk in PortSIP PBX and set the username and password. The E1/T1 gateway will then be able to use that username and password to register to the PortSIP PBX, and the PBX only allows making and accepting calls with the E1/T1 gateway after it has been successfully authorized.

Outbound Route Permission

When creating an outbound rule in the PortSIP PBX, you will need to consider the outbound rule permissions for different users.

You can create the outbound rule using the called number prefix, the called number length, and the extension groups the caller belongs to.

For example, you can set up outbound rules as below.

  • Outbound rule for local calls

    • Create an outbound rule and select the trunk that is least-cost for local calls, and set the outbound rule permission for one or multiple extension groups. The extensions in those groups will be able to make local calls

  • Outbound rule for long-distance calls

    • Create an outbound rule and select the trunk that is least-cost for national calls, and set the outbound rule permission for one or multiple extension groups. The extensions in those groups will be able to make national calls

  • Outbound rule for international calls

    • Create an outbound rule and select the trunk that is least-cost for international calls, and set the outbound rule permission for one or multiple extension groups. The extensions in those groups will be able to make international calls

  • Office hours for the outbound rule

    • PortSIP PBX allows office hours to be specified for an outbound rule. Once set, the outbound rule is unavailable outside of those hours and no one can make calls through it

Disable Outbound Calls for the Extension Groups

The tenant manager can simply disable the outbound calls authorization for specific extension groups.

Click "Call Manager > Extension Groups" on the left menu, then double-click the listed group to see the settings.

  • Allow Paging/Intercom: if this option is not chosen, all members of the group will be unable to make outbound calls


Last updated 3 years ago