Extension Registration Security

Endpoint Security is the third line of defense in multi-layered security strategy, preventing fraudsters from registering or logging in to extension accounts. Yeastar P-Series PBX System has default rules to prevent malicious registration of SIP extensions by monitoring Registration Attempts, you can also enhance extension registration security by restricting Registration Credential, Concurrent Registration, User Agent, IP Address, and Remote Registration.

Account Lockout for Failed Registration Attempts

Yeastar P-Series PBX System has a built-in account lockout policy to prevent unauthorized access to extension accounts. It automatically locks the risky accounts after a certain number of failed registration attempts from the same IP address. When an account is locked, the PBX will block the source IP address, display it in Blocked IPs, and send an Extension Registration Blocked Out notification to the specified contacts.

To ensure that you can be notified when an account is locked out, you need to enable the event notification and add contacts to receive notifications.

  1. Go to System > Event Notification.
  2. Under Event Type tab, turn on the notification of Extension Registration Blocked Out.

  3. Under Notification Contacts tab, add contacts to receive event notifications.

After receiving notifications, you can check the details on PBX web portal (Path: Security > Security Rules > Blocked IPs).

Use Complex Credentials for SIP Registration

Weak SIP credentials leave a potential security gap that fraudsters can readily exploit. You can mitigate the risk by enforcing system-wide password length requirements and configuring strong registration credentials for all extensions.

Enforce minimum registration password length
  1. Go to Security > Security Settings > Security Options.
  2. In the Extension Password Rules section, specify the minimum character length of registration password.

  3. Click Save and Apply.
Configure strong registration credentials for extension
  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the Extension Information section, set complex registration name and registration password.
    Tip: Here are some tips for a complex credential:
    • Use a combination of uppercase letters, lowercase letters, and numbers.
    • Avoid repeated or consecutive numbers.
    • Avoid extension number or extension name.
  3. Click Save and Apply.

Restrict Multiple Registrations on the Same Extension

By default, Yeastar P-Series PBX System allows one extension to be registered on a single device only. We recommend that you keep the restriction UNLESS you need multiple devices to register with a single SIP extension. If necessary, you can increase the concurrent registration limit for a SIP extension as follows:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the Extension Information section, select a value from the drop-down list of IP Phone Concurrent Registrations.

  3. Click Save and Apply.

Restrict Extension Registration by User Agent

Restrict extension registration by authenticating user agent. When registering, SIP phones will send packets containing a user agent string. If the prefix of the user agent does not match the defined value, the registration will fail.

To restrict extension registration by user agent, follow the instructions below:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under Security tab, select the checkbox of Enable User Agent Registration Authorization, and set up the user agent.

  3. Click Save and Apply.

Restrict Extension Registration by IP Address

Restrict extension registration to trusted IP addresses. In this way, the system will automatically drop registration requests from untrusted IPs to prevent unauthorized devices from registering.

To restrict extension registration by IP address, follow the instructions below:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under Security tab, select the checkbox of Enable IP Restriction and add the allowed IP address.

  3. Click Save and Apply.

Restrict Remote Registration

By default, all extensions are restricted from remote registration. We recommend that you keep this restriction UNLESS a remote extension is required. If necessary, you can enable the remote registration feature for a SIP extension as follows:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under Security tab, select the checkbox of Allow Remote Registration.

  3. Click Save and Apply.
Note: Further settings are required to register the extension on a remote phone. For more information on how to set up a remote phone, see Set up a Remote SIP Phone via Public IP Address and Port and Set up a Remote SIP Phone via Yeastar FQDN.