Extension Registration Security
Endpoint Security is the third line of defense in multi-layered security strategy, preventing fraudsters from registering or logging in to extension accounts. Yeastar P-Series PBX System has default rules to prevent malicious registration of SIP extensions by monitoring Registration Attempts, you can also enhance extension registration security by restricting Registration Credential, Concurrent Registration, User Agent, IP Address, and Remote Registration.
Account Lockout for Failed Registration Attempts
Yeastar P-Series PBX System has a built-in account lockout policy to prevent unauthorized access to extension accounts by automatically locking out the risky accounts after a certain number of failed registration attempts from the same IP address. When an account is locked out, the PBX will block the source IP address, display it in Block IPs, and send notifications of Extension Registration Blocked Out to the specified contacts.
To ensure that you can be notified when an account is locked out, you need to enable the event notification and add contacts to receive notifications.
- Go to .
- Under Event Type tab, turn on the notification of Extension Registration Blocked Out.
- Under Notification Contacts tab, add contacts to receive event notifications.
Use Complex Credentials for SIP Registration
Weak SIP credentials can leave a potential security gap that fraudsters can easily exploit. Therefore, complex name and password should be used when registering extensions.
- Go to , edit the desired extension.
- In the Extension Information section, set complex
registration name and registration password.Tip: Here are some tips for a complex credential:
- At least 8 characters long.
- A combination of uppercase letters, lowercase letters, and numbers.
- Click Save and Apply.
Restrict Multiple Registrations on the Same Extension
By default, Yeastar P-Series PBX System allows one extension to be registered on a single device only. We recommend that you keep the restriction UNLESS you need multiple devices to register with a single SIP extension. If necessary, you can increase the concurrent registration limit for a SIP extension as follows:
- Go to , edit the desired extension.
- In the Extension Information section, select a value from the drop-down list of .
- Click Save and Apply.
Restrict Extension Registration by User Agent
Restrict extension registration by authenticating user agent. When registering, SIP phones will send packets containing a user agent string. If the prefix of the user agent does not match the defined value, the registration will fail.
To restrict extension registration by user agent, follow the instructions below:
- Go to , edit the desired extension.
- Under Security tab, select the checkbox of Enable User Agent Registration Authorization, and set up the user agent.
- Click Save and Apply.
Restrict Extension Registration by IP Address
Restrict extension registration to trusted IP addresses. In this way, the system will automatically drop registration requests from untrusted IPs to prevent unauthorized devices from registering.
To restrict extension registration by IP address, follow the instructions below:
- Go to , edit the desired extension.
- Under Security tab, select the checkbox of Enable IP Restriction and add the allowed IP address.
- Click Save and Apply.
Restrict Remote Registration
By default, all extensions are restricted from remote registration. We recommend that you keep this restriction UNLESS a remote extension is required. If necessary, you can enable the remote registration feature for a SIP extension as follows:
- Go to , edit the desired extension.
- Under Security tab, select the checkbox of Allow Remote Registration.
- Click Save and Apply.