Extension Registration Security

Endpoint Security is the third line of defense in multi-layered security strategy, preventing fraudsters from registering or logging in to extension accounts. Yeastar P-Series Cloud Edition has default rules to prevent malicious registration of SIP extensions by monitoring Registration Attempts, you can also enhance extension registration security by restricting Registration Credential, Concurrent Registration, User Agent, and IP Address.

Account Lockout for Failed Registration Attempts

Yeastar P-Series Cloud Edition has a built-in account lockout policy to prevent unauthorized access to extension accounts by automatically locking out the risky accounts after a certain number of failed registration attempts from the same IP address. When an account is locked out, the PBX will block the source IP address, display it in Block IPs, and send notifications of Extension Registration Blocked Out to the specified contacts.

To ensure that you can be notified when an account is locked out, you need to enable the event notification and add contacts to receive notifications.

  1. Go to System > Event Notification.
  2. Under Event Type tab, turn on the notification of Extension Registration Blocked Out.
  3. Under Notification Contacts tab, add contacts to receive event notifications.

After receiving notifications, you can check the details on PBX web portal (Path: Security > Security Rules > Blocked IPs).

Use Complex Credentials for SIP Registration

Weak SIP credentials can leave a potential security gap that fraudsters can easily exploit. Therefore, complex name and password should be used when registering extensions.

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the Extension Information section, set complex registration name and registration password.
    Tip: Here are some tips for a complex credential:
    • At least 10 characters long.
    • A combination of uppercase letters, lowercase letters, and numbers.
    • Avoid 4 repeated or consecutive numbers.
    • Avoid extension number or extension name.
  3. Click Save and Apply.

Restrict Multiple Registrations on the Same Extension

By default, Yeastar P-Series Cloud Edition allows one extension to be registered on a single device only. We recommend that you keep the restriction UNLESS you need multiple devices to register with a single SIP extension. If necessary, you can increase the concurrent registration limit for a SIP extension as follows:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the Extension Information section, select a value from the drop-down list of IP Phone Concurrent Registrations.

  3. Click Save and Apply.

Restrict Extension Registration by User Agent

Restrict extension registration by authenticating user agent. When registering, SIP phones will send packets containing a user agent string. If the prefix of the user agent does not match the defined value, the registration will fail.

To restrict extension registration by user agent, follow the instructions below:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under Security tab, select the checkbox of Enable User Agent Registration Authorization, and set up the user agent.

  3. Click Save and Apply.

Restrict Extension Registration by IP Address

Restrict extension registration to trusted IP addresses. In this way, the system will automatically drop registration requests from untrusted IPs to prevent unauthorized devices from registering.

To restrict extension registration by IP address, follow the instructions below:

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under Security tab, select the checkbox of Enable IP Restriction and add the allowed IP address.

  3. Click Save and Apply.