Extension Login Security

Endpoint Security is the third line of defense in a multi-layered security strategy, preventing fraudsters from registering or logging in to extension accounts. Yeastar P-Series Software Edition has default rules that prevent malicious login to SIP extensions by monitoring Login Attempts. You can also enhance extension login security by using the Single Sign-on (SSO), Two-factor Authentication (2FA), Login QR Code / Link, Password, and User Role policies.

Account Lockout for Failed Login Attempts

Yeastar P-Series Software Edition has a built-in account lockout policy to prevent unauthorized access to the PBX web portal and Linkus clients:
  • If an IP address reaches the defined number of failed login attempts within a specific time period, the IP address will be denied further attempts temporarily.
  • If the IP address reaches the maximum number of failed login attempts, the IP address will be banned from logging into the account permanently. The PBX will block the IP address, display it in Blocked IPs, and send notifications of Web User Blocked Out or Linkus User Blocked Out to the specified contacts.
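
The two-tier policy described above can be modeled as follows. This is an added example, not Yeastar's code: the threshold values, the reset on successful login, and all names (`LockoutPolicy`, `replay`, `SAMPLE_EVENTS`) are assumptions, since the page does not state the PBX defaults.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration only; the page does not state the PBX defaults.
WINDOW_SECONDS = 600      # period in which failures are counted
TEMP_THRESHOLD = 5        # failures inside the window that trigger a temporary deny
TEMP_DENY_SECONDS = 600   # length of the temporary deny
MAX_FAILURES = 10         # total failures that trigger a permanent block

# Constructed sample events: (source IP, timestamp in seconds, login succeeded)
SAMPLE_EVENTS = (
    [("203.0.113.7", t, False) for t in (0, 10, 20, 30, 40, 100)]
    + [("198.51.100.20", 105, False), ("198.51.100.20", 115, True)]
    + [("203.0.113.7", t, False) for t in (700, 710, 720, 730, 740, 800)]
)

class LockoutPolicy:
    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> failure timestamps inside the window
        self.total = defaultdict(int)      # ip -> total failures so far
        self.denied_until = {}             # ip -> end of the temporary deny
        self.blocked = set()               # permanently blocked IPs

    def attempt(self, ip, ts, success):
        """Process one login attempt and return the decision for it."""
        if ip in self.blocked:
            return "blocked"
        if ts < self.denied_until.get(ip, 0):
            return "denied"                # refused before credentials are checked
        if success:
            self.recent[ip].clear()        # assumption: a successful login resets counters
            self.total[ip] = 0
            return "ok"
        self.total[ip] += 1
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()               # drop failures that fell out of the window
        if self.total[ip] >= MAX_FAILURES:
            self.blocked.add(ip)           # point where the block notification would fire
            return "blocked"
        if len(window) >= TEMP_THRESHOLD:
            self.denied_until[ip] = ts + TEMP_DENY_SECONDS
            window.clear()
            return "denied"
        return "failed"

def replay(events):  # returns (per-event decisions, set of blocked IPs)
    policy = LockoutPolicy()
    return [policy.attempt(ip, ts, ok) for ip, ts, ok in events], policy.blocked
```

Replaying `SAMPLE_EVENTS` shows the first source being temporarily denied on its fifth failure and permanently blocked on its tenth, while the second source's single mistyped password has no lasting effect.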

To ensure that you can be notified when an IP address is blocked, you need to enable the event notification and add contacts to receive notifications.

  1. Go to System > Event Notification.
  2. Under the Event Type tab, turn on the notification of Web User Blocked Out and Linkus User Blocked Out.
  3. Under the Notification Contacts tab, add contacts to receive event notifications.

After receiving notifications, you can check the details on the PBX web portal (Path: Security > Security Rules > Blocked IPs).

Single Sign-on (SSO) for Third-party Authentication

The integration between Yeastar P-Series Software Edition and Microsoft 365 supports the Single Sign-on (SSO) feature, which allows users to log in to Linkus UC Clients using their Microsoft accounts. This eliminates the need to remember multiple credentials. Additionally, it further enhances security because multi-factor authentication is mandatory for Microsoft accounts.

To allow users to log in to Linkus UC Clients using their Microsoft 365 accounts, you need to integrate the PBX with Azure Active Directory or Active Directory, and enable SSO. For more information on how to set up the integration, see Azure Active Directory Integration Guide and Active Directory Integration Guide.

Two-factor Authentication (2FA) for Extra Login Security

Two-factor Authentication (2FA) provides an extra layer of security to protect an account by requiring two verification factors to log in. The first factor is the password that is used to log in to the account; the second factor is a code that is sent to the specified device.

Extension users can enable 2FA themselves on Linkus Web Client or Linkus Desktop Client, either by installing an authenticator app on a smartphone or via email. With 2FA enabled, both the account password and an authentication code are required when logging in to their accounts. For more information on how to set up 2FA, see Enable 2FA on Linkus Web Client and Enable 2FA on Linkus Desktop Client.

Note: You can also enable 2FA for your Super Administrator account. For more information, see Enable 2FA using Authenticator Application or Enable 2FA using Email.

QR Code / Link for Passwordless Login

QR Code Authentication and Link Authentication are more secure ways to log in to Linkus clients than traditional password login, as they are encrypted and can only be used ONCE.

You can send the Linkus login QR code / link to users in the following ways:

Provide a single user with login QR code / link
  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. Under the Linkus Clients tab, click Login QR Code or Login Link to copy the credential and send it to users.

Provide multiple users with login QR code / link
  1. Go to Extension and Trunk > Extension.
  2. Select the desired extensions, then click Welcome Email.

Strong Password for Manual Login

Weak passwords can leave a potential security gap that fraudsters can easily exploit. Therefore, a strong password should be set in case users need to manually log in to Linkus UC clients.

  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the User Information section, set a strong user password.
    Tip: Here are some tips for a strong password:
    • At least 8 characters long.
    • A combination of uppercase letters, lowercase letters, and numbers.
  3. Click Save and Apply.

User Role for Granular Access Control

Role-based access control is a security approach that authorizes or restricts system access permissions to users based on their roles within the company. This allows users to access the administrative privileges they need to conduct their jobs, and minimizes the risk of unauthorized users accessing sensitive information or performing unauthorized tasks.

Yeastar P-Series Software Edition has built-in roles: Super Administrator, Administrator, Supervisor, Operator, Employee, Human Resource, and Accounting. You can use the built-in roles and assign them to employees without further configuration, or create your own custom roles with the exact set of permissions you need.

Create a Custom Role
  1. Go to Extension and Trunk > Role.
  2. Click Add to create a role from scratch, or click Copy Role to create a role by copying an existing role.

Assign Roles to Users
  1. Go to Extension and Trunk > Extension, edit the desired extension.
  2. In the User Information section, select a role from the drop-down list of User Role.
  3. Click Save and Apply.