From VoIP.ms Wiki
|[quality revision]||[quality revision]|
(→Use IP and POP restrictions)
|Line 1:||Line 1:|
Latest revision as of 21:34, 6 November 2020
|Article en Français||Artículo en Español|
Security for VoIP.ms Customers
Your calls and the login process for VoIP.ms are very secure from our network. To login to your account you will need to enter your information on our secure HTTPS portal (https://www.voip.ms). This login information is encrypted and is not sent to the open web.
Calls are made with the SIP/2.0 protocol which is built to work with point to point connections. Essentially your call authentication (Login) information is only sent between your VoIP equipment (hardware or software) and VoIP.ms and it is encrypted. Please note that by default we do not encrypt the SIP traffic, however, the passwords are MD5 hashed. Basically, the communication is secure but not encrypted.
We now provide the feature that allows you to enable the SIP Traffic encryption, visite the article Call Encryption - TLS/SRTP if you need it!
Keep in mind that we do not listen in on calls nor have access to user`s account passwords.
We believe in customer privacy at VoIP.ms, as disclosed in our User Agreement.
Our initial protection to all our customers and potential customers is that we have an IP Security Company that prevents Proxy Logins. This Means that no one can make an account and have it automatically activated nor can a person access your Customer Portal by trying to hide their originating IP address.
How to be sure you are Protected?
To further protect yourself there are a few steps you may take with your VoIP.ms account. The information provided below is provided to assist you in both securing your end and protecting your account(s) with VoIP.ms.
Choose passwords which are not easy to decipher when opening your account using both numbers and special characters as well as alphabetical characters. In addition to choosing a secure password for your VoIP.ms Account Customer Portal, you can also change your SIP Account Password so that the 2 are different. You may change your Customer Portal login password and/or SIP password at any time here https://www.voip.ms/m/settings.php then click on your security tab.
For users using devices/software requiring login, a secure password will also help. Most notably users using PBX software such as Asterisk, pbxnsip, 3CX... etc will definitely want to ensure they are using complex passwords as PBX systems are common targets for third parties to hack and use for fraudulent purposes. Weak passwords are the most common way a PBX extension(s) can be compromised and used for calls that will be charged to your VoIP.ms account.
Maintain the Sub Accounts
Verify and delete any old subaccount that is no longer used. An old subaccount with an outdated password is a potential point of access.
Use IP and POP restrictions
If Ip restriction is enabled, the system will onlly allow outgoing phone calls from the IP addresses provided. If POP restriction is enabled, the system will only allow outgoing phone calls from the POP servers selected in this configuration. These options can be enabled or disabled on the main and sub accounts. For Main Account go to Main Menu >> Account Settings >> Security. For Sub Accounts enter to edit your Sub Account and go to the security section.
Change the default password on your device. Most IP Phones and different flavors of PBX installs come with default administration passwords to access their web configuration portal. Make sure to change the default passwords immediately after your initial setup and also make sure the web interface is not reachable from the internet.
We are not responsible for unwanted access to software or hardware, and calls made from your software or hardware, on the user's end.
Foreign IP Guard
In your Customer Portal>> Main Menu>> Account Settings>> Security tab you will see your Foreign IP Guard. This prevents any foreign country IP from access your Customer Portal. If a foreign IP attempts to access your portal you will receive an email asking if you want to authorize this IP to do so. This is in case you are trying to access it while in a foreign country.
Restrict Calling Areas
If you only call certain countries or areas of the world from your VoIP.ms account we suggest you disable calling to areas you either never or infrequently call. You can configure within the Customer Portal>> Main Menu>> Account Settings under the Account Restrictions Tab "Allow International Calls" to Allow or Disallow International Calling. The Allow Calls to Countries setting will let you choose to only allow calls to specific countries and/or regions of the world. For example if you never or rarely call anywhere in Africa you can choose to disable calls to all of Africa. When calling a region/country that has not been allowed you will be directed to an error message stating calls are not enabled to this area.
We strongly recommend customers using IP PBX's (such as Asterisk, 3CX, pbxnsip, etc) only enable calling to areas/countries you actually call as a fraud control should your IP PBX be compromised. This will in many cases prevent expensive calls from being placed on your VoIP.ms account should your IP PBX be compromised, as most fraudulent calls are placed to generally expensive and frequently non-called areas of the world by most of our customers.
Max Call Time
You can further protect yourself by going to Customer Portal>> Main Menu>> Account Settings and under the Account Restrictions Tab a maximum calling time for Max. Call Time for US48/Canadian Calls or for Max. Call Time for International Calls. This affects the length of time an outbound call can take and will cut off the call at the time specified.
International Amount Restriction
Another Feature to further protect yourself is the International Amount Restriction which you can get to by going to Customer Portal>> Main Menu>> Account Settings and under the Account Restrictions Tab. This sets a maximum amount per minute allowed for international calling so that very expensive per minute countries or telephones cannot be called.
Most users today use routers to access the internet. While this may be advanced for some users we highly recommend that you check the basic security settings for your router to make sure that remote login is not enabled and, if it is, that it is secured with a strong password.
Remote access may also be investigated to make sure that only the wanted users have access to make changes and actually login to your network. A secure network will also lead to less worry and not just with VoIP.ms.
Avoid leaving your PBX systems, ATA Adapters and IP Phones open to the internet. Do not use DMZ mode on your router and do not forward ports to your equipment, unless you absolutely know what you are doing. This is only needed on specific cases, and only leave it open to the internet if you have experience on how to properly manage security on equipment that is open to the internet.
Finally for some users, mainly users of PBX systems such as 3CX and especially Asterisk based systems, unwanted access should be a top concern. In general if you do not have a basic understanding of networks and authentication it is highly recommended that you speak to a professional or someone with more experience in these fields in order to make sure you are using the correct solution for your needs.
The list below provides some information which will certainly be beneficial in these cases:
NOTE: Some of the information below may be too advanced for certain users. If you do not understand the information below then we highly recommend visiting a forum or speaking with someone more familiar with these concepts.
Use port security options, such as fail2ban, portsentry, portmap...etc to secure local ports and monitor for unwanted traffic Use firewalls to secure the system locally by limiting access for the services you actually need to run on your system Blocking ports at the gateway/router level can also provide extra security for your network and is recommended Block services which are not being used using xinetd.conf or inetd.conf Properly secure ssh, ftp and/or telnet services to prevent unwanted access Make sure the sudo command allows access to only the necessary users. This is done in the /etc/sudoers file on most Unix systems Make sure that the root account is secured and if necessary is disabled in favor of a user who can use the sudo command Check your running services and disable any unneeded services. For example if you do not need an ftp server you may want to disable it Make sure that local extensions on your PBX have secured passwords to prevent easy access
General Device Security
Please make sure that your device is not accessible through external means. Your device should only be able to be accessed locally when connected through your own network. This can be achieved, as mentioned in previous points, by making sure that your device is not placed in DMZ, set on a public IP, or that TCP Port 80 is forwarded to it.
Confirm that both your device's admin and guest passwords have been changed to something strong, making sure that you are not able to access your device using the default passwords that appear in your manual (e.g. admin). It is very important that you remember this new password in case you need to make any further changes to your configuration in the future.
If you have no need for Call Transfers and Call Forwarding (Setup on your device, instead of using our own feature), please disable them on your device's configuration settings. Most of these features can be deactivated through their web interface, and some devices have feature star codes to disable these as well, you can check your manual and documentation for more information.
Please see our page here http://wiki.voip.ms/article/PBX_Security for PBX Security Details.
VoIP.ms services are proven to be among the best offered on the internet. We take pride in knowing that our clients have with us what they are looking for. As such we believe that any single VoIP.ms client should be able to trust that we can deliver the features and services they need as well as believe that the client can access their accounts and use their software or hardware without any serious concerns. We do hope that the above information has helped you secure your initial account options and welcome you to contact us via Live Chat or the Ticket System if you have any questions or issues.