TheVoĉoTheVoĉo
Security

Security Rules

Purpose

Create and manage security rules to protect your PBX from unauthorized access and abuse.

IP Restrictions

Allowed IPs (Whitelist)

Purpose

Add trusted IP addresses that should never be blocked by security systems.

Use Cases

  • Office public IP address
  • VPN server IP ranges
  • Known SIP trunk provider IPs
  • Remote worker static IPs
  • Partner/vendor IPs requiring access

Go to Security > Allowed IPs and click Add IP.

Enter IP Information

  • Name: Descriptive label (e.g., "Main Office")
  • Type: IP Address or Domain Name
  • IP Address/Domain: Enter IP or FQDN
  • Subnet Mask: For IP ranges (e.g., /24)
  • Description: Purpose and owner

Save

Click Save to whitelist the IP.

Result

Whitelisted IPs bypass all security blocks and rate limits.

Examples

  • Single IP: 203.0.113.50
  • IP Range: 203.0.113.0/24 (256 addresses)
  • Domain: sip.provider.com

Best Practice

Whitelist conservatively. Too many allowed IPs reduce security effectiveness.

Blocked IPs (Blacklist)

Purpose

View and manage automatically blocked IP addresses.

How Blocking Works

Automatic blocking triggers after:

  • Multiple failed login attempts (5 within 5 minutes)
  • Repeated SIP registration failures (10 within 5 minutes)
  • Suspicious call patterns
  • Port scanning detection
Navigate to Security > Blocked IPs
View list with: IP address, block reason, block time, expiry time (auto-unblock after 24 hours)
Find IP in blocked list
Click Unblock button
Confirm action

Result

IP immediately removed from blacklist.

Use Case

Unblock legitimate IP that was mistakenly flagged (e.g., user forgot password, IT testing).

Navigate to Security > Blocked IPs
Select IP and click Block Permanently
IP never auto-expires

Use Case

Known malicious IP from repeated attack attempts.

Rate Limiting

Outbound Call Frequency Restriction

Purpose

Prevent toll fraud by limiting how many outbound calls can be made in a short time period.

Default Rule

  • Limit: 5 outbound calls
  • Time Period: 1 second
  • Applies To: All extensions

Result: Prevents automated dialing attacks that rapidly make expensive calls.

Creating Custom Rate Limit Rules

Purpose

Define specific rate limits for users, groups, or time periods.

Go to Security > Outbound Call Frequency Restriction and click Add Rule.

Configure Rule

Rule Name: Descriptive identifier

Apply To:

  • All Extensions: System-wide default
  • Specific Extensions: Select individual users
  • Extension Groups: Apply to entire group
  • Trunks: Limit calls via specific trunk

Call Limit:

  • Maximum Calls: Number of calls allowed
  • Time Period: Seconds, minutes, or hours
  • Example: "10 calls per minute"

Action When Exceeded:

  • Block: Reject additional calls
  • Alert: Allow but send notification
  • Route to Approval: Transfer to supervisor

Time Schedule (optional):

  • Apply rule during specific hours/days
  • Example: Stricter limits after hours

Save

Click Save to apply rule.

Result

Rule enforced immediately for specified targets.

Common Rate Limit Scenarios

  • Limit: 30 calls per minute
  • Applies To: Call center extension group
  • Purpose: Prevent autodialers from overwhelming trunks
  • Limit: 5 calls per minute
  • Applies To: All staff extensions
  • Purpose: Detect compromised accounts
  • Limit: 2 calls per hour
  • Applies To: All extensions
  • Time: 6 PM - 8 AM weekdays, all day weekends
  • Purpose: Prevent after-hours toll fraud
  • Limit: 3 calls per hour
  • Applies To: Users with international dial permissions
  • Purpose: Control high-cost international dialing
  • Limit: 1 call per minute
  • Applies To: Contractor extension group
  • Purpose: Minimize risk from temporary access

IP-Based Access Rules

Admin Portal IP Restriction

Purpose

Limit administrative access to specific IP addresses or ranges.

Enable IP Restriction

Navigate to Security > Settings > IP Restriction for Admin Login and enable Restrict Admin Access by IP.

Add Allowed IPs

Click Add IP Range and enter:

  • IP Address/Range: Office IP or VPN range
  • Description: Location/purpose

Repeat for all allowed IPs.

Save

Click Save to apply restrictions.

Result

Admin portal only accessible from whitelisted IPs. All other IPs see access denied error.

Use Case

Ensure administrators only log in from office network or company VPN.

Warning

Ensure you don't lock yourself out. Add your current IP before enabling.

Extension Registration Restrictions

Purpose

Limit where extensions can register from.

Navigate to Extensions > Select extension > Advanced > IP Restrictions
Enable Restrict by IP
Add allowed IP addresses/ranges
Click Save

Result

Extension can only register from whitelisted IPs.

Use Cases

  • Desk Phones: Restrict to office network only
  • Remote Workers: Allow home IP + VPN IP
  • Shared Extensions: Lock to specific location
  • High-Value Targets: Restrict executives to secure networks

Fail2Ban Integration

Purpose

Automatically block IPs after repeated failed authentication attempts.

How It Works

  1. System monitors authentication attempts
  2. Tracks failures per IP address
  3. After threshold exceeded, IP auto-blocked
  4. Block expires after timeout period
  5. Persistent offenders blocked permanently

Configure Parameters

Navigate to Security > Settings > Fail2Ban and configure:

  • Max Attempts: 3-10 failures
  • Time Window: 5-60 minutes
  • Block Duration: 15 minutes - 7 days
  • Permanent Block After: 3-10 temporary blocks

Enable Services

Enable for:

  • Web Login: Admin portal and user portal
  • SIP Registration: Extension registration
  • API Access: REST API authentication

Save and Monitor

Click Save to apply settings.

Result

Automated protection against brute-force attacks.

Monitoring

  • View blocked IPs in Security > Blocked IPs
  • Review fail2ban logs in System > Logs > Security

DDoS Protection

Purpose

Mitigate distributed denial-of-service attacks.

Built-In Protection

  • Cloud provider DDoS mitigation (TheVoĉo Cloud infrastructure)
  • Connection rate limiting
  • SYN flood protection
  • UDP flood detection

Configure Thresholds

Navigate to Security > Settings > DDoS Protection and configure:

  • Max Connections per IP: 50-500 simultaneous
  • Connection Rate: 10-100 per second
  • Packet Rate: 1000-10000 per second

Enable Auto-Block

Enable Auto-Block and set Block Duration: 1-24 hours.

Save

Click Save to activate protection.

Result

System automatically detects and blocks DDoS attacks.

Note

For TheVoĉo Cloud-PBX, DDoS protection is automatically managed. Custom configuration only needed for on-premise deployments.

Rule Priority

When Multiple Rules Apply

  1. Whitelist (Allowed IPs): Highest priority - never blocked
  2. Blacklist (Blocked IPs): Block always applies
  3. Country Restrictions: Geographic blocks
  4. Fail2Ban: Automatic blocking
  5. Rate Limits: Call frequency restrictions
  6. DDoS Protection: Network-level protection

Conflict Resolution: Most restrictive rule wins, except whitelisted IPs bypass all blocks.

Testing Security Rules

Create test extension
Apply rules to test extension/group

Verify Expected Behavior

  • Allowed access works
  • Blocked access fails appropriately
  • Rate limits trigger correctly
Monitor logs for unexpected blocks
Adjust thresholds as needed
Roll out to production
  • Periodic security audits
  • Penetration testing
  • Simulate attacks in staging
  • Review rule effectiveness

Troubleshooting

Check Blocked IPs list
Identify user's IP
Unblock IP immediately
Add to Allowed IPs if trusted
Investigate why user was blocked
Review rejected call logs
Identify legitimate use patterns
Adjust rule thresholds
Consider time-based rules (looser during business hours)
Verify rule is enabled
Check rule scope (applies to correct users/groups)
Review rule priority
Check for conflicting rules
Review system logs for errors
Whitelist known good IPs
Increase failure thresholds
Extend time windows
Refine rule targeting

Configuration Summary

Add Allowed IP

Security > Allowed IPs > Add → Enter name, IP/domain, description → Save

Unblock IP

Security > Blocked IPs → Find IP → Unblock

Create Rate Limit Rule

Security > Outbound Call Frequency > Add Rule → Set name, scope, limits → Save

Enable Admin IP Restriction

Security > Settings → Enable IP Restriction for Admin Login → Add allowed IPs → Save

Configure Fail2Ban

Security > Settings > Fail2Ban → Set thresholds → Enable for services → Save

Result

Security rules active and enforced system-wide.

Next Steps

Security Settings

Configure country restrictions and password policies

Extension Security

Secure individual extension configurations

Monitoring & Logs

Review security events and audit logs

Incident Response

Handle security breaches and incidents

Security

Protect your Cloud PBX system with comprehensive security controls

Security Settings

Configure global security options and policies

On this page

Security Rules
IP Restrictions
Allowed IPs (Whitelist)
Navigate to Allowed IPs
Enter IP Information
Save
Blocked IPs (Blacklist)
Rate Limiting
Outbound Call Frequency Restriction
Creating Custom Rate Limit Rules
Navigate and Create
Configure Rule
Save
Common Rate Limit Scenarios
IP-Based Access Rules
Admin Portal IP Restriction
Enable IP Restriction
Add Allowed IPs
Save
Extension Registration Restrictions
Fail2Ban Integration
Configure Parameters
Enable Services
Save and Monitor
DDoS Protection
Configure Thresholds
Enable Auto-Block
Save
Rule Priority
Testing Security Rules
Verify Expected Behavior
Troubleshooting
Configuration Summary
Add Allowed IP
Unblock IP
Create Rate Limit Rule
Enable Admin IP Restriction
Configure Fail2Ban
Next Steps