Security hardening checklist
A phone system on the internet is attacked from hour one — SIP scanners probing for extensions, brute-forcing registrations, hunting for toll-fraud routes. Exovo ships with the important defenses on by default; this page is the checklist of what's already protecting you and the handful of decisions worth making deliberately.
On by default
- Abuse control — brute-force detection with automatic IP blacklisting and SIP rate limiting.
- Strong generated credentials — SIP passwords, phone web passwords and provisioning tokens are random and per-device; nothing ships with a default password.
- Encrypted secrets at rest — trunk, CRM and integration credentials are encrypted in the database.
- Container hardening — services run with dropped privileges, the web app has no Docker socket, and internet-facing components hold no keys (see the architecture overview).
- HTTPS everywhere — Traefik redirects HTTP and maintains certificates.
Day-one checklist
- Restrict the admin console — Admin → Advanced → Console Restrictions limits console access to specific IPs/ranges (private ranges stay allowed so you can't lock yourself out of the LAN).
- Turn on 2FA for every admin-role account — each admin enrolls under Settings → Security, and you can Require it from Admin → Users so it can't be switched back off (details). When you require 2FA for a user who hasn't set it up yet, their next sign-in walks them through enrolling before they reach the app — password alone won't get them in.
- Tune allowed country codes — deny-by-default international dialing is the single biggest toll-fraud control.
- Review dialing classes so ordinary users can't reach premium or international routes they don't need.
- Enable the trunk allow-list once all your carriers are known-IP — inbound SIP from anywhere else is dropped.
- Turn on Secure SIP (Admin → Advanced → Secure SIP): TLS 1.2+ for signaling on 5061 and SRTP for media (optional per device, or mandatory if your whole fleet supports it).
- Restrict provisioning to your networks with the provisioning CIDR parameter if phones only ever provision from known ranges.
- Wire up alert emails — the security events (auto-bans, blocked countries, emergency dials) should reach a mailbox someone reads.
- Confirm backups are scheduled, off-box and passphrase-protected.
- Close unused firewall ports — the installation port table marks what's only needed for features you may not use (VPN, tunnel, TURN).
Ongoing
Watch the Event Log for anti-hacking activity after go-live week; review the IP blacklist occasionally; and keep the system updated — security fixes ride the same one-click update path as everything else.