Docs navigation

Security hardening checklist

A phone system on the internet is attacked from hour one — SIP scanners probing for extensions, brute-forcing registrations, hunting for toll-fraud routes. Exovo ships with the important defenses on by default; this page is the checklist of what's already protecting you and the handful of decisions worth making deliberately.

On by default

  • Abuse control — brute-force detection with automatic IP blacklisting and SIP rate limiting.
  • Strong generated credentials — SIP passwords, phone web passwords and provisioning tokens are random and per-device; nothing ships with a default password.
  • Encrypted secrets at rest — trunk, CRM and integration credentials are encrypted in the database.
  • Container hardening — services run with dropped privileges, the web app has no Docker socket, and internet-facing components hold no keys (see the architecture overview).
  • HTTPS everywhere — Traefik redirects HTTP and maintains certificates.

Day-one checklist

  1. Restrict the admin consoleAdmin → Advanced → Console Restrictions limits console access to specific IPs/ranges (private ranges stay allowed so you can't lock yourself out of the LAN).
  2. Turn on 2FA for every admin-role account — each admin enrolls under Settings → Security, and you can Require it from Admin → Users so it can't be switched back off (details). When you require 2FA for a user who hasn't set it up yet, their next sign-in walks them through enrolling before they reach the app — password alone won't get them in.
  3. Tune allowed country codes — deny-by-default international dialing is the single biggest toll-fraud control.
  4. Review dialing classes so ordinary users can't reach premium or international routes they don't need.
  5. Enable the trunk allow-list once all your carriers are known-IP — inbound SIP from anywhere else is dropped.
  6. Turn on Secure SIP (Admin → Advanced → Secure SIP): TLS 1.2+ for signaling on 5061 and SRTP for media (optional per device, or mandatory if your whole fleet supports it).
  7. Restrict provisioning to your networks with the provisioning CIDR parameter if phones only ever provision from known ranges.
  8. Wire up alert emails — the security events (auto-bans, blocked countries, emergency dials) should reach a mailbox someone reads.
  9. Confirm backups are scheduled, off-box and passphrase-protected.
  10. Close unused firewall ports — the installation port table marks what's only needed for features you may not use (VPN, tunnel, TURN).

Ongoing

Watch the Event Log for anti-hacking activity after go-live week; review the IP blacklist occasionally; and keep the system updated — security fixes ride the same one-click update path as everything else.