# Security Overview

Cloud Voice ships with several layers of protection you can combine to keep your phone system (the PBX, short for Private Branch Exchange) safe and your calls reliable. This page introduces each safeguard and points you to the detailed setup instructions.

A quick note on one term you will see throughout: **toll fraud** is when an attacker gains access to your system and places expensive calls (usually international or premium-rate) at your expense. Several of the controls below exist specifically to shut that down.

:::tip[Where to start]
If you only have time to turn on a few controls, prioritize the ones that limit outbound calling: **Outbound Call Frequency Restriction** and **Allowed Country Codes**. These are your first line of defense against toll fraud, which is the most common and most expensive attack on a phone system.
:::

## IP allowlists and blocklists

An IP (Internet Protocol) address is the numeric identifier a device uses on a network. Cloud Voice can treat individual addresses as always-trusted or block them automatically when they behave like an attacker.

### Allowed IPs

Add trusted IP addresses or domain names to the allowlist so the system never blocks them, even if their traffic pattern would otherwise trigger a defense rule. See [Add an Allowed IP Address](/pbx/administrator-guide/add-an-allowed-ip-address/) and [Manage Allowed IP Addresses](/pbx/administrator-guide/manage-allowed-ip-addresses/).

:::caution
An allowlisted address is exempt from the automatic blocking rules. If an attacker ever operated from that address, the system would not stop them. Only add addresses you fully control or fully trust, such as your office network or your service provider.
:::

### Blocked IPs

When the system blocks an address, it appears in the **Blocked IPs** list. If a legitimate address was blocked by mistake, remove it from that list to restore access. See [Manage Blocked IP Addresses](/pbx/administrator-guide/manage-blocked-ip-addresses/).

:::tip
This is the first place to look when a real user or device suddenly cannot connect. A common cause is repeated failed logins, which the system reads as an attack and blocks. Delete the entry to let them back in.
:::

## Outbound Call Frequency Restriction

This safeguard caps how many outbound calls may be placed within a given window of time, which helps shut down toll-fraud attempts. Out of the box, a default rule limits each extension to a maximum of 5 outbound calls per second. You can add your own rules on top of this to match how your business places calls. See [Add an 'Outbound Call Frequency Restriction' Rule](/pbx/administrator-guide/add-an-outbound-call-frequency-restriction-rule/).

:::danger
Do not remove or loosen the default limit unless you have a proven reason. A compromised extension can dial hundreds of premium-rate numbers per minute, and the resulting charges can be large and are usually not refundable. If anything, tighten this rule rather than relax it.
:::

## Account and login security

Cloud Voice includes several options you can mix and match to tighten access control.

### Passwordless Login

If your service provider needs to reach your system for remote support but you would rather not hand over the administrator credentials, enable passwordless login so they can connect without a password. See [Allow Passwordless Login to Cloud Voice](/pbx/administrator-guide/allow-passwordless-login-to-cloud-voice-p-series-cloud-edition/).

:::caution
Passwordless login is meant to be temporary. Leaving it on after a support session widens the ways someone can reach the administrator account. Turn it back off once the provider has finished.
:::

### Allowed Client Public IP Address

When your company reaches the internet through more than one public IP address, list the exact addresses your staff's Cloud Voice App (Web and Desktop) may connect from. The system then recognizes every authorized connection and accepts it, avoiding call failures or one-way audio caused by unexpected IP changes. See [Add Allowed Client Public IP Addresses](/pbx/administrator-guide/add-allowed-client-public-ip-addresses/).

:::caution
The list must include every public IP your users actually connect from. If one is missing, those clients can be rejected, which shows up as failed connections or one-way audio. Confirm the full set of addresses with your network team before you enable this.
:::

### Call Encryption Tunnel

For mobile calls, Cloud Voice can route all SIP (Session Initiation Protocol, the signaling that sets up a call) and RTP (Real-time Transport Protocol, the audio itself) of the Cloud Voice App through an encrypted tunnel to the system. This strengthens call privacy and helps sidestep carrier-level SIP blocking, so extensions stay registered and calls stay stable even on restrictive networks. See [Enable Encryption Tunnel for Cloud Voice App Mobile Calls](/pbx/administrator-guide/enable-encryption-tunnel-for-cloud-voice-app-mobile-calls/).

:::note
Reach for this option when mobile users on cellular data have trouble staying registered or report dropped and one-way calls. Some mobile carriers inspect and block plain SIP traffic, and the tunnel hides that traffic so it passes through.
:::

### Two-Factor Authentication

Turn on two-factor authentication (2FA) for the administrator account so that logging in requires both the account password and an additional verification code. See [Two-factor Authentication (2FA) Overview](/pbx/administrator-guide/two-factor-authentication-2fa-overview/).

:::tip
Enabling 2FA on the administrator account is one of the highest-value changes you can make, because that account controls the whole system. Make sure you keep a backup way to generate the code (for example, save the recovery details) so you do not lock yourself out if you lose your phone.
:::

### Extension Password Rule

Enforce password policies for both the registration password and the user password of extensions, raising the bar for extension account security. The registration password is what a phone or app uses to sign in as the extension, while the user password is what the person uses to sign in to the Cloud Voice App. See [Enforce Password Policy for Extensions](/pbx/administrator-guide/enforce-password-policy-for-extensions/).

### IP restriction for administrator login

Limit which IP addresses may be used to reach the administrator portal. See [Restrict Access to Administrator Portal by IP Addresses](/pbx/administrator-guide/restrict-access-to-administrator-portal-by-ip-addresses/).

:::caution
Only add addresses you are certain you will keep access to. If you restrict logins to an IP address that later changes, you can lock yourself out of the administrator portal and will need your service provider to restore access. Include a reliable address, such as a static office IP, and double-check it before saving.
:::

## Console / SSH access

Cloud Voice supports SSH (Secure Shell, a way to open a secure command-line connection to the system) so support engineers can open a temporary connection to inspect logs and troubleshoot the system. See [Access the System via SSH](/pbx/administrator-guide/access-the-system-via-ssh/).

:::caution
SSH grants deep, low-level access to the system. Enable it only while a trusted engineer needs it, and disable it again when the work is done. Leaving SSH open longer than necessary increases your exposure.
:::

## Country-based restrictions

### Allowed Country IPs

Restrict access to your phone system so that only the countries or regions you choose can connect. This closes off a common attack path where intruders reach your system from abroad to place international or long-distance calls, listen in on conversations, or otherwise tamper with it. By default, every country and region is allowed. See [Restrict Specific Countries or Regions from Accessing Cloud Voice](/pbx/administrator-guide/restrict-specific-countries-or-regions-from-accessing-cloud-voice-pbx/).

:::caution
Before you narrow this list, account for everywhere your legitimate users connect from, including remote staff, travelers, and any offices abroad. Blocking a region your own people rely on will cut off their access to the phone system.
:::

### Allowed Country Codes

Block outbound international calls to specific countries or regions, an effective way to contain toll fraud even when an outbound route permits international dialing. See [Restrict International Calls to Specific Countries or Regions](/pbx/administrator-guide/restrict-international-calls-to-specific-countries-or-regions/).

:::tip
A practical approach is to allow only the countries your business actually calls and block the rest. Attackers most often dial destinations you would never legitimately call, so limiting the list of permitted country codes removes their target while leaving your normal calling untouched.
:::
