# Extension Registration Security

Extension registration is a common target for attackers who try to hijack an account and place fraudulent calls. Cloud Voice treats the endpoint (the desk phone or app that signs in to an extension) as the third line of defense in a multi-layered security strategy, and it ships with default protection that watches for suspicious registration attempts. On top of those defaults, you can tighten who is allowed to register an extension by controlling the credentials, the number of simultaneous sessions, the client user agent, and the source IP address.

:::note
A few terms used throughout this page:

- **SIP** (Session Initiation Protocol) is the signaling protocol that phones and softphones use to register with the PBX and set up calls.
- **Registration** is the act of a device proving who it is and announcing that it is online and ready to make and receive calls on an extension.
- **IP address** (Internet Protocol address) is the network address a device uses on the internet or local network.

Endpoint security is the layer that decides which devices are even allowed to register, so it sits in front of everything else an extension can do.
:::

## Lock out accounts after repeated failed registrations

Cloud Voice enforces an account lockout policy out of the box, so no setup is required to turn the basic protection on. When it sees too many failed registration attempts coming from a single IP address, it treats that account as at risk and locks it automatically. The source IP is then blocked, added to the **Blocked IPs** list, and an **Extension Registration Blocked Out** event is raised so your team can react.

So that a lockout actually reaches someone, enable the matching event notification and choose who should receive it.

1. Go to **System > Event Notification**.
2. On the **Event Type** tab, turn on the **Extension Registration Blocked Out** notification.

   
   ![Cloud Voice, the Event Type list with the extension registration blocked out notification enabled](/images/pbx/extension-registration-blockout.png)
3. On the **Notification Contacts** tab, add the people who should be alerted.

   ![Adding contacts who receive event notifications](/images/pbx/add-notification-contacts.png)

Once you are notified of a lockout, review the specifics from the web portal under **Security > Security Rules > Blocked IPs**.

![The blocked IPs list showing an address barred after registration failures](/images/pbx/registration-block-pce.png)

:::caution
If a legitimate user is locked out (for example, after typing the wrong password too many times), their device will keep failing to register until you clear the block. Check **Security > Security Rules > Blocked IPs** and remove their address there before assuming the phone itself is broken.
:::

## Require complex SIP registration credentials

Weak registration names and passwords are one of the easiest gaps for an attacker to exploit. Close it by setting a system-wide minimum password length and by giving each extension strong, hard-to-guess credentials.

### Set a minimum registration password length

1. Go to **Security > Security Settings > Security Options**.
2. Under **Extension Password Rules**, set the minimum number of characters a registration password must contain.

   ![The extension password rules with a minimum length for registration passwords](/images/pbx/min-length-registration-psw.png)
3. Click **Save**, then **Apply**.

:::note
On Cloud Voice, **Save** stores your change but does not activate it. Nothing takes effect until you click **Apply**, which pushes the pending changes live. Get in the habit of doing both, or you may wonder why a setting is not working.
:::

### Strengthen an individual extension's credentials

1. Go to **Extension and Trunk > Extension** and open the extension you want to edit.
2. In the **Extension Information** section, enter a complex registration name and registration password.

   ![The extension information fields for registration name and password](/images/pbx/extension-information.png)

   :::tip
   For a credential that resists guessing:

   - Mix uppercase letters, lowercase letters, and numbers.
   - Steer clear of repeated or sequential digits.
   - Do not reuse the extension number or extension name.
   :::
3. Click **Save**, then **Apply**.

## Limit concurrent registrations on an extension

By default, an extension can register on a single IP phone and sign in once per Cloud Voice App client type. If a user genuinely needs more devices or sessions, raise the concurrent registration limits on that extension.

1. Go to **Extension and Trunk > Extension** and open the extension you want to edit.
2. In the **Extension Information** section, set the concurrent registration allowances you need.

   
   ![Cloud Voice, the concurrent registration settings for an extension](/images/pbx/concurrent-registrations.png)

   | Setting | Description |
   | --- | --- |
   | IP Phone Concurrent Registrations | Choose how many SIP endpoints may register with the extension at the same time. The maximum is 5. |
   | Cloud Voice App Web Client Concurrent Registrations | Choose how many web clients may be signed in to the extension at once. The maximum is 3. |
   | Cloud Voice App Desktop Client Concurrent Registrations | Choose how many desktop clients may be signed in to the extension at once. The maximum is 3. |
   | Cloud Voice App Mobile Client Concurrent Registrations | Choose how many mobile clients may be signed in to the extension at once. The maximum is 3. |
3. Click **Save**, then **Apply**.

:::caution
Every additional registration you allow is another door into the account. Raise these limits only for users who truly need extra devices, and set them back down when the need ends. Leaving the counts high "just in case" widens the attack surface with no benefit.
:::

## Restrict registration by user agent

A user agent is a short text label a device includes in its registration packets to identify what kind of phone or software it is. You can require that label to begin with a value you define; if the prefix does not match, the registration is rejected. This is a lightweight way to keep unexpected phone models or scanning tools from registering.

1. Go to **Extension and Trunk > Extension** and open the extension you want to edit.
2. On the **Security** tab, select **Enable User Agent Registration Authorization** and enter the user agent to allow.

   ![The security tab with user agent registration authorization enabled](/images/pbx/user-agent-restriction.png)
3. Click **Save**, then **Apply**.

:::caution
The prefix you enter must match the string the phone actually sends. If it is wrong (even a typo or wrong capitalization), the legitimate phone will fail to register and go offline. Confirm the exact user agent string of the device before you turn this on.
:::

## Restrict registration by IP address

You can also tie an extension to a set of trusted IP addresses. Registration requests from any other address are dropped automatically, which keeps unknown devices from registering.

1. Go to **Extension and Trunk > Extension** and open the extension you want to edit.
2. On the **Security** tab, select **Enable IP Restriction** and add the IP addresses that are allowed to register.

   ![The security tab with IP restriction enabled and an allowed address added](/images/pbx/sip-registration-ip-restriction-pce.png)
3. Click **Save**, then **Apply**.

:::caution
Only use this for devices with a stable address. Home and mobile users usually get a new public IP from time to time (their internet provider hands out dynamic addresses, and NAT (Network Address Translation) hides many devices behind one shared address). When their IP changes, the phone will suddenly be blocked. Prefer a fixed office IP or a known range, and document what you allow.
:::

:::danger
A phone that cannot register cannot place any calls, including emergency calls to 911. An overly strict user agent or IP restriction that blocks a legitimate device also removes its ability to reach emergency services. Double-check these settings before applying them, and verify the device can still register afterward.
:::
