Cloud Phone System For Modern Businesses

7 Best Practices for Securing VoIP PBX Phone System

VoIP PBX systems offer a number of business benefits including cost reduction, system flexibility and advanced features that can support your business as it grows. But they aren’t without risk. VoIP hacking and attacks can come from the internet or telephone lines, trying to exploit any number of different vulnerabilities, and eventually expose your organizations to toll fraud, theft of confidential information, and loss of revenue. PBX and VoIP security are without doubts under the core concern.

So how can you secure VoIP network and protect your business-crucial VoIP phone system from potential net threats and internal malfeasance? Here are some basic practices that you can perform.

PBX and VoIP Security Checklist

1. Use Strong Passwords

A weak password can leave a potential security gap which hackers can easily exploit. To that end, strong passwords should be used for every password required in your PBX. In general, a typical system will have passwords for: extension registrations, administration web interface, user web interfaces, and voicemails. It’s recommended that strong passwords of at least 8 characters, including a mix of the upper and lower case along with digits, be applied to wherever possible, and be changed periodically every 2-3 months at most.

2. Keep Your PBX Updated

A regular review and updating of your PBX firmware/software should be kept at the first line of your PBX security checklist. Typically, the most recent version is often the most secure with bugs and other potential vulnerabilities being found and fixed. In addition, certain critical security features or layers of protection are sometimes only supported by the latest version with technology evolving over time.

3. Separate Voice and Data Traffic

Separating voice and data traffic is commonly recognized as an effective method to counter VoIP security risks. For some VoIP ISPs, they provide dedicated SIP trunks that support NGN ports (Next Generation Network), which can separate data networks, voice networks and video networks or any combination of the three to form a converged network. But in case you lack the access of it, setting up VLAN (Virtual Local Networks) on your PBX system can be an alternative.

The voice traffic and data traffic can be logically separated by a VLAN switch. If one VLAN is penetrated, the other will remain secure. Also, limiting the rate of traffic to IP telephony, VLANs can slow down an outside attack.

4. Avoid Port Forwarding

In an attempt to offer remote access for mobile workers, some on-premises IP-PBX vendors will recommend doing port forwarding. But this is not a good idea at all. Port forwarding/port mapping risks potential attacks by opening a hole in your firewall. To do instead, deploying a VPN device at both ends or utilizing a secure cloud service can be a smart choice. The connected devices from both ends can form an encrypted secure “tunnel” over the public internet, keeping all of your traffic safe.

5. Secure the Trunks on PBX

One of the most noticeable purposes of PBX hacking is to kidnap the POTS lines or SIP trunks for expensive international calls. To prevent this, the easiest VoIP security practice is to restrict the use of outbound call from each vulnerable end-point and disallow anonymous incoming calls. This can be performed in the following 3 ways.

  • Set up outbound route permission: your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Considering setting different outbound routes for different trunks: local, long-distance and international, and assign outbound route permission only to the users that require the use of it. Limited access would bring a securer system.
  • Disallow anonymous incoming calls: the unknown calls may be charged to the bill of your trunks. Attackers can dial into a PBX system with anonymous numbers, then use the functionality of the PBX to generate an outbound call, and incur call charge. To prevent such attack in the first place, you can choose to disallow anonymous incoming calls through advanced SIP setting options of your PBX phone system.
  • Configure outbound restriction: if your PBX allows you to limit how many times a user can make outbound calls during a certain time period, remember to configure the settings. This will help minimize the losses caused by toll fraud if there is any.

6. Block Unauthorized Access with Firewall

Firewall rules are pre-configured rules to control and filter traffic that is sent to the PBX. You can create firewall rules on your PBX to filter specific source IP address/domain, ports, MAC address, and block dangerous (or suspicious) access that might contribute to attack fraud or calls loss. For example, you can manually add a rule to block untrusted web access with a specific range of IP addresses (IP Blocklisting), or define a few Accept Rules, or Allowlists, and drop all the packets and connections from other hosts to ensure system access.

To prevent massive connection attempts or brute force attacks, you can also utilize the incorporated anti-hacking auto-detection mechanisms (IP Auto Defense) of your PBX system. It can help you identify attackers per second, based on the packets sent within a specific time interval, and automatically block them.

7. Make Contingency Plan

Though anti-hacking measures can be taken to best protected your phone system, there is no absolute safety. If an attacker successfully infiltrated your PBX or forced your PBX to fail, you should have a contingency plan. Here are 3 tips you can perform.

  • Firstly, if your PBX has Event Notification feature, make sure to set it up properly to get informed of important happenings on your PBX system (i.e. the change of administrator password) just in time.
  • Secondly, schedule auto backup on your PBX. If your PBX cannot work, you can reset it and restore configurations from the backup file to ensure a fast recovery.
  • Thirdly, consider implementing a redundancy solution, which will help to keep your business’s phone system running as usual even when encountered with unexpected server failure.

Yeastar PBX: Revamped Security to Safeguard Your Phone System

Yeastar P-Series PBX System, S-Series VoIP PBX and Cloud PBX have strong built-in anti-hacking mechanisms and are kept revamped with new firmware releases. The robust incorporated firewall and IP Auto Defense system can block untrusted network access. Also, the advanced PBX setting options, for instance, SRTP, outbound call restriction, and event notification, provide ways to double layer your system and VoIP security.

Important: to upgrade your PBX security to next level, we recommend that you update your PBX firmware to the latest version where some system-critical potential vulnerabilities are found and fixed. You can download the latest firmware here or check for the update on your PBX web interface.

For more specific operations on how to secure your Yeastar PBX, please refer to our PBX security guide for P-Series PBX System here, S-Series VoIP PBX here, or for Yeastar Cloud PBX here.

Explore More Blogs

User Login

Instantaneously receive user login credentials via email once the extension has been deployed by the adminstrator.

Log in conveniently via any web browser for access to the user portal.

Event Center

Determine what events and logs are to be recorded and/or have notifications sent.

Specify particular notifications to be sent to respective authorized personnel.

User Login

Access and manage user settings for softphone application and voicemail.

Manage call routing and presence status for your individual extension.

Retrieve or download your personal call logs and recordings.

User Login

Receive your log-in credentials and set-up guide via email, sent by your admin.

Log-in on any web-browser to get started with PBX set-up.

Configure contacts and personal settings from the web portal.

Auto Provision

Add, remove, or modify IP phone settings from your web interface.

Upgrade IP phone firmware conveniently from your PBX.

Upload various default setting parameters specific to respective IP phone models for greater convenience during set-up.


Store, retrieve, and share company contact details easily on your PBX.

Have detailed contact information for your vendors and clients conveniently stored .

Bulk add a list of contacts instead of having to key details in individually.

PBX Monitor

Monitor the status extensions, whether they aren idle, in use, or unavailable.

Know whether your SIP Trunk running properly, or experiencing problems.

Monitor the number of call conferences currently running on your PBX, and their individual durations.


Check for and download firmware upgrades to ensure that your PBX is always up-to-date.

Perform back-ups to prevent data and settings from getting lost.

Perform troubleshooting on your own to debug.

Call Detailed Report

All call log activities are stored, with the option of having audio conversations recorded by default or for specific extensions.

Filter by date, time, or extension number to retrieve specific call logs or recordings

Playback call recordings directly from the PBX or download to store externally.

User Permission

Set up vaious groups of users for allocation to certain sets of access rules.

Determine what features a certain group of extensions can or cannot access.

Determine if users can access, play-back, or download call logs and recordings from the pbx.

Portal Login Page

Receive your administrator log-in credentials and set-up guide via email.

Log-in on any web-browser to get started with PBX set-up.

Installation Wizard will guide you through basic configurations.


Restrict a general group or specific IP addresses to prevent unauthorized access to your PBX.

Determine specific the range of SIP ports for connection between your PBX and endpoints.