Detecting the security risks
This section describes how to detect the security risks and take actions to secure the FortiVoice phone system.
Monitor > Log > Voice provides the window to investigate the security risks. It displays the phone call activities between your FortiVoice unit and other PBXes. The "sip authentication fails" messages show the IP addresses that have failed to authenticate with your FortiVoice unit; some of these IP addresses might be security risks. Depending on the configured threshold, the FortiVoice unit blocks an IP address when its number of attempted logins reaches the set threshold. At the same time, an alert email is sent out. See Setting the authentication failure parameters.
Voice log example:
To send alert emails, enter the email address in Log & Report > Alert > Configuration and enable the Massive SIP authentication failure option in Log & Report > Alert > Category.
You may take actions after receiving an alert email. See Reviewing blocked SIP device IP addresses.
Alert email example
Setting the authentication failure parameters
You can use the CLI to set the authentication failure parameters.
config security sip-authentication-failure
set threshold
set interval
set max-notification
end
CLI command | Description |
---|---|
config security sip-authentication-failure | Use this command to configure SIP authentication failure parameters. |
set threshold | Set the threshold for blocking IP addresses from logging in to the FortiVoice Phone System and sending an alert email. The default is 50 attempted logins per minute. |
set interval | Set the time interval to check the phone call activities. The default is 60 seconds. |
set max-notification | Set the maximum number of notification emails to send after the threshold is reached. The default is 100. |
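
To review exported voice log lines offline against the same rule, the following Python code (an added example, not Fortinet code) counts "sip authentication fails" entries per source IP address and reports each address that reaches the threshold within the interval, using the defaults above (50 failures, 60 seconds). The log line layout, the function names, the sample addresses and the use of a sliding window are assumptions made for illustration; adjust the regular expression to the layout of your own export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed export layout (not FortiVoice's documented format):
#   "<YYYY-MM-DD HH:MM:SS> <message text> from <IPv4>"
FAIL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*sip authentication fails"
                     r".* from (\d{1,3}(?:\.\d{1,3}){3})\s*$", re.IGNORECASE)

def find_offenders(lines, threshold=50, interval=60, exempt=()):
    """Map each source IP to the time it first reached `threshold` failures
    inside a sliding window of `interval` seconds. Lines must be time-ordered."""
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)      # ip -> failure timestamps still in window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                 # not an authentication failure entry
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in exempt or ip in offenders:
            continue                 # exempted, or already reported
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # expire failures older than the interval
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed sample data (documentation-range addresses, invented text)."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{start:%Y-%m-%d %H:%M:%S} call established ext 1001 from 192.0.2.50"]
    for i in range(60):
        fast = start + timedelta(seconds=i)       # 1 failure per second
        slow = start + timedelta(seconds=5 * i)   # 1 failure per 5 seconds
        for ts, ip in ((fast, "198.51.100.7"), (fast, "192.0.2.10"),
                       (slow, "203.0.113.9")):
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} sip authentication fails from {ip}")
    return sorted(lines)             # timestamp prefix sorts chronologically

if __name__ == "__main__":
    hits = find_offenders(sample_log(), exempt={"192.0.2.10"})
    for ip, when in hits.items():
        print(f"{ip} reached the threshold at {when}")
```

Lowering `threshold` or `interval` in the call shows which additional addresses a stricter setting would have caught before you change the values on the unit.
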
Reviewing blocked SIP device IP addresses
The FortiVoice unit automatically blocks IP addresses of the SIP devices that initiate the attacks against any extensions based on the thresholds and parameters set.
For blocked IP addresses, you may select an IP address to delete it, add it to the exempt list if it is wrongly blocked, and view its blocked history.
For auto exempt IP addresses, you may select an IP address to delete it if you find it suspicious.
To view the blocked IP addresses, go to Monitor > Security > Blocked IP.
To view the exempted IP addresses, go to Monitor > Security > Auto Exempt IP.