Enterprise Security Documentation
This document provides comprehensive security documentation for VoIPmonitor, intended for Chief Information Security Officers (CISOs), security teams, and compliance auditors conducting security assessments.
Executive Summary
VoIPmonitor is an open-source network packet sniffer and call analyzer for SIP VoIP traffic. This document outlines security controls, architecture, compliance capabilities, and best practices for secure deployment.
| Category | Summary |
|---|---|
| Deployment Model | On-premises software (self-hosted) |
| Data Location | Customer-controlled infrastructure |
| Encryption | TLS for web GUI, optional database encryption, encrypted sensor communication |
| Authentication | Local accounts, LDAP, OAuth 2.0 (Google/Microsoft), 2FA |
Security Architecture
System Components
Network Ports
| Port | Protocol | Component | Security Recommendation |
|---|---|---|---|
| 80 | TCP | Web GUI (HTTP) | Redirect to HTTPS |
| 443 | TCP | Web GUI (HTTPS) | Required - Use valid TLS certificate |
| 3306 | TCP | MySQL Database | Internal only - Never expose publicly |
| 5029 | TCP | Manager API | Internal only - Restrict via firewall |
| 60024 | TCP | Sensor-to-Server | Encrypted with shared secret |
| 5060/5061 | UDP/TCP | SIP Monitoring | Passive monitoring interface |
⚠️ Warning: Ports 3306 (MySQL) and 5029 (Manager API) must NEVER be exposed to the public internet.
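A check for the warning above, added here as an example and not part of VoIPmonitor's own tooling: it reads `ss -H -ltn` output and lists any listener on 3306 or 5029 bound to a non-loopback address, so each can be compared against the firewall rules. The function names and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners on the "Internal only" ports (3306, 5029)
# that are bound to a non-loopback address.
# Input on stdin: output of `ss -H -ltn`
# (columns: State Recv-Q Send-Q Local:Port Peer:Port).

exposed_listeners() {
    awk -v ports="3306 5029" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print port, addr
        }' | sort
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
LISTEN 0 80   127.0.0.1:3306   0.0.0.0:*
LISTEN 0 128  0.0.0.0:5029     0.0.0.0:*
LISTEN 0 511  *:443            *:*
LISTEN 0 128  [::]:3306        [::]:*
LISTEN 0 128  10.0.0.5:60024   0.0.0.0:*
EOF
}

sample_ss | exposed_listeners
# On a live host: ss -H -ltn | exposed_listeners
```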
Authentication & Access Control
Supported Authentication Methods
| Method | Description | Documentation |
|---|---|---|
| Local Accounts | Built-in username/password with SHA-256 hashing | Default method |
| Two-Factor Authentication (2FA) | TOTP-based second factor | Settings > System Configuration |
| LDAP Integration | Authenticate against Active Directory/LDAP | Custom Login |
| Google Sign-In (OAuth 2.0) | Google Workspace SSO | Google_Sign_in_usage |
| Microsoft Sign-In (Entra ID) | Microsoft 365/Azure AD SSO | Microsoft_Sign_in_usage |
| REMOTE_USER | External authentication (SSO, Kerberos) | REMOTE_USER_Authentication |
Session Security
- Session ID Regeneration - Automatic regeneration on login (prevents session fixation attacks)
- Configurable Timeout - Set via PHP session.gc_maxlifetime
- Session IP Validation - Optional binding to client IP address
- Manual Invalidation - Administrators can terminate sessions
Role-Based Access Control
VoIPmonitor supports granular permissions:
- User-level access restrictions
- IP-based access restrictions (Users > Secure users tab)
- Group-based permissions
- Read-only vs. administrative access
Data Protection
Data Classification
| Data Type | Sensitivity | Storage | Protection Options |
|---|---|---|---|
| Call metadata (CDRs) | Medium-High | MySQL database | TDE, filesystem encryption |
| User credentials | High | MySQL database | SHA-256 hashed (or LDAP offload) |
| Call recordings | High | Filesystem | Filesystem encryption (LUKS) |
| Configuration files | Medium | Filesystem (/etc/voipmonitor.conf) | File permissions (600) |
| Session data | Medium | PHP session storage | Secure session configuration |
Encryption Capabilities
Data in Transit:
- HTTPS/TLS for web GUI access
- Optional TLS for MySQL connections (SSL/TLS_connection_to_the_Mysql/MariaDB)
- Encrypted sensor-to-server communication (server_password)
Data at Rest:
- Database: MySQL/MariaDB Transparent Data Encryption (TDE)
- Filesystem: LUKS, dm-crypt, or hardware encryption
- Note: VoIPmonitor does not encrypt data at rest natively - use infrastructure-level encryption
Privacy Features
- Data Retention Policies - Automated cleanup via cleandatabase settings
- Audit Logging - File-based logging via AUDIT_LOG_FILE in configuration.php
Compliance Framework
Audit Logging
Enable comprehensive audit logging:
// In /var/www/html/config/configuration.php
define('AUDIT_LOG_FILE', '/var/log/voipmonitor/audit.log');
Logged events include:
- User logins/logouts
- Configuration changes
- Data access
- Administrative actions
Vulnerability Management
Software Updates
- Subscribe to VoIPmonitor security announcements
- Regular update schedule recommended
- Test updates in staging environment before production deployment
Security Hardening Checklist
Web Server:
- [ ] HTTPS enabled with valid certificate
- [ ] HTTP redirected to HTTPS
- [ ] TLS 1.2+ only (disable older protocols)
- [ ] Strong cipher suites configured
- [ ] HTTP security headers (HSTS, X-Frame-Options, CSP)
Application:
- [ ] 2FA enabled for administrative accounts
- [ ] Strong password policy enforced
- [ ] Unused accounts disabled/removed
- [ ] IP restrictions configured where possible
- [ ] Audit logging enabled
Infrastructure:
- [ ] Firewall rules restricting access to management ports
- [ ] Database not exposed to public internet
- [ ] File permissions properly set (/etc/voipmonitor.conf = 600)
- [ ] Unnecessary services disabled
- [ ] Regular security updates applied
Monitoring:
- [ ] Log aggregation configured
- [ ] Alerting for failed login attempts
- [ ] Regular access reviews
System Hardening
Unnecessary Services
VoIPmonitor does not require the following services. Remove them to reduce attack surface:
| Service | Risk | Action |
|---|---|---|
| CUPS (printing) | Known vulnerabilities | Remove: apt remove cups |
| Desktop environments | Large attack surface | Do not install on production servers |
| FTP servers | Insecure protocol | Use SFTP instead |
| Development tools | Potential exploit vector | Remove from production |
File Permissions
# Configuration file
chmod 600 /etc/voipmonitor.conf
chown root:root /etc/voipmonitor.conf
# Web files
chown -R www-data:www-data /var/www/html
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
# Recordings directory
chmod 750 /var/spool/voipmonitor
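To verify the result of the commands above, the following added example (not VoIPmonitor's own code) reports any path whose mode grants bits beyond the intended maximum, plus anything world-writable under the web root. The function names, the ROOT prefix argument, and the fixture tree are assumptions made so the check can run against a constructed sample; GNU stat is required.

```shell
#!/bin/sh
# Added example: audit the modes from the File Permissions section.
# ROOT is a hypothetical prefix for testing; pass "" on a real host.

# Print a finding if the path ($1) grants any bit beyond the octal maximum ($2).
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "MISSING $1"; return 0; }
    [ $(( 0$actual & ~0$2 )) -eq 0 ] || echo "TOO_OPEN $1 mode=$actual max=$2"
}

audit_perms() {
    root=$1
    check_mode "$root/etc/voipmonitor.conf" 600
    check_mode "$root/var/spool/voipmonitor" 750
    # Anything under the web root that every local user can modify.
    find "$root/var/www/html" ! -type l -perm -0002 2>/dev/null |
        sed 's|^|WORLD_WRITABLE |'
}

# Constructed fixture tree, deliberately misconfigured in two places.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/spool/voipmonitor" "$d/var/www/html"
    chmod 750 "$d/var/spool/voipmonitor"
    chmod 755 "$d/var/www/html"
    : > "$d/etc/voipmonitor.conf";    chmod 644 "$d/etc/voipmonitor.conf"
    : > "$d/var/www/html/index.php";  chmod 644 "$d/var/www/html/index.php"
    : > "$d/var/www/html/upload.php"; chmod 666 "$d/var/www/html/upload.php"
    echo "$d"
}

fixture=$(make_fixture)
audit_perms "$fixture"
rm -rf "$fixture"
# On a real host: audit_perms ""
```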
Incident Response
Log Locations
| Log Type | Location |
|---|---|
| VoIPmonitor sniffer | /var/log/voipmonitor.log |
| Web server (Apache) | /var/log/apache2/ |
| Web server (Nginx) | /var/log/nginx/ |
| PHP errors | /var/log/php*.log |
| MySQL | /var/log/mysql/ |
| Audit log | Configurable via AUDIT_LOG_FILE |
| System authentication | /var/log/auth.log |
Security Event Investigation
# Check recent failed logins
grep "Failed" /var/log/auth.log | tail -50
# Check web access logs for suspicious activity
grep -E "(POST|401|403)" /var/log/apache2/access.log | tail -100
# Review audit log
tail -100 /var/log/voipmonitor/audit.log
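For the failed-login alerting item in the checklist, this added example (not from the VoIPmonitor project) counts 401/403 responses per client IP by reading the status field of a combined-format access log, so a "401" that appears in a URL or byte count is not counted. The function names, threshold default, and sample log lines are constructed.

```shell
#!/bin/sh
# Added example: count 401/403 responses per client IP from a combined-format
# access log on stdin and print "count ip" for clients at or above THRESHOLD.
# Splitting on double quotes isolates the status code that follows the request
# line; a request containing an escaped quote would be misparsed.

auth_failures_by_ip() {
    awk -F'"' -v min="${1:-3}" '
        {
            split($1, pre, " ");  ip = pre[1]        # %h, the client address
            split($3, post, " "); status = post[1]   # %>s, the response status
            if (status == "401" || status == "403") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (documentation IP ranges, made-up paths).
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "POST /index.php HTTP/1.1" 401 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "POST /index.php HTTP/1.1" 401 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Jan/2026:10:00:03 +0000] "POST /index.php HTTP/1.1" 401 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Jan/2026:10:00:04 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.4 - - [12/Jan/2026:10:01:00 +0000] "GET /report/401 HTTP/1.1" 200 4030 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2026:10:01:05 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2026:10:02:00 +0000] "POST /index.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
EOF
}

sample_access_log | auth_failures_by_ip 3
# On a live host: auth_failures_by_ip 5 < /var/log/apache2/access.log
```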
Vendor Security Information
Company Information
- Product: VoIPmonitor
- Type: Open-source software with commercial support options
- License: GPL (sniffer), proprietary (GUI)
- Support: https://www.voipmonitor.org/
Security Contact
For security vulnerabilities, contact VoIPmonitor support through official channels.
Third-Party Components
VoIPmonitor uses standard open-source components:
- Linux operating system
- Apache/Nginx web server
- PHP runtime
- MySQL/MariaDB database
- OpenSSL for encryption
Related Documentation
- Security_Policy_and_Posture - Security posture overview
- Securing_the_VoIPmonitor_Web_GUI_HTTPS_and_Basic_Auth - HTTPS and Basic Auth setup
- TLS and SRTP Decryption - Encrypted traffic handling
- SSL/TLS_connection_to_the_Mysql/MariaDB - Database encryption
- User_Management - Access control configuration
- GUI_Configuration_PHP - Audit logging setup
- CALEA_compliance - Law enforcement compliance
Document Control
| Version | Date | Description |
|---|---|---|
| 1.0 | January 2026 | Initial release |