Security Policy and Posture

From VoIPmonitor.org
Revision as of 19:31, 7 January 2026 by Admin (Add documentation about automatic session ID regeneration on login to prevent session fixation attacks)


This page provides an overview of VoIPmonitor's security posture, development practices, and internal security controls. This information is intended for security departments conducting assessments, audits, or compliance reviews.

Data Protection and Encryption

Database Encryption

  • User data in the database (CDRs, call metadata, configuration settings) is stored in plain text and is NOT encrypted at rest
  • Only user passwords are hashed (see Password Storage below)
  • For encryption of data in transit between components, see SSL/TLS_connection_to_the_Mysql/MariaDB

💡 Tip: For environments requiring database encryption at rest, use MySQL/MariaDB Transparent Data Encryption (TDE) or filesystem-level encryption (LUKS, dm-crypt).

Password Storage

  • User credentials (passwords) are stored using SHA-256 hashing
  • LDAP authentication is available, which offloads credential storage to an external LDAP server
  • For more details on authentication methods, see Custom Login documentation

Data Privacy Features

VoIPmonitor includes several features to assist with privacy compliance:

  • IP Address Anonymization - Database-level anonymization of IP addresses
  • Two-Factor Authentication (2FA) for enhanced user account security
  • Various compliance integrations (SIPREC, CALEA support, PCI-DSS features)

Authentication and Session Management

Supported Authentication Methods

VoIPmonitor supports multiple authentication approaches:

  • Local user accounts with username/password
  • Two-Factor Authentication (2FA)
  • LDAP authentication (username/password verification) - see Custom Login
  • Google Sign-In (OAuth 2.0)
  • Microsoft Sign-In (Azure AD/Entra ID) - scheduled for upcoming stable release
  • Custom login scripts for integration with external authentication systems - see Custom Login

Authentication Methods NOT Supported

The following methods are NOT currently supported:

  • Shibboleth SSO - not supported
  • SAML-based SSO (including JumpCloud, Okta, OneLogin) - not supported
  • LDAP SSO (click-through login without credentials) - only LDAP username/password verification is supported
  • Generic OIDC providers other than Google

Session Management

  • User sessions are managed using PHP sessions
  • The VoIPmonitor GUI automatically changes the session ID on every user login. This built-in behavior prevents session fixation attacks and does not require manual configuration
  • Session inactivity timeout is configurable via PHP configuration (session.gc_maxlifetime in php.ini)
  • Sessions can be invalidated manually by administrators

ℹ️ Note: The automatic session ID regeneration on login is a built-in security feature of the VoIPmonitor GUI that mitigates session fixation vulnerabilities. No additional PHP configuration changes are required for this protection.

Architecture and Network Security

The VoIPmonitor system architecture includes multiple security layers:

Key Security Features

Network Ports and Firewall

The following ports should be considered when configuring firewalls:

Port     | Protocol | Service              | Notes
80, 443  | TCP      | Web GUI              | HTTPS strongly recommended
5029     | TCP      | Manager API          | Restrict to trusted internal IPs only
60024    | TCP      | Sensor communication | Used for distributed architecture
5060     | UDP/TCP  | SIP monitoring       | Default SIP port

⚠️ Warning: The Manager API port (5029) should NEVER be exposed to the public internet. Restrict access to trusted internal networks only.
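The check below is an added example, not part of the VoIPmonitor documentation or code: it parses `ss -Htln` output and classifies how the Manager API port (or any port from the table above) is bound, so that a wildcard bind, where exposure depends on the firewall alone, stands out. The function name and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how watched TCP ports are bound, from `ss -Htln` output.

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:5029 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:60024 [::]:*'

# classify_listeners PORT...   (hypothetical helper name)
# Reads `ss -Htln` lines on stdin; prints "<port> <address> <class>" per match.
classify_listeners() {
    awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (!(port in watch)) next
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            class = "WILDCARD"    # every interface: exposure depends on the firewall alone
        else if (addr ~ /^127\./ || addr == "[::1]")
            class = "LOOPBACK"    # reachable from the local host only
        else
            class = "SPECIFIC"    # one address: confirm it sits on a trusted network
        print port, addr, class
    }'
}

# Live use on a host: ss -Htln | classify_listeners 5029
printf '%s\n' "$SAMPLE_SS" | classify_listeners 5029
```

A WILDCARD result for 5029 means the firewall rules are the only control keeping the Manager API off untrusted networks, so they should be reviewed together with this output.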

Recommendations for Security Assessments

When conducting a security assessment of VoIPmonitor, consider the following:

Configuration Review

  • Web server SSL/TLS configuration (certificate validity, cipher suites)
  • Database connection encryption (MySQL/MariaDB SSL)
  • Firewall rules for all VoIPmonitor ports
  • File permissions on configuration files (/etc/voipmonitor.conf)

Authentication Assessment

  • Validate that required authentication methods (LDAP, 2FA) are properly configured
  • Review user permissions and role assignments in GUI
  • Check IP restriction settings (Settings > Users & Audit > Users > Secure users)

Compliance Review

  • Review privacy features to ensure they meet your compliance requirements
  • Verify audit logging is enabled if required (AUDIT_LOG_FILE)
  • Check data retention policies (cleandatabase settings)

Infrastructure Security

  • Implement additional security layers (intrusion detection, network segmentation)
  • Consider deploying VoIPmonitor in an isolated network segment
  • Regular backup verification and disaster recovery testing

System Hardening and Service Minimization

💡 Tip: A fundamental security practice is to minimize the attack surface by removing unnecessary services and software that are not required for VoIPmonitor operation.

VoIPmonitor requires only the software components explicitly listed in the installation guides:

  • Sniffer dependencies: See Sniffer Installation
  • GUI dependencies: Database (MySQL/MariaDB), web server, PHP, tshark - see GUI Installation
  • Optional utilities: libpcap, netmap, DPDK, napatech drivers (for specific capture modes)

The following services are NOT required and should be removed if present:

  • CUPS (Common Unix Printing System) - Not used by VoIPmonitor and presents a security risk if vulnerable (e.g., CUPS_Evilsocket vulnerability)
  • Unnecessary desktop environments (GNOME, KDE) on production servers
  • Unused network services (FTP, SMTP servers not used for monitoring)
  • Development tools and compilers on production systems

⚠️ Warning: Before removing any service, ensure it is not required by other applications running on the server or by your organizational policies.

To check for and remove CUPS:

# Check if CUPS is installed
dpkg -l cups 2>/dev/null || rpm -qa cups

# Stop CUPS service
systemctl stop cups

# Disable CUPS from starting on boot
systemctl disable cups

# Remove CUPS (Debian/Ubuntu)
apt remove --purge cups cups-browsed

# Remove CUPS (RHEL/CentOS/AlmaLinux)
yum remove cups

This principle applies broadly: security vulnerabilities in any unnecessary software can compromise the overall security posture, even if the vulnerable software is not directly related to VoIPmonitor functionality.

AI Summary for RAG

Summary: VoIPmonitor security posture documentation for security assessments and compliance reviews. Database: CDR and call metadata stored unencrypted at rest; passwords hashed with SHA-256. Authentication: local accounts, 2FA, LDAP (username/password only - NOT SSO), Google OAuth, Microsoft Sign-In (upcoming). NOT supported: Shibboleth, SAML SSO, LDAP SSO, generic OIDC. Sessions: PHP-based with automatic session ID regeneration on login (built-in feature prevents session fixation), configurable timeout. Network security: encrypted sensor communication (server_password on port 60024), TLS/SRTP decryption support, HTTPS for GUI. Critical ports: 80/443 (GUI), 5029 (Manager API - restrict to internal), 60024 (sensors), 5060 (SIP). Compliance features: SIPREC WORM storage, CALEA export, IP anonymization. Security assessment recommendations: review SSL/TLS config, database encryption, firewall rules, authentication setup, audit logging, data retention policies.

System hardening: Remove unnecessary services to minimize attack surface. CUPS (printing system) is NOT required by VoIPmonitor and should be removed due to security risks. Unnecessary services include CUPS, desktop environments, unused network services, development tools. Always verify other applications do not depend on a service before removal. Check and remove CUPS with: dpkg -l cups or rpm -qa cups; systemctl stop/disable cups; apt remove cups or yum remove cups. Security vulnerabilities in any unnecessary software compromise overall security posture even if unrelated to VoIPmonitor functionality.

Keywords: security posture, security assessment, compliance, encryption, database encryption, SHA-256, password hashing, authentication, 2FA, LDAP, SSO, Shibboleth, SAML, Google OAuth, Microsoft Sign-In, session management, session fixation, session ID regeneration, firewall ports, Manager API, port 5029, port 60024, SIPREC, CALEA, IP anonymization, audit logging, HIPAA, PCI-DSS, GDPR, system hardening, unnecessary services, CUPS, CUPS_Evilsocket, remove CUPS, security best practice, attack surface

Key Questions:

  • Is user data encrypted in the VoIPmonitor database?
  • How are passwords stored in VoIPmonitor?
  • What authentication methods does VoIPmonitor support?
  • Does VoIPmonitor support Shibboleth or SAML SSO?
  • Does VoIPmonitor support LDAP SSO?
  • What network ports does VoIPmonitor use?
  • Should the Manager API port (5029) be exposed to the internet?
  • How do I secure VoIPmonitor for compliance?
  • What security features does VoIPmonitor have for regulatory compliance?
  • How do I enable audit logging in VoIPmonitor?
  • Is CUPS required for VoIPmonitor?
  • Should I remove CUPS from VoIPmonitor servers?
  • What unnecessary services should be removed for system hardening?
  • How do I remove CUPS from Linux for security?
  • What security risk does CUPS_Evilsocket pose to VoIPmonitor?
  • Does VoIPmonitor session ID change on login?
  • Is VoIPmonitor vulnerable to session fixation attacks?
  • How does VoIPmonitor prevent session fixation?