Security best practices
How we lock down your server + the things you can do on top.
Your server ships hardened by default. Here's what's already done + what only you can do.
What we do at provision
- Hardened Linux base image (security updates current as of bake)
- TLS via Let's Encrypt, auto-renewing
- Firewall on by default — only required ports open
- fail2ban on SSH brute-force attempts
- SSH password authentication disabled
- No default passwords anywhere; admin password generated per-customer + sealed at rest
- /etc/ssh/sshd_config set to PermitRootLogin prohibit-password
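To confirm the two SSH settings above on your own server, this added example (not part of the platform's tooling) checks the global section of an sshd_config-style file. The function names and sample files are constructed for illustration. It does not follow Include directives, so `sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two settings this page names.

# Print the first global value of keyword $2 in file $1 (lowercased), or "unset".
# sshd keywords are case-insensitive and the first value obtained wins.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }            # skip comment and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }      # accept the "Keyword=value" form
        tolower($1) == "match" { exit }    # settings after Match are conditional
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only if both settings are set explicitly, and globally, to the
# values listed on this page. "unset" fails on purpose: an absent
# PasswordAuthentication line means the sshd default (yes) applies.
check_sshd_config() {
    rc=0
    pw=$(sshd_global_value "$1" PasswordAuthentication)
    root=$(sshd_global_value "$1" PermitRootLogin)
    [ "$pw" = "no" ] || { echo "FAIL PasswordAuthentication=$pw" >&2; rc=1; }
    case "$root" in
        prohibit-password|without-password) ;;   # second form is the deprecated alias
        *) echo "FAIL PermitRootLogin=$root" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'passwordauthentication no' \
    'PermitRootLogin=prohibit-password' > "$tmp/good"
# Here the password setting exists only inside a Match block, so it is not global.
printf '%s\n' 'PermitRootLogin prohibit-password' 'Match User deploy' \
    '    PasswordAuthentication no' > "$tmp/bad"

check_sshd_config "$tmp/good" && echo "good: both settings present"
check_sshd_config "$tmp/bad" || echo "bad: rejected"
rm -rf "$tmp"
```

On a live server, point `check_sshd_config` at `/etc/ssh/sshd_config`.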
What you should do
1. Add your SSH key + remove the platform fallback
/dashboard/servers/[id]/ssh-keys — paste your public key. We sync it within seconds. Once you can SSH in with your key, you can be confident in your access.
2. Set a strong VICIdial admin password
The auto-generated one we ship is strong. If you change it (Admin → User Admin → 6666), pick a 16+ character random string and store it in your password manager.
3. Enable 2FA on your dashboard account
/dashboard/security → enable TOTP. Save the backup codes in 1Password / similar. If you're an owner, treat this as required, not optional.
4. Use sub-users instead of sharing your password
Add coworkers via /dashboard/team. Roles:
- Billing — see invoices, manage payment methods
- Operator — non-destructive operational access
- Viewer — read-only
When someone leaves the company, revoke their sub-user. Your audit log shows everything they did.
5. Restrict your VICIdial admin URL
By default it's https://<fqdn>:<random-port>/<random-path>/admin.php. The random port + random path make the URL hard to discover, but they're not authentication. Use VICIdial's User Level + IP allowlist (Admin → Settings) to lock down admin access by IP.
6. Rotate carrier credentials on a schedule
SIP credentials don't expire. If you've had them for >6 months, rotate. Most carriers let you regenerate from their dashboard.
7. Subscribe to security advisories
Asterisk security advisories: issues.asterisk.org. Subscribe to their RSS feed.
VICIdial security: the project posts to vicidial.org/forums. Watch security categories.
We'll patch CVEs in the base image proactively, but if you need a same-day patch, open a ticket.
What we don't do
- We don't run a WAF in front of your server. If your VICIdial admin URL gets DDoS'd, we'll help mitigate but we don't sit in the path by default.
- We don't review your customer-data handling. PII residency, GDPR DSAR responses, CCPA — those are yours to operate.
- We don't watch your call traffic for fraud. Carrier-side anti-fraud is on your SIP provider.
Reporting incidents
If you suspect compromise (account, server, data):
- Email security@<our-domain> with as much detail as you have.
- Don't shut down the server — we may need it for forensics. We can isolate it from the network instead.
- We respond within 24 hours, faster on weekdays.