Does The Spam Ever Stop?

random_nerd

New Member
Sep 30, 2025
Hi all. I'm new to FreeSWITCH. I have some basic setup in place, including using mod_signalwire, mod_callcenter, routing calls with Lua, connecting vagents via secure web sockets, etc. Overall I THINK everything is in a pretty good place...

HOWEVER, when I watch logs roll through in fs_cli, I see hundreds of malicious INVITEs/SIP connection attempts from random IP addresses around the world.

Nothing has gotten through (it's all just brute force/dialplans are set to auto hang up), but it does create quite a bit of clutter... is there some form of best practice out there that would lock things down a bit more?

PS. I considered locking the signaling ports to only allow incoming requests from SignalWire servers, however their IP addresses don't seem to be publicly available, and they say they often rotate/check domain instead.

Thank You!
 
One thing you can do that will have a big impact immediately is to change your SIP ports to more obscure numbers. This makes it harder for SIP scanners to access you. You can also block unwanted traffic using tools like an SBC, a SIP proxy, or Fail2Ban.
 
Another thing, if you are able to do it, is to stop using UDP. If you can get rid of UDP you will see hardly anything.
 
Just a PS to that.....

If I spin up a new server and it doesn't get hit within 20 minutes I start to check if everything is working correctly :)

A few years ago I did some testing with a honeypot type of thing. I had about 13 random VPS around the world. They were effectively invisible from the SIP side of things in that they did not respond at all to SIP packets. They just grabbed them and logged them without reply.

The hackers' infrastructure is huge.

I have seen EXACTLY the same invite hit 6 of those honeypots in the space of 5 seconds, I couldn't quite believe my eyes but it was true.
 
I solved this by using Telnyx for SIP trunking. They publish a small set of static IP addresses for both SIP signaling and RTP media (which is uncommon). That lets you lock down your PBX to accept traffic only from Telnyx’s IPs plus your phones’ static IPs. As long as your phones are on static IPs you can allowlist on the PBX, and you set your PBX admin dashboard to only be accessible from a static IP, you have no ports on the PBX accessible from the open internet. The logs are glorious.
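
The allowlist approach described in the post above, sketched as an nftables ruleset. This is an added example, not part of the original post or any vendor's configuration. Every address is an RFC 5737 documentation placeholder, and the ports (5060/5080 for signaling, 16384-32768 for RTP, 22/443 for admin) are assumptions based on FreeSWITCH defaults that must be matched to your own profiles.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny inbound filter for a PBX host.
# Only the trunk provider, known phones and one admin address may reach it.
# All addresses below are placeholders; substitute the ranges your provider
# publishes and your own static IPs.

table inet pbx {
    set trunk_signaling {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/28 }        # placeholder: provider SIP signaling IPs
    }
    set trunk_media {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.64/27 }       # placeholder: provider RTP media IPs
    }
    set phones {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }   # placeholder: static phone IPs
    }
    set admin {
        type ipv4_addr
        elements = { 203.0.113.5 }         # placeholder: admin workstation
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept      # keep IPv6 neighbour discovery working

        # SIP signaling: trunk and phones only (assumed ports, UDP and TCP)
        ip saddr @trunk_signaling udp dport { 5060, 5080 } accept
        ip saddr @trunk_signaling tcp dport { 5060, 5080 } accept
        ip saddr @phones udp dport { 5060, 5080 } accept
        ip saddr @phones tcp dport { 5060, 5080 } accept

        # RTP media: trunk media ranges and phones only (assumed port range)
        ip saddr @trunk_media udp dport 16384-32768 accept
        ip saddr @phones udp dport 16384-32768 accept

        # SSH and web dashboard: admin address only
        ip saddr @admin tcp dport { 22, 443 } accept
    }
}
```

Validate the file with `nft -c -f` before loading it, and load it from a console session or with a timed rollback so a wrong admin address cannot lock you out.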
 