Does The Spam Ever Stop?

R

random_nerd

New Member
Sep 30, 2025
1
0
0
48
Hi all. I'm new to freeswitch. I have some basic setup in place, including using mod_signalwire, mod_callcenter, routing calls with lua, connecting vagents via secure web sockets, etc. Overall I THINK everything is in a pretty good place...

HOWEVER, when I watch logs roll through in fscli, I see hundreds of malicious invites/sip connection attempts from random ip addresses around the World.

Nothing has gotten through (it's all just brute force/dialplans are set to auto hang up), but it does create quite a bit of clutter... is there some form of best practice out there that would lock things down a bit more?

PS. I considered locking the signaling ports to only allow incoming requests from signalwire servers, however their IP addresses don't seem to be publicly available, and they say they often rotate/check domain instead.

Thank You!
 
One thing you can do that will have a big impact immediately is to change your SIP ports to more obscure numbers. This makes it harder for SIP scanners to access you. You can also block unwanted traffic using tools like SBC, SIP proxy, or Fail2Ban.
 
  • Like
Reactions: lamabean
Another thing, if you are able to do it, is stop using UDP, if you can get rid of UDP you will see hardly anything.
 
  • Like
Reactions: lamabean
Just a PS to that.....

If I spin up a new server and it doesn't get hit within 20 minutes I start to check if everything is working correctly :)

A few years ago I did some testing with honeypot type of thing. I had about 13 random VPS around the world. They were effectively invisible from the sip side of things in that they did not respond at all to sip packets. They just grabbed them and logged them without reply.

The hackers infrastructure is huge.

I have seen EXACTLY the same invite hit 6 of those honeypots in the space of 5 seconds, I couldn't quite believe my eyes but it was true.
 
  • Like
Reactions: babak and lamabean
random_nerd said:
Hi all. I'm new to freeswitch. I have some basic setup in place, including using mod_signalwire, mod_callcenter, routing calls with lua, connecting vagents via secure web sockets, etc. Overall I THINK everything is in a pretty good place...

HOWEVER, when I watch logs roll through in fscli, I see hundreds of malicious invites/sip connection attempts from random ip addresses around the World.

Nothing has gotten through (it's all just brute force/dialplans are set to auto hang up), but it does create quite a bit of clutter... is there some form of best practice out there that would lock things down a bit more?

PS. I considered locking the signaling ports to only allow incoming requests from signalwire servers, however their IP addresses don't seem to be publicly available, and they say they often rotate/check domain instead.

Thank You!
Click to expand...
I solved this by using Telnyx for SIP trunking. They publish a small set of static IP addresses for both SIP signaling and RTP media (which is uncommon). That lets you lock down your PBX to accept traffic only from Telnyx’s IPs plus your phones’ static IPs. As long as your phones are on static IPs you can allowlist on the PBX, and you set your PBX admin dashboard to only be accessible from a static IP, you have no ports on the PBX accessible from the open internet. The logs are glorious.
 
Last edited:
Back in the day I tried all sorts to 'close' my pbx to the world, some of which were more successful than others.

One I had was were I ran a kamailio instance on a totally different ip, probably a small vps somewhere.

The main pbx had its ports 5060, 5080 etc closed to the world.

I had the carriers whitelisted.

On the ip phones I had a separate line configured that registered to the kamailio. When the kamailio received a valid registration it would then whitelist the source ip of the phone in iptables on the main pbx, the phone would suddenly appear registered on the main pbx now it was allowed in by iptables.

That worked quite well. It was much more sophisticated in that it would remove the whitelisting etc after a certain amount of time.
 
  • Like
Reactions: babak
DigitalDaz said:
Back in the day I tried all sorts to 'close' my pbx to the world, some of which were more successful than others.

One I had was were I ran a kamailio instance on a totally different ip, probably a small vps somewhere.

The main pbx had its ports 5060, 5080 etc closed to the world.

I had the carriers whitelisted.

On the ip phones I had a separate line configured that registered to the kamailio. When the kamailio received a valid registration it would then whitelist the source ip of the phone in iptables on the main pbx, the phone would suddenly appear registered on the main pbx now it was allowed in by iptables.

That worked quite well. It was much more sophisticated in that it would remove the whitelisting etc after a certain amount of time.
Click to expand...
That's impressive @DigitalDaz . You seem to refer to this in past tense - do you still carry it out this way? And if not, why not?
 
You must log in or register to reply here.
Top Bottom