VOS3000 Call Authentication Mode: Comprehensive IP Port Password Selection
๐ Every call that enters your VOS3000 softswitch through a mapping gateway must be authenticated โ but the method of authentication directly affects both security and ease of deployment. The VOS3000 call authentication mode offers three distinct options โ IP only, IP+Port, and Password โ each with different security trade-offs, configuration requirements, and use cases that every VoIP engineer must understand. ๐ก๏ธ
โ๏ธ The mapping gateway is where external SIP traffic enters your VOS3000 system. When an INVITE or REGISTER arrives from a mapping gateway, VOS3000 must verify that the source is authorized before processing the call. The VOS3000 call authentication mode determines how this verification works: IP-only mode simply checks the source IP address, IP+Port mode checks both the IP and source port, and Password mode requires SIP digest authentication with a username and password. The choice between these modes is one of the most fundamental security decisions in any VOS3000 deployment. ๐ง
๐ฏ This guide covers all three VOS3000 call authentication mode options from the VOS3000 2.1.9.07 manual ยง4.3.5.2, including how each mode works, security trade-offs, when to use each, and step-by-step configuration in the mapping gateway settings panel. Need help? WhatsApp us at +8801911119966 for professional VOS3000 configuration. ๐
Table of Contents
๐ What Is the VOS3000 Call Authentication Mode?
โฑ๏ธ The VOS3000 call authentication mode defines how VOS3000 verifies the identity of SIP traffic arriving through mapping gateways. According to the official VOS3000 2.1.9.07 manual ยง4.3.5.2, the mapping gateway settings panel provides three authentication mode options: IP (verify IP Address only), IP Address and Port (verify both IP and port), and Password authentication (using password authentication method). This setting is configured per mapping gateway, allowing you to use different authentication modes for different gateway connections. ๐
๐ก Why authentication mode selection matters: The authentication mode directly determines how difficult it is for an attacker to impersonate a legitimate gateway. IP-only authentication can be spoofed, IP+Port is slightly harder to spoof, and password authentication provides the strongest protection but requires credential management. Choosing the wrong mode for your deployment can leave your system vulnerable to toll fraud, unauthorized call routing, and revenue loss.
๐ก Three modes: IP, IP+Port, Password
๐ Configured per mapping gateway for flexible security
๐ Each mode offers different security and convenience trade-offs
๐ก๏ธ Password mode provides strongest protection; IP mode is simplest
๐ฏ Must balance security requirements with operational practicality
โ๏ธ Mode 1: IP Authentication โ Verify IP Address Only
๐ง IP authentication is the simplest VOS3000 call authentication mode. VOS3000 checks only the source IP address of incoming SIP messages against the mapping gateway’s configured IP address. If the source IP matches, the call is accepted without any further verification. This mode requires no credentials โ the IP address itself serves as the authentication token.
๐ก When to use IP authentication: IP-only mode is appropriate for trusted private networks where you control the entire infrastructure and can guarantee that only authorized devices use the configured IP addresses. It is commonly used for internal gateway connections within a data center, where all traffic flows over a secure management network that is isolated from the internet.
โ ๏ธ Security limitation: IP addresses can be spoofed by attackers with access to the network path between the gateway and VOS3000. If an attacker can send packets with a forged source IP that matches a configured mapping gateway, they can make calls through your system without knowing any credentials. This is why IP-only mode should never be used for internet-facing gateways.
โ๏ธ Mode 2: IP + Port Authentication โ Verify Address and Port
๐ง IP+Port authentication adds the source port to the verification check. In addition to matching the source IP address, VOS3000 also verifies that the source port matches the configured port in the mapping gateway settings. This provides a modest security improvement over IP-only mode, as the attacker would need to both spoof the IP address and use the correct source port.
๐ก When to use IP+Port authentication: IP+Port mode is useful in semi-trusted environments where you want an additional verification layer beyond IP alone. It can help detect misconfigured gateways that are sending from unexpected ports. However, it has a significant limitation: NAT devices often change the source port of SIP packets, causing authentication failures when the gateway is behind NAT.
โ ๏ธ NAT limitation: When a SIP gateway sends packets through a NAT device, the NAT typically rewrites the source port to an arbitrary value. This means the source port that VOS3000 sees will not match the port configured in the mapping gateway, causing authentication to fail. For NAT-traversed gateways, use IP-only or Password mode instead.
โ๏ธ Mode 3: Password Authentication โ Full SIP Digest Auth
๐ง Password authentication is the most secure VOS3000 call authentication mode. It requires the mapping gateway to complete a full SIP digest authentication challenge-response cycle before calls are accepted. VOS3000 sends a 401 Unauthorized challenge, and the gateway must respond with the correct digest calculated using its configured username and password. This provides the same level of authentication used for SIP phone registrations. ๐ง
๐ก When to use Password authentication: Password mode is strongly recommended for any gateway that connects over the public internet, connects to an upstream SIP trunk provider, or operates in an untrusted network environment. It is also the correct choice for NAT-traversed gateways, since digest authentication works correctly regardless of NAT-induced IP and port changes. While it requires more configuration (setting up credentials on both VOS3000 and the gateway), the security benefit is substantial.
โ Problem 2: Password Auth Creates High CPU Load
๐ Symptom: After switching to Password mode, VOS3000 CPU usage increases significantly.
๐ก Cause: Digest authentication requires cryptographic calculations (MD5 hashing) for every call attempt, which is more CPU-intensive than simple IP matching.
โ Solutions:
๐ง This is expected โ Password mode requires more processing than IP mode
๐ Ensure your server has adequate CPU capacity for the call volume
๐ For extremely high CPS, use IP mode on trusted internal gateways and Password only on external ones
โ Problem 3: Gateway Sends Credentials But Auth Still Fails
๐ Symptom: The gateway is configured with the correct username and password, but VOS3000 still rejects the authentication.
๐ก Cause: Common causes include mismatched SIP realm, incorrect authentication algorithm, or clock skew affecting nonce validation.
โ Solutions:
๐ง Verify the SIP realm/domain matches between VOS3000 and the gateway
๐ Check that both sides use the same digest algorithm (typically MD5)
๐ Ensure NTP is configured on both systems for clock synchronization
โ Frequently Asked Questions
โ What is the VOS3000 call authentication mode?
โฑ๏ธ The VOS3000 call authentication mode defines how mapping gateways are authenticated when sending SIP traffic to VOS3000. There are three modes: IP (verify source IP address only), IP Address and Port (verify source IP and source port), and Password (full SIP digest authentication with username and password). Each mode provides a different balance of security and convenience. The setting is configured per mapping gateway in the Additional settings โ Protocol โ SIP section. It is documented in the VOS3000 2.1.9.07 manual ยง4.3.5.2.
โ Which authentication mode should I use?
๐ง For internet-facing or untrusted network connections, always use Password authentication mode. This provides the strongest protection against unauthorized access and works correctly through NAT. For internal gateway connections on a trusted private network, IP-only mode is acceptable and simpler to configure. IP+Port mode offers moderate security improvement over IP-only but often fails with NAT-traversed gateways. When in doubt, use Password mode โ the additional configuration effort is minimal compared to the security benefit.
โ Can I use different authentication modes for different gateways?
๐ Yes, the VOS3000 call authentication mode is configured per mapping gateway. This means you can use Password authentication for internet-facing SIP trunk gateways while using IP-only authentication for internal gateways on your trusted LAN. This flexibility lets you apply appropriate security levels based on each gateway’s network environment and risk profile without forcing a one-size-fits-all approach.
โ Does Password authentication work with NAT?
๐ Yes, Password authentication works correctly through NAT. Unlike IP+Port mode, which fails when the NAT device changes the source port, Password authentication relies on the SIP digest challenge-response mechanism that is independent of the source IP and port. The credentials are validated based on the content of the SIP headers, not the transport layer addresses. This makes Password mode the recommended choice for any gateway that is behind NAT. For more on NAT configuration, see our NAT keepalive guide.
โ How does IP spoofing affect IP-only authentication?
๐ก๏ธ With IP-only authentication, an attacker who can send packets with a forged source IP address matching your mapping gateway’s configured IP can bypass authentication entirely. This is known as IP spoofing and is possible when the attacker has access to the network path between their location and your VOS3000 server. While modern networks make IP spoofing more difficult through ingress filtering, it remains a risk โ especially on public networks. This is why IP-only mode should be restricted to trusted private networks and never used for internet-facing gateways.
โ What happens when authentication fails?
๐ When a mapping gateway fails authentication, VOS3000 rejects the SIP request with an appropriate error response. For Password mode, this is typically a SIP 401 Unauthorized or 403 Forbidden response. For IP/IP+Port mode, the request may be silently dropped or rejected depending on the SS_REPLY_UNAUTHORIZED setting. The failed call is logged in the CDR with the appropriate termination reason. For detailed error analysis, see our call termination reasons guide. WhatsApp us at +8801911119966 for expert help. ๐
๐ Need Expert Help with VOS3000 Call Authentication Mode?
๐ง Proper VOS3000 call authentication mode configuration is essential for securing your SIP gateway connections and preventing unauthorized call routing. Whether you need help selecting the right authentication mode, configuring digest authentication, or troubleshooting gateway connectivity issues, our team is ready to assist. Reach us on WhatsApp at +8801911119966 for professional VOS3000 configuration services. ๐
๐ Need Professional VOS3000 Setup Support?
For professional VOS3000 installations and deployment, VOS3000 Server Rental Solution:
VOS3000 iptables SIP Scanner: Block OPTIONS Floods Without Fail2Ban
Every VOS3000 operator who exposes SIP port 5060 to the internet has experienced the relentless pounding of SIP scanners. These automated tools send thousands of SIP OPTIONS requests per second, probing your server for open accounts, valid extensions, and authentication weaknesses. A VOS3000 iptables SIP scanner defense strategy using pure iptables rules โ without the overhead of Fail2Ban โ is the most efficient and reliable way to stop these attacks at the network level before they consume your server resources. This guide provides complete, production-tested iptables rules and VOS3000 native security configurations that will protect your softswitch from SIP OPTIONS floods and scanner probes.
The problem with relying on Fail2Ban for VOS3000 SIP scanner protection is that Fail2Ban parses log files reactively โ it only blocks an IP after the attack has already reached your application layer and consumed CPU processing those requests. Pure iptables rules, on the other hand, drop malicious packets at the kernel level before they ever reach VOS3000, resulting in zero resource waste. When you combine kernel-level packet filtering with VOS3000 native features like IP whitelist authentication, Web Access Control (Manual Section 2.14.1), and mapping gateway rate limiting, you create an impenetrable defense that stops SIP scanners dead in their tracks.
In this comprehensive guide, we cover every aspect of building a VOS3000 iptables SIP scanner defense system: from understanding how SIP scanners operate and identifying attacks in your logs, to implementing iptables string-match rules, connlimit connection tracking, recent module rate limiting, and VOS3000 native security features. All configurations reference the VOS3000 V2.1.9.07 Manual and have been verified in production environments. For expert assistance with your VOS3000 security, contact us on WhatsApp at +8801911119966.
Table of Contents
How VOS3000 iptables SIP Scanner Attacks Waste Server Resources
SIP scanners are automated tools that systematically probe VoIP servers on port 5060 (UDP and TCP). They send SIP OPTIONS requests, REGISTER attempts, and INVITE probes to discover valid accounts and weak passwords. Understanding exactly how these attacks affect your VOS3000 server is the first step toward building an effective defense.
The SIP OPTIONS Flood Mechanism
A SIP OPTIONS request is a legitimate SIP method used to query a server or user agent about its capabilities. However, SIP scanners abuse this method by sending thousands of OPTIONS requests per minute from a single IP address or from distributed sources. Each OPTIONS request that reaches VOS3000 must be processed by the SIP stack, which allocates memory, parses the SIP message, generates a response, and sends it back. At high volumes, this processing consumes significant CPU and memory resources that should be serving your legitimate call traffic.
The impact of a SIP OPTIONS flood on an unprotected VOS3000 server includes elevated CPU usage on the SIP processing threads, increased memory consumption for tracking thousands of short-lived SIP dialogs, degraded call setup times for legitimate calls, potential SIP socket buffer overflow causing dropped legitimate SIP messages, and inflated log files that make it difficult to identify real problems. A severe SIP OPTIONS flood can effectively create a denial-of-service condition where your VOS3000 server is too busy responding to scanner probes to process real calls.
โ ๏ธ Resource
๐ฌ Normal Load
๐ฅ Under SIP Scanner Flood
๐ Impact on Service
CPU Usage
15-30%
70-99%
Delayed call setup, audio issues
Memory
Steady state
Rapidly increasing
Potential OOM kill of processes
SIP Socket Buffer
Normal queue
Overflow / packet drop
Lost legitimate SIP messages
Log Files
Manageable size
GBs per hour
Disk space exhaustion
Call Setup Time
1-3 seconds
5-30+ seconds
Customer complaints, lost revenue
Network Bandwidth
Normal SIP traffic
Saturated with probe traffic
Increased latency, jitter
Common VOS3000 iptables SIP Scanner Attack Patterns
SIP scanners targeting VOS3000 servers typically follow predictable patterns that can be identified and blocked with iptables rules. The most common attack patterns include rapid-fire SIP OPTIONS probes used to check if your server is alive and responding, brute-force REGISTER attempts with common username/password combinations, SIP INVITE probes to discover valid extension numbers, scanning from multiple IP addresses in the same subnet (distributed scanning), and scanning with spoofed or randomized User-Agent headers to avoid simple pattern matching. Each of these patterns has a distinctive signature that iptables can detect and block at the kernel level, before VOS3000 ever processes the malicious request.
The key insight for building an effective VOS3000 iptables SIP scanner defense is that legitimate SIP traffic and scanner traffic have fundamentally different behavioral signatures. Legitimate SIP clients send a small number of requests per minute, maintain established dialog states, and follow the SIP protocol flow. Scanners, on the other hand, send high volumes of stateless requests, often with identical or semi-random content, and never complete legitimate call flows. By targeting these behavioral differences, your iptables rules can block scanners with minimal risk of blocking legitimate traffic.
Identifying VOS3000 iptables SIP Scanner Attacks from Logs
Before implementing iptables rules, you need to confirm that your VOS3000 server is actually under a SIP scanner attack. VOS3000 provides several logging mechanisms that reveal scanner activity, and knowing how to read these logs is essential for both detection and for calibrating your iptables rules appropriately.
Checking VOS3000 SIP Logs for Scanner Activity
The VOS3000 SIP logs are located in the /home/vos3000/log/ directory. The key log files to monitor include sipproxy.log for SIP proxy activity, mbx.log for media box and call processing, and the system-level /var/log/messages for kernel-level network information. When a SIP scanner is active, you will see repetitive patterns of unauthenticated SIP requests from the same or similar IP addresses.
# Check VOS3000 SIP logs for scanner patterns
# Look for repeated OPTIONS from same IP
rg "OPTIONS" /home/vos3000/log/sipproxy.log | tail -100
# Count requests per source IP (identify top scanners)
rg "OPTIONS" /home/vos3000/log/sipproxy.log | \
awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Check for failed registration attempts
rg "401 Unauthorized|403 Forbidden" /home/vos3000/log/sipproxy.log | \
tail -50
# Monitor real-time SIP traffic on port 5060
tcpdump -n port 5060 -A -s 0 | rg "OPTIONS"
Using tcpdump to Detect SIP Scanner Floods
When you suspect a SIP scanner attack, tcpdump provides the most immediate and detailed view of the traffic hitting your server. The following tcpdump commands help you identify the source, volume, and pattern of SIP scanner traffic targeting your VOS3000 server.
# Real-time SIP packet count per source IP
tcpdump -n -l port 5060 | \
awk '{print $3}' | cut -d. -f1-4 | \
sort | uniq -c | sort -rn
# Count SIP OPTIONS per second
tcpdump -n port 5060 -l 2>/dev/null | \
rg -c "OPTIONS"
# Capture and display full SIP OPTIONS packets
tcpdump -n port 5060 -A -s 0 -c 50 | \
rg -A 20 "OPTIONS sip:"
# Check UDP connection rate from specific IP
tcpdump -n src host SUSPICIOUS_IP and port 5060 -l | \
awk '{print NR}'
๐ Detection Method
๐ป Command
๐ฏ What It Reveals
โก Action Threshold
Log analysis
rg “OPTIONS” sipproxy.log
Scanner IP addresses
50+ OPTIONS/min from one IP
Real-time capture
tcpdump -n port 5060
Packet volume and rate
100+ packets/sec from one IP
Connection tracking
conntrack -L | wc -l
Total connection count
Exceeds nf_conntrack_max
Netstat analysis
netstat -anup | grep 5060
Active UDP connections
Thousands from few IPs
System load
top / htop
CPU and memory pressure
Sustained CPU > 70%
Disk I/O
iostat -x 1
Log write rate
Disk I/O > 80%
Why Pure iptables Beats Fail2Ban for VOS3000 iptables SIP Scanner Defense
Many VOS3000 operators initially turn to Fail2Ban for SIP scanner protection because it is well-documented and widely recommended in general VoIP security guides. However, Fail2Ban has significant drawbacks when used as a VOS3000 iptables SIP scanner defense mechanism, and pure iptables rules provide superior protection in every measurable way.
The Fail2Ban Reactive Approach vs. iptables Proactive Approach
Fail2Ban operates by monitoring log files for patterns that indicate malicious activity, then dynamically creating iptables rules to block the offending IP addresses. This reactive approach means that the attack traffic must first reach VOS3000, be processed by the SIP stack, generate log entries, and then be parsed by Fail2Ban before any blocking occurs. The time delay between the start of an attack and Fail2Ban’s response can be several minutes, during which your VOS3000 server is processing thousands of malicious SIP requests.
Pure iptables rules, by contrast, operate at the kernel packet filtering level. When a packet arrives on the network interface, iptables evaluates it against your rules before it is delivered to any user-space process, including VOS3000. A malicious SIP OPTIONS packet that matches a rate-limiting rule is dropped instantly at the kernel level, consuming only the minimal CPU cycles needed for rule evaluation. VOS3000 never sees the packet, never processes it, and never writes a log entry for it. This proactive approach provides zero-latency protection with zero application-layer overhead.
โ๏ธ Comparison
๐ด Fail2Ban
๐ข Pure iptables
Blocking level
Application (reactive)
Kernel (proactive)
Response time
Seconds to minutes delay
Instant (packet-level)
Resource usage
High (Python process + log parsing)
Minimal (kernel only)
VOS3000 load
Processes all packets first
Drops malicious packets before VOS3000
Dependencies
Python, Fail2Ban, log config
None (iptables is built-in)
Log pollution
High (all attacks logged before block)
None (dropped packets not logged)
Rate limiting
Indirect (via jail config)
Direct (connlimit, recent, hashlimit)
String matching
Not available
Yes (string module)
Maintenance
Regular filter updates needed
Set once, works forever
The pure iptables approach for your VOS3000 iptables SIP scanner defense also eliminates the risk of Fail2Ban itself becoming a performance problem. Fail2Ban runs as a Python daemon that continuously reads log files, which adds its own CPU and I/O overhead. On a server under heavy SIP scanner attack, the log files grow rapidly, and Fail2Ban’s log parsing can consume significant resources โ ironically adding to the very load you are trying to reduce. Pure iptables rules have no daemon, no log parsing, and no Python overhead; they run as part of the Linux kernel’s network stack.
Essential VOS3000 iptables SIP Scanner Rules: String Drop for OPTIONS
The most powerful weapon in your VOS3000 iptables SIP scanner defense arsenal is the iptables string match module. This module allows you to inspect the content of network packets and drop those that contain specific SIP method strings. By dropping packets that contain the SIP OPTIONS method string, you can instantly block the most common type of SIP scanner probe without affecting legitimate INVITE, REGISTER, ACK, BYE, and CANCEL messages that your VOS3000 server needs to process.
iptables String-Match Rule to Drop SIP OPTIONS
The following iptables rule uses the string module to inspect UDP packets destined for port 5060 and drop any that contain the text “OPTIONS sip:” in their payload. This is the most effective single rule for blocking SIP scanners because the vast majority of scanner probes use the OPTIONS method.
# ============================================
# VOS3000 iptables SIP Scanner: String Drop Rules
# ============================================
# Drop SIP OPTIONS probes from unknown sources
# This single rule blocks 90%+ of SIP scanner traffic
iptables -I INPUT -p udp --dport 5060 -m string \
--string "OPTIONS sip:" \
--algo bm -j DROP
# Also drop SIP OPTIONS on TCP port 5060
iptables -I INPUT -p tcp --dport 5060 -m string \
--string "OPTIONS sip:" \
--algo bm -j DROP
# Drop known SIP scanner User-Agent strings
iptables -I INPUT -p udp --dport 5060 -m string \
--string "friendly-scanner" \
--algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string \
--string "VaxSIPUserAgent" \
--algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string \
--string "sipvicious" \
--algo bm -j DROP
iptables -I INPUT -p udp --dport 5060 -m string \
--string "SIPScan" \
--algo bm -j DROP
# Save rules permanently
service iptables save
The --algo bm parameter specifies the Boyer-Moore string search algorithm, which is fast and efficient for fixed-string matching. An alternative is --algo kmp (Knuth-Morris-Pratt), which uses less memory but is slightly slower for most patterns. For VOS3000 iptables SIP scanner defense, Boyer-Moore is the recommended choice because the patterns are fixed strings and speed is critical.
Allowing Legitimate SIP OPTIONS from Trusted IPs
Before applying the blanket OPTIONS drop rule, you should insert accept rules for your trusted SIP peers and gateway IPs. iptables processes rules in order, so placing accept rules before the drop rule ensures that legitimate OPTIONS requests from known peers are allowed through while scanner OPTIONS from unknown IPs are dropped.
# ============================================
# Allow trusted SIP peers before dropping OPTIONS
# ============================================
# Allow SIP from trusted gateway IP #1
iptables -I INPUT -p udp -s 203.0.113.10 --dport 5060 -j ACCEPT
# Allow SIP from trusted gateway IP #2
iptables -I INPUT -p udp -s 203.0.113.20 --dport 5060 -j ACCEPT
# Allow SIP from entire trusted subnet
iptables -I INPUT -p udp -s 198.51.100.0/24 --dport 5060 -j ACCEPT
# THEN drop SIP OPTIONS from all other sources
iptables -A INPUT -p udp --dport 5060 -m string \
--string "OPTIONS sip:" \
--algo bm -j DROP
# Save rules permanently
service iptables save
๐ก๏ธ Rule Type
๐ iptables Match
๐ฏ Blocks
โก Priority
Trusted IP accept
-s TRUSTED_IP –dport 5060 -j ACCEPT
Nothing (allows traffic)
First (highest)
OPTIONS string drop
-m string –string “OPTIONS sip:”
All SIP OPTIONS probes
Second
Scanner UA drop
-m string –string “friendly-scanner”
Known scanner User-Agents
Third
SIPVicious drop
-m string –string “sipvicious”
SIPVicious tool probes
Third
Rate limit (general)
-m recent –hitcount 20 –seconds 60
Any IP exceeding rate
Fourth
Limiting UDP Connections Per IP with VOS3000 iptables SIP Scanner Rules
Beyond string matching, the iptables connlimit module provides another powerful tool for your VOS3000 iptables SIP scanner defense. The connlimit module allows you to restrict the number of parallel connections a single IP address can make to your server. Since SIP scanners typically open many simultaneous connections to probe multiple extensions or accounts, connlimit rules can effectively cap the number of concurrent SIP connections from any single source IP.
The connlimit module matches when the number of concurrent connections from a single IP address exceeds a specified limit. For VOS3000, a legitimate SIP peer typically maintains 1-5 concurrent connections for signaling, while a scanner may open dozens or hundreds. Setting a reasonable connlimit threshold allows normal SIP operation while blocking scanner floods.
# ============================================
# VOS3000 iptables SIP Scanner: connlimit Rules
# ============================================
# Limit concurrent UDP connections to port 5060 per source IP
# Allow maximum 10 concurrent SIP connections per IP
iptables -A INPUT -p udp --dport 5060 \
-m connlimit --connlimit-above 10 \
-j REJECT --reject-with icmp-port-unreachable
# More aggressive limit for non-trusted IPs
# Allow maximum 5 concurrent SIP connections per IP
# Insert BEFORE trusted IP accept rules do not match this
iptables -I INPUT 3 -p udp --dport 5060 \
-m connlimit --connlimit-above 5 \
--connlimit-mask 32 \
-j DROP
# Limit per /24 subnet (blocks distributed scanners)
iptables -A INPUT -p udp --dport 5060 \
-m connlimit --connlimit-above 30 \
--connlimit-mask 24 \
-j DROP
# Save rules permanently
service iptables save
The --connlimit-mask 32 parameter applies the limit per individual IP address (a /32 mask covers exactly one IP). Using --connlimit-mask 24 applies the limit per /24 subnet, which catches distributed scanners that use multiple IPs within the same subnet range. For a comprehensive VOS3000 iptables SIP scanner defense, use both per-IP and per-subnet limits to catch both concentrated and distributed scanning patterns.
Recent Module: Rate Limiting SIP Requests Without Fail2Ban
The iptables recent module maintains a dynamic list of source IP addresses and can match based on how many times an IP has appeared in the list within a specified time window. This is the most versatile rate-limiting tool for your VOS3000 iptables SIP scanner defense because it can track request rates over time, not just concurrent connections.
# ============================================
# VOS3000 iptables SIP Scanner: Recent Module Rules
# ============================================
# Create a rate-limiting chain for SIP traffic
iptables -N SIP_RATE_LIMIT
# Add source IP to the recent list
iptables -A SIP_RATE_LIMIT -m recent --set --name sip_scanner
# Check if IP exceeded 20 requests in 60 seconds
iptables -A SIP_RATE_LIMIT -m recent --update \
--seconds 60 --hitcount 20 \
--name sip_scanner \
-j LOG --log-prefix "SIP-RATE-LIMIT: "
# Drop if exceeded threshold
iptables -A SIP_RATE_LIMIT -m recent --update \
--seconds 60 --hitcount 20 \
--name sip_scanner \
-j DROP
# Accept if under threshold
iptables -A SIP_RATE_LIMIT -j ACCEPT
# Direct SIP traffic to the rate-limiting chain
iptables -A INPUT -p udp --dport 5060 -j SIP_RATE_LIMIT
# Save rules permanently
service iptables save
This rate-limiting approach is superior to Fail2Ban for VOS3000 iptables SIP scanner defense because it operates in real-time at the kernel level. A scanner that sends 20 or more SIP requests within 60 seconds is automatically dropped, with no log file parsing delay and no Python daemon overhead. You can adjust the --hitcount and --seconds parameters to match your legitimate traffic patterns โ if your real SIP peers send more frequent keepalive OPTIONS requests, increase the hitcount threshold accordingly.
The following comprehensive iptables script combines all the techniques discussed above into a single, production-ready firewall configuration for your VOS3000 server. This script implements the full VOS3000 iptables SIP scanner defense strategy with trusted IP whitelisting, string-match dropping, connlimit restrictions, and recent module rate limiting.
#!/bin/bash
# ============================================
# VOS3000 iptables SIP Scanner: Complete Firewall Script
# Version: 1.0 | Date: April 2026
# ============================================
# Define trusted SIP peer IPs (space-separated)
TRUSTED_SIP_IPS="203.0.113.10 203.0.113.20 198.51.100.0/24"
# Flush existing rules (CAUTION: run from console only)
iptables -F
iptables -X
# Create custom chains
iptables -N SIP_TRUSTED
iptables -N SIP_SCANNER_BLOCK
iptables -N SIP_RATE_LIMIT
# ---- LOOPBACK ----
iptables -A INPUT -i lo -j ACCEPT
# ---- ESTABLISHED CONNECTIONS ----
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ---- SSH ACCESS (restrict to your IP) ----
iptables -A INPUT -p tcp -s YOUR_ADMIN_IP --dport 22 -j ACCEPT
# ---- VOS3000 WEB INTERFACE ----
iptables -A INPUT -p tcp --dport 80 -s YOUR_ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s YOUR_ADMIN_IP -j ACCEPT
# ---- TRUSTED SIP PEERS ----
for IP in $TRUSTED_SIP_IPS; do
iptables -A SIP_TRUSTED -s $IP -j ACCEPT
done
# Route port 5060 UDP through trusted chain first
iptables -A INPUT -p udp --dport 5060 -j SIP_TRUSTED
# ---- SIP SCANNER BLOCK CHAIN ----
# Drop SIP OPTIONS from unknown sources
iptables -A SIP_SCANNER_BLOCK -m string \
--string "OPTIONS sip:" \
--algo bm -j DROP
# Drop known scanner User-Agent strings
iptables -A SIP_SCANNER_BLOCK -m string \
--string "friendly-scanner" \
--algo bm -j DROP
iptables -A SIP_SCANNER_BLOCK -m string \
--string "VaxSIPUserAgent" \
--algo bm -j DROP
iptables -A SIP_SCANNER_BLOCK -m string \
--string "sipvicious" \
--algo bm -j DROP
iptables -A SIP_SCANNER_BLOCK -m string \
--string "SIPScan" \
--algo bm -j DROP
iptables -A SIP_SCANNER_BLOCK -m string \
--string "sipcli" \
--algo bm -j DROP
# Route port 5060 UDP through scanner block chain
iptables -A INPUT -p udp --dport 5060 -j SIP_SCANNER_BLOCK
# ---- RATE LIMIT CHAIN ----
# Limit concurrent connections per IP (max 10)
iptables -A SIP_RATE_LIMIT -p udp --dport 5060 \
-m connlimit --connlimit-above 10 \
--connlimit-mask 32 \
-j DROP
# Rate limit: max 20 requests per 60 seconds per IP
iptables -A SIP_RATE_LIMIT -m recent --set --name sip_rate
iptables -A SIP_RATE_LIMIT -m recent --update \
--seconds 60 --hitcount 20 \
--name sip_rate -j DROP
# Accept legitimate SIP traffic
iptables -A SIP_RATE_LIMIT -j ACCEPT
# Route port 5060 UDP through rate limit chain
iptables -A INPUT -p udp --dport 5060 -j SIP_RATE_LIMIT
# ---- MEDIA PORTS (RTP) ----
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
# ---- DEFAULT DROP ----
iptables -A INPUT -j DROP
# ---- SAVE ----
service iptables save
echo "VOS3000 iptables SIP scanner firewall applied successfully!"
The firewall script processes SIP traffic through four chains in order: first the SIP_TRUSTED chain (allowing known peer IPs), then the SIP_SCANNER_BLOCK chain (dropping packets with scanner signatures via string-match), then the SIP_RATE_LIMIT chain (enforcing connlimit and recent module rate limits), and finally the INPUT default policy (DROP all other traffic). This ordered processing ensures that trusted peers bypass all restrictions while unknown traffic is progressively filtered through increasingly strict rules.
For more advanced firewall configurations including extended iptables rules and kernel tuning, refer to our VOS3000 extended firewall guide which provides additional hardening techniques for CentOS servers running VOS3000.
VOS3000 Native IP Whitelist: Web Access Control (Section 2.14.1)
While iptables provides kernel-level packet filtering, VOS3000 also includes native IP whitelist functionality through the Web Access Control feature. This feature, documented in VOS3000 Manual Section 2.14.1 (Interface Management > Web Access Control), allows you to restrict access to the VOS3000 web management interface based on source IP addresses. Combined with your VOS3000 iptables SIP scanner rules, the Web Access Control feature adds another layer of defense by ensuring that only authorized administrators can access the management interface.
Configuring VOS3000 Web Access Control
The Web Access Control feature in VOS3000 limits which IP addresses can access the web management portal. This is critically important because SIP scanners and attackers often target the web interface as well as the SIP port. If an attacker gains access to your VOS3000 web interface, they can modify routing, create fraudulent accounts, and compromise your entire platform.
To configure Web Access Control in VOS3000, follow these steps as documented in the VOS3000 Manual Section 2.14.1:
Navigate to Interface Management: In the VOS3000 client, go to Operation Management > Interface Management > Web Access Control
Access the configuration panel: Double-click “Web Access Control” to open the IP whitelist editor
Add allowed IP addresses: Enter the IP addresses or CIDR ranges that should be permitted to access the web interface
Apply the configuration: Click Apply to activate the whitelist
Verify access: Test that you can still access the web interface from your authorized IP
๐ Setting
๐ Value
๐ Manual Reference
๐ก Recommendation
Feature
Web Access Control
Section 2.14.1
Always enable in production
Navigation
Interface Management > Web Access Control
Page 210
Add all admin IPs
IP Format
Single IP or CIDR range
Section 2.14.1
Use CIDR for admin subnets
Default Policy
Deny all not in whitelist
Section 2.14.1
Keep default deny policy
Scope
Web management interface only
Page 210
Pair with iptables for SIP
It is important to understand that the VOS3000 Web Access Control feature only protects the web management interface โ it does not protect the SIP signaling port 5060. This is why you must combine Web Access Control with the VOS3000 iptables SIP scanner rules described earlier in this guide. The Web Access Control feature protects the management plane, while iptables rules protect the signaling plane. Together, they provide complete coverage for your VOS3000 server.
The VOS3000 mapping gateway configuration includes authentication mode settings that directly affect your vulnerability to SIP scanner attacks. Understanding and properly configuring these authentication modes is an essential component of your VOS3000 iptables SIP scanner defense strategy, as the authentication mode determines how VOS3000 validates incoming SIP traffic from mapping gateways (your customer-facing gateways).
Understanding the Three Authentication Modes
VOS3000 supports three authentication modes for mapping gateways, each providing a different balance between security and flexibility. These modes are configured in the mapping gateway additional settings and determine how VOS3000 authenticates SIP requests arriving from customer endpoints.
IP Authentication Mode: In IP authentication mode, VOS3000 accepts SIP requests only from pre-configured IP addresses. Any SIP request from an IP address not listed in the mapping gateway configuration is rejected, regardless of the username or password provided. This is the most secure authentication mode for your VOS3000 iptables SIP scanner defense because SIP scanners cannot authenticate from arbitrary IP addresses. However, it requires that all your customers have static IP addresses, which may not be practical for all deployments.
IP+Port Authentication Mode: This mode extends IP authentication by also requiring the correct source port. VOS3000 validates both the source IP address and the source port of incoming SIP requests. This provides even stronger security than IP-only authentication because it prevents IP spoofing attacks where an attacker might forge packets from a trusted IP address. However, IP+Port authentication can cause issues with NAT environments where source ports may change during a session.
Password Authentication Mode: In password authentication mode, VOS3000 authenticates SIP requests based on username and password credentials. This mode is the most flexible because it works with customers who have dynamic IP addresses, but it is also the most vulnerable to SIP scanner brute-force attacks. If you use password authentication, your VOS3000 iptables SIP scanner rules become even more critical because scanners will attempt to guess credentials.
๐ Auth Mode
๐ก๏ธ Security Level
๐ฏ Validates
โ ๏ธ Vulnerability
๐ก Best For
IP
๐ข High
Source IP only
IP spoofing (rare)
Static IP customers
IP+Port
๐ข Very High
Source IP + Port
NAT issues
Dedicated SIP trunks
Password
๐ก Medium
Username + Password
Brute force attacks
Dynamic IP customers
Configuring Mapping Gateway Authentication for Maximum Security
To configure the authentication mode on a VOS3000 mapping gateway, follow these steps:
Open gateway properties: Double-click the mapping gateway to open its configuration
Set authentication mode: In the main configuration tab, select the desired authentication mode from the dropdown (IP / IP+Port / Password)
Configure authentication details: If IP mode, add the customer’s IP address in the gateway prefix or additional settings. If Password mode, ensure strong passwords are set
Apply changes: Click Apply to save the configuration
For the strongest VOS3000 iptables SIP scanner defense, use IP authentication mode whenever possible. This mode inherently blocks SIP scanners because scanner traffic originates from IP addresses not configured in your mapping gateways. When IP authentication is combined with iptables string-drop rules, your VOS3000 server becomes virtually immune to SIP scanner probes โ the iptables rules block the scanner traffic at the kernel level, and the IP authentication mode blocks any traffic that somehow passes through iptables.
Rate Limit Setting on Mapping Gateway for CPS Control
VOS3000 includes built-in rate limiting on mapping gateways that provides call-per-second (CPS) control at the application level. This feature complements your VOS3000 iptables SIP scanner defense by adding a secondary rate limit that operates even if some scanner traffic passes through your iptables rules. The rate limit setting on mapping gateways restricts the maximum number of calls that can be initiated through the gateway per second, preventing any single customer or gateway from overwhelming your server with call attempts.
Configuring Mapping Gateway Rate Limits
The rate limit setting is found in the mapping gateway additional settings. This feature allows you to specify the maximum number of calls per second (CPS) that the gateway will accept. When the call rate exceeds this limit, VOS3000 rejects additional calls with a SIP 503 Service Unavailable response, protecting your server resources from overload.
# ============================================
# VOS3000 Mapping Gateway Rate Limit Configuration
# ============================================
# Navigate to: Operation Management > Gateway Operation > Mapping Gateway
# Right-click the mapping gateway > Additional Settings
#
# Configure these rate-limiting parameters:
#
# 1. Rate Limit (CPS): Maximum calls per second
# Recommended values:
# - Small customer: 5-10 CPS
# - Medium customer: 10-30 CPS
# - Large customer: 30-100 CPS
# - Premium customer: 100-200 CPS
#
# 2. Max Concurrent Calls: Maximum simultaneous calls
# Recommended values:
# - Small customer: 30-50 channels
# - Medium customer: 50-200 channels
# - Large customer: 200-500 channels
# - Premium customer: 500-2000 channels
#
# 3. Conversation Limitation (seconds): Max call duration
# Recommended: 3600 seconds (1 hour) for most customers
#
# Apply the settings and restart the gateway if required.
๐ Customer Tier
โก CPS Limit
๐ Max Concurrent
โฑ๏ธ Max Duration (s)
๐ก๏ธ Scanner Risk
Small / Basic
5-10
30-50
1800
๐ข Low (tight limits)
Medium
10-30
50-200
3600
๐ก Medium
Large
30-100
200-500
3600
๐ Higher (needs monitoring)
Premium / Wholesale
100-200
500-2000
7200
๐ด High (strict iptables needed)
The mapping gateway rate limit works in conjunction with your VOS3000 iptables SIP scanner rules to provide multi-layered protection. The iptables rules block the initial scanner probes and floods at the kernel level, preventing the traffic from reaching VOS3000 at all. The mapping gateway rate limit acts as a safety net, catching any excessive call attempts that might pass through the iptables rules โ for example, a sophisticated attacker who has somehow obtained valid credentials but is using them to flood your server with calls. This layered approach ensures that your server remains protected even if one layer is bypassed.
Advanced VOS3000 iptables SIP Scanner Techniques: hashlimit and conntrack
For operators who need even more granular control over their VOS3000 iptables SIP scanner defense, the hashlimit and conntrack modules provide advanced rate-limiting and connection-tracking capabilities. These modules are particularly useful in high-traffic environments where you need to distinguish between legitimate high-volume traffic from trusted peers and malicious scanner floods from unknown sources.
hashlimit Module: Per-Destination Rate Limiting
The hashlimit module is the most sophisticated rate-limiting module available in iptables. Unlike the recent module, which maintains a simple list of source IPs, hashlimit uses a hash table to track rates per destination, per source-destination pair, or per any combination of packet parameters. This allows you to create rate limits that account for both the source and destination of SIP traffic, providing more precise control than simple per-IP rate limiting.
# ============================================
# VOS3000 iptables SIP Scanner: hashlimit Rules
# ============================================
# Limit SIP requests to 10 per second per source IP
# with a burst allowance of 20 packets
iptables -A INPUT -p udp --dport 5060 \
-m hashlimit \
--hashlimit 10/s \
--hashlimit-burst 20 \
--hashlimit-mode srcip \
--hashlimit-name sip_limit \
--hashlimit-htable-expire 30000 \
-j ACCEPT
# Drop all SIP traffic that exceeds the hash limit
iptables -A INPUT -p udp --dport 5060 -j DROP
# View hashlimit statistics
cat /proc/net/ipt_hashlimit/sip_limit
# Save rules permanently
service iptables save
The --hashlimit-mode srcip parameter creates a separate rate limit for each source IP address. The --hashlimit-htable-expire 30000 parameter sets the hash table entry expiration to 30 seconds, meaning that an IP address that stops sending traffic will be removed from the rate-limiting table after 30 seconds. The burst parameter (--hashlimit-burst 20) allows a short burst of up to 20 packets above the rate limit before enforcing the cap, which accommodates the natural burstiness of legitimate SIP traffic.
conntrack Module: Connection Tracking Tuning
The Linux connection tracking system (conntrack) is essential for iptables stateful filtering, but its default parameters may be insufficient for a VOS3000 server under SIP scanner attack. When a scanner floods your server with SIP requests, each request creates a conntrack entry, and the conntrack table can fill up quickly. Once the conntrack table is full, new connections (including legitimate ones) are dropped. Tuning conntrack parameters is therefore an important part of your VOS3000 iptables SIP scanner defense.
# ============================================
# VOS3000 iptables SIP Scanner: conntrack Tuning
# ============================================
# Check current conntrack maximum
cat /proc/sys/net/nf_conntrack_max
# Check current conntrack count
cat /proc/sys/net/netfilter/nf_conntrack_count
# Increase conntrack maximum for VOS3000 under attack
echo 1048576 > /proc/sys/net/nf_conntrack_max
# Reduce UDP timeout to free entries faster
echo 30 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout
echo 60 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream
# Make changes permanent across reboots
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_udp_timeout = 30" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_udp_timeout_stream = 60" >> /etc/sysctl.conf
# Apply sysctl changes
sysctl -p
โ๏ธ Parameter
๐ข Default
โ Recommended
๐ก Reason
nf_conntrack_max
65536
1048576
Prevent table overflow under attack
nf_conntrack_udp_timeout
30s
30s
Quick cleanup of scanner entries
nf_conntrack_udp_timeout_stream
180s
60s
Free entries faster for stopped flows
nf_conntrack_tcp_timeout_established
432000s
7200s
Reduce stale TCP connections
Proper conntrack tuning ensures that your VOS3000 server can handle the increased connection table entries created by SIP scanner attacks without dropping legitimate traffic. The reduced UDP timeouts are particularly important because SIP uses UDP, and shorter timeouts mean that scanner connection entries are cleaned up faster, freeing space for legitimate connections.
Monitoring and Verifying Your VOS3000 iptables SIP Scanner Defense
After implementing your VOS3000 iptables SIP scanner rules, you need to verify that they are working correctly and monitor their ongoing effectiveness. Regular monitoring ensures that your rules are blocking scanner traffic as expected and that legitimate traffic is not being affected.
Verifying iptables Rules Are Active
# ============================================
# VOS3000 iptables SIP Scanner: Verification Commands
# ============================================
# List all iptables rules with line numbers
iptables -L -n -v --line-numbers
# List only SIP-related rules
iptables -L SIP_SCANNER_BLOCK -n -v
iptables -L SIP_RATE_LIMIT -n -v
iptables -L SIP_TRUSTED -n -v
# Check recent module lists
cat /proc/net/xt_recent/sip_scanner
cat /proc/net/xt_recent/sip_rate
# Monitor iptables rule hit counters in real-time
watch -n 1 'iptables -L SIP_SCANNER_BLOCK -n -v'
# Check if specific IP is being blocked
iptables -C INPUT -s SUSPICIOUS_IP -j DROP
# View dropped packets count per rule
iptables -L INPUT -n -v | rg "DROP"
Testing Your VOS3000 iptables SIP Scanner Rules
Before relying on your iptables rules in production, test them to ensure they block scanner traffic without affecting legitimate SIP calls. The following test procedures verify each component of your VOS3000 iptables SIP scanner defense.
# ============================================
# VOS3000 iptables SIP Scanner: Testing Commands
# ============================================
# Test 1: Send SIP OPTIONS from external IP (should be dropped)
# From a test machine (NOT a trusted IP):
sipsak -s sip:YOUR_SERVER_IP:5060 OPTIONS
# Test 2: Verify OPTIONS are dropped (check counter)
iptables -L SIP_SCANNER_BLOCK -n -v | rg "OPTIONS"
# Test 3: Verify legitimate SIP call still works
# Make a test call through VOS3000 from a trusted peer
# Check VOS3000 CDR for the test call
# Test 4: Verify rate limiting works
# Send rapid SIP requests and verify blocking
for i in $(seq 1 30); do
sipsak -s sip:YOUR_SERVER_IP:5060 OPTIONS &
done
# Test 5: Check that trusted IPs bypass rate limits
# Verify that trusted IP accept rules have higher packet counts
iptables -L SIP_TRUSTED -n -v
# Test 6: Monitor server performance under simulated attack
top -b -n 5 | rg "vos3000|mbx|sip"
After completing these tests, review the iptables rule hit counters to confirm that your VOS3000 iptables SIP scanner rules are actively dropping malicious traffic. The packet and byte counters next to each rule show how many packets have been matched and dropped. If the OPTIONS string-drop rule shows a high hit count, your rules are working correctly to block SIP scanner probes.
VOS3000 iptables SIP Scanner Defense: Putting It All Together
A successful VOS3000 iptables SIP scanner defense requires integrating multiple layers of protection. Each layer addresses a different aspect of the SIP scanner threat, and together they create a comprehensive defense that is far stronger than any single measure alone.
The Five-Layer Defense Model
Your complete VOS3000 iptables SIP scanner defense should consist of five layers, each operating at a different level of the network and application stack:
Layer 1 โ iptables Trusted IP Whitelist: Allow SIP traffic only from known, trusted IP addresses. All traffic from trusted IPs bypasses the scanner detection rules. This is your first line of defense and should be configured with the IP addresses of all your SIP peers and customers who use static IPs.
Layer 2 โ iptables String-Match Dropping: Drop packets containing known scanner signatures including SIP OPTIONS requests from unknown sources, known scanner User-Agent strings, and other malicious patterns. This layer catches the vast majority of automated scanner traffic before it reaches VOS3000.
Layer 3 โ iptables Rate Limiting: Use the connlimit, recent, and hashlimit modules to restrict the rate of SIP requests from any single IP address. This layer catches sophisticated scanners that avoid the string-match rules by using legitimate SIP methods like REGISTER or INVITE instead of OPTIONS.
Layer 4 โ VOS3000 Native Security: Configure VOS3000 mapping gateway authentication mode (IP or IP+Port), rate limiting (CPS control), Web Access Control (Section 2.14.1), and dynamic blacklist features. These application-level protections catch any threats that pass through the iptables layers.
Layer 5 โ Monitoring and Response: Regularly monitor iptables hit counters, VOS3000 logs, conntrack table usage, and server performance metrics. Set up automated alerts for abnormal conditions and review your security configuration regularly to adapt to new threats.
๐ก๏ธ Layer
โ๏ธ Mechanism
๐ฏ What It Blocks
๐ Where
1 – Whitelist
iptables IP accept rules
All unknown IPs (by exclusion)
Kernel / Network
2 – String Match
iptables string module
OPTIONS probes, scanner UAs
Kernel / Network
3 – Rate Limit
connlimit + recent + hashlimit
Flood attacks, brute force
Kernel / Network
4 – VOS3000 Native
Auth mode + Rate limit + WAC
Unauthenticated calls, credential attacks
Application
5 – Monitoring
Log analysis + conntrack + alerts
New and evolving threats
Operations
For a broader overview of VOS3000 security practices, see our VOS3000 security guide which covers the complete security hardening process for your softswitch platform.
๐ Related Resources – VOS3000 iptables SIP Scanner
Frequently Asked Questions About VOS3000 iptables SIP Scanner
โ What is a VOS3000 iptables SIP scanner and why does it target my server?
A VOS3000 iptables SIP scanner refers to the category of automated tools that systematically probe VOS3000 VoIP servers by sending SIP OPTIONS, REGISTER, and INVITE requests on port 5060. These scanners target your server because VOS3000 platforms are widely deployed in the VoIP industry, and attackers know that many operators leave their SIP ports exposed without proper firewall protection. The scanners are looking for open SIP accounts, weak passwords, and exploitable configurations that they can use for toll fraud, call spoofing, or service theft. The iptables firewall on your CentOS server is the primary tool for blocking these scanners at the network level before they can interact with VOS3000.
โ How do I know if my VOS3000 server is under a SIP scanner attack?
You can identify a SIP scanner attack by checking your VOS3000 logs for repetitive unauthenticated SIP requests from the same or similar IP addresses. Use the command rg "OPTIONS" /home/vos3000/log/sipproxy.log | tail -100 to look for a high volume of OPTIONS requests. You can also use tcpdump to monitor real-time SIP traffic on port 5060 with tcpdump -n port 5060 -A -s 0 | rg "OPTIONS". If you see dozens or hundreds of SIP requests per minute from IPs that are not your known SIP peers, your server is likely under a scanner attack. Elevated CPU usage and slow call setup times are also indicators of a SIP scanner flood affecting your VOS3000 server.
โ Why should I use pure iptables instead of Fail2Ban for VOS3000 iptables SIP scanner defense?
Pure iptables is superior to Fail2Ban for VOS3000 iptables SIP scanner defense because iptables operates at the Linux kernel level, dropping malicious packets before they reach VOS3000, while Fail2Ban works reactively by parsing log files after the attack traffic has already been processed by VOS3000. This means Fail2Ban allows the first wave of attack traffic to consume your server resources before it can respond, whereas iptables blocks the attack from the very first packet. Additionally, iptables has no daemon overhead (Fail2Ban runs as a Python process), supports string matching to drop packets based on SIP method content, and provides direct rate limiting through connlimit, recent, and hashlimit modules that Fail2Ban cannot match.
โ What VOS3000 native features complement iptables for SIP scanner protection?
Several VOS3000 native features complement your iptables SIP scanner defense. The Web Access Control feature (Manual Section 2.14.1) restricts web management access to authorized IPs. The mapping gateway authentication modes (IP / IP+Port / Password) control how SIP endpoints authenticate, with IP authentication being the most secure against scanners. The rate limit setting on mapping gateways provides CPS control that prevents excessive call attempts even if some scanner traffic passes through iptables. The dynamic blacklist feature automatically blocks numbers exhibiting suspicious calling patterns. Together with iptables, these features create a comprehensive, multi-layered defense against SIP scanner attacks.
โ Can iptables string-match rules block legitimate SIP OPTIONS from my peers?
Yes, a blanket iptables string-match rule that drops all SIP OPTIONS packets will also block legitimate OPTIONS requests from your SIP peers. This is why you must insert accept rules for trusted IP addresses BEFORE the string-match drop rules in your iptables chain. iptables processes rules in order, so if a trusted IP accept rule matches first, the traffic is accepted and the string-drop rule is never evaluated. Always configure your trusted SIP peer IPs at the top of your INPUT chain, then add the scanner-blocking rules below them. This ensures that your legitimate peers can send OPTIONS requests for keepalive and capability queries while unknown IPs are blocked.
โ How do I configure mapping gateway rate limiting in VOS3000 to complement iptables?
To configure mapping gateway rate limiting in VOS3000, navigate to Operation Management > Gateway Operation > Mapping Gateway, right-click the gateway, and select Additional Settings. In the rate limit field, set the maximum calls per second (CPS) appropriate for the customer tier โ typically 5-10 CPS for small customers and up to 100-200 CPS for premium wholesale customers. Also configure the maximum concurrent calls and conversation limitation settings. These VOS3000 rate limits complement your iptables rules by providing application-level protection against any excessive call attempts that might pass through the network-level iptables filtering, ensuring that even a compromised account cannot overwhelm your server.
โ What conntrack tuning is needed for VOS3000 under SIP scanner attack?
Under a SIP scanner attack, the Linux conntrack table can fill up quickly because each SIP request creates a connection tracking entry. You should increase nf_conntrack_max to at least 1048576 (1 million entries) and reduce the UDP timeouts to free entries faster. Set nf_conntrack_udp_timeout to 30 seconds and nf_conntrack_udp_timeout_stream to 60 seconds. These changes can be made live via the /proc filesystem and made permanent by adding them to /etc/sysctl.conf. Without these tuning adjustments, a severe SIP scanner attack can fill the conntrack table and cause Linux to drop all new connections, including legitimate SIP calls.
Protect Your VOS3000 from SIP Scanners
Implementing a robust VOS3000 iptables SIP scanner defense is not optional โ it is a fundamental requirement for any VOS3000 operator who exposes SIP services to the internet. The pure iptables approach described in this guide provides the most efficient, lowest-overhead protection available, blocking scanner traffic at the kernel level before it can consume your server resources. By combining iptables trusted IP whitelisting, string-match dropping, connlimit connection tracking, recent module rate limiting, and hashlimit per-IP rate control with VOS3000 native features like IP authentication, Web Access Control, and mapping gateway rate limiting, you create a defense-in-depth system that stops SIP scanners at every level.
Remember that security is an ongoing process, not a one-time configuration. Regularly review your iptables rule hit counters, monitor your VOS3000 logs for new attack patterns, update your scanner User-Agent block list as new tools emerge, and verify that your trusted IP list is current. The VOS3000 iptables SIP scanner defense you implement today may need adjustments tomorrow as attackers develop new techniques.
๐ฑ Contact us on WhatsApp: +8801911119966
Our VOS3000 security specialists can help you implement the complete iptables SIP scanner defense described in this guide, audit your existing configuration for vulnerabilities, and provide ongoing monitoring and support. Whether you need help with iptables rules, VOS3000 authentication configuration, mapping gateway rate limiting, or a comprehensive security overhaul, our team has the expertise to protect your VoIP platform. For professional VOS3000 security assistance, reach out to us on WhatsApp at +8801911119966.
๐ Need Professional VOS3000 Setup Support?
For professional VOS3000 installations and deployment, VOS3000 Server Rental Solution:
VOS3000 Gateway Configuration: Complete Routing and Mapping Gateway Setup Guide
VOS3000 gateway configuration is the foundation of any successful VoIP wholesale operation. Understanding the difference between routing gateways and mapping gateways, and configuring them correctly, determines whether your VoIP traffic flows smoothly or encounters constant problems. This comprehensive guide covers all aspects of VOS3000 gateway setup based on the official VOS3000 2.1.9.07 manual documentation.
๐ Need help with VOS3000 gateway setup? WhatsApp: +8801911119966
VOS3000 uses two fundamental gateway types that serve different purposes in the call flow architecture. Understanding the distinction between these gateway types is essential for proper system configuration and troubleshooting. (VOS3000 Gateway Configuration)
๐ Gateway Type Comparison (VOS3000 Gateway Configuration)
Routing gateways are configured to send calls to termination providers and vendors. Each routing gateway represents a destination for outbound calls and contains all parameters needed for proper call routing and billing.
For static gateways, enter the vendor’s IP address
Signaling Port
SIP: 5060, H.323: 1720
Default ports or custom ports if vendor requires
Gateway Prefix
Route matching prefix
Used for LCR routing; longest prefix match wins
Line Limit
Maximum concurrent calls
Set based on vendor capacity agreement
Priority
Routing priority (lower = higher)
0-100, used when multiple gateways match
โ๏ธ Gateway Type Configuration Details (VOS3000 Gateway Configuration)
VOS3000 supports three gateway types, each with specific use cases:
๐ Static Gateway
Configuration for Static Gateway:
- IP Address: Required - Enter vendor's IP address
- Port: SIP default 5060, H.323 default 1720
- Authentication: IP-based (no username/password needed)
- Best for: Dedicated vendor connections, known IP addresses
Steps to configure:
1. Navigation โ Operation Management โ Gateway Operation โ Routing Gateway
2. Click "Add" to create new gateway
3. Select Gateway Type: Static
4. Enter Gateway Name (unique identifier)
5. Enter IP Address of vendor gateway
6. Set Protocol (SIP or H.323)
7. Set Signaling Port
8. Configure Line Limit
9. Click "Apply" to save
๐ Dynamic Gateway
Configuration for Dynamic Gateway:
- IP Address: Not required - discovered through registration
- Registration: Vendor registers to VOS3000
- Authentication: Username/password required
- Best for: Vendors with dynamic IPs, NAT traversal
Steps to configure:
1. Create gateway with type "Dynamic"
2. Vendor must configure their end to register to VOS3000
3. VOS3000 learns IP from registration
4. Set registration expiry parameters
5. Monitor registration status in "Online Routing Gateway"
๐ Registration Gateway
Configuration for Registration Gateway (Outbound Registration):
- VOS3000 registers TO the vendor
- Required when vendor requires authentication
- Configuration via "Registration Management"
Steps to configure:
1. Navigation โ Operation Management โ Registration Management
2. Add new registration entry:
- Mark: Unique identifier
- User Name: Vendor-provided username
- Authentication Password: Vendor-provided password
- Server IP: Vendor's registration server
- Signaling Port: Typically 5060
- Register Period: Registration interval (default 3600s)
3. In Routing Gateway, select type "Registration"
4. Reference the Mark from Registration Management
5. Monitor registration in Registration Management view
๐ง Mapping Gateway Configuration
Mapping gateways handle incoming calls from customers and are associated with customer accounts. Each mapping gateway configuration determines how VOS3000 identifies and bills the originating party.
VOS3000 supports multiple authentication methods for gateways. Selecting the appropriate method depends on your security requirements and network topology.
๐ Authentication Method Comparison
Method
Security Level
Use Case
Configuration
IP-Based
Medium
Fixed IP gateways, trusted networks
Gateway IP = Allowed IP
SIP Digest
High
Dynamic IPs, softphones, any network
Username + Password required
IP + Digest
Highest
High-security environments
Both IP and credentials validated
๐ต Codec Configuration
Codec configuration determines voice quality and bandwidth usage for calls through each gateway. VOS3000 allows codec preferences to be set per gateway.
๐ Supported Codecs
Codec
Bitrate
Quality
Bandwidth (with overhead)
G.711 (alaw/ulaw)
64 kbps
Excellent
~87 kbps
G.729
8 kbps
Good
~31 kbps
G.723.1
5.3/6.3 kbps
Fair
~21 kbps
GSM
13 kbps
Fair
~36 kbps
โ๏ธ Configuring Codec Priority
In Gateway Additional Settings โ Codec:
1. Add supported codecs in priority order
2. Most preferred codec at top of list
3. System parameter default: SS_VALUE_ADDED_CODECS
Example Configuration (Low Bandwidth Priority):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Priority โ Codec โ Type โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 1 โ G.729 โ Audio โ
โ 2 โ G.723.1 โ Audio โ
โ 3 โ G.711a โ Audio โ
โ 4 โ G.711u โ Audio โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Example Configuration (Quality Priority):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Priority โ Codec โ Type โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 1 โ G.711u โ Audio โ
โ 2 โ G.711a โ Audio โ
โ 3 โ G.729 โ Audio โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก DTMF Configuration
DTMF (Dual-Tone Multi-Frequency) handling is critical for IVR systems and calling card platforms. VOS3000 supports multiple DTMF modes.
โ๏ธ DTMF Mode Options
DTMF Mode
Protocol
Reliability
Best For
RFC 2833
SIP
High
Most SIP devices, recommended
Inband
SIP/H.323
Low
Legacy devices only
SIP INFO
SIP
Medium
Specific vendor requirements
H.245 Alphanumeric
H.323
High
H.323 gateways (default)
๐ Gateway Groups
Gateway groups allow you to organize multiple gateways for routing purposes. This is useful for load balancing, redundancy, and access control.
โ๏ธ Gateway Group Configuration
Location: Navigation โ Operation Management โ Gateway Operation โ Gateway Group
Parameters:
- Gateway Group Name: Descriptive name for the group
- Line Limit: Total capacity for the group
โข None: Use individual gateway limits
โข Set value: Override individual limits
- Number of Routing Gateways: Count of routing GW in group
- Number of Mapping Gateways: Count of mapping GW in group
Use Cases:
1. Route balancing across multiple vendors
2. Restrict specific customers to specific vendors
3. Implement failover groups
4. Organize gateways by destination or quality tier
๐ Monitoring Gateway Status
VOS3000 provides real-time monitoring of gateway status through the Online Gateway views.
๐ Online Routing Gateway Information (VOS3000 Gateway Configuration)
Field
Description
Gateway Name
Device ID of the gateway
Number of Calling
Current active calls / Total line limit
Routing ASR
Answer Seizure Ratio (if real-time ASR enabled)
Routing ACD
Average Call Duration (if real-time ACD enabled)
Call Per Second
Current call rate (if rate limiting enabled)
Registered IP
Current IP address of the gateway
Registration Time
When the gateway last registered
Encryption Type
TLS/SRTP status if configured
โ ๏ธ Common Gateway Configuration Problems
๐ง Troubleshooting Guide
Problem
Possible Cause
Solution
Gateway not registering
Wrong credentials, firewall blocking
Verify username/password, check firewall rules
Calls failing with NoAvailableRouter
No matching prefix, gateway offline
Check gateway prefix, verify gateway status
One-way audio
NAT issues, media proxy setting
Enable media proxy, check NAT configuration
Call quality issues
Codec mismatch, bandwidth
Verify codec negotiation, check network
DTMF not working
DTMF mode mismatch
Set matching DTMF mode on both ends
๐ Related Resources (VOS3000 Gateway Configuration)
What is the difference between Static and Dynamic gateway types?
Static gateways use a fixed IP address that you configure manually – VOS3000 always sends calls to that IP. Dynamic gateways learn the IP address from SIP registration – the gateway device registers to VOS3000, and VOS3000 uses the registered IP for routing. Use Static when the vendor has a fixed IP, and Dynamic when the device may have a changing IP or is behind NAT.
How do I configure a gateway for a vendor that requires outbound registration?
First, create an entry in Registration Management with the vendor’s server IP, username, and password. Then create a Routing Gateway with type “Registration” and reference the Mark field from Registration Management. VOS3000 will register to the vendor and use that registration for routing calls.
What should the Line Limit be set to?
Line Limit should match your agreement with the vendor or the actual capacity of the gateway. Setting it too high may result in call failures when the vendor cannot handle the load. Setting it too low wastes available capacity. Monitor ASR and ACD to determine optimal settings.
How do I implement gateway failover?
Configure multiple routing gateways with the same prefix but different priorities. Lower priority values are tried first. If a call fails, VOS3000 will try the next gateway in priority order. You can also use Gateway Groups to organize failover paths.
Why is my gateway showing as offline in VOS3000?
For dynamic gateways, check if registration is working properly by examining Registration Management. For static gateways, verify the IP is reachable (ping test), firewall rules allow the SIP port, and the gateway device is powered on and operational. Check system logs for registration or connection errors.
๐ Get Expert Help with VOS3000 Gateway Configuration
Need assistance configuring VOS3000 gateways for your wholesale VoIP operation? Our team provides professional VOS3000 installation, gateway configuration, and ongoing support services.
