VOS3000 iptables SIP Scanner: Block OPTIONS Floods Without Fail2Ban

Every VOS3000 operator who exposes SIP port 5060 to the internet has experienced the relentless pounding of SIP scanners. These automated tools send thousands of SIP OPTIONS requests per second, probing your server for open accounts, valid extensions, and authentication weaknesses. A VOS3000 iptables SIP scanner defense strategy using pure iptables rules — without the overhead of Fail2Ban — is the most efficient and reliable way to stop these attacks at the network level before they consume your server resources. This guide provides complete, production-tested iptables rules and VOS3000 native security configurations that will protect your softswitch from SIP OPTIONS floods and scanner probes.

The problem with relying on Fail2Ban for VOS3000 SIP scanner protection is that Fail2Ban parses log files reactively — it only blocks an IP after the attack has already reached your application layer and consumed CPU processing those requests. Pure iptables rules, on the other hand, drop malicious packets at the kernel level before they ever reach VOS3000, resulting in zero resource waste. When you combine kernel-level packet filtering with VOS3000 native features like IP whitelist authentication, Web Access Control (Manual Section 2.14.1), and mapping gateway rate limiting, you create an impenetrable defense that stops SIP scanners dead in their tracks.

In this comprehensive guide, we cover every aspect of building a VOS3000 iptables SIP scanner defense system: from understanding how SIP scanners operate and identifying attacks in your logs, to implementing iptables string-match rules, connlimit connection tracking, recent module rate limiting, and VOS3000 native security features. All configurations reference the VOS3000 V2.1.9.07 Manual and have been verified in production environments. For expert assistance with your VOS3000 security, contact us on WhatsApp at +8801911119966.

How VOS3000 iptables SIP Scanner Attacks Waste Server Resources

SIP scanners are automated tools that systematically probe VoIP servers on port 5060 (UDP and TCP). They send SIP OPTIONS requests, REGISTER attempts, and INVITE probes to discover valid accounts and weak passwords. Understanding exactly how these attacks affect your VOS3000 server is the first step toward building an effective defense.

The SIP OPTIONS Flood Mechanism

A SIP OPTIONS request is a legitimate SIP method used to query a server or user agent about its capabilities. However, SIP scanners abuse this method by sending thousands of OPTIONS requests per minute from a single IP address or from distributed sources. Each OPTIONS request that reaches VOS3000 must be processed by the SIP stack, which allocates memory, parses the SIP message, generates a response, and sends it back. At high volumes, this processing consumes significant CPU and memory resources that should be serving your legitimate call traffic.

The impact of a SIP OPTIONS flood on an unprotected VOS3000 server includes elevated CPU usage on the SIP processing threads, increased memory consumption for tracking thousands of short-lived SIP dialogs, degraded call setup times for legitimate calls, potential SIP socket buffer overflow causing dropped legitimate SIP messages, and inflated log files that make it difficult to identify real problems. A severe SIP OPTIONS flood can effectively create a denial-of-service condition where your VOS3000 server is too busy responding to scanner probes to process real calls.

Common VOS3000 iptables SIP Scanner Attack Patterns

SIP scanners targeting VOS3000 servers typically follow predictable patterns that can be identified and blocked with iptables rules. The most common attack patterns include rapid-fire SIP OPTIONS probes used to check if your server is alive and responding, brute-force REGISTER attempts with common username/password combinations, SIP INVITE probes to discover valid extension numbers, scanning from multiple IP addresses in the same subnet (distributed scanning), and scanning with spoofed or randomized User-Agent headers to avoid simple pattern matching. Each of these patterns has a distinctive signature that iptables can detect and block at the kernel level, before VOS3000 ever processes the malicious request.

The key insight for building an effective VOS3000 iptables SIP scanner defense is that legitimate SIP traffic and scanner traffic have fundamentally different behavioral signatures. Legitimate SIP clients send a small number of requests per minute, maintain established dialog states, and follow the SIP protocol flow. Scanners, on the other hand, send high volumes of stateless requests, often with identical or semi-random content, and never complete legitimate call flows. By targeting these behavioral differences, your iptables rules can block scanners with minimal risk of blocking legitimate traffic.

Identifying VOS3000 iptables SIP Scanner Attacks from Logs

Before implementing iptables rules, you need to confirm that your VOS3000 server is actually under a SIP scanner attack. VOS3000 provides several logging mechanisms that reveal scanner activity, and knowing how to read these logs is essential for both detection and for calibrating your iptables rules appropriately.

Checking VOS3000 SIP Logs for Scanner Activity

The VOS3000 SIP logs are located in the /home/vos3000/log/ directory. The key log files to monitor include sipproxy.log for SIP proxy activity, mbx.log for media box and call processing, and the system-level /var/log/messages for kernel-level network information. When a SIP scanner is active, you will see repetitive patterns of unauthenticated SIP requests from the same or similar IP addresses.

# Check VOS3000 SIP logs for scanner patterns
# Look for repeated OPTIONS from same IP
rg "OPTIONS" /home/vos3000/log/sipproxy.log | tail -100

# Count requests per source IP (identify top scanners)
rg "OPTIONS" /home/vos3000/log/sipproxy.log | \
  awk '{print $1}' | sort | uniq -c | sort -rn | head -20

# Check for failed registration attempts
rg "401 Unauthorized|403 Forbidden" /home/vos3000/log/sipproxy.log | \
  tail -50

# Monitor real-time SIP traffic on port 5060
tcpdump -n port 5060 -A -s 0 | rg "OPTIONS"

Using tcpdump to Detect SIP Scanner Floods

When you suspect a SIP scanner attack, tcpdump provides the most immediate and detailed view of the traffic hitting your server. The following tcpdump commands help you identify the source, volume, and pattern of SIP scanner traffic targeting your VOS3000 server.

# Real-time SIP packet count per source IP
tcpdump -n -l port 5060 | \
  awk '{print $3}' | cut -d. -f1-4 | \
  sort | uniq -c | sort -rn

# Count SIP OPTIONS per second
tcpdump -n port 5060 -l 2>/dev/null | \
  rg -c "OPTIONS"

# Capture and display full SIP OPTIONS packets
tcpdump -n port 5060 -A -s 0 -c 50 | \
  rg -A 20 "OPTIONS sip:"

# Check UDP connection rate from specific IP
tcpdump -n src host SUSPICIOUS_IP and port 5060 -l | \
  awk '{print NR}'

Why Pure iptables Beats Fail2Ban for VOS3000 iptables SIP Scanner Defense

Many VOS3000 operators initially turn to Fail2Ban for SIP scanner protection because it is well-documented and widely recommended in general VoIP security guides. However, Fail2Ban has significant drawbacks when used as a VOS3000 iptables SIP scanner defense mechanism, and pure iptables rules provide superior protection in every measurable way.

The Fail2Ban Reactive Approach vs. iptables Proactive Approach

Fail2Ban operates by monitoring log files for patterns that indicate malicious activity, then dynamically creating iptables rules to block the offending IP addresses. This reactive approach means that the attack traffic must first reach VOS3000, be processed by the SIP stack, generate log entries, and then be parsed by Fail2Ban before any blocking occurs. The time delay between the start of an attack and Fail2Ban’s response can be several minutes, during which your VOS3000 server is processing thousands of malicious SIP requests.

Pure iptables rules, by contrast, operate at the kernel packet filtering level. When a packet arrives on the network interface, iptables evaluates it against your rules before it is delivered to any user-space process, including VOS3000. A malicious SIP OPTIONS packet that matches a rate-limiting rule is dropped instantly at the kernel level, consuming only the minimal CPU cycles needed for rule evaluation. VOS3000 never sees the packet, never processes it, and never writes a log entry for it. This proactive approach provides zero-latency protection with zero application-layer overhead.

The pure iptables approach for your VOS3000 iptables SIP scanner defense also eliminates the risk of Fail2Ban itself becoming a performance problem. Fail2Ban runs as a Python daemon that continuously reads log files, which adds its own CPU and I/O overhead. On a server under heavy SIP scanner attack, the log files grow rapidly, and Fail2Ban’s log parsing can consume significant resources — ironically adding to the very load you are trying to reduce. Pure iptables rules have no daemon, no log parsing, and no Python overhead; they run as part of the Linux kernel’s network stack.

Essential VOS3000 iptables SIP Scanner Rules: String Drop for OPTIONS

The most powerful weapon in your VOS3000 iptables SIP scanner defense arsenal is the iptables string match module. This module allows you to inspect the content of network packets and drop those that contain specific SIP method strings. By dropping packets that contain the SIP OPTIONS method string, you can instantly block the most common type of SIP scanner probe without affecting legitimate INVITE, REGISTER, ACK, BYE, and CANCEL messages that your VOS3000 server needs to process.

iptables String-Match Rule to Drop SIP OPTIONS

The following iptables rule uses the string module to inspect UDP packets destined for port 5060 and drop any that contain the text “OPTIONS sip:” in their payload. This is the most effective single rule for blocking SIP scanners because the vast majority of scanner probes use the OPTIONS method.

# ============================================
# VOS3000 iptables SIP Scanner: String Drop Rules
# ============================================

# Drop SIP OPTIONS probes from unknown sources
# This single rule blocks 90%+ of SIP scanner traffic
iptables -I INPUT -p udp --dport 5060 -m string \
  --string "OPTIONS sip:" \
  --algo bm -j DROP

# Also drop SIP OPTIONS on TCP port 5060
iptables -I INPUT -p tcp --dport 5060 -m string \
  --string "OPTIONS sip:" \
  --algo bm -j DROP

# Drop known SIP scanner User-Agent strings
iptables -I INPUT -p udp --dport 5060 -m string \
  --string "friendly-scanner" \
  --algo bm -j DROP

iptables -I INPUT -p udp --dport 5060 -m string \
  --string "VaxSIPUserAgent" \
  --algo bm -j DROP

iptables -I INPUT -p udp --dport 5060 -m string \
  --string "sipvicious" \
  --algo bm -j DROP

iptables -I INPUT -p udp --dport 5060 -m string \
  --string "SIPScan" \
  --algo bm -j DROP

# Save rules permanently
service iptables save

The --algo bm parameter specifies the Boyer-Moore string search algorithm, which is fast and efficient for fixed-string matching. An alternative is --algo kmp (Knuth-Morris-Pratt), which uses less memory but is slightly slower for most patterns. For VOS3000 iptables SIP scanner defense, Boyer-Moore is the recommended choice because the patterns are fixed strings and speed is critical.

Allowing Legitimate SIP OPTIONS from Trusted IPs

Before applying the blanket OPTIONS drop rule, you should insert accept rules for your trusted SIP peers and gateway IPs. iptables processes rules in order, so placing accept rules before the drop rule ensures that legitimate OPTIONS requests from known peers are allowed through while scanner OPTIONS from unknown IPs are dropped.

# ============================================
# Allow trusted SIP peers before dropping OPTIONS
# ============================================

# Allow SIP from trusted gateway IP #1
iptables -I INPUT -p udp -s 203.0.113.10 --dport 5060 -j ACCEPT

# Allow SIP from trusted gateway IP #2
iptables -I INPUT -p udp -s 203.0.113.20 --dport 5060 -j ACCEPT

# Allow SIP from entire trusted subnet
iptables -I INPUT -p udp -s 198.51.100.0/24 --dport 5060 -j ACCEPT

# THEN drop SIP OPTIONS from all other sources
iptables -A INPUT -p udp --dport 5060 -m string \
  --string "OPTIONS sip:" \
  --algo bm -j DROP

# Save rules permanently
service iptables save

Limiting UDP Connections Per IP with VOS3000 iptables SIP Scanner Rules

Beyond string matching, the iptables connlimit module provides another powerful tool for your VOS3000 iptables SIP scanner defense. The connlimit module allows you to restrict the number of parallel connections a single IP address can make to your server. Since SIP scanners typically open many simultaneous connections to probe multiple extensions or accounts, connlimit rules can effectively cap the number of concurrent SIP connections from any single source IP.

connlimit Module: Restricting Parallel Connections

The connlimit module matches when the number of concurrent connections from a single IP address exceeds a specified limit. For VOS3000, a legitimate SIP peer typically maintains 1-5 concurrent connections for signaling, while a scanner may open dozens or hundreds. Setting a reasonable connlimit threshold allows normal SIP operation while blocking scanner floods.

# ============================================
# VOS3000 iptables SIP Scanner: connlimit Rules
# ============================================

# Limit concurrent UDP connections to port 5060 per source IP
# Allow maximum 10 concurrent SIP connections per IP
iptables -A INPUT -p udp --dport 5060 \
  -m connlimit --connlimit-above 10 \
  -j REJECT --reject-with icmp-port-unreachable

# More aggressive limit for non-trusted IPs
# Allow maximum 5 concurrent SIP connections per IP
# Insert BEFORE trusted IP accept rules do not match this
iptables -I INPUT 3 -p udp --dport 5060 \
  -m connlimit --connlimit-above 5 \
  --connlimit-mask 32 \
  -j DROP

# Limit per /24 subnet (blocks distributed scanners)
iptables -A INPUT -p udp --dport 5060 \
  -m connlimit --connlimit-above 30 \
  --connlimit-mask 24 \
  -j DROP

# Save rules permanently
service iptables save

The --connlimit-mask 32 parameter applies the limit per individual IP address (a /32 mask covers exactly one IP). Using --connlimit-mask 24 applies the limit per /24 subnet, which catches distributed scanners that use multiple IPs within the same subnet range. For a comprehensive VOS3000 iptables SIP scanner defense, use both per-IP and per-subnet limits to catch both concentrated and distributed scanning patterns.

Recent Module: Rate Limiting SIP Requests Without Fail2Ban

The iptables recent module maintains a dynamic list of source IP addresses and can match based on how many times an IP has appeared in the list within a specified time window. This is the most versatile rate-limiting tool for your VOS3000 iptables SIP scanner defense because it can track request rates over time, not just concurrent connections.

# ============================================
# VOS3000 iptables SIP Scanner: Recent Module Rules
# ============================================

# Create a rate-limiting chain for SIP traffic
iptables -N SIP_RATE_LIMIT

# Add source IP to the recent list
iptables -A SIP_RATE_LIMIT -m recent --set --name sip_scanner

# Check if IP exceeded 20 requests in 60 seconds
iptables -A SIP_RATE_LIMIT -m recent --update \
  --seconds 60 --hitcount 20 \
  --name sip_scanner \
  -j LOG --log-prefix "SIP-RATE-LIMIT: "

# Drop if exceeded threshold
iptables -A SIP_RATE_LIMIT -m recent --update \
  --seconds 60 --hitcount 20 \
  --name sip_scanner \
  -j DROP

# Accept if under threshold
iptables -A SIP_RATE_LIMIT -j ACCEPT

# Direct SIP traffic to the rate-limiting chain
iptables -A INPUT -p udp --dport 5060 -j SIP_RATE_LIMIT

# Save rules permanently
service iptables save

This rate-limiting approach is superior to Fail2Ban for VOS3000 iptables SIP scanner defense because it operates in real-time at the kernel level. A scanner that sends 20 or more SIP requests within 60 seconds is automatically dropped, with no log file parsing delay and no Python daemon overhead. You can adjust the --hitcount and --seconds parameters to match your legitimate traffic patterns — if your real SIP peers send more frequent keepalive OPTIONS requests, increase the hitcount threshold accordingly.

Complete VOS3000 iptables SIP Scanner Firewall Script

The following comprehensive iptables script combines all the techniques discussed above into a single, production-ready firewall configuration for your VOS3000 server. This script implements the full VOS3000 iptables SIP scanner defense strategy with trusted IP whitelisting, string-match dropping, connlimit restrictions, and recent module rate limiting.

#!/bin/bash
# ============================================
# VOS3000 iptables SIP Scanner: Complete Firewall Script
# Version: 1.0 | Date: April 2026
# ============================================

# Define trusted SIP peer IPs (space-separated)
TRUSTED_SIP_IPS="203.0.113.10 203.0.113.20 198.51.100.0/24"

# Flush existing rules (CAUTION: run from console only)
iptables -F
iptables -X

# Create custom chains
iptables -N SIP_TRUSTED
iptables -N SIP_SCANNER_BLOCK
iptables -N SIP_RATE_LIMIT

# ---- LOOPBACK ----
iptables -A INPUT -i lo -j ACCEPT

# ---- ESTABLISHED CONNECTIONS ----
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---- SSH ACCESS (restrict to your IP) ----
iptables -A INPUT -p tcp -s YOUR_ADMIN_IP --dport 22 -j ACCEPT

# ---- VOS3000 WEB INTERFACE ----
iptables -A INPUT -p tcp --dport 80 -s YOUR_ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s YOUR_ADMIN_IP -j ACCEPT

# ---- TRUSTED SIP PEERS ----
for IP in $TRUSTED_SIP_IPS; do
  iptables -A SIP_TRUSTED -s $IP -j ACCEPT
done

# Route port 5060 UDP through trusted chain first
iptables -A INPUT -p udp --dport 5060 -j SIP_TRUSTED

# ---- SIP SCANNER BLOCK CHAIN ----

# Drop SIP OPTIONS from unknown sources
iptables -A SIP_SCANNER_BLOCK -m string \
  --string "OPTIONS sip:" \
  --algo bm -j DROP

# Drop known scanner User-Agent strings
iptables -A SIP_SCANNER_BLOCK -m string \
  --string "friendly-scanner" \
  --algo bm -j DROP

iptables -A SIP_SCANNER_BLOCK -m string \
  --string "VaxSIPUserAgent" \
  --algo bm -j DROP

iptables -A SIP_SCANNER_BLOCK -m string \
  --string "sipvicious" \
  --algo bm -j DROP

iptables -A SIP_SCANNER_BLOCK -m string \
  --string "SIPScan" \
  --algo bm -j DROP

iptables -A SIP_SCANNER_BLOCK -m string \
  --string "sipcli" \
  --algo bm -j DROP

# Route port 5060 UDP through scanner block chain
iptables -A INPUT -p udp --dport 5060 -j SIP_SCANNER_BLOCK

# ---- RATE LIMIT CHAIN ----

# Limit concurrent connections per IP (max 10)
iptables -A SIP_RATE_LIMIT -p udp --dport 5060 \
  -m connlimit --connlimit-above 10 \
  --connlimit-mask 32 \
  -j DROP

# Rate limit: max 20 requests per 60 seconds per IP
iptables -A SIP_RATE_LIMIT -m recent --set --name sip_rate
iptables -A SIP_RATE_LIMIT -m recent --update \
  --seconds 60 --hitcount 20 \
  --name sip_rate -j DROP

# Accept legitimate SIP traffic
iptables -A SIP_RATE_LIMIT -j ACCEPT

# Route port 5060 UDP through rate limit chain
iptables -A INPUT -p udp --dport 5060 -j SIP_RATE_LIMIT

# ---- MEDIA PORTS (RTP) ----
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

# ---- DEFAULT DROP ----
iptables -A INPUT -j DROP

# ---- SAVE ----
service iptables save

echo "VOS3000 iptables SIP scanner firewall applied successfully!"

The firewall script processes SIP traffic through four chains in order: first the SIP_TRUSTED chain (allowing known peer IPs), then the SIP_SCANNER_BLOCK chain (dropping packets with scanner signatures via string-match), then the SIP_RATE_LIMIT chain (enforcing connlimit and recent module rate limits), and finally the INPUT default policy (DROP all other traffic). This ordered processing ensures that trusted peers bypass all restrictions while unknown traffic is progressively filtered through increasingly strict rules.

For more advanced firewall configurations including extended iptables rules and kernel tuning, refer to our VOS3000 extended firewall guide which provides additional hardening techniques for CentOS servers running VOS3000.

VOS3000 Native IP Whitelist: Web Access Control (Section 2.14.1)

While iptables provides kernel-level packet filtering, VOS3000 also includes native IP whitelist functionality through the Web Access Control feature. This feature, documented in VOS3000 Manual Section 2.14.1 (Interface Management > Web Access Control), allows you to restrict access to the VOS3000 web management interface based on source IP addresses. Combined with your VOS3000 iptables SIP scanner rules, the Web Access Control feature adds another layer of defense by ensuring that only authorized administrators can access the management interface.

Configuring VOS3000 Web Access Control

The Web Access Control feature in VOS3000 limits which IP addresses can access the web management portal. This is critically important because SIP scanners and attackers often target the web interface as well as the SIP port. If an attacker gains access to your VOS3000 web interface, they can modify routing, create fraudulent accounts, and compromise your entire platform.

To configure Web Access Control in VOS3000, follow these steps as documented in the VOS3000 Manual Section 2.14.1:

1. Navigate to Interface Management: In the VOS3000 client, go to Operation Management > Interface Management > Web Access Control
2. Access the configuration panel: Double-click “Web Access Control” to open the IP whitelist editor
3. Add allowed IP addresses: Enter the IP addresses or CIDR ranges that should be permitted to access the web interface
4. Apply the configuration: Click Apply to activate the whitelist
5. Verify access: Test that you can still access the web interface from your authorized IP

It is important to understand that the VOS3000 Web Access Control feature only protects the web management interface — it does not protect the SIP signaling port 5060. This is why you must combine Web Access Control with the VOS3000 iptables SIP scanner rules described earlier in this guide. The Web Access Control feature protects the management plane, while iptables rules protect the signaling plane. Together, they provide complete coverage for your VOS3000 server.

VOS3000 Mapping Gateway Authentication Modes for VOS3000 iptables SIP Scanner Defense

The VOS3000 mapping gateway configuration includes authentication mode settings that directly affect your vulnerability to SIP scanner attacks. Understanding and properly configuring these authentication modes is an essential component of your VOS3000 iptables SIP scanner defense strategy, as the authentication mode determines how VOS3000 validates incoming SIP traffic from mapping gateways (your customer-facing gateways).

Understanding the Three Authentication Modes

VOS3000 supports three authentication modes for mapping gateways, each providing a different balance between security and flexibility. These modes are configured in the mapping gateway additional settings and determine how VOS3000 authenticates SIP requests arriving from customer endpoints.

IP Authentication Mode: In IP authentication mode, VOS3000 accepts SIP requests only from pre-configured IP addresses. Any SIP request from an IP address not listed in the mapping gateway configuration is rejected, regardless of the username or password provided. This is the most secure authentication mode for your VOS3000 iptables SIP scanner defense because SIP scanners cannot authenticate from arbitrary IP addresses. However, it requires that all your customers have static IP addresses, which may not be practical for all deployments.

IP+Port Authentication Mode: This mode extends IP authentication by also requiring the correct source port. VOS3000 validates both the source IP address and the source port of incoming SIP requests. This provides even stronger security than IP-only authentication because it prevents IP spoofing attacks where an attacker might forge packets from a trusted IP address. However, IP+Port authentication can cause issues with NAT environments where source ports may change during a session.

Password Authentication Mode: In password authentication mode, VOS3000 authenticates SIP requests based on username and password credentials. This mode is the most flexible because it works with customers who have dynamic IP addresses, but it is also the most vulnerable to SIP scanner brute-force attacks. If you use password authentication, your VOS3000 iptables SIP scanner rules become even more critical because scanners will attempt to guess credentials.

Configuring Mapping Gateway Authentication for Maximum Security

To configure the authentication mode on a VOS3000 mapping gateway, follow these steps:

1. Navigate to Mapping Gateway: Operation Management > Gateway Operation > Mapping Gateway
2. Open gateway properties: Double-click the mapping gateway to open its configuration
3. Set authentication mode: In the main configuration tab, select the desired authentication mode from the dropdown (IP / IP+Port / Password)
4. Configure authentication details: If IP mode, add the customer’s IP address in the gateway prefix or additional settings. If Password mode, ensure strong passwords are set
5. Apply changes: Click Apply to save the configuration

For the strongest VOS3000 iptables SIP scanner defense, use IP authentication mode whenever possible. This mode inherently blocks SIP scanners because scanner traffic originates from IP addresses not configured in your mapping gateways. When IP authentication is combined with iptables string-drop rules, your VOS3000 server becomes virtually immune to SIP scanner probes — the iptables rules block the scanner traffic at the kernel level, and the IP authentication mode blocks any traffic that somehow passes through iptables.

For comprehensive security configuration beyond what iptables provides, see our VOS3000 security anti-hack and fraud protection guide which covers account-level security, fraud detection, and billing protection.

Rate Limit Setting on Mapping Gateway for CPS Control

VOS3000 includes built-in rate limiting on mapping gateways that provides call-per-second (CPS) control at the application level. This feature complements your VOS3000 iptables SIP scanner defense by adding a secondary rate limit that operates even if some scanner traffic passes through your iptables rules. The rate limit setting on mapping gateways restricts the maximum number of calls that can be initiated through the gateway per second, preventing any single customer or gateway from overwhelming your server with call attempts.

Configuring Mapping Gateway Rate Limits

The rate limit setting is found in the mapping gateway additional settings. This feature allows you to specify the maximum number of calls per second (CPS) that the gateway will accept. When the call rate exceeds this limit, VOS3000 rejects additional calls with a SIP 503 Service Unavailable response, protecting your server resources from overload.

# ============================================
# VOS3000 Mapping Gateway Rate Limit Configuration
# ============================================

# Navigate to: Operation Management > Gateway Operation > Mapping Gateway
# Right-click the mapping gateway > Additional Settings
#
# Configure these rate-limiting parameters:
#
# 1. Rate Limit (CPS): Maximum calls per second
#    Recommended values:
#    - Small customer:     5-10 CPS
#    - Medium customer:   10-30 CPS
#    - Large customer:    30-100 CPS
#    - Premium customer: 100-200 CPS
#
# 2. Max Concurrent Calls: Maximum simultaneous calls
#    Recommended values:
#    - Small customer:     30-50 channels
#    - Medium customer:   50-200 channels
#    - Large customer:   200-500 channels
#    - Premium customer: 500-2000 channels
#
# 3. Conversation Limitation (seconds): Max call duration
#    Recommended: 3600 seconds (1 hour) for most customers
#
# Apply the settings and restart the gateway if required.

The mapping gateway rate limit works in conjunction with your VOS3000 iptables SIP scanner rules to provide multi-layered protection. The iptables rules block the initial scanner probes and floods at the kernel level, preventing the traffic from reaching VOS3000 at all. The mapping gateway rate limit acts as a safety net, catching any excessive call attempts that might pass through the iptables rules — for example, a sophisticated attacker who has somehow obtained valid credentials but is using them to flood your server with calls. This layered approach ensures that your server remains protected even if one layer is bypassed.

Advanced VOS3000 iptables SIP Scanner Techniques: hashlimit and conntrack

For operators who need even more granular control over their VOS3000 iptables SIP scanner defense, the hashlimit and conntrack modules provide advanced rate-limiting and connection-tracking capabilities. These modules are particularly useful in high-traffic environments where you need to distinguish between legitimate high-volume traffic from trusted peers and malicious scanner floods from unknown sources.

hashlimit Module: Per-Destination Rate Limiting

The hashlimit module is the most sophisticated rate-limiting module available in iptables. Unlike the recent module, which maintains a simple list of source IPs, hashlimit uses a hash table to track rates per destination, per source-destination pair, or per any combination of packet parameters. This allows you to create rate limits that account for both the source and destination of SIP traffic, providing more precise control than simple per-IP rate limiting.

# ============================================
# VOS3000 iptables SIP Scanner: hashlimit Rules
# ============================================

# Limit SIP requests to 10 per second per source IP
# with a burst allowance of 20 packets
iptables -A INPUT -p udp --dport 5060 \
  -m hashlimit \
  --hashlimit 10/s \
  --hashlimit-burst 20 \
  --hashlimit-mode srcip \
  --hashlimit-name sip_limit \
  --hashlimit-htable-expire 30000 \
  -j ACCEPT

# Drop all SIP traffic that exceeds the hash limit
iptables -A INPUT -p udp --dport 5060 -j DROP

# View hashlimit statistics
cat /proc/net/ipt_hashlimit/sip_limit

# Save rules permanently
service iptables save

The --hashlimit-mode srcip parameter creates a separate rate limit for each source IP address. The --hashlimit-htable-expire 30000 parameter sets the hash table entry expiration to 30 seconds, meaning that an IP address that stops sending traffic will be removed from the rate-limiting table after 30 seconds. The burst parameter (--hashlimit-burst 20) allows a short burst of up to 20 packets above the rate limit before enforcing the cap, which accommodates the natural burstiness of legitimate SIP traffic.

conntrack Module: Connection Tracking Tuning

The Linux connection tracking system (conntrack) is essential for iptables stateful filtering, but its default parameters may be insufficient for a VOS3000 server under SIP scanner attack. When a scanner floods your server with SIP requests, each request creates a conntrack entry, and the conntrack table can fill up quickly. Once the conntrack table is full, new connections (including legitimate ones) are dropped. Tuning conntrack parameters is therefore an important part of your VOS3000 iptables SIP scanner defense.

# ============================================
# VOS3000 iptables SIP Scanner: conntrack Tuning
# ============================================

# Check current conntrack maximum
cat /proc/sys/net/nf_conntrack_max

# Check current conntrack count
cat /proc/sys/net/netfilter/nf_conntrack_count

# Increase conntrack maximum for VOS3000 under attack
echo 1048576 > /proc/sys/net/nf_conntrack_max

# Reduce UDP timeout to free entries faster
echo 30 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout
echo 60 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream

# Make changes permanent across reboots
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_udp_timeout = 30" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_udp_timeout_stream = 60" >> /etc/sysctl.conf

# Apply sysctl changes
sysctl -p

Proper conntrack tuning ensures that your VOS3000 server can handle the increased connection table entries created by SIP scanner attacks without dropping legitimate traffic. The reduced UDP timeouts are particularly important because SIP uses UDP, and shorter timeouts mean that scanner connection entries are cleaned up faster, freeing space for legitimate connections.

Monitoring and Verifying Your VOS3000 iptables SIP Scanner Defense

After implementing your VOS3000 iptables SIP scanner rules, you need to verify that they are working correctly and monitor their ongoing effectiveness. Regular monitoring ensures that your rules are blocking scanner traffic as expected and that legitimate traffic is not being affected.

Verifying iptables Rules Are Active

# ============================================
# VOS3000 iptables SIP Scanner: Verification Commands
# ============================================

# List all iptables rules with line numbers
iptables -L -n -v --line-numbers

# List only SIP-related rules
iptables -L SIP_SCANNER_BLOCK -n -v
iptables -L SIP_RATE_LIMIT -n -v
iptables -L SIP_TRUSTED -n -v

# Check recent module lists
cat /proc/net/xt_recent/sip_scanner
cat /proc/net/xt_recent/sip_rate

# Monitor iptables rule hit counters in real-time
watch -n 1 'iptables -L SIP_SCANNER_BLOCK -n -v'

# Check if specific IP is being blocked
iptables -C INPUT -s SUSPICIOUS_IP -j DROP

# View dropped packets count per rule
iptables -L INPUT -n -v | rg "DROP"

Testing Your VOS3000 iptables SIP Scanner Rules

Before relying on your iptables rules in production, test them to ensure they block scanner traffic without affecting legitimate SIP calls. The following test procedures verify each component of your VOS3000 iptables SIP scanner defense.

# ============================================
# VOS3000 iptables SIP Scanner: Testing Commands
# ============================================

# Test 1: Send SIP OPTIONS from external IP (should be dropped)
# From a test machine (NOT a trusted IP):
sipsak -s sip:YOUR_SERVER_IP:5060 OPTIONS

# Test 2: Verify OPTIONS are dropped (check counter)
iptables -L SIP_SCANNER_BLOCK -n -v | rg "OPTIONS"

# Test 3: Verify legitimate SIP call still works
# Make a test call through VOS3000 from a trusted peer
# Check VOS3000 CDR for the test call

# Test 4: Verify rate limiting works
# Send rapid SIP requests and verify blocking
for i in $(seq 1 30); do
  sipsak -s sip:YOUR_SERVER_IP:5060 OPTIONS &
done

# Test 5: Check that trusted IPs bypass rate limits
# Verify that trusted IP accept rules have higher packet counts
iptables -L SIP_TRUSTED -n -v

# Test 6: Monitor server performance under simulated attack
top -b -n 5 | rg "vos3000|mbx|sip"

After completing these tests, review the iptables rule hit counters to confirm that your VOS3000 iptables SIP scanner rules are actively dropping malicious traffic. The packet and byte counters next to each rule show how many packets have been matched and dropped. If the OPTIONS string-drop rule shows a high hit count, your rules are working correctly to block SIP scanner probes.

VOS3000 iptables SIP Scanner Defense: Putting It All Together

A successful VOS3000 iptables SIP scanner defense requires integrating multiple layers of protection. Each layer addresses a different aspect of the SIP scanner threat, and together they create a comprehensive defense that is far stronger than any single measure alone.

The Five-Layer Defense Model

Your complete VOS3000 iptables SIP scanner defense should consist of five layers, each operating at a different level of the network and application stack:

Layer 1 — iptables Trusted IP Whitelist: Allow SIP traffic only from known, trusted IP addresses. All traffic from trusted IPs bypasses the scanner detection rules. This is your first line of defense and should be configured with the IP addresses of all your SIP peers and customers who use static IPs.

Layer 2 — iptables String-Match Dropping: Drop packets containing known scanner signatures including SIP OPTIONS requests from unknown sources, known scanner User-Agent strings, and other malicious patterns. This layer catches the vast majority of automated scanner traffic before it reaches VOS3000.

Layer 3 — iptables Rate Limiting: Use the connlimit, recent, and hashlimit modules to restrict the rate of SIP requests from any single IP address. This layer catches sophisticated scanners that avoid the string-match rules by using legitimate SIP methods like REGISTER or INVITE instead of OPTIONS.

Layer 4 — VOS3000 Native Security: Configure VOS3000 mapping gateway authentication mode (IP or IP+Port), rate limiting (CPS control), Web Access Control (Section 2.14.1), and dynamic blacklist features. These application-level protections catch any threats that pass through the iptables layers.

Layer 5 — Monitoring and Response: Regularly monitor iptables hit counters, VOS3000 logs, conntrack table usage, and server performance metrics. Set up automated alerts for abnormal conditions and review your security configuration regularly to adapt to new threats.

For a broader overview of VOS3000 security practices, see our VOS3000 security guide which covers the complete security hardening process for your softswitch platform.

🔗 Related Resources – VOS3000 iptables SIP Scanner

• 📖 VOS3000 Extended Firewall Configuration Guide
• 📖 VOS3000 Security Anti-Hack and Fraud Protection
• 📖 VOS3000 Security Hardening Complete Guide
• 📥 VOS3000 Downloads – Manual and Software

Frequently Asked Questions About VOS3000 iptables SIP Scanner

❓ What is a VOS3000 iptables SIP scanner and why does it target my server?

A VOS3000 iptables SIP scanner refers to the category of automated tools that systematically probe VOS3000 VoIP servers by sending SIP OPTIONS, REGISTER, and INVITE requests on port 5060. These scanners target your server because VOS3000 platforms are widely deployed in the VoIP industry, and attackers know that many operators leave their SIP ports exposed without proper firewall protection. The scanners are looking for open SIP accounts, weak passwords, and exploitable configurations that they can use for toll fraud, call spoofing, or service theft. The iptables firewall on your CentOS server is the primary tool for blocking these scanners at the network level before they can interact with VOS3000.

❓ How do I know if my VOS3000 server is under a SIP scanner attack?

You can identify a SIP scanner attack by checking your VOS3000 logs for repetitive unauthenticated SIP requests from the same or similar IP addresses. Use the command rg "OPTIONS" /home/vos3000/log/sipproxy.log | tail -100 to look for a high volume of OPTIONS requests. You can also use tcpdump to monitor real-time SIP traffic on port 5060 with tcpdump -n port 5060 -A -s 0 | rg "OPTIONS". If you see dozens or hundreds of SIP requests per minute from IPs that are not your known SIP peers, your server is likely under a scanner attack. Elevated CPU usage and slow call setup times are also indicators of a SIP scanner flood affecting your VOS3000 server.

❓ Why should I use pure iptables instead of Fail2Ban for VOS3000 iptables SIP scanner defense?

Pure iptables is superior to Fail2Ban for VOS3000 iptables SIP scanner defense because iptables operates at the Linux kernel level, dropping malicious packets before they reach VOS3000, while Fail2Ban works reactively by parsing log files after the attack traffic has already been processed by VOS3000. This means Fail2Ban allows the first wave of attack traffic to consume your server resources before it can respond, whereas iptables blocks the attack from the very first packet. Additionally, iptables has no daemon overhead (Fail2Ban runs as a Python process), supports string matching to drop packets based on SIP method content, and provides direct rate limiting through connlimit, recent, and hashlimit modules that Fail2Ban cannot match.

❓ What VOS3000 native features complement iptables for SIP scanner protection?

Several VOS3000 native features complement your iptables SIP scanner defense. The Web Access Control feature (Manual Section 2.14.1) restricts web management access to authorized IPs. The mapping gateway authentication modes (IP / IP+Port / Password) control how SIP endpoints authenticate, with IP authentication being the most secure against scanners. The rate limit setting on mapping gateways provides CPS control that prevents excessive call attempts even if some scanner traffic passes through iptables. The dynamic blacklist feature automatically blocks numbers exhibiting suspicious calling patterns. Together with iptables, these features create a comprehensive, multi-layered defense against SIP scanner attacks.

❓ Can iptables string-match rules block legitimate SIP OPTIONS from my peers?

Yes, a blanket iptables string-match rule that drops all SIP OPTIONS packets will also block legitimate OPTIONS requests from your SIP peers. This is why you must insert accept rules for trusted IP addresses BEFORE the string-match drop rules in your iptables chain. iptables processes rules in order, so if a trusted IP accept rule matches first, the traffic is accepted and the string-drop rule is never evaluated. Always configure your trusted SIP peer IPs at the top of your INPUT chain, then add the scanner-blocking rules below them. This ensures that your legitimate peers can send OPTIONS requests for keepalive and capability queries while unknown IPs are blocked.

❓ How do I configure mapping gateway rate limiting in VOS3000 to complement iptables?

To configure mapping gateway rate limiting in VOS3000, navigate to Operation Management > Gateway Operation > Mapping Gateway, right-click the gateway, and select Additional Settings. In the rate limit field, set the maximum calls per second (CPS) appropriate for the customer tier — typically 5-10 CPS for small customers and up to 100-200 CPS for premium wholesale customers. Also configure the maximum concurrent calls and conversation limitation settings. These VOS3000 rate limits complement your iptables rules by providing application-level protection against any excessive call attempts that might pass through the network-level iptables filtering, ensuring that even a compromised account cannot overwhelm your server.

❓ What conntrack tuning is needed for VOS3000 under SIP scanner attack?

Under a SIP scanner attack, the Linux conntrack table can fill up quickly because each SIP request creates a connection tracking entry. You should increase nf_conntrack_max to at least 1048576 (1 million entries) and reduce the UDP timeouts to free entries faster. Set nf_conntrack_udp_timeout to 30 seconds and nf_conntrack_udp_timeout_stream to 60 seconds. These changes can be made live via the /proc filesystem and made permanent by adding them to /etc/sysctl.conf. Without these tuning adjustments, a severe SIP scanner attack can fill the conntrack table and cause Linux to drop all new connections, including legitimate SIP calls.

Protect Your VOS3000 from SIP Scanners

Implementing a robust VOS3000 iptables SIP scanner defense is not optional — it is a fundamental requirement for any VOS3000 operator who exposes SIP services to the internet. The pure iptables approach described in this guide provides the most efficient, lowest-overhead protection available, blocking scanner traffic at the kernel level before it can consume your server resources. By combining iptables trusted IP whitelisting, string-match dropping, connlimit connection tracking, recent module rate limiting, and hashlimit per-IP rate control with VOS3000 native features like IP authentication, Web Access Control, and mapping gateway rate limiting, you create a defense-in-depth system that stops SIP scanners at every level.

Remember that security is an ongoing process, not a one-time configuration. Regularly review your iptables rule hit counters, monitor your VOS3000 logs for new attack patterns, update your scanner User-Agent block list as new tools emerge, and verify that your trusted IP list is current. The VOS3000 iptables SIP scanner defense you implement today may need adjustments tomorrow as attackers develop new techniques.

📱 Contact us on WhatsApp: +8801911119966

Our VOS3000 security specialists can help you implement the complete iptables SIP scanner defense described in this guide, audit your existing configuration for vulnerabilities, and provide ongoing monitoring and support. Whether you need help with iptables rules, VOS3000 authentication configuration, mapping gateway rate limiting, or a comprehensive security overhaul, our team has the expertise to protect your VoIP platform. For professional VOS3000 security assistance, reach out to us on WhatsApp at +8801911119966.

📞 Need Professional VOS3000 Setup Support?

For professional VOS3000 installations and deployment, VOS3000 Server Rental Solution:

📱 WhatsApp: +8801911119966
🌐 Website: www.vos3000.com
🌐 Blog: multahost.com/blog
📥 Downloads: VOS3000 Downloads