Docs navigation

Abuse control

Within hours of going online, any SIP system starts receiving scanner traffic — automated probes guessing extensions and passwords. Abuse control watches for those patterns and bans the sources automatically, before they get enough attempts to matter.

Abuse Control: live tracking status and authentication limits

What it watches

Admin → Advanced → Abuse Control shows the live state — IPs currently tracked, auto-blacklisted counts, last block — and the thresholds:

  • Failed authentication — wrong SIP or web-login credentials; the source IP is blacklisted after the configured attempt count (default 5).
  • Failed challenge requests — SIP scanners fire registration attempts without ever completing authentication; these unanswered challenges (407s) have their own, higher threshold (default 500) to catch high-volume probing that never even tries a password.
  • Traffic rate — packet-rate barriers escalate from a grace threshold to short temporary blocks to a full blacklisting for outright floods.

Scanning probes against the routing endpoints themselves are banned at the firewall level — the noisiest scanners stop consuming any resources at all.

Bans and escalation

Blocked IPs land on the IP blacklist marked Auto, with a configurable duration (a minute to 7 days). Escalating bans — each repeat offense multiplying the duration — is worth enabling on any internet-facing system.

Every block is logged in the Event Log and can email you. False positives (someone fat-fingering a password from the branch office) are resolved by unblocking the entry on the IP Blacklist page — or pre-empted by adding your known sites as Allow entries.

What it doesn't need

No whitelisting of your carriers or phones is required for normal operation — legitimate devices authenticate successfully and never approach the thresholds. The system is deliberately safe to leave on (it ships enabled) with default thresholds.