A&A Local SIP Ports

Dr Stephen Strange

Jan 13, 2024, 4:59:17 AM
I have just set up two Grandstream HT812 devices on A&A.

What are the best local SIP ports to use with a setup like this?

Each has two FXS ports and I have a phone attached to all of them.

When I ring in, only one of the phones rings on each device.

Not sure if this is down to the SIP ports I am using or if this is
expected behaviour?

Woody

Jan 13, 2024, 7:59:05 AM
You will have to go into the ATA and set it up. If it is only set up for
one line then it will only ring on that port. A two-circuit unit like
the 812 is intended for two different numbers.

Sipgate recommend port 43160 for SIP and 43104-43120 for UDP and it
works for me albeit on their service.

David Woolley

Jan 13, 2024, 8:49:42 AM
On 13/01/2024 12:59, Woody wrote:
> Sipgate recommend port 43160 for SIP and 43104-43120 for UDP and it
> works for me albeit on their service.

So 43160 goes onto the script kiddies' attack lists!

If you are neither using 5060, nor one specified by the provider, the
best port number is a relatively high number that only you know. Most
attacks will be on 5060/UDP.

Marco Moock

Jan 13, 2024, 3:26:19 PM
On 13.01.2024 at 13:49:40, David Woolley wrote:

> So 43160 goes onto the script kiddies' attack lists!

Attackers will scan all ports for vulnerable services.
The only way to secure that is to avoid running vulnerable software
whenever possible.
Make sure the latest firmware is installed.

Using another port isn't a security measure that lasts long.

David Woolley

Jan 13, 2024, 6:47:16 PM
On 13/01/2024 20:26, Marco Moock wrote:
> Attackers will scan all ports for vulnerable services.
> The only way to secure that is to avoid running vulnerable software
> whenever possible.

People on the FreePBX forum report that using weird port numbers reduces
attack rates drastically, and using TCP, rather than UDP, is even more
effective.

Chris Green

Jan 14, 2024, 6:18:05 AM
My strategy is to configure the firewall so that it only accepts
connections from expected places. E.g. for VOIP with A&A you would
only accept connections from A&A servers.

Similarly I use intermediate proxy servers to connect to my home
system using ssh, the home system's firewall only accepts ssh
connections from those proxy servers. (Of course the proxy servers
have to manage connections from anywhere but that's another sysadmin's
headache!)

--
Chris Green

Brian Gregory

Jan 14, 2024, 6:57:40 AM
Same here. I don't know if I've happened to choose odd VOIP providers,
but I've never had any problems with leaving my normal firewall enabled
so that my VOIP devices can only receive packets from things they have
already connected to (registered with) - namely my provider.

--
Brian Gregory (in England).
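
The source-restricted firewall that Chris Green and Brian Gregory describe above, sketched as an nftables ruleset for a Linux router in front of the ATAs. This is an added example, not part of any post in the thread; the interface names, the table and set names, the RTP port range and the documentation-prefix addresses standing in for the provider's servers are all assumptions.

```nft
# Added example. Every name, port range and address here is an assumption.
table inet voip_guard {
    # Provider's SIP/RTP servers. 192.0.2.0/24 and 2001:db8::/32 are
    # documentation prefixes: replace them with the ranges the provider publishes.
    set provider_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }
    set provider_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows the ATAs opened themselves (registration,
        # outbound calls): the stateful behaviour described above.
        ct state established,related accept
        ct state invalid drop

        # LAN to internet is left unrestricted in this sketch.
        iifname "lan0" oifname "wan0" accept

        # Weak form, shown for contrast and left commented out:
        # any host on the internet may send SIP to the ATA.
        # iifname "wan0" udp dport 5060 accept

        # Corrected form: new inbound SIP and RTP only from the provider.
        # 5060 and 10000-20000 are assumed values; use the local SIP port
        # and RTP range actually configured on the ATA.
        iifname "wan0" ip saddr @provider_v4 udp dport { 5060, 10000-20000 } accept
        iifname "wan0" ip6 saddr @provider_v6 udp dport { 5060, 10000-20000 } accept

        # Count dropped SIP attempts so the scan volume stays visible.
        iifname "wan0" udp dport 5060 counter drop
    }
}
```

With the allowlist in place the choice of local SIP port matters far less, because packets from any other source are dropped before they reach the ATA whichever port they target.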

Andy Burns

Jan 14, 2024, 12:14:22 PM
Brian Gregory wrote:

> I don't know if I've happened to choose odd VOIP providers, but I've
> never had any problems with leaving my normal firewall enabled so that
> my VOIP devices can only receive packets from things they have already
> connected to (registered with) - namely my provider.

If you've got STUN settings for your provider configured in your VoIP
device(s) then that should indeed be the way it works.

Brian Gregory

Jan 14, 2024, 12:35:30 PM
No separate STUN is configured.

I think maybe it only works using UDP for SIP (and the audio is, of
course, always UDP).