New Member

sip trunk security

This message also posted in security/network management:

cisco router 2651XM running a sip trunk (call manager express)

IOS: c2600-adventerprisek9-mz.124-15.T9.bin

After having my sip account hacked I need to make my sip trunk secure. I'm fairly certain my sip details were hacked using packet sniffing but not 100% sure. My sip provider has changed my password but I'm reluctant to re-register with my sip provider because my new details will just get sniffed again. In the meantime I have changed all the router passwords to strong ones and set up a logging trap as well with delays to discourage brute force attacks.

How can I harden the encryption in my router or make my sip trunk resilient to packet sniffing? My sip-ua currently looks like this:


authentication username xxxxxxxx password 7 152552393279781D06
calling-info pstn-to-sip from number set xxxxxxxx
retry invite 2
registrar expires 3600


Thanks for any advice.

Hall of Fame Super Gold

Re: sip trunk security

You can't do anything more.

Also it's actually impossible that anybody "sniffed" your credentials, as digest authentication is strictly one-way:

New Member

Re: sip trunk security

Thanks for your feedback, but are you sure about 'impossible via packet sniffing'? The phone company claims it is possible so I'm in a quandary and don't know what to do next. I also have to consider mail interception and router hack but I'm working on that. I'd appreciate any further ideas...

Hall of Fame Super Gold

Re: sip trunk security

They are wrong. Point them to documentation that explains digest (one way) encryption, as I did above.

Besides, who exactly would be sniffing you, how, and where?
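
How the digest response discussed in the replies above is computed (the MD5 digest scheme of RFC 2617, which SIP reuses), shown as an added example that is not part of any post in this thread. The account name, realm, nonces and password are constructed sample values, not taken from the router configuration above.

```python
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response; the password only ever enters HA1."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:  # qop=auth form, binds a client nonce and a request counter
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # form without qop


def authorization_header(username, realm, password, method, uri, nonce):
    """Header a user agent sends after a 401 challenge: this is what is on the wire."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}", algorithm=MD5')


def registrar_accepts(received, username, realm, stored_password,
                      method, uri, nonce):
    """Registrar side: recompute from its own copy of the password and compare."""
    expected = digest_response(username, realm, stored_password,
                               method, uri, nonce)
    return hmac.compare_digest(expected, received)


# Constructed sample values (assumptions for illustration only).
USER, REALM, PASSWORD = "trunk1001", "sip.example.net", "constructed-Passw0rd"
URI = "sip:sip.example.net"
NONCE_1 = "5f2c8a1e0b7d4c39"   # challenge issued for the first REGISTER
NONCE_2 = "a91d3e7746c0b852"   # a later challenge from the registrar

if __name__ == "__main__":
    for nonce in (NONCE_1, NONCE_2):
        print(authorization_header(USER, REALM, PASSWORD, "REGISTER", URI, nonce))
```

The two printed headers carry different response values because each is bound to the registrar's nonce, and neither contains the password itself.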

New Member

Re: sip trunk security

Someone has hacked my sip credentials and used up all the credit in two different sip accounts I've had - both with different companies so this isn't hypothetical. I'm trying to find how they did it (three times) so I have to look at all avenues, no matter how unlikely.

Super Bronze

Re: sip trunk security


It's equally possible that the credentials were obtained another way - i.e. from your email (rare to see that encrypted in flight), maybe from your router config (that type 7 encoded password is a simple thing to decode if you have the config) - how many people have access?

No point worrying how good the locks are if the front door is open :-)

Surely the service provider should be able to limit access to your account to a particular set of IP addresses provided by yourself? One would think if they're happy to state to their customers that their credentials are unsafe and might be sniffed any time you use their service they would want to take measures to prevent it...


Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
New Member

Re: sip trunk security

Yes, I know there are several ways my credentials could have been obtained and believe me I'm trying to address every one of them, my packet sniffing query was just one. I'm not sure what to do if emails are being read, I've changed the password on my email but if they're sniffed in flight that's a different problem. No-one uses my computer but me, no-one has access to my router but me, no-one knows the passwords (all changed yesterday) except me. I did a hd scan and found a couple of trojans but whether they were connected I'm still investigating. I've set up a logging trap-to-syslog to monitor router telnet attempts and it works and I've also set up a logon delay to prevent brute force attacks.

Thanks for your advice and I've sent an email to my sip provider about restricting access but I don't hold out much hope. I don't know if you've had experience with sip providers but my experience of them is not a pleasant one, they're unhelpful and frustrating.

New Member

Re: sip trunk security

Have you seen this article?

It mentions SIPScan and this appears to be exactly what has happened to me, I've even seen calls to Africa and Cuba in my call log just like it says in the article. If sipscan isn't a sip trunk sniffer, what does it do?


Re: sip trunk security

Hi Tony,

Was / is it possible that your router was an open SIP-SIP or H323-SIP gateway?

