
Never Run a SIP Server on Port 5060

By Jim O'Brien
Port 5060 isn’t your only option.

The well-known port for SIP is 5060. It’s common knowledge. Convention. You might say it’s the default. To be clear, RFC 3261 says: “If the port is absent, the default value depends on the transport. It is 5060 for UDP, TCP and SCTP, 5061 for TLS.”

The rule is there is no rule. Which is great!

In most, if not all, SIP clients you can specify the port to connect to on a SIP server or proxy. You can also set up DNS SRV records for your domain or SIP server’s name so that clients (and maybe scanners and attackers?) can find the correct non-standard SIP port.
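How a client ends up on a port such as 15555, as an added example (not code from the original post): an explicit port in the URI wins, otherwise SRV records are consulted, otherwise the RFC 3261 default applies. The SRV table and hostnames are constructed sample data, `resolve` is a hypothetical helper, and the logic is simplified from RFC 3263 (no NAPTR step, and a deterministic pick instead of weighted-random selection).

```python
import re

# Defaults quoted from RFC 3261: 5060 for UDP, TCP and SCTP; 5061 for TLS.
DEFAULT_PORTS = {"udp": 5060, "tcp": 5060, "sctp": 5060, "tls": 5061}
# SRV owner-name prefixes per RFC 3263.
SRV_PREFIX = {"udp": "_sip._udp.", "tcp": "_sip._tcp.",
              "sctp": "_sip._sctp.", "tls": "_sips._tcp."}

# Constructed SRV answers: (priority, weight, port, target). Not real DNS data.
SAMPLE_SRV = {
    "_sip._udp.example.com.": [
        (20, 0, 5060, "backup.example.com."),
        (10, 60, 15555, "sip1.example.com."),
        (10, 40, 15555, "sip2.example.com."),
    ],
}

URI_RE = re.compile(r"^(sips?):(?:[^@]+@)?([^:;?]+)(?::(\d+))?((?:;[^?]*)?)")


def resolve(uri, srv_table=SAMPLE_SRV):
    """Return (host, port, transport, source) for a SIP or SIPS URI."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    scheme, host, port, params = m.groups()
    transport = "tls" if scheme == "sips" else "udp"
    for param in params.split(";"):
        name, _, value = param.partition("=")
        if scheme == "sip" and name.lower() == "transport":
            transport = value.lower()
    if transport not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transport: {transport!r}")
    if port:  # 1. an explicit port in the URI always wins
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {port}")
        return host, int(port), transport, "explicit"
    # 2. no port: look for SRV records (lowest priority, then highest weight)
    records = srv_table.get(SRV_PREFIX[transport] + host.lower().rstrip(".") + ".")
    if records:
        _, _, srv_port, target = min(records, key=lambda r: (r[0], -r[1]))
        return target.rstrip("."), srv_port, transport, "srv"
    # 3. no SRV either: fall back to the RFC 3261 default for the transport
    return host, DEFAULT_PORTS[transport], transport, "default"


if __name__ == "__main__":
    for u in ("sip:alice@example.com", "sip:alice@example.com:5070;transport=tcp",
              "sips:bob@example.org"):
        print(u, "->", resolve(u))
```

Because the SRV record publishes the port to anyone who queries it, this path helps clients and sidesteps port-based assumptions, but it does not hide the server from a scanner that performs the same lookup.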

So using an alternate SIP port on your server is easy. But why would you want to?

Here are a few reasons:

1) Choosing a more obscure port for your SIP server is a good idea because it circumvents the most basic SIP scanning. Your server will still get scanned, but being a less obvious target is a good thing.

2) More importantly, devices like mobile hotspots, home routers, and metro WiFi networks often include a class of network process called Application Layer/Level Gateways (ALGs):

  • Things like Cisco PIX’s SIP Fix-up feature
  • A network process that believes it can be helpful (and rarely is)
    • It’s designed to specifically stop the use of SIP clients within or on a network
Go on, try a new port!

In both of these cases, running a SIP server on a port other than 5060 has its benefits. Most scanners blindly look for responses from servers listening on 5060. Most ALGs don’t know what you might be connecting to on port 15555, so they let the traffic pass without mangling it.

To learn more about CounterPath and what we offer, visit our product page.
