Separating interfaces and restricting traffic

SIP is a technology that is commonly targeted for abuse on the open Internet. In most cases, malicious hackers will scan a range of IP addresses by sending UDP packets to port 5060 and looking for servers that respond. Once they find a server that responds, they will attempt to brute-force common passwords or simply try to dial out. In some cases they will also flood the server with fake registration or other packets, crippling the system's ability to operate properly.

On average, a SIP server begins to be probed by hackers and script kiddies 30 minutes after it is connected to the Internet. If you trace SIP packets, you'll see a lot of REGISTER or INVITE attempts by user agents such as SIPvicious, friendly-scanner and SIPcli (and the ones that try harder to disguise themselves as "normal" phones). Yes, they're there with a purpose.

One of the most basic ways by which you can protect your FreeSWITCH system is by separating your SIP interfaces and enforcing firewall or IPTables rules that are different on each interface.

As you've learned in previous chapters, FreeSWITCH allows you to set up different Sofia SIP interfaces so that you can send and receive SIP traffic via different IP addresses and ports on the same system. What may not be obvious is that this setup is useful for providing an extra layer of security and stability.

In terms of security, each Sofia SIP profile has a default dialplan context into which it routes inbound calls, and that context can be a fairly restrictive one. If you pair a restrictive dialplan context with the relevant SIP profile, you are less likely to let someone send fraudulent SIP traffic through your system, even if you accidentally introduce a minor misconfiguration.

In addition, each Sofia SIP profile can have a different Access Control List (ACL). In this way, you can put more stringent restrictions on public-facing SIP profiles (IP addresses) and looser restrictions on private ones.

In terms of stability and performance, a little-known fact about FreeSWITCH's design is that each Sofia SIP interface runs in its own thread. Having a separate thread for each IP address and port helps to contain any disruption someone can cause to the system. While this is by no means a foolproof way of protecting your system, any additional time you gain to resolve an issue while under attack is helpful.
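As an added example (not configuration from the book or the FreeSWITCH project), here is the split described above: one ACL file defining two network lists, and two Sofia profiles, each bound to its own address and port with its own ACL and dialplan context. The addresses, list names and profile names are assumed placeholders; only the parameter names are real Sofia settings.

```xml
<!-- conf/autoload_configs/acl.conf.xml: named network lists (assumed ranges) -->
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <!-- Office LAN; every address not listed is denied -->
    <list name="office_lan" default="deny">
      <node type="allow" cidr="192.168.10.0/24"/>  <!-- assumed LAN range -->
    </list>
    <!-- Only the carrier's signalling host may reach the public profile -->
    <list name="carrier_hosts" default="deny">
      <node type="allow" cidr="203.0.113.10/32"/>  <!-- placeholder for a real carrier IP -->
    </list>
  </network-lists>
</configuration>

<!-- conf/sip_profiles/internal.xml: LAN-facing profile on the private address -->
<profile name="internal">
  <settings>
    <param name="sip-ip" value="192.168.10.5"/>
    <param name="rtp-ip" value="192.168.10.5"/>
    <param name="sip-port" value="5060"/>
    <!-- trusted phones land in the full dialplan and may dial out -->
    <param name="context" value="default"/>
    <param name="auth-calls" value="true"/>
    <!-- LAN addresses are trusted; anything else must pass a digest challenge -->
    <param name="apply-inbound-acl" value="office_lan"/>
    <param name="apply-register-acl" value="office_lan"/>
  </settings>
</profile>

<!-- conf/sip_profiles/external.xml: Internet-facing profile on a different IP and port -->
<profile name="external">
  <settings>
    <param name="sip-ip" value="198.51.100.7"/>   <!-- placeholder public address -->
    <param name="rtp-ip" value="198.51.100.7"/>
    <param name="sip-port" value="5080"/>
    <!-- restrictive context: inbound DIDs only, no outbound routes defined here -->
    <param name="context" value="public"/>
    <!-- carriers rarely authenticate, so the ACL stands in for credentials:
         with auth-calls off, addresses not on the list are simply rejected -->
    <param name="auth-calls" value="false"/>
    <param name="apply-inbound-acl" value="carrier_hosts"/>
  </settings>
</profile>
```

Pair this with host firewall rules that admit UDP 5060 only from the LAN range and UDP 5080 only from the carrier addresses, so that scanners never reach the Sofia threads at all.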
