A FreeSWITCH instance exposed to the public internet is a high-value target. Unprotected SIP ports are continuously scanned for open registrations that can be exploited for toll fraud — where attackers generate thousands of dollars of calls within minutes using compromised credentials. Before putting a FreeSWITCH system into production, you should address every layer of the security model: network-level IP filtering, transport encryption, application authentication, media encryption, and operating system permissions.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/signalwire/freeswitch/llms.txt
Use this file to discover all available pages before exploring further.
Access Control Lists (ACLs)
ACLs are the first line of defense. FreeSWITCH’smod_acl lets you define named IP-address lists and then reference those lists in SIP profile configurations to restrict which hosts can send SIP traffic or register endpoints.
Configuring ACLs
ACL lists are defined inconf/autoload_configs/acl.conf.xml:
Applying ACLs to SIP Profiles
After defining an ACL list, reference it inside your Sofia SIP profile XML (conf/sip_profiles/internal.xml or external.xml) using the apply-inbound-acl and apply-register-acl parameters:
ESL Security
The Event Socket Layer (ESL) provides full programmatic control over FreeSWITCH, including the ability to originate calls, intercept media, and reload configuration. Its security must be treated with the same care as a root SSH session.Default Configuration
The defaultconf/autoload_configs/event_socket.conf.xml ships with a well-known password and listens on all interfaces:
Hardening ESL
Apply all three of the following changes before exposing a system to any untrusted network:Change the default password
Replace
ClueCon with a strong, unique password of at least 24 random characters.Bind to loopback only
Change
listen-ip from :: (all interfaces) to 127.0.0.1 so ESL is not reachable from the network at all.SIP TLS
SIP signaling travels over UDP or TCP in plaintext by default, making it possible for an attacker on the network path to intercept credentials, read dial plans, or inject fraudulent SIP messages. Enabling TLS on a Sofia SIP profile encrypts signaling between FreeSWITCH and endpoints.Enabling TLS in a SIP Profile
Add the following parameters to your SIP profile XML (e.g.,conf/sip_profiles/internal.xml):
Generating Certificates with gentls_cert
FreeSWITCH ships a shell script (scripts/gentls_cert) that creates a self-signed CA and server certificate suitable for TLS SIP and WSS (WebSocket Secure).
| File | Purpose |
|---|---|
CA/cacert.pem | CA certificate (distribute to endpoints that need to trust the server). |
agent.pem | Combined server certificate + private key (used by FreeSWITCH). |
cafile.pem | Copy of the CA cert for Sofia’s tls-cafile parameter. |
Enabling TLS in vars.xml
You can also enable TLS globally by setting pre-processor variables inconf/vars.xml:
Testing the TLS Connection
SRTP
TLS encrypts SIP signaling, but the media stream (RTP audio) remains in plaintext unless you also enable SRTP. SRTP negotiation is handled automatically during SDP offer/answer when configured on the SIP profile.Enabling SRTP
Addrtp-secure-media to your SIP profile:
Avoid storing SRTP encryption keys in CDRs or channel variables. The
switch.conf.xml parameter rtp-retain-crypto-keys defaults to false — leave it that way. Enabling it exposes call media to anyone with CDR read access.Running as Non-Root
FreeSWITCH does not need to run as root for normal operation. Running as a dedicated, unprivileged system user limits the blast radius if the process is ever compromised.Creating a Dedicated User
Starting FreeSWITCH as the Dedicated User
Use the-u and -g flags to drop privileges immediately after startup:
Firewall Recommendations
A well-configured host firewall is essential for any production deployment. The following ports should be considered:| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 5060 | UDP/TCP | Inbound | SIP signaling (restrict with ACLs or whitelist) |
| 5061 | TCP | Inbound | SIP over TLS |
| 5080 | UDP/TCP | Inbound | Outbound SIP profile (carrier traffic) |
| 8021 | TCP | Inbound | Event Socket Layer — never expose publicly |
| 16384–32768 | UDP | Inbound/Outbound | RTP media streams |
Fail2Ban Integration
mod_fail2ban (or alternatively the standalone fail2ban daemon reading FreeSWITCH logs) can automatically ban IP addresses that make repeated failed authentication attempts — a common pattern in SIP brute-force attacks targeting registration credentials.
fail2ban Filter for FreeSWITCH Log Files
Create/etc/fail2ban/filter.d/freeswitch.conf:
/etc/fail2ban/jail.d/freeswitch.conf: