
Port 5060 (TCP/UDP) – SIP (VoIP)

Session Initiation Protocol — the signaling protocol that sets up, manages, and tears down VoIP calls.

TCP | UDP | Registered | Commonly attacked

Default state

Open on VoIP PBXs, SIP trunks, and IP phones (Asterisk, FreePBX, FreeSWITCH). Often exposed to the internet for remote extensions and trunks.

Common attacks

  • Toll fraud — placing fraudulent premium-rate calls
  • Registration hijacking and extension takeover
  • Credential brute force and SIP user/extension enumeration
  • INVITE/REGISTER flooding for denial of service

Hardening

  • Do not expose SIP directly — front with an SBC or VPN
  • Enforce strong, unique SIP secrets and make extensions hard to enumerate
  • Use SIP over TLS (5061) and SRTP for media encryption
  • Rate-limit registrations/INVITEs and use fail2ban against brute force
  • Restrict source IPs for trunks and set per-extension call limits/allowed destinations

nmap snippet

nmap -p5060 -sU --script sip-methods,sip-enum-users <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5060?

Port 5060 carries SIP (Session Initiation Protocol), the signaling protocol that establishes, modifies, and terminates VoIP calls. It registers phones, routes INVITEs, and negotiates the media session (the actual audio/video then flows over RTP). It runs on both UDP and TCP 5060 in cleartext; the encrypted variant, SIP over TLS, uses port 5061. PBXs like Asterisk, FreePBX, and FreeSWITCH all listen here.

Why it matters for security

A compromised SIP server is directly monetizable through toll fraud: attackers place a flood of calls to premium-rate numbers and bill them to the victim, sometimes racking up huge charges overnight. Cleartext SIP also exposes credentials and call metadata, and the protocol's registration model allows extension takeover. Because 5060 is so lucrative, it is one of the most aggressively scanned VoIP ports on the internet.

How it's attacked

Tools like sipvicious and the nmap sip-enum-users script enumerate valid extensions, then brute-force their secrets. With a valid registration the attacker performs registration hijacking and launches outbound toll-fraud calls. The sip-methods probe fingerprints servers, and INVITE/REGISTER flooding is used both to enumerate and to cause denial of service.

Hardening checklist

Keep SIP off the open internet where possible — front it with a Session Border Controller (SBC) or VPN. Use SIP over TLS (5061) and SRTP so signaling and media are encrypted, and enforce strong, unique secrets per extension. Rate-limit registrations and INVITEs, deploy fail2ban, restrict trunk source IPs, and set per-extension call limits and allowed destinations to cap fraud. Use the nmap snippet above to enumerate methods and users on systems you are authorized to test.
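As an added example (not code from the original page or from any PBX project), the sketch below shows the kind of sliding-window logic behind the rate-limiting and fail2ban advice: it separates extension enumeration from secret brute-forcing per source address. The record format, thresholds, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60       # seconds of failure history kept per source (assumed)
ENUM_EXTS = 5     # distinct failed extensions inside WINDOW => enumeration
BRUTE_FAILS = 5   # failures on one extension inside WINDOW => brute force

# Constructed events (not real traffic), ordered in time per source. Fields:
#   time(s) source method extension credentials-sent(Y/N) response-code
SAMPLE = "\n".join(
    ["0 192.0.2.10 REGISTER 200 N 401", "0 192.0.2.10 REGISTER 200 Y 200"]  # phone
    + [f"{t} 198.51.100.7 REGISTER {100 + t} N 404" for t in range(5)]      # scan
    + [f"{10 + t} 203.0.113.9 REGISTER 101 Y 401" for t in range(5)]        # guessing
    + [f"{t * 75} 203.0.113.50 REGISTER 101 Y 401" for t in range(5)]       # slow
)

def is_failure(auth, code):
    # A 401/407 answering a request that carried no credentials is the normal
    # digest challenge, not a failed login; count it only if credentials were sent.
    if code in (401, 407):
        return auth == "Y"
    return code in (403, 404)

def detect(text):
    """Return {source: [alert kinds]} for sources that cross a threshold."""
    recent = defaultdict(deque)   # source -> deque of (time, extension) failures
    alerts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue              # skip malformed records
        ts, src, method, ext, auth, code = parts
        if method not in ("REGISTER", "INVITE") or not is_failure(auth, int(code)):
            continue
        ts = int(ts)
        win = recent[src]
        win.append((ts, ext))
        while win[0][0] <= ts - WINDOW:   # drop failures older than the window
            win.popleft()
        exts = [e for _, e in win]
        if len(set(exts)) >= ENUM_EXTS:
            alerts[src].add("enumeration")
        if exts.count(ext) >= BRUTE_FAILS:
            alerts[src].add("brute-force")
    return {src: sorted(kinds) for src, kinds in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The slow source at 203.0.113.50 stays under the 60-second window and is not flagged, which is why per-extension lockouts and call limits are still needed alongside rate-based bans.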

Frequently asked questions

Why is port 5060 targeted so heavily?
Compromising a SIP server enables toll fraud — attackers place expensive premium-rate calls on the victim's account. Open 5060 is constantly scanned and brute-forced by automated VoIP fraud tools.

Should SIP use TCP or UDP?
Both are valid; SIP traditionally uses UDP 5060 but also runs over TCP. For security, prefer SIP over TLS on 5061 so signaling and credentials are encrypted.