Port reference

Port 5061 (TCP) – SIP over TLS

SIP (Session Initiation Protocol) signaling encrypted with TLS for secure VoIP call setup.

TCP | Registered | Commonly attacked

Default state

Open on VoIP servers and PBXes (Asterisk, FreeSWITCH, Kamailio) configured for SIP-TLS. The encrypted counterpart to plaintext SIP on 5060.

Common attacks

  • SIP user/extension enumeration to find valid accounts
  • Credential brute force leading to toll fraud
  • Downgrade attempts to plaintext SIP on 5060
  • Exploiting weak TLS configuration or expired certificates

Hardening

  • Enforce TLS with strong ciphers and valid certificates
  • Use strong SIP credentials and disable guest/anonymous calls
  • Restrict source IPs and rate-limit registration attempts
  • Disable plaintext SIP on 5060 where TLS is required
  • Patch the PBX/SIP stack and monitor for enumeration

nmap snippet

nmap -p5061 --script sip-methods,ssl-cert <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5061?

Port 5061 carries SIP (Session Initiation Protocol) signaling over TLS — the encrypted counterpart to plaintext SIP on 5060. It is used by VoIP servers and PBXes such as Asterisk, FreeSWITCH, and Kamailio to set up, modify, and tear down voice and video calls. TLS protects the signaling and credentials in transit; pairing it with SRTP protects the media stream itself.

Why it matters for security

Encrypting signaling closes off eavesdropping and tampering on the wire, but it does not fix weak accounts. SIP services are relentlessly targeted for toll fraud: attackers who register a stolen extension can place expensive calls on the victim's account. A misconfigured TLS setup — weak ciphers, expired or unvalidated certificates, or a fallback to plaintext 5060 — undoes the protection TLS is meant to provide.

How it's attacked

Attackers probe SIP servers with the nmap sip-methods script to map supported requests, then enumerate extensions and brute-force credentials. They attempt to downgrade sessions to plaintext 5060 where it is still open, and exploit weak TLS configuration or expired certificates exposed by checks like ssl-cert.

Hardening checklist

Enforce TLS with strong ciphers and valid certificates, and disable plaintext SIP on 5060 where TLS is required. Use strong SIP credentials, disable guest/anonymous calling, restrict source IPs, and rate-limit registration attempts to blunt brute force. Patch the PBX/SIP stack and monitor for enumeration. Use the nmap snippet above to review methods and certificate health on systems you are authorized to assess.
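
One way to monitor for enumeration and brute force from registration events, as an added example (not code from this page or from any PBX project). The key=value event format, the make_line and detect names, the sample addresses and the thresholds are all assumptions; adapt the parser to your PBX's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_line(sec, src, user, status):
    # Constructed key=value event format; not the native log format of any PBX.
    return f"2024-05-01T10:{sec // 60:02d}:{sec % 60:02d} src={src} method=REGISTER user={user} status={status}"

# Constructed sample events (documentation-range IPs, made-up extensions).
SAMPLE_LOG = "\n".join(
    [make_line(2 * i, "203.0.113.7", 1000 + i, 404) for i in range(6)]    # many extensions, one try each
    + [make_line(4 * i, "198.51.100.9", 1001, 401) for i in range(5)]     # one extension, many tries
    + [make_line(0, "192.0.2.10", 2001, 401), make_line(1, "192.0.2.10", 2001, 200)]  # challenge, then success
    + [make_line(120 * i, "192.0.2.44", 3001, 401) for i in range(5)]     # failures spread over 8 minutes
)

LINE_RE = re.compile(r"^(\S+) src=(\S+) method=REGISTER user=(\S+) status=(\d{3})$")
FAILURE_CODES = {401, 403, 404}  # SIP Unauthorized, Forbidden, Not Found

def detect(log_text, window_s=60, enum_users=5, brute_fails=5):
    """Return {source_ip: [alert labels]} for sources that exceed a threshold
    of failed REGISTERs inside a sliding window (thresholds are assumptions)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> (timestamp, user) of recent failures
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not REGISTER events
        ts = datetime.fromisoformat(m.group(1))
        src, user, status = m.group(2), m.group(3), int(m.group(4))
        if status not in FAILURE_CODES:
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= enum_users:          # many different extensions tried
            alerts[src].add("enumeration")
        if max(per_user.values()) >= brute_fails:  # one extension hammered
            alerts[src].add("brute_force")
    return {src: sorted(labels) for src, labels in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single 401 followed by a successful REGISTER is normal digest-authentication behaviour, which is why the thresholds count failures per source inside a window instead of alerting on any 401.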

Frequently asked questions

What is the difference between 5060 and 5061?
5060 carries plaintext SIP signaling; 5061 carries SIP over TLS, encrypting call setup and credentials. Pair 5061 with SRTP to protect the media as well as the signaling.

Does SIP over TLS prevent toll fraud?
It protects signaling in transit but not weak accounts. Attackers still enumerate extensions and brute-force credentials, so strong passwords, IP restrictions, and rate limiting remain essential.