Ghost Calls

Prevent ghost calls caused by internet scans against exposed SIP phones or PBX systems.

Ghost calls are unwanted calls that ring a SIP phone directly from the public internet, often from short numbers such as 100 or 1000. They are usually caused by internet scans against exposed SIP ports.

Why ghost calls happen

Scanning tools send SIP INVITE requests to public IP addresses looking for vulnerable phones or PBX systems. If a phone accepts SIP requests from any source, it may ring even though the call did not come through 2talk.

Prevent ghost calls

  • Restrict SIP traffic: Allow SIP only from trusted 2talk IP ranges, such as 27.111.12.0/24.
  • Disable direct IP calls: Many phones have an option to reject direct IP calling.
  • Trust only the SIP server: Enable settings that accept SIP requests only from the registered server.
  • Avoid open port forwards: Do not expose SIP ports to the whole internet unless a firewall rule restricts the source.
  • Use TLS where possible: TLS can reduce interference from network devices and scanners.

Yealink settings

Yealink phones provisioned through 2talk Device Provisioning can receive recommended security settings automatically. For manual configuration, check these settings in the Yealink web interface:

  • Allow IP Call: Disabled.
  • Accept SIP Trust Server Only: Enabled.
  • Firmware: Keep the phone on current firmware from Yealink.
Table of Contents