Skip to content

SIP IP blacklist

A SIP IP blacklist that only contains VoIP attackers.

Pull blacklist.txt or stream JSON from GET /v1/threats. Every IP is verified against live honeypot telemetry, not recycled from unrelated abuse categories.

Static blocklists go stale in hours

Fraud crews rotate infrastructure constantly. A monthly updated DROP list cannot keep pace with SIP scanners that appear, exploit, and vanish within a day. You need a feed that refreshes as attacks happen.

Live blacklist from honeypot hits

SipRadar publishes high-confidence attacker IPs minutes after our honeypots record malicious SIP behavior. Filter by minimum threat score, country, or port before you block.

How SipRadar helps

Plain-text export

GET /v1/blacklist.txt returns one IP per line, ideal for cron jobs, nftables sets, and simple shell scripts.

JSON threat stream

GET /v1/threats returns structured events with timestamp, geo, user-agent, port, and threat score for richer automation.

Per-IP reputation lookup

Check any address with GET /v1/ip/{address} before you block. Useful for investigating log entries and carrier complaints.

Fail2Ban-ready

Copy our jail and filter examples from the API docs to ban attackers automatically when they hit your edge.

Drop into Fail2Ban or iptables

Schedule a cron pull of blacklist.txt, or point Fail2Ban at our API for dynamic bans. Kamailio users can load the feed into dispatcher or permissions modules.

FAQ

Frequently asked questions

Common questions about SIP IP blacklist and how SipRadar fits your VoIP security stack.

Ask a question →
  • Continuously. Honeypot events stream in real time; paid API tiers receive immediate updates. Community tier uses a 48-hour delayed snapshot.