Quick answer: Self-hosted fax servers share the same SIP attack surface as any VoIP system, and 2026 has seen a steady run of brute-force scans and toll-fraud attempts against exposed SIP endpoints, with global telecom fraud topping 40 billion dollars in losses. If you run an open-source fax server, you own the hardening. The essentials are strong trunk credentials, an IP allowlist on SIP, TLS and SRTP for encryption, and rate limiting to shut down brute-force attempts before they cost you.
Open source means you are in charge, which is the appeal and the responsibility. Security coverage through 2026 keeps flagging the same pattern: automated scanners hunt for SIP endpoints with weak or default credentials, then use them for toll fraud. The numbers are not small, with telecom fraud estimated above 40 billion dollars in losses last year, much of it flowing through abused SIP trunks.
A fax server speaks SIP just like a softphone or PBX, so it is a target too. The good news is that a self-hosted fax server gives you every lever you need to lock it down. You just have to pull them, because no vendor security team is doing it for you.
How the Attacks Actually Work
Most attempts are not clever, they are relentless. A scanner finds your SIP port open to the internet and starts guessing extension numbers and passwords. If it lands on a weak credential or a leftover default, it registers and starts placing calls, often to premium-rate international numbers, racking up charges fast. Spoofed registration attempts and malformed packets round out the toolkit.
The exposure is simple to picture. An endpoint reachable by anyone, protected only by a guessable password, is an open door. The same endpoint behind an allowlist with strong credentials and rate limiting is a wall.
The Hardening That Stops Most of It
You do not need exotic tooling. A handful of controls blocks the overwhelming majority of these attempts. ICTFax is FreeSWITCH-based and self-hosted, so each of these is yours to configure directly.
Strong trunk and extension credentials
Default and weak passwords are the single biggest cause of compromise. Set long, unique credentials on every trunk and extension, and remove anything you are not using. This one change defeats most automated scanners on its own.
Lock SIP to known sources
If your fax traffic only comes from a known carrier or a fixed set of sites, restrict SIP to those addresses with an allowlist. An endpoint that only answers known sources is invisible to the random internet scan.
Encrypt with TLS and SRTP
TLS protects the SIP signaling and SRTP protects the media, so credentials and fax content are not readable in transit. For a fax server carrying sensitive documents, that protection is worth the small setup cost.
Rate limit and watch the logs
Rate limiting and a fail2ban-style block on repeated failures stop brute-force attempts after a few tries. Watching registration and call logs lets you spot an odd pattern, like calls to countries you never dial, before the bill arrives.
A Self-Host Security Checklist
Run through this on any internet-facing fax server.
- Replace every default credential and remove unused trunks and extensions.
- Restrict SIP to known carrier and site addresses with an allowlist.
- Turn on TLS for signaling and SRTP for media.
- Add rate limiting and automatic blocking for repeated failed registrations.
- Review call and registration logs regularly, and alert on calls to destinations you never use.
None of this requires a vendor contract. It is the trade you make for running your own stack: full control, and the duty to use it.
Related reading:
Open source faxing based on the T.38 protocol · Email-to-fax and fax-to-email services
Frequently Asked Questions
Is a fax server really a SIP target?
Yes. A FoIP fax server registers and places calls over SIP just like a softphone or PBX, so the same scanners that hunt for VoIP endpoints will find it. The attack and the defense are the same as for any SIP system.
What is the single most important fix?
Strong, unique credentials on every trunk and extension, with no defaults left in place. Weak passwords are the most common way these servers get compromised, so fixing that alone stops most automated attacks.
Do I need TLS and SRTP for fax?
For a server carrying sensitive documents, yes. TLS protects the signaling and SRTP protects the media, so credentials and fax content are not exposed in transit. The setup cost is small relative to the protection.
How does rate limiting help?
Brute-force attacks rely on many rapid attempts. Rate limiting and automatic blocking after repeated failures cut those attempts off early, so a scanner cannot keep guessing passwords against your endpoint.
Does open source make this harder or easier?
Easier, in the sense that you have full access to every control. The catch is that the responsibility is yours, since no managed vendor is applying these settings for you. The levers are all there to pull.
Get Started
Want help hardening a self-hosted fax server against the 2026 attack wave? Contact our team and we will walk you through it.