I've seen an increase in hacking attempts and 3cx Anti-hacking blocking and blacklisting IP's. Trying to figure out the best plan to deal with them. I host 3cx servers for several remote clients. We are using STUN at this point for all remote IP phones I know the best thing would be to restrict 5060 to the sip providers and use SBC's at all the remotes, but I don't think this will be feasible. The remotes all have main offices but all have many users that are working at home etc with IP phones, so an SBC at every phone location would be difficult, plus lots more equipment to manage. Wondering what others are doing in this situation where STUN is used. I think that trying to monitor all client instances and keep updating a blacklist at the firewall would be never ending. I'm thinking that, in most cases, even where home users are on dynamic addresses from ISPs, that the IP ranges they are coming from won't change that often. I could go through the clients and build whitelists and whitelist the current in-use ISP ranges and only allow those through the firewall to 5060. Then the only ongoing management would be adding ISP ranges when a user switches ISP's or ISP changes ranges, but how often is that likely to be with ISP's in the U.S.? Perhaps I'm overthinking it and restricting at the firewall would be adding difficulty. Currently between all the clients getting probably 30 or so blocks/blacklists a day which 3cx servers are dealing with. I have lowered the anti-hacking thresholds and increased the blacklisting time. Any thoughts on what we should do going forward? Our goal is to continue to add hosted clients.