Port Scanning/How to stop it

I am having an issue with hackers or scanners possible. I’m a tech for a company that services online schools. The teacher are using Yealink phones at their homes. Recently we have been getting bombarded with tickets and complaints about their phones are ringing at all hours with several different numbers (555,5555,1000,100 Test, etc.) and when they pick up the phones no one is there and it never actually hits the server if you look in the reports. Is there a way to just block this from happening or to find a way to stop them from scanning ports on the server (if that actually is the issue of course). We have been going into phones and blacklisting the numbers, but we have way to many endpoints to keep doing this. Any ideas would be much appreciated. Thanks everyone!

Maybe a firewall

A correctly configured one and a vpn

First a port scan won’t initiate a phone call, but you can block scans with your firewall. Secondly if they are hitting your SIP, restrict ( through firewall ) whom you accept SIP from. I also think you’re not giving a lot of info here to help show what is happening.

An unauthenticated SIP message should not cause the Yealink to ring. You server must be compromised or incorrectly configured to allow anonymous inbound.

Also the Yealink supports Open VPN I thing that would make your life a lot easier for many reasons.

We do have a linux firewall with fail2ban and IPtables, however, its hard to block IPs due to the fact that these are people who work from home for a virtual school and there are over 500 employees each obviously with all different IPs, and with that obviously we can’t make 1000’s of VPNs. We were doing some testing here with SIPvicious and scanned the external IP of the server and was actually able to replicate the issue on a test phone here being able to disguise the callerID on the phone. We did make that phone ring without it going through any kind of reports in FREEPBX. We just can’t find a good way to block it from happening on the phone.

Do you enforce strong passwords for your extensions?

Why not? Any modern SSL appliance can handle that, you are already taking the hits. I would just do 3 or 4 concentrators in a round robing configuration and have them authenticate to your current RADIUS/LDAP AAA environment.

Do you have an inbound route Any CID/Any DID that points to Terminate the call?