Security is always an issue worth considering. Looking at InboundCallRoutes we have three parts that we can use:
Caller>callee:terminal
If we look at the "Direct Calling" method of using CSipSimple described here, then we can see a typical InboundCallRoute:
http://www.obitalk.com/forum/index.php?topic=6211.msg39466#msg39466
Voice Services > SP1 Service > X_InboundCallRoute (typical example):
{(Mcot)>(Msp1),(Mcot)>(<**1:>(Msp1)):sp1},{(Mcot)>(<**2:>(Msp2)):sp2},{(Mcot)>(<**8:>(Mli)):li},{(Mcot)>(<**9:>(Mpp)):pp},{(Mcot)>**0:aa},{(Mcot)>0:ph},{>1787856:ph}
Mcot contains the list of allowed CallerIDs. These can be quite complex, made up of numbers and lower and upper case letters (beware of "reserved characters"). The OBi is case sensitive when it deals with CallerIDs. For example you might have a CallerID of 62Hf17nN4kd3. Hackers and scanners are not easily going to break that sort of CallerID. I'm not sure how many characters long a CallerID can be, but long enough for our purposes!
Callee is used differently. The last rule above {>1787856:ph} is a typical use of the "Oleg Method". An incoming service or DID is allowed to call the target (phone in this case) if they are using the correct callee. The callee in this case might be your phone number or SIP identity. In this case callers only get access to ring your phone, no through dialling is allowed.
Callee in a more complex rule above such as {(Mcot)>(<**2:>(Msp2)):sp2} is (<**2:>(Msp2)). In this case the number dialled has to begin with **2 and match the DigitMap Msp2. We use **2 to make it the same as dialling from the phone attached to the OBi. However, if you wished to make things more difficult for hackers, you could use any combination such as (<**2*8:>(Msp2)). The problem here is that you are making things difficult for yourself! You could be extra clever and use CSipSimple's filters to add these odd codes for you.
Next we have terminal. Not much you can do here, although a blank terminal can be used to send unwanted callers to the "bit bucket" as in this rule:
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):}
This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".
Finally we have the SIP "listening ports". The OBi knows them as UserAgentPorts. I recommend always changing them to something obscure well away from 5060, 5061 etc. It's not a sure way to stop scanners, but it's another level of security to add to the others.
I've been using CSipSimple for direct calling into my OBi for quite a while and have had no hacker / scanner problems. I do use most of the methods described above.
May the OBi force be with you