...
Keep your system updated (firmware) and patched with the latest security updates (FreePBX wiki - Updates).
Enable Fail2ban (FreePBX wiki - Intrusion Detection):
Whitelist authorized IPs.
Enable PBX Firewall (FreePBX wiki - Firewall):
Whitelist authorized IPs.
CRITICALLY IMPORTANT - set the zone to "Internet" for all interfaces that have or could have inbound untrusted traffic.
If you must provide access to SIP clients that can't be whitelisted, enable the Responsive feature in the PBX Firewall. If untrusted access is not necessary, disable Responsive.
Enable HTTPS-only access (with corresponding certificate services) (FreePBX wiki - Certificate Management). Consider an HTTP-to-HTTPS redirect (System Admin - Port Management#PortManagement-Forcehttps).
Use TLS / SRTP for encryption of signalling and media.
Asterisk SIP Settings (FreePBX wiki - Asterisk SIP Settings User Guide):
Set Allow Anonymous Inbound SIP Calls to NO.
Set Allow SIP Guests to NO.
Blacklist offending IP addresses manually (FreePBX wiki - Firewall Blacklist).
Use an obscure port number other than 5060, etc. for SIP.
Configure the trunk to use the new port.
Configure SIP peers/clients to use the new port.
Use IP-based authentication for your trunk provider (if supported).
Allow no untrusted access to critical services such as the admin GUI and SSH.
If possible, block untrusted access to user-facing services such as UCP and SIP. If that is not possible, enforce strong user passwords and ensure Fail2ban is configured and working.
If your company does not make international calls, ask your SIP provider to disable international calling, or block international calling within your PBX (or both) (FreePBX wiki - Outbound Routes Configuration Examples).
Awareness is your best defense. Review the Call Reports/logs regularly.
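One way to make the regular call-report review routine, as an added example that is not part of the original page or of FreePBX itself: a small Python script that scans a CDR export for international destinations and answered after-hours calls. The CSV layout (column names taken from the Asterisk cdr table), the international prefixes and the business hours are assumptions to adjust for your site, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

INTL_PREFIXES = ("011", "00", "+")   # assumption: adjust to your dial plan
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 local time

# Constructed sample rows; column names follow the Asterisk cdr table.
SAMPLE_CDR = """calldate,src,dst,billsec,disposition
2024-03-04 09:12:40,201,5551230100,184,ANSWERED
2024-03-05 02:14:07,207,0011234567890,611,ANSWERED
2024-03-05 02:25:31,207,0011234567891,598,ANSWERED
2024-03-05 02:37:02,207,+1234567892,0,FAILED
2024-03-05 14:03:55,203,911,42,ANSWERED
2024-03-06 23:48:19,201,5551230199,35,ANSWERED
"""

def review_cdr(csv_text, intl_allowed=False):
    """Return (findings, intl_seconds_by_src) for a CDR export."""
    findings = []
    intl_seconds = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["calldate"], "%Y-%m-%d %H:%M:%S")
        dst = row["dst"].strip().replace(" ", "").replace("-", "")
        answered = row["disposition"] == "ANSWERED"
        is_intl = dst.startswith(INTL_PREFIXES)
        if is_intl and not intl_allowed:
            # Failed attempts count too: they show outbound routes being tried.
            findings.append((row["calldate"], row["src"], dst, "international"))
            if answered:
                intl_seconds[row["src"]] += int(row["billsec"])
        elif answered and when.hour not in BUSINESS_HOURS:
            findings.append((row["calldate"], row["src"], dst, "after-hours"))
    return findings, dict(intl_seconds)

if __name__ == "__main__":
    findings, totals = review_cdr(SAMPLE_CDR)
    for calldate, src, dst, reason in findings:
        print(f"{calldate}  ext {src} -> {dst}  [{reason}]")
    for src, secs in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"ext {src}: {secs} s of answered international calls")
```

Pass `intl_allowed=True` if the site does place international calls; those calls are then only reported when they are answered outside business hours.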
...