From VoIP.ms Wiki
Based on the broad view we have of thousands of customers, we believe that most of the hacking cases for the purpose of placing unwanted calls, can be avoided by following these suggestions:
1) Use strong Passwords: We can't stress this one enough: Use strong passwords! One of the first actions many people do after they install their PBX, is often to create a phone extension with an easy password. Avoid using short or weak extension passwords. Please remember to use passwords of at least 8 characters, including a mix of upper and lower case along with digits. Remember to change them periodically every 2-3 months at most.
2) Public Internet: Avoid leaving your PBX systems, ATA Adapters and IP Phones open to the internet. Do not use DMZ mode on your router and do not forward ports to your equipment, unless you absolutely know what you are doing. This is only needed on specific cases, and only leave it open to the internet if you have experience on how to properly manage security on equipment that is open to the internet.
3) Confirm that both your PBX's configuration admin and guest passwords have been changed to something strong, making sure that you are not able to access your device using the default passwords that appear in your manual (e.g. admin). It is very important that you remember this new password in case you need to make any further changes to your configuration in the future.
4) Asterisk Tweak: If you are using an Asterisk based PBX, add the following line to the sip.conf file under the [general] section and issue a reload
alwaysauthreject = yes
What this parameter does, is that it will always return an authentication error instead of a .404 not found:., even when the extension doesn't exist. This steps-up the difficulty for brute force scanners when they are attacking your PBX.
5) Trixbox, PBX In a Flash and other web interface based PBX: Change the default password. Different flavors of PBX installs come with default administration passwords. Make sure to change the default passwords immediately after your installation and also make sure the web interface is not reachable from the internet.
6) PBX Dial Plan: Do you make international calls? If not, do not allow international calls to be placed from your PBX. In Asterisk, remove ._011.. Or .00_. . Never use ._... If you are only calling a few countries on a regular basis, enable these countries only. For example: The only country you're calling is UK? Only configure _01144. In your dialplan.
7) Use additional caution while travelling: Do you plan on using a soft phone at a random internet cafe? Make sure you remove your login details after using it, and uninstall the software if possible.
8) Asterisk and Fail2ban: As an additional step you can install an additional security tool such as fail2ban, which is a free brute force detection system, it scans the log files of your PBX and then takes action based on the entries of those logs. (http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk).
9) Have your PBX Equipment listen to a different port than 5060/5061: If your PBX is open to the internet, you can drastically reduce scan / brute force attempts by using a different SIP Port for incoming connections.
10) Account restrictions: VoIP.ms offer new options that can help for the security, refer to Main Menu >> Account Settings >> select the tab "Account Restrictions" (https://www.voip.ms/m/settings.php). These settings define the restrictions the system will use when you place calls to either USA48, Canada or International Numbers. It is strongly suggested to use the restrictions by country, this tool will help you avoid having calls to countries that you do not intend to reach at all.
There are various other measures that you can perform to secure your VoIP equipment, however this article covers some of the most important aspects. The technology and the methods used by abusers keep evolving constantly. By meeting the recommendations on this article you will have a more secure PBX system.
For FreePBX Users
A critical vulnerability has been discovered that can affect FreePBX versions between 13.0.12 and 13.0.26. An unauthenticated remote attacker can run shell commands as the Asterisk user of any FreePBX machine with ‘Recordings’ This has been fixed in Recordings 13.0.27. You can read more about this vulnerability including how to fix this here: http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation