I’ve been doing this for a couple of years or more. I have helped to fund both Chinese universities and Palestinians; I regret both...
A few suggestions,
Never use beta software unless you are prepared to add risk.
Never run a SIP server on 5060 nor a web server on 80/443; it will be attacked in minutes.
Always add a rootkit analysis tool, it will notify you of things that you need to know about, maybe not immediately but within a day.
Always add a local iptables based firewall, running without one is just plain neglectful.
Never have a mysql root account not protected by a password.
Watch sensitive directory structures like /etc/asterisk and /var/www/html for unrequested changes.
If you follow these suggestions then I am pretty sure you will never see Mr. mgknight or his ilk again.
My recipe is:
Install the OS (you will need one, I use Debian)
Install rkhunter (without that you fly with your trousers unbelted from that point on)
Install csf/lfd for a secure firewall, with LFD adding all sorts of checks, including the directory ones I spoke about before; follow the audit script (you will need webmin to do that; don’t let anyone say that is intrinsically a bad thing, you would be surprised by how necessary that is).
Install fail2ban (0.9+ for best effect; unfortunately not working on Red Hat-based distros yet). If properly configured, it will protect all sorts of services you might be tempted to run, including postfix, apache, ssh, webmin, etc. etc. etc.
Install a LAMP stack whilst changing the mysql root password to something only you will remember.
Install FreePBX, bearing in mind that FreePBX assumes you have no need for a root password, which you now do (go figure that one).
Of course there is a little RTFM’ing on each step, but I am pretty sure that, with a little theatricality, you would not have been subject to the latest round of FreePBX/bash penetrations; it’s just pragmatic common sense.
To forestall the VPN arguments: no, I have neither the time nor the inclination to support installing VPN software on everything from my granny’s Win98 to a CEO’s humility-impaired idea of how an iPhone 8+ should work, and apparently nor do you. If the bad guys find you on port “WTF” then you chose a bad one; change it.
P.S. You will ALWAYS have to worry about security; if you don’t, you will sooner or later pay big bucks. There is no known solution to that.
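As an added example (not code from the original post), here is a small Python baseline-and-compare script for the "watch /etc/asterisk and /var/www/html for unrequested changes" step above, the same job LFD's directory watch does. The directory list and the baseline filename are assumptions; it records a hash, permission bits and size per file on the first run and reports added, removed and modified files on later runs.

```python
import hashlib, json, os, stat, sys
from pathlib import Path

# Directories the post says to watch; a constructed default, override as needed.
WATCHED_DIRS = ["/etc/asterisk", "/var/www/html"]

def snapshot(root):
    """Map every regular file under root to (sha256, permission bits, size)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and devices
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                continue  # unreadable or vanished mid-scan
            baseline[str(path)] = (digest, stat.S_IMODE(st.st_mode), st.st_size)
    return baseline

def diff_snapshots(old, new):
    """Return the paths that were added, removed or modified between scans."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def check_dirs(dirs, baseline):
    """Re-scan dirs and report every difference from the stored baseline."""
    current = {}
    for d in dirs:
        current.update(snapshot(d))
    return diff_snapshots(baseline, current)

if __name__ == "__main__":
    # First run records a baseline; later runs (e.g. from cron) report changes.
    baseline_file = Path(sys.argv[1] if len(sys.argv) > 1 else "dirwatch-baseline.json")
    if not baseline_file.exists():
        baseline = {}
        for d in WATCHED_DIRS:
            baseline.update(snapshot(d))
        baseline_file.write_text(json.dumps(baseline))
        print(f"baseline of {len(baseline)} files written to {baseline_file}")
    else:
        stored = {k: tuple(v) for k, v in json.loads(baseline_file.read_text()).items()}
        print(json.dumps(check_dirs(WATCHED_DIRS, stored), indent=2))
```

Keep the baseline file outside the watched trees and readable only by root, otherwise whoever changes the directory can also rewrite the baseline.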