Am I being hacked?

I have never been a fan of using “non-standard” SIP ports as a primary method of “SIP security” but if it works it works. However, to think that probes happen in the 5XXX range is not entirely true, as many regions around the world already block “external access” for SIP along the most common ranges. I’ve had customers in the past out of India, Iran, etc., and those required me to have non-standard ports listening for SIP. Ports that in some cases were standards for other protocols. I’ve had to have 80, 443, etc. all listening on SIP for these special cases because their regional firewalls let those through.

Honestly, in most business PBX deployments, having a Deny All by default firewall and only letting in what you need is the best course of action. In some rare cases there are “remote” users and you might need to run some filtering/rate limiting to let them in, but those are IBC’s for sure.

For someone like me that has end users connecting from all over US/Canada, I took a little more pragmatic approach. I have customers that exist in one Regional Internet Registry, ARIN. I have no need to allow any access from the other four RIRs, so those are automatically blocked. Now all I have to do is deal with those within the ARIN ranges, and that makes life a lot easier since they are more manageable and regulated. Case in point, my firewall caught someone in the same Data Center as me trying to hack my network. Whoever they were, they are no longer in my DC due to me filing complaints and logs.

Right now I got a system using these rules and in the last 75 days (since it was brought up) over 250K packets dropped from non-ARIN sources and over 100 ARIN IPs dropped after they broke rules. In most cases they pretty much stop and move on once they start getting dropped constantly.

So really, security measures put into place should meet the requirements and needs of your deployment. Since those are different for everybody, some best practices are wise to follow, but you’ll need to tweak it to meet your needs.
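
One way to build the single-registry allowlist described in the post above, as an added example that is not part of the original post: it parses the RIR delegated-statistics format into CIDR blocks and renders them as an nftables interval set. The sample records (documentation ranges only), the function names and the choice of nftables are assumptions; the post does not say which firewall or data source was used.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics format:
# registry|cc|type|start|value|date|status  (documentation ranges only)
SAMPLE = """\
2|arin|20240101|5|19700101|20240101|+0000
arin|*|ipv4|*|3|summary
arin|US|ipv4|192.0.2.0|256|20100101|allocated
arin|CA|ipv4|198.51.100.0|192|20100101|assigned
arin||ipv4|198.51.100.192|64||available
arin|US|ipv6|2001:db8::|32|20100101|allocated
ripencc|NL|ipv4|203.0.113.0|256|20100101|allocated
"""

def allowed_networks(stats_text, registry="arin"):
    """Return collapsed networks delegated by `registry` (IPv4 first, then IPv6)."""
    v4, v6 = [], []
    for line in stats_text.splitlines():
        f = line.strip().split("|")
        # Skip comments, the version/summary header lines and other registries.
        if line.startswith("#") or len(f) < 7 or f[0] != registry:
            continue
        kind, start, value, status = f[2], f[3], f[4], f[6]
        if status not in ("allocated", "assigned"):
            continue  # "available"/"reserved" space is not delegated to anyone
        if kind == "ipv4":
            # For IPv4 the value is an address count, not always a power of two.
            first = ipaddress.IPv4Address(start)
            v4.extend(ipaddress.summarize_address_range(first, first + int(value) - 1))
        elif kind == "ipv6":
            # For IPv6 the value is the prefix length.
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def is_allowed(src, networks):
    """Default deny: a source passes only if it falls inside a delegated network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in networks)

def render_nft_set(networks, version, name):
    """Emit an nftables interval set for one address family (assumed firewall)."""
    kind = "ipv4_addr" if version == 4 else "ipv6_addr"
    elems = ", ".join(str(n) for n in networks if n.version == version)
    return (f"set {name} {{\n    type {kind}\n    flags interval\n"
            f"    elements = {{ {elems} }}\n}}")

if __name__ == "__main__":
    nets = allowed_networks(SAMPLE)
    print(render_nft_set(nets, 4, "arin_v4"))
    for src in ("198.51.100.150", "198.51.100.200", "203.0.113.5"):
        print(src, "accept" if is_allowed(src, nets) else "drop")
```

Sources that pass this check are still subject to whatever per-source rules apply inside the allowed registry, as the post describes for ARIN addresses.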