Am I being hacked?

There is another function of Asterisk which also greatly improves security (but is little used) if you use UDP/5060 (the target of 99.99% of the bad guys). For chan_sip, just add

domain=your.dns.name
domain=127.0.0.1 ; if you have t38modems or the like

to either

/etc/asterisk/sip_general_additional.conf

or to the extra SIP settings in the GUI.

For chan_pjsip, I'm sure there is an equivalency in your AOR setup to reject any IP-based URIs.

That would trigger a message something like

[2018-12-29 12:41:12] NOTICE[13726] chan_sip.c: Registration from '"301" <sip:301@yourip>' failed for '185.53.88.6:5616' - Not a local domain

that a well-configured fail2ban Asterisk regex will capture and ban at iptables, but even so, neither SIP REGISTER nor INVITE nor OPTIONS would be accepted or processed.

This particular attacker is in Iceland, so RIPE. I will note that most of the Chinese universities (also not stupid) have moved their attack servers to ARIN cloud servers; they are still there, though.

Just have your phones register to your DNS name and not the IP. There are possibly some problems with some VSPs requiring them to use names, not IPs, but none of mine have a problem here.

(Watching sngrep is very informative as to WTF is going on)

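As an added example, not code from the original post or from fail2ban, the Python script below mimics what a fail2ban filter does with the NOTICE shown above: a regex written here in the spirit of fail2ban's asterisk filter pulls the source IP (fail2ban's `<HOST>`) and the failure reason out of constructed log lines, counts failures per host, and lists the hosts that pass a maxretry threshold. It also shows the domain check that `domain=` triggers, so you can see why a REGISTER whose URI carries a bare IP is refused before any password is checked. The log lines, the IPs, the domain `pbx.example.net`, the `LOCAL_DOMAINS` set and the `maxretry` value are all constructed assumptions.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample log lines in the chan_sip NOTICE format quoted in the post
# (assumed layout; extensions, IPs and the domain pbx.example.net are made up).
SAMPLE_LOG = """\
[2018-12-29 12:41:12] NOTICE[13726] chan_sip.c: Registration from '"301" <sip:301@203.0.113.10>' failed for '198.51.100.6:5616' - Not a local domain
[2018-12-29 12:41:13] NOTICE[13726] chan_sip.c: Registration from '"302" <sip:302@203.0.113.10>' failed for '198.51.100.6:5617' - Not a local domain
[2018-12-29 12:41:14] NOTICE[13726] chan_sip.c: Registration from '"303" <sip:303@203.0.113.10>' failed for '198.51.100.6:5618' - Not a local domain
[2018-12-29 12:42:01] NOTICE[13726] chan_sip.c: Registration from '"201" <sip:201@pbx.example.net>' failed for '192.0.2.77:5060' - Wrong password
[2018-12-29 12:42:30] VERBOSE[13726] -- Registered SIP '201' at 192.0.2.78:5060
"""

# Domains that domain= would make "local" (assumed values: your DNS name plus
# 127.0.0.1 for local devices such as t38modem, as in the post).
LOCAL_DOMAINS = {"pbx.example.net", "127.0.0.1"}

# Regex written here in the spirit of fail2ban's asterisk filter (not copied
# from it): capture the IPv4 source (fail2ban's <HOST>) and the failure reason.
FAIL_RE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+?)\s*$"
)


def uri_domain(uri: str) -> str:
    """Return the host part of a SIP URI such as '<sip:301@203.0.113.10:5060>'."""
    uri = uri.strip("<>")
    if ":" in uri and uri.split(":", 1)[0].lower() in ("sip", "sips"):
        uri = uri.split(":", 1)[1]
    host = uri.rsplit("@", 1)[-1]
    host = host.split(";", 1)[0]          # drop URI parameters
    if host.count(":") == 1:              # strip a port from a hostname/IPv4
        host = host.split(":", 1)[0]
    return host.lower()


def is_local_domain(uri: str, local_domains: set[str]) -> bool:
    """Mirror the domain= check: only URIs whose domain is configured are accepted."""
    return uri_domain(uri) in local_domains


def parse_failures(log_text: str) -> list[tuple[str, str]]:
    """Extract (source_ip, reason) from every NOTICE line that matches FAIL_RE."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found.append((m.group("host"), m.group("reason")))
    return found


def hosts_to_ban(log_text: str, maxretry: int = 3) -> dict[str, int]:
    """Hosts with at least maxretry failures (fail2ban's maxretry idea, without findtime)."""
    counts = Counter(host for host, _ in parse_failures(log_text))
    return {host: n for host, n in counts.items() if n >= maxretry}


def ban_commands(hosts: dict[str, int]) -> list[str]:
    """Simplified iptables drop rules; fail2ban's real action uses its own chain."""
    return [f"iptables -I INPUT -s {host} -j DROP" for host in sorted(hosts)]


if __name__ == "__main__":
    for host, reason in parse_failures(SAMPLE_LOG):
        print(f"{host}: {reason}")
    banned = hosts_to_ban(SAMPLE_LOG)
    print("ban:", banned)
    for cmd in ban_commands(banned):
        print(cmd)
    print(is_local_domain("<sip:301@203.0.113.10>", LOCAL_DOMAINS))  # False
    print(is_local_domain("sip:201@pbx.example.net", LOCAL_DOMAINS))  # True
```

Run it as-is to see the three "Not a local domain" hits from one source cross the threshold while the single "Wrong password" from another does not; the domain check is the reason the first three never got as far as a password check. A real fail2ban jail also applies a findtime window and a bantime, which this sketch leaves out.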