VPNs are the most secure in my opinion.
That being said it’s not magic. The more you expose the more attack vectors someone has. The reoccurring advice is
- To use a non-standard signaling port (thanks @dicko)
- Port forward only the necessary ports (signaling & RTP), no need to expose everything
- Turn off Anonymous and Guest calls
- Use Sangoma Responsive Firewall
- Restrict your outbound route dialplan to block international and “pay” numbers
- Look at using proactive blocking as well Integrating apiban.org with FreePBX - FreePBX / Tips and Tricks - FreePBX Community Forums