If you have phones in the wild (changing IP's such as Softphones on Laptops) you need to have SIP open to the Internet - if you only have onsite phones, you can block SIP being forwarded to the PBX and the hacking attempts will stop.
Also, make sure that Fail2Ban is working - from the CLI, "iptables -L -v" will show you if Fail2Ban is working - if it's not, troubleshoot that also.
Finally, if you are using SIP trunking, do not assume that you have to have SIP open on the firewall. SIP Trunks that register do NOT need SIP forwarded to the PBX to work - the act of sending the registration opens the Firewall to the ITSP.
If you are using SIP trunks with IP-Authentication (They just send the traffic to your IP without registration) you still don't have to open SIP to the world - find out where your ITSP will be sending traffic from (their IP Addresses) and ONLY open the firewall to those ports.