+1 for jfinstrom’s answer.
VoIP systems are a very big target worldwide.
- Make sure all your passwords are strong, like the root account for SSH, phone registration passwords, provisioning, FreePBX admin account, FreePBX user accounts, voicemail passwords, admin passwords for your physical phones, PBX authentication to your VoIP provider, admin account for your VoIP provider…
- If you can, don’t allow ANY port forwarding to your PBX. I believe an IAX2 trunk is better at this than a SIP trunk. If you must allow incoming connections, try using IP whitelisting or requiring a VPN.
- My VoIP provider, voip.ms, lets me configure LOTS of things related to security. I can block calls to/from countries, set time limits, pre-pay an account balance, get email notifications about dozens of things, whitelist an IP for my FreePBX, etc. Fully investigate every option you can find on your VoIP provider’s website.