IMO, blocking by country provides almost no protection, though it requires considerable administrative effort and might block a legitimate user, e.g he’s on vacation and trying to call in.
Know your enemy! I consider three ‘grades’ of attacks: Grade 1, the weakest but by far the most common, come from automated tools that probe every IPv4 address on the internet for vulnerabilities in SIP, HTTP, etc. Grade 2 attacks target your system specifically, e.g. a competitor trying to obtain your customer list or disrupt your operation, or a former customer or vendor seeking revenge for a perceived wrong. Grade 3, the strongest, come from someone with internal knowledge of your system, e.g. a disgruntled employee, former employee or contractor.
A home or very small business might only be concerned about grade 1. Simply hiding everything behind a ‘secret’ domain name will provide virtually complete protection, without significant inconveniences. The scanning bots never see any response on your SIP ports; HTTP(S) requests get only a dummy site. They don’t learn that you have a PBX. The number of authentication failures in your log is zero. Any that appear are almost certainly caused by misconfiguration of your equipment.
I’ve run a test system with only 6 iptables rules, not even fail2ban. After several months, there have been no unexpected authentication failures logged, see PBX Security . (Port 22 in the example should be replaced with a non-standard value.)
Of course, such a setup provides almost no protection against grade 2 (hard to keep the domain name secret) or 3 (attacker already knows it), so a firewall for a larger business needs additional restrictions such as IP address whitelists or certificate-based authentication. However, this should be on top of your grade 1 protection. The number of authentication failures from automated tools should still be zero (if Fail2Ban bans anything, something’s wrong).
Blocking requests from specific countries does not significantly help. The grade 1 attackers (from any country) are already effectively blocked. Grade 2 and 3 attackers are likely in your country. If not, they surely know what country you are in and will use a VPN to make the attack.
If grade 1 is your only concern, just set up a secret domain name and you can then spend your time improving the phone system in other ways or on other aspects of your business. If threatened by grade 2 or 3, design your defenses accordingly.