You will have a very restricted machine; unfortunately you will need to open holes for software updates and even diagnostic tools like whois. This might be a pain, but as you get used to the concept, you will only be opening up the minimal hosts/ports.
This concept is restrictive by nature, but if you have the patience it is very secure; even mustardman or obelisk will not see you. It gets interesting as you slowly open up comcast/coxnet etc. as needed to suit your remote phones, but generally you can restrict those to /16 networks at worst. You will be protected from Chinese Universities and Palestinian/Eastern Europe/Amazon cloud hackers (In my experience, the biggest pricks, and NO they are NOT STUPID).
Having opened up “holes”, you probably need a logfile scanner.
I suggest fail2ban as it is easy to install and easy to customize. Google for the latest regexes for the asterisk you use, edit those filters to your liking.
Don’t be complacent here, regularly run
fail2ban-regex
against your log files and against new attacks that might show up, edit the filters to keep up to date.
These logfile scanners scan the logfiles from postfix/exim, apache/httpd, asterisk, ssh, actually anything. The world is your oyster here, but they only do what you tell them to do. Caveat emptor, and be prepared to get your feet wet.
On another note, Webmin, ssh and other conveniences should not be running on standard ports. Actually, apart from ssh, they should probably not be running at all until you need them.
Simple services like tftpd and ntpd are also prone to attack, again restrict access to them.
The process goes on, but after these few steps you might be ready to install asterisk and FreePBX.
(Many distros do most of these steps for you, many don’t; please be aware of what you are installing from an iso.)
dicko
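
What the regular fail2ban-regex check catches, as an added example (not part of the original post, and not fail2ban's own code): a small Python harness applies an older and an updated set of failregex-style patterns to constructed Asterisk log lines and lists what each set misses. The patterns, the IPv4-only substitute for the <HOST> tag, and every sample line are assumptions made for this example.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only); the real tag also covers IPv6 and names.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical filter lines in failregex style, written for this example.
OLD_FILTER = [
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for '<HOST>(?::\d+)?' - (?:Wrong password|No matching peer found)",
]
UPDATED_FILTER = OLD_FILTER + [
    r"NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: Request '\w+' from '.*' failed for '<HOST>(?::\d+)?' .*- (?:No matching endpoint found|Failed to authenticate)",
    r"SECURITY\[\d+\] res_security_log\.c: SecurityEvent=\"(?:InvalidPassword|InvalidAccountID|ChallengeResponseFailed)\".*RemoteAddress=\"IPV4/(?:UDP|TCP|TLS)/<HOST>/\d+\"",
]

# Constructed sample log lines using documentation address ranges, not from a real system.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-05-01 10:00:02] NOTICE[2101] chan_sip.c: Registration from '<sip:200@203.0.113.5>' failed for '198.51.100.23:5071' - No matching peer found
[2024-05-01 10:00:03] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:100@203.0.113.5>' failed for '192.0.2.44:5060' (callid: c1) - No matching endpoint found
[2024-05-01 10:00:04] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="100",RemoteAddress="IPV4/UDP/192.0.2.91/5060"
[2024-05-01 10:00:05] VERBOSE[2101] pbx.c: Executing [100@from-internal:1] Dial("PJSIP/100-00000001", "PJSIP/101,20") in new stack
"""

def compile_filter(failregexes):
    """Expand the <HOST> tag and compile each pattern."""
    return [re.compile(rx.replace("<HOST>", HOST)) for rx in failregexes]

def scan(log_text, failregexes):
    """Return ({host: hit count}, [unmatched lines]), similar to a matched/missed summary."""
    compiled = compile_filter(failregexes)
    hits, missed = {}, []
    for line in log_text.splitlines():
        match = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
        else:
            missed.append(line)
    return hits, missed

if __name__ == "__main__":
    for name, flt in (("old", OLD_FILTER), ("updated", UPDATED_FILTER)):
        hits, missed = scan(SAMPLE_LOG, flt)
        print(f"{name}: hits={hits} missed={len(missed)}")
        for line in missed:
            print("   missed:", line)
```

Reading the missed lines is the point: a failed-authentication line that still shows up there means the filter needs a new pattern.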