As @dicko is usually quick to point out, 5060 and 5160 (or 5062) are the defaults, but certainly not “best practice” addresses.
There are a couple of ways to deal with the default SIP port. The first thing to remember is that the script-kiddies scan for 5060 and 5160 (or 5062) when looking for exploitable SIP gateways. We, as a community, recommend dealing with this in one of three ways. The first (and usually easiest) way is to set up your inbound firewall so that only authorized hosts (your SIP provider, for example) can connect to port SIP. The second way to deal with this is to use encryption, either through TLS or VPN. The third is to use the Adapting Firewall that locks out sources that abuse the system.
As far as I’m concerned, there are no “wrong” answers, except for doing nothing. Since the distro comes with the Firewall turned on and installed, doing nothing is an active decision that can cause you all sorts of problems. Like other herd immunity, the more effort we take to lock these services down to authorized users, the less value scanning and exploiting the ports has and eventually the “sk” will just stop asking.