Asterisk Protection On Internet and SIP accounts

How do you guys protect your Asterisk against attacks from the internet?

I currently have a setup where the attacks are blocked with fail2ban after some failed login attempts. In the fail2ban setup I had a whitelist; those would be allowed multiple tries with a wrong pw.

Now the problem is, I want to give the customers the ability to create accounts. I have a setup where the customers should not be able to go over some limit in $, but I would like better protection.

So that somebody cannot brute force a customer pw.

If I block an IP after some tries, I might block a customer when he made a typo.

The only thing that I can come up with is that I block the IP after wrong tries and send the customer an email with a link where they can unblock that IP.

I also don't allow a customer to choose the pw for a SIP account; I generate the pw. So there is less chance of brute forcing the account.
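
The block-then-email-unblock idea from the post, sketched as an added example that is not part of the original post and not fail2ban or Asterisk code: failures are counted per IP with a whitelist exemption, and the emailed link carries an HMAC token bound to the blocked IP, the account and an expiry. `LoginGuard`, the thresholds and the key are hypothetical names and values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5                    # assumed threshold before an IP is blocked
WINDOW = 600                        # assumed counting window, seconds
TOKEN_TTL = 3600                    # assumed lifetime of the emailed unblock link
SECRET = b"constructed-demo-key"    # placeholder; load a real key from secret storage

class LoginGuard:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.blocked = set()

    def _sign(self, ip, account, expires):
        msg = f"{ip}|{account}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def record_failure(self, ip, account, now=None):
        """Return an unblock token when this failure triggers a block, else None."""
        now = time.time() if now is None else now
        if ip in self.whitelist or ip in self.blocked:
            return None
        recent = [t for t in self.failures[ip] if now - t < WINDOW] + [now]
        self.failures[ip] = recent
        if len(recent) < MAX_FAILURES:
            return None
        self.blocked.add(ip)
        expires = int(now) + TOKEN_TTL
        # Token goes into the link mailed to the owner of `account`.
        return f"{expires}.{self._sign(ip, account, expires)}"

    def unblock(self, ip, account, token, now=None):
        """Lift the block only for the exact IP/account the token was issued for."""
        now = time.time() if now is None else now
        try:
            expires_s, sig = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False                    # malformed token
        good = self._sign(ip, account, expires)
        if not hmac.compare_digest(sig.encode(), good.encode()) or now > expires:
            return False                    # forged, wrong IP/account, or expired
        self.blocked.discard(ip)
        self.failures.pop(ip, None)
        return True
```

The mail should name the blocked IP so the customer can tell their own typo from someone else's attempts before using the link.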