There are a number of ways to secure Asterisk once you have secured the actual server on the OS level.
In the public space (cloud/hosted), you are best with IP auth… although personally I prefer IP “allow”, with Digest auth… in other words, “Provide both an auth, and come from an allowed IP, and you’re in.”. This way even if the username and passwords get compromised, you would have to be hacking from the same network.
But let’s say that this was somehow achieved by a potential intruder… remember that the most common objective is for someone to dial a number in a foreign country using one of those high-rate call costs, where they get a split of the inbound fee… money, right… it’s about money!
So make sure your dial plan is locked down. Avoid doing things like:
exten => _.,n,Dial(PJSIP/${EXTEN}@twilio-trunk,30)
You are literally asking for trouble here. If an extension’s SIP details are somehow compromised, that extension could potentially dial any number in the WORLD!
Get your staff/clients to enter a PIN or something, so that you know they are allowed to dial the destinations they want. I’m not suggesting this on all numbers, probably only on international.
Another thing, make sure the extensions can only make 2 or 3 simultaneous calls at a time… a human could hardly manage more than 3 outbound calls at a time… I mean take it easy, right… finish calling your mom, and then call your buddy… right?
The hackers are going to launch as many simultaneous calls as they can, so slowing that all down will seriously limit the impact a breach could have.
Then finally, though it takes quite a bit of post-processing, use a log analyser to check the logs for incorrect usernames and passwords. If a hacker/bot is poking around on your server, you should see many, many auth failures; they normally go… 100, 101, 102, 103… etc. etc.
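Here is an added example (my own extensions.conf fragment, not from the original post) that puts the three dial plan points above together: no catch-all pattern to the trunk, a PIN before international calls, and a cap of 3 concurrent outbound calls per extension. The trunk name twilio-trunk comes from the post; the context name, the NANP/011 number patterns and the PIN file path are placeholders you would adapt.

```ini
; extensions.conf fragment (added example, not from the original post).
; Assumptions/placeholders: PJSIP trunk "twilio-trunk", internal context [from-internal],
; NANP-style national dialing, and /etc/asterisk/intl-pins.txt holding one valid PIN per line.
[from-internal]
; National numbers: allowed, but each extension may have at most 3 outbound calls up.
exten => _NXXNXXXXXX,1,NoOp(Outbound call to ${EXTEN} from ${CALLERID(num)})
 same => n,Set(GROUP(outbound)=${CALLERID(num)})
 ; GROUP_COUNT includes this channel, so "> 3" means this would be the 4th concurrent call.
 same => n,GotoIf($[${GROUP_COUNT(${CALLERID(num)}@outbound)} > 3]?toomany)
 same => n,Dial(PJSIP/${EXTEN}@twilio-trunk,30)
 same => n,Hangup()
 same => n(toomany),NoOp(Rejected: ${CALLERID(num)} already has 3 outbound calls up)
 same => n,Playback(all-circuits-busy-now)
 same => n,Hangup()

; International (011 prefix): same concurrency cap, plus a PIN before the trunk is touched.
; Authenticate() hangs up after 3 wrong attempts, so Dial() is only reached on success.
exten => _011.,1,NoOp(International attempt to ${EXTEN} from ${CALLERID(num)})
 same => n,Set(GROUP(outbound)=${CALLERID(num)})
 same => n,GotoIf($[${GROUP_COUNT(${CALLERID(num)}@outbound)} > 3]?toomany)
 same => n,Authenticate(/etc/asterisk/intl-pins.txt)
 same => n,Dial(PJSIP/${EXTEN}@twilio-trunk,30)
 same => n,Hangup()
 same => n(toomany),Playback(all-circuits-busy-now)
 same => n,Hangup()

; Everything else is rejected. Asterisk picks the most specific matching pattern, so this
; only catches numbers the two patterns above did not, and nothing here reaches the trunk.
exten => _X.,1,NoOp(Rejected unmatched destination ${EXTEN} from ${CALLERID(num)})
 same => n,Playback(ss-noservice)
 same => n,Hangup()
```

The NoOp() lines land in the Asterisk full log, so the same log analyser you use for auth failures can count rejected and rate-limited attempts per extension.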
Good luck, Asterisk security is a big topic!