I decided to start documenting the most popular misconceptions about SIP device definitions.
[ul] 1. Use nat=yes everywhere[/ul]
[ul] 2. Use insecure=port,invite everywhere[/ul]
[ul] 3. Use type=friend everywhere[/ul]
[ul] 4. Always port forward UDP 5060. SIP will not work without it.[/ul]
[ul] 5. Always define 2 separate “trunks” for incoming and outgoing traffic.[/ul]
[ul] 6. Only port 5060 can be used with SIP [/ul]
[ul] 7. localnet decides whether nat will be used or not [/ul]
[ul] 8. fail2ban improves security[/ul]
Calling these items misconceptions and just leaving it can be extremely confusing to people new to Asterisk, especially the way you worded some of your items.
Might I suggest that under each item you put in a small blurb that explains why the misconception exists and the alternative(s)? When i first came across your list and began reading the first thing that went through my mind was “wow, this guy is suggesting you do these things? How old is this post and how many times has his server been hacked since?”.
I agree with much of what the OP wrote & share those frustrations. You forgot to include something about false assumptions that router manufacturers make by enabling brain-dead SIP ALGs in many lower-cost routers - some of which cannot even be disabled by force.
But, I agree with the 2nd poster as well and would like to see you flesh out these a bit more and offer some solutions or at least links to back up what you’re saying.