Just another couple of notes , fail2ban doesnt work all that well with the latest versions of asterisk / freepbx.
I've switched to apf and bfd:
https://www.rfxn.com/projects/advanced-policy-firewall/
https://www.rfxn.com/projects/brute-force-detection/
default rules for asterisk work well. I also added a rule to find "Rejected from unknown SIP" messages too.
changing the default SIP port 5060 (sip.conf bindport=) to something else is also probably not a bad idea given all the scanning going on these days for sip services. I got hammered by these until I changed the default.
I've been using flynumber and they dont offer an option to change , just add an iptables redirect to 5060 and NAT it on your router to allow the providers WAN IP only if you have a similar issue.
eg
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5060 -j REDIRECT --to-ports xxxx
One last issue ive found , mwi external module was also built alongside app_voicemail.so but asterisk defaults to it (duh not very intuitive)
to fix this and get internal voicemail working add
preload = app_voicemail.so
to /etc/asterisk/modules.conf