Channel: VOIP-info.org Wiki Changes

Asterisk security

If you are looking to secure your PBX you have several options which can be implemented independently or in combination:
  • PBX Configuration - adjust the settings of your PBX to minimize obvious attack surfaces (no longer considered optional - just part of setting up any PBX).
  • Perimeter Security - add software/hardware around your PBX to improve security (one notch above configuration - just part of operating any server).
  • Integrated Security - add software which integrates with your specific PBX to improve security (this is what really makes a difference in protecting your PBX).

Note that some recommendations (e.g. changing ports, port knocking, etc.) are ideal for small and home office installations, whereas these same recommendations are impractical for large-scale implementations. Likewise, some recommendations (e.g. a hardware firewall) are a great starting point but are no longer sufficient on their own to protect a PBX.

Integrated Security


SecAst

SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against intrusion and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. SecAst is available in three editions, including a free edition. SecAst can be downloaded from www.generationd.com, or see the wiki page SecAst (Asterisk Intrusion Detection and Prevention).

Fail2Ban

Fail2Ban is a free utility which scans log files for records of failures (to register, etc.) and then adds the source IP of those failures to iptables. See the security warning regarding Fail2Ban at http://forums.asterisk.org/viewtopic.php?p=159984. Fail2Ban is not an intrusion detection / prevention tool; it depends completely on Asterisk to detect and reject an attempt from a hacker.


Perimeter Security

If you are looking to add layers around your PBX with generic protection:

Hardware Firewall

Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. ...
