Are these incoming calls copper or VoIP?
If you only accept copper calls, make sure Asterisk is only listening to 127.0.0.1 and enforce this policy with another layer dropping any incoming SIP packets at the firewall.
If you only intend to accept calls from your ISP, configure Asterisk to only accept calls from your ISP, and enforce this policy at the firewall.
If you accept calls from everyone, re-think your definition of ‘everyone.’
It probably does not include Iraq, North Korea, China, Russia, etc. Configure Asterisk and your firewall accordingly.
Beyond this, follow ‘best practices’ (google for sip best practices
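
An added example, not part of the original post: a Python check that the two layers described above, Asterisk's bind address and the firewall's INPUT rules, both match the intended SIP policy. It assumes chan_sip's sip.conf (`bindaddr`/`udpbindaddr` in `[general]`), `iptables-save` output and SIP on UDP 5060; the sample config, rules, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs (documentation addresses, not from the post).
SIP_CONF = "[general]\nudpbindaddr=0.0.0.0   ; all interfaces\n"
RULES_WEAK = (":INPUT ACCEPT [0:0]\n-A INPUT -i lo -j ACCEPT\n"
              "-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT\n")
RULES_GOOD = RULES_WEAK + "-A INPUT -p udp -m udp --dport 5060 -j DROP\n"

def bind_addresses(sip_conf):
    """IPv4 addresses chan_sip binds to, read from [general]."""
    section, found = None, []
    for raw in sip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        if line.startswith("["):
            section = line[1:line.index("]")]
        elif section == "general" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ("bindaddr", "udpbindaddr"):
                found.append(value.split(":")[0])    # drop optional :port
    return found or ["0.0.0.0"]  # assumption: unset means all interfaces

def sip_verdict(iptables_save, src, dport=5060):
    """First-match INPUT verdict for a new UDP packet from src to dport."""
    policy = "ACCEPT"
    for line in iptables_save.splitlines():
        tok = line.split()
        if line.startswith(":INPUT"):
            policy = tok[1]                          # chain default policy
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opt = dict(zip(tok[2::2], tok[3::2]))        # simple "-flag value" rules only
        if (opt.get("-i") == "lo" or opt.get("-p", "udp") != "udp"
                or int(opt.get("--dport", dport)) != dport
                or ipaddress.ip_address(src) not in ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"))):
            continue                                 # rule does not match this packet
        if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt["-j"]
    return policy

def audit(sip_conf, iptables_save, allowed, outsider):
    """Findings where a layer disagrees with the intended SIP policy."""
    loopback = all(ipaddress.ip_address(a).is_loopback for a in bind_addresses(sip_conf))
    findings = [f"firewall blocks allowed source {s}" for s in allowed
                if sip_verdict(iptables_save, s) != "ACCEPT"]
    if not allowed and not loopback:
        findings.append("Asterisk listens beyond 127.0.0.1 but no SIP source is allowed")
    if sip_verdict(iptables_save, outsider) == "ACCEPT":
        findings.append(f"firewall accepts SIP from unlisted source {outsider}")
    return findings
```

Pass an empty `allowed` list for the copper-only case; the parser handles only plain `-flag value` rules, so negated matches and IPv6 binds need a fuller implementation.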