Fail2ban is a great way to protect your system but one way to easily cut down on brute-force attempts is to mitigate the area in which users can access those ports.
For me, I do not need international calling, so I will be blocking all NON-US Subnets.
Specifically for FreePBX (CENTOS)
yum install kernel-devel-`uname -r` iptables-devel kernel-headers-`uname -r` rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm yum install gcc gcc-c++ make automake unzip zip perl perl-Text-CSV_XS xz cd /opt wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-1.37.tar.xz tar xvf xtables-addons-1.37.tar.xz cd xtables-addons-1.37/ nano mconfig #build_RAWNAT=m #build_SYSRQ=m #build_ipset6= #build_length2=m ./configure make make install cd geoip/ ./xt_geoip_dl ./xt_geoip_build GeoIPCountryWhois.csv mkdir -p /usr/share/xt_geoip/ cp -r {BE,LE} /usr/share/xt_geoip/ iptables -I INPUT -m geoip --src-cc US -j ACCEPT iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT iptables -I INPUT -s 172.31.0.0/12 -j ACCEPT iptables -I INPUT -s 10.0.0.0/8 -j ACCEPT iptables -P INPUT DROP iptables-save
I’m not going to give extreme details, that information already exists.