There are three basic vectors open to compromise Asterisk/FreePBX, which has multiple ports open via http and https, and downline by the version of PHP you rely on.
The most obvious is ssh; the simple answer is to just use keys and disallow passwords, and move ssh to anything but 22 for quietness.
Allowing any incall DTMF WILL allow compromise, so just don’t allow it. That leaves the more insidious one, which is TCP 5038, which is pure asterisk and is often left open unknowingly. If compromised, there is little evidence in any “log files” but the calls still go out.
Watching the md5sums of /etc/asterisk/*.conf is a very good starting point for backstop-checking FreePBX intrusions; you would be informed every time you or anyone else managed to change the dialplan.
But watching /etc/asterisk/bin/asterisk/astdb.sqlite3 won’t easily work as it is too busy.
Quick check from outside, check tcp connections open:
nmap -vv -p 1-65535 your.pbx.server
(don’t worry too much about UDP ports)
Each hit is a possible problem . . .
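
The md5sum watch on /etc/asterisk/*.conf suggested above, as an added example that is not part of the original post: it records a baseline and reports added, changed or removed files on later runs. The baseline path and the init/check subcommands are assumptions.

```shell
#!/bin/sh
# Added example: checksum watch for the Asterisk config files named in the post.
# CONF_DIR matches the post; the BASELINE path is an assumption, keep it
# somewhere the web server user cannot write.
CONF_DIR="${CONF_DIR:-/etc/asterisk}"
BASELINE="${BASELINE:-/root/asterisk-conf.md5}"

# Print "md5  path" for each *.conf directly under the given directory.
snapshot() {
    find "$1" -maxdepth 1 -type f -name '*.conf' -exec md5sum {} + | sort -k2
}

# compare BASELINE_FILE DIR: print ADDED/CHANGED/REMOVED per file,
# return 0 if the directory still matches the baseline, 1 otherwise.
compare() {
    snapshot "$2" | awk -v base="$1" '
        BEGIN {
            # md5sum lines: 32 hex chars, two separator chars, then the path
            while ((getline line < base) > 0)
                old[substr(line, 35)] = substr(line, 1, 32)
        }
        {
            path = substr($0, 35); seen[path] = 1
            if (!(path in old))                      { print "ADDED " path; bad = 1 }
            else if (old[path] != substr($0, 1, 32)) { print "CHANGED " path; bad = 1 }
        }
        END {
            for (path in old)
                if (!(path in seen)) { print "REMOVED " path; bad = 1 }
            exit bad + 0
        }'
}

# Usage: script init   (record a baseline after a known-good change)
#        script check  (run from cron; output and non-zero exit on any drift)
case "${1:-}" in
    init)  snapshot "$CONF_DIR" > "$BASELINE" ;;
    check) compare "$BASELINE" "$CONF_DIR" || { echo "asterisk config drift detected"; exit 1; } ;;
esac
```

Run `init` again after every change you make on purpose, so that any later output from `check` means a change you did not make.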