@avayax is correct that where possible, if you know all the source IP addresses for your SIP signaling, then locking them down gives you the best protection. With external extensions, if you can restrict those to always use a VPN, then that id ideal.
If you have external extensions and can not require VPN access to them, you should use the Responsive FreePBX Firewall. There is a lot of intelligence built into this mode that will watch and throttle SIP registration and call attempts from outside sources such as external extensions. It has the affect of allowing all 'honest' attempts in and once recognized and validated, restrictions are removed. If those attempts are not able to properly validate (register or authenticate a call challenge) within a very few tries, the IP will be rejected. This means that a hacker must guess your password within a couple attempts or so or they will be rejected. As such, between this and a strong password, you are affectively guaranteed that attacks will be stopped in their tracks, while all your honest users will be let in, even if they accidentally fumble once or twice with the wrong password at first.