As above, all extensions should have loooong random passwords - after all, other than when setting up extensions (softphones), there is no need for a human to ever even see it let alone type it. If you can remotely provision your phones then all the better.
Block all connections at the firewall except for specific known ranges (e.g. your provider, specific home users*). If you don't then I'll agree that you WILL be subjected to at least one persistent brute force attack - maybe even multiple ones from multiple attackers at the same time as I've seen in the past. A single attack may be megabits of traffic, and thousands of registration requests, per second.
Interestingly, once an attack has started, some of them do not stop when they stop getting replies. When I read up on this, it seems that one of the tools they use is buggy and keeps going on and on and on ... for days/weeks!
Yes, I've been ramping up security over the years at work!
* Better still, block all external traffic and use something like port knocking to allow access as required. I believe this is supported as standard by PBX in a Flash.
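Added example, not part of the original post: one way to express the "block everything except known ranges" advice as an iptables ruleset generated from an allowlist. The source ranges (RFC 5737 documentation addresses), the SIP port 5060, the RTP range and the chain name `SIP-ALLOW` are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that drops SIP/RTP traffic
# unless it comes from a listed source range. All values are assumptions.

# Constructed sample allowlist (RFC 5737 documentation ranges, not real hosts).
ALLOWED_RANGES="192.0.2.0/24 198.51.100.17/32"
SIP_PORT=5060            # assumed SIP signalling port
RTP_PORTS="10000:20000"  # assumed RTP media range; match your PBX config

valid_cidr() {
    # Shape check only (dotted quad plus /0-32), so a typo or stray text
    # in the allowlist can never end up as a rule argument.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

sip_allowlist_rules() {
    # $1: space-separated CIDR list. Prints the ruleset; returns 1 and
    # prints nothing to stdout if any entry is malformed.
    for r in $1; do
        valid_cidr "$r" || { echo "bad range: $r" >&2; return 1; }
    done
    echo "*filter"
    echo ":SIP-ALLOW - [0:0]"
    # Send signalling (UDP and TCP) and media to the allowlist chain.
    echo "-A INPUT -p udp --dport $SIP_PORT -j SIP-ALLOW"
    echo "-A INPUT -p tcp --dport $SIP_PORT -j SIP-ALLOW"
    echo "-A INPUT -p udp --dport $RTP_PORTS -j SIP-ALLOW"
    for r in $1; do
        echo "-A SIP-ALLOW -s $r -j ACCEPT"
    done
    # DROP rather than REJECT: unlisted sources get no reply at all.
    echo "-A SIP-ALLOW -j DROP"
    echo "COMMIT"
}

# Print the ruleset for review; pipe into `iptables-restore --noflush` to load.
sip_allowlist_rules "$ALLOWED_RANGES"
```

The `-A INPUT` lines append, so they only take effect if no earlier INPUT rule already accepts the traffic, and loading the output twice duplicates them.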