>>I think I'll be disabling my unused SPn services along with using the Oleg4 method:
Change X_InboundCallRoute from {ph1} to {>('Insert your AuthUserName here'):ph1}
Are there any downsides to doing this?
Not that I am aware of. That method was temporarily broken in firmware Builds 4303 and 4318. And I believe it is superseded by this setting, if supported by your ITSP i.e. it registers:
SPn Service - SIP Credentials::X_EnforceRequestUserID = checked ;prohibit anonymous SIP.
>>I also saw somewhere on a configuration page (can't find it now), that there is a setting to prevent connections that sustain per-minute rates above some threshold or maybe exceeding some total time or total cost.
I would set prudent ITSP account settings, where possible, such as limit/block International destinations and set International rate thresholds. Also set any max call time limits.
>>Are there any other best practices (other than good passwords) that people use?
I use 12 character SIP passwords that look like this: 5o&[nTm%3$27. And vary them across mobile softphones.
If you are using OBi2 Series v3.0.1 Build 4367 or earlier and Google Voice, use 2-Step Authentication with an app-specific password to configure the Google Voice service on your OBi.
Fund your account modestly without auto-pay. If available, subscribe to an account balance e-mail alert and other e-mail alerts for key account setting changes.
I don't use OBiTALK Provisioning or OBiTALK Service... the OBiTALK Cloud is a point of vulnerability for both Obihai and its customers; and no device is secure if it's being updated unattended, unannounced, undocumented, untested, and unapproved:
Auto Provisioning - Auto Firmware Update::Method = Disabled ;prohibit remote access.
Auto Provisioning - ITSP Provisioning::Method = Disabled ;prohibit remote access.
Auto Provisioning - OBiTalk Provisioning::Method = Disabled ;prohibit remote access.
And:
OBiTALK Service - OBiTALK Service Settings::Enable = NOT checked ;prohibit remote access.
Disable OBi Voice Services you are not using.
Move the UserAgentPort to obscure it from scanning (should not be a problem behind a good firewall):
SPn Service - SP1 Service::X_UserAgentPort = 6xxxn
Visit Steve Gibson's reputable site
https://www.grc.com, find the Shields Up! page, and scan all of your service ports to see if you are exposing any resources.
Backup your OBi configuration to file; no options.
Place your OBi downstream from your site router/firewall. I would not use the OBi202 router for an Internet firewall.
Unrelated, but may be worth doing...
Change OBi WAN/Internet port from default (2) 10Mbs half-duplex to (1) 100Mbs full-duplex (undocumented?):
Dial *** for Device Configuration Menu
Dial 0 for option
Dial 27# for current value
Dial 1 to set a new value
Dial 1# for new value 100Mbs full-duplex
Dial 1 to confirm/save
Hang up to reboot automatically