I cannot whitelist clients because they will be logging in from different IPs every day.

That’s fine, but you should know which extensions are going to be logging in from different IPs and make your configuration allow those while at the same time restrict for extensions that you know will always be on your local network (ie: hard phones on desks in office). You could also limit those nomadic extensions from making calls to expensive destinations.

I use passwords that are generated automatically by FreePBX, and these passwords are presumably complex enough.

You’d be surprised at home many organizations use the same password for all their extensions. Or maybe you wouldn’t be surprised.

if the system is improperly configured or the system is changed to be badly configured

Let’s look at this part a bit closer. A default, out-of-the-box vanilla asterisk installation includes a number of demo extensions in the dialplan and (last time I checked) were enabled, with at least one of them able to access the system voicemail. If you’ve left those examples in place and customized the voicemail to be able to call out from it (a not uncommon use case), you might have not properly ensured that it doesn’t allow unrestricted calls.

My suggestion would be that you should know which extensions are nomadic and setup your configuration such to only allow those to register from outside your network and the non-nomadic ones only from within. Make sure you are using complex passwords and different ones for each extension.

OpenSIPS is essentially Kamailio, they have the same origins in SER. There’s some differences from when the two diverged but not a whole lot.

Come on man, you necro’ed a 2 year old thread to post a low (no) quality reply.