It sounds like a job for a router/firewall. If you did come up with something that blocked all, and other than 255 blacklists starting with 1.0.0.0 up to 255.0.0.0 with the appropriate subnet masks, I'm not sure how that would be accomplished. You would then have to become become more specific when it came to the IP that your provider uses.
If you did a blanket blacklist, I'm not certain that a whitelist will make it through, or if the order makes a difference, as it does in the outbound rules. But you can certainly try and report back.
3CX does a pretty good job of blacklisting anyone that tries to get way with anything falling outside the parameters that you have set. I've found that there have been about 20 IP's that I've had to change from a 250,000 second blacklist to permanent. You can have an email send when an IP is blacklisted so you don't have to keep going in and checking.
There is vigilant, and then there is paranoid. Just be sure that all passwords are extremely difficult to "guess".