In respect of dynamic IP addresses, there is a script available which will update your externip every few minutes. Have a search round and you will find something.
Starting something in an SSH screen, then closing the SSH screen stops whatever you started (unless its a service).
Investigate the command "screen" if you want to start something and leave it running when you disconnect the putty session.
Alternatively, put the commands to start whatever you want to start in /etc/rc.d/rc.local, then it will start on boot.
In respect of security, there are a number of layers to consider.
The first one is at the application itself. If an application is set only to listen to "localhost" then provided that there are no security holes in the application, then whether there is a firewall present or not, it should not be possible to get into the system via that route, because its not listening.
e.g. we can leave the MySQL database with the default root password of passw0rd, because to get in, you need to have the password, and be connecting from 127.0.0.1. The same would apply to the asterisk Manager, with its password of amp109, and the asteriskuser MySQL password amp111. The security is that those usernames are only listening to connections on the local box. Indeed you could argue that the presence of a password on those accounts is surplus to requirements, as everyone knows them anyway.
This is a powerful way of locking down extensions, make them listen to a range of ip addresses determined by you using deny and permit, which stops the application (asterisk in this case) listening, and therefore responding.
If something is listening to the outside world, then we need to use a form of security which is very secure - e.g. a password.
The next layer is the firewall or IP tables. If you have done the job properly, then nothing should be listening. but there are a whole load of applications on a Centos box, and anyone of them may have a security flaw yet to be discovered. So the firewall ensures that packets destined for ports where nothing should listening are dropped, and then we don't have to worry about them.
Finally, there is your external firewall, which should stop stuff getting to the PBX in the first place, unless you want it there.
So when you add or configure something new, it's good practice to :-
1. Make sure it's only listening and responding to addresses you want it to listen to, set IP tables to only allow connections from that address as well as a belt and braces approach.
2. If you need it to listen to everyone and anyone, - e.g. your webserver, then make sure that it has a good password, and the application itself is suited to being exposed to the outside world.
3. If a port does not need access, then close it down with IPTables to prevent anyone having a go, and exploiting a a yet undiscovered security flaw.
Joe