James,
Thanks. I came up with something very similar to you... I created a
subroutine that would be called from the international calling rules
section of my dialplan and compares the country code against a comma
separated list pulled from the astdb. Subroutine can be called either with
or without the international dial prefix. It has to be fairly complex
thanks to North American Numbering Plan that has caribbean countries in the
'1' country code. One might want to permit all of the USA but block a few
caribbean countries. Or block the whole of the USA but permit a handful of
caribbean countries (or US area codes).
Another problem I have not tackled is how to determine if Authenticate()
fails, and therefore to block the IP. The documentation says that users
have three attempts before the channel is hungup. I can catch that hangup
in a 'h' exten but don't know how to tell that the hangup is from
Authanticate() failing rather than user hangup without attempting to enter
PIN.
Check this out...
[check-international]
exten => _00X.,1,Goto(${EXTEN:2},1)
exten => _011X.,1,Goto(${EXTEN:3},1)
exten => _X.,1,NoOp(Check if country code in blocked or permitted list)
same => n,GotoIf(${DB_EXISTS(actionlist/CountryCodesBlocked)}?checkblocked)
same =>
n(checkpermitted),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkcode)
same => n(oktodial),Return()
same => n(checkcode),NoOp(Check ${EXTEN} against permitted list
${DB_RESULT})
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?oktodial)
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?oktodial)
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?oktodial)
same =>
n(checkpermitted4),GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?oktodial)
same => n(blocked),Authenticate(/whitelist,da,4)
same => n,Set(CDR(userfield)=${CDR(userfield)}-PIN
OK-${DB(whitelistcomment/${CDR(accountcode)})})
same => n,Background(pls-wait-connect-call)
same => n,Goto(oktodial)
same => n(checkblocked),NoOp(Check ${EXTEN} against blocked list
${DB_RESULT})
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?checkNANP)
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?blocked)
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?blocked)
same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?blocked)
same => n,Goto(checkpermitted)
same =>
n(checkNANP),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkpermitted4)
same => n,Goto(oktodial)
exten => i,1,Return()
exten => h,1,NoOp(Hangup in check-international. Maybe Authenticate failed?)
On Sat, Jan 26, 2013 at 11:35 PM, James Babiak <[email protected]> wrote:
> Oops.
>
> Those dialplan examples should read ...{EXTEN:*3*:1}...{EXTEN:*3*
> :2}...{EXTEN:*3*:3}... as you need to offset the preceding 011 first.
>
> See, I knew I had some errors in there!
>
> --James
>
>
>
> On 01/26/2013 11:29 PM, James Babiak wrote:
>
> David,
>
> There are a few ways you can accomplish this.
>
> How many countries do you want to permit dialing to without a pin? If only
> a static handful, it might be easier to setup more granular dialplan
> entries to handle calls to those permitted countries (ie: _01144XX. for UK,
> etc.) and then have a catch-all (ie: _011XXX.) for everything else which
> could require pin-based authentication. If you have a long list of
> permitted countries, or you need the list to be more dynamic and flexible,
> you could use a generic wildcard on international calls, and then examine
> the first 1-3 digits and see if they are on the "allowed" list (which could
> be in the dialplan itself, or more preferably in a database). If they are,
> process the call, if not, ask for a pin before continuing. Remember that
> CCs can be 1-3 digits in length. Fortunately, there are no 2-digit CCs that
> overlap with 3-digit ones where the first 2 match as well (ie: there isn't
> a 35 and 351 CC). But unless I'm mistaken, this would mean you would need
> to run three different extension comparisons (one for each CC length) to
> match all the possible combinations, assuming of course that you want to
> allow pinless calls to 1, 2 and 3 digit CCs.
>
> So, off the top of my head, I think something like this might work:
> --==--
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:1})}?onwhitelist)
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:2})}?onwhitelist)
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:3})}?onwhitelist)
>
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:1})}?onblacklist)
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:2})}?onblacklist)
> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:3})}?onblacklist)
>
> exten => _011XXX.,n,Authenticate(1234,)
> exten => _011XXX.,n, [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
> ...
>
> exten => _011XXX.,n(onwhitelist), [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
> ....
>
> exten => _011XXX.,n(onblacklist), [SOMETHING TO BLOCK THE CALLER AND WARN
> YOU]
> ....
> --==--
>
> Bare in mind that I just wrote that quickly, so it's far from complete and
> probably has a few errors (not to mention requiring some fill in the
> blank), but I think the gist of it would fit your needs. You could then
> create two database lists, CCwhitelist and CCblacklist, that could help to
> route International calls to different destinations in the dialplan. The
> above example would actually give you three different levels of security:
> whitelist, blacklist and everything else.
>
> Also, don't simply rely on a pin-based authentication system to block
> international toll fraud, as this would be trivial for someone to brute
> force in a short amount of time (depending on pin length). You should add
> some other mechanism to only allow a small number of attempts before the IP
> is blacklisted and trigger a warning to you that something is wrong.
>
> One security tip I would suggest implementing, which I do and outlined a
> bit above, is to specifically block certain country codes that I know would
> never legitimately be called and have Asterisk warn me if it is ever
> attempted. Basically any number on the list of popular toll fraud
> destinations. Countries like Sierra Leone, Nigeria, most of Africa in
> general, any country that ends in -stan, etc. You can also look at your
> provider's rate-deck and see what countries, which you have no intention of
> allowing calls to, have very high CPMs and put them on the block/warn list.
> This way, even in the event that your PBX is compromised, you will get an
> early warning alert that something is going wrong (via email, etc.) from
> the call attempt itself. Though this only protects against a compromised
> PBX, not the system itself. Some providers will also let you setup this
> level of granular call blocking as a failsafe to prevent crazy bills.
>
> --James
>
> On 01/26/2013 06:11 PM, David Kerr wrote:
>
> Does anyone have a asterisk dialplan that will...
>
> 1) Check an outbound international phone number against a list of
> permitted country codes.
> 2) If country code is on list, connect call.
> 3) if country code is not on list, prompt for a PIN and only connect if
> PIN entered correctly.
>
> Thanks,
> David
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more
> at:http://p.sf.net/sfu/learnnow-d2d
>
>
>
> _______________________________________________
> Astlinux-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
