David,

This might be a possible solution for your Authenticate issue (from voip-info.org, Authenticate options):

 * j - jump to priority n+101 if the authentication fails and that
   priority exists (1.4-, 1.6+)

I've never used it myself, so I'm not sure how well it works, but it looks like it would allow you to handle failed authentications differently than just a hangup. So maybe something like this:
 exten => n(blocked),Authenticate(/whitelist,da,4)
 exten => blocked+101,Goto(fraud)
    ...
 exten => n(fraud),...

--James

On 01/27/2013 11:34 AM, David Kerr wrote:
James,
Thanks. I came up with something very similar to you... I created a subroutine that would be called from the international calling rules section of my dialplan and compares the country code against a comma-separated list pulled from the astdb. Subroutine can be called either with or without the international dial prefix. It has to be fairly complex thanks to the North American Numbering Plan, which has Caribbean countries in the '1' country code. One might want to permit all of the USA but block a few Caribbean countries. Or block the whole of the USA but permit a handful of Caribbean countries (or US area codes).

Another problem I have not tackled is how to determine if Authenticate() fails, and therefore to block the IP. The documentation says that users have three attempts before the channel is hung up. I can catch that hangup in an 'h' exten but don't know how to tell that the hangup is from Authenticate() failing rather than user hangup without attempting to enter PIN.

Check this out...


[check-international]
exten => _00X.,1,Goto(${EXTEN:2},1)
exten => _011X.,1,Goto(${EXTEN:3},1)
exten => _X.,1,NoOp(Check if country code in blocked or permitted list)
 same => n,GotoIf(${DB_EXISTS(actionlist/CountryCodesBlocked)}?checkblocked)
 same => n(checkpermitted),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkcode)
 same => n(oktodial),Return()
same => n(checkcode),NoOp(Check ${EXTEN} against permitted list ${DB_RESULT})
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?oktodial)
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?oktodial)
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?oktodial)
same => n(checkpermitted4),GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?oktodial)
 same => n(blocked),Authenticate(/whitelist,da,4)
same => n,Set(CDR(userfield)=${CDR(userfield)}-PIN OK-${DB(whitelistcomment/${CDR(accountcode)})})
 same => n,Background(pls-wait-connect-call)
 same => n,Goto(oktodial)
same => n(checkblocked),NoOp(Check ${EXTEN} against blocked list ${DB_RESULT})
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?checkNANP)
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?blocked)
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?blocked)
 same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?blocked)
 same => n,Goto(checkpermitted)
same => n(checkNANP),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkpermitted4)
 same => n,Goto(oktodial)
exten => i,1,Return()
exten => h,1,NoOp(Hangup in check-international. Maybe Authenticate failed?)




On Sat, Jan 26, 2013 at 11:35 PM, James Babiak <[email protected]> wrote:

    Oops.

    Those dialplan examples should read
    ...{EXTEN:*3*:1}...{EXTEN:*3*:2}...{EXTEN:*3*:3}... as you need to
    offset the preceding 011 first.

    See, I knew I had some errors in there!

    --James



    On 01/26/2013 11:29 PM, James Babiak wrote:
    David,

    There are a few ways you can accomplish this.

    How many countries do you want to permit dialing to without a
    pin? If only a static handful, it might be easier to set up more
    granular dialplan entries to handle calls to those permitted
    countries (ie: _01144XX. for UK, etc.) and then have a catch-all
    (ie: _011XXX.) for everything else which could require pin-based
    authentication. If you have a long list of permitted countries,
    or you need the list to be more dynamic and flexible, you could
    use a generic wildcard on international calls, and then examine
    the first 1-3 digits and see if they are on the "allowed" list
    (which could be in the dialplan itself, or more preferably in a
    database). If they are, process the call, if not, ask for a pin
    before continuing. Remember that CCs can be 1-3 digits in length.
    Fortunately, there are no 2-digit CCs that overlap with 3-digit
    ones where the first 2 match as well (ie: there isn't a 35 and
    351 CC). But unless I'm mistaken, this would mean you would need
    to run three different extension comparisons (one for each CC
    length) to match all the possible combinations, assuming of
    course that you want to allow pinless calls to 1, 2 and 3 digit CCs.

    So, off the top of my head, I think something like this might work:
    --==--
    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:1})}?onwhitelist)
    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:2})}?onwhitelist)
    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:3})}?onwhitelist)

    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:1})}?onblacklist)
    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:2})}?onblacklist)
    exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:3})}?onblacklist)

    exten => _011XXX.,n,Authenticate(1234,)
    exten => _011XXX.,n, [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
    ...

    exten => _011XXX.,n(onwhitelist), [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
    ....

    exten => _011XXX.,n(onblacklist), [SOMETHING TO BLOCK THE CALLER AND WARN YOU]
    ....
    --==--

    Bear in mind that I just wrote that quickly, so it's far from
    complete and probably has a few errors (not to mention requiring
    some fill in the blank), but I think the gist of it would fit
    your needs. You could then create two database lists, CCwhitelist
    and CCblacklist, that could help to route International calls to
    different destinations in the dialplan. The above example would
    actually give you three different levels of security: whitelist,
    blacklist and everything else.

    Also, don't simply rely on a pin-based authentication system to
    block international toll fraud, as this would be trivial for
    someone to brute force in a short amount of time (depending on
    pin length). You should add some other mechanism to only allow a
    small number of attempts before the IP is blacklisted and trigger
    a warning to you that something is wrong.

    One security tip I would suggest implementing, which I do and
    outlined a bit above, is to specifically block certain country
    codes that I know would never legitimately be called and have
    Asterisk warn me if it is ever attempted. Basically any number on
    the list of popular toll fraud destinations. Countries like
    Sierra Leone, Nigeria, most of Africa in general, any country
    that ends in -stan, etc. You can also look at your provider's
    rate-deck and see what countries, which you have no intention of
    allowing calls to, have very high CPMs and put them on the
    block/warn list. This way, even in the event that your PBX is
    compromised, you will get an early warning alert that something
    is going wrong (via email, etc.) from the call attempt itself.
    Though this only protects against a compromised PBX, not the
    system itself. Some providers will also let you set up this level
    of granular call blocking as a failsafe to prevent crazy bills.

    --James

    On 01/26/2013 06:11 PM, David Kerr wrote:
    Does anyone have an Asterisk dialplan that will...

    1) Check an outbound international phone number against a list
    of permitted country codes.
    2) If country code is on list, connect call.
    3) If country code is not on list, prompt for a PIN and only
    connect if PIN entered correctly.

    Thanks,
    David


    

    _______________________________________________
    Astlinux-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/astlinux-users

    Donations to support AstLinux are graciously accepted via PayPal to [email protected].
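
The permit/block policy discussed in this thread, written as a small offline model for checking list contents before they are loaded into the astdb. This is an added example, not code from either poster; it assumes comma-separated lists as in David's dialplan and a "longest matching prefix decides" rule, and the function names are hypothetical.

```python
"""Reference model of the country-code permit/block check (added example)."""

DIAL, PIN = "dial", "pin"
INTL_PREFIXES = ("011", "00")  # international dial prefixes handled in the thread
MAX_PREFIX = 4                 # CCs are 1-3 digits; NANP entries are 1 + area code


def parse_list(csv):
    """Turn a comma-separated astdb-style value into a set of digit prefixes."""
    return {p.strip() for p in (csv or "").split(",") if p.strip()}


def strip_intl_prefix(dialed):
    """Remove a leading 011 or 00 so matching starts at the country code."""
    for pfx in INTL_PREFIXES:
        if dialed.startswith(pfx):
            return dialed[len(pfx):]
    return dialed


def classify(dialed, permitted_csv=None, blocked_csv=None):
    """Return DIAL (connect) or PIN (require authentication first).

    Assumption: the longest prefix found in either list decides, so a
    4-digit NANP entry overrides a bare "1". A blocked entry wins a tie.
    """
    number = strip_intl_prefix(dialed)
    permitted, blocked = parse_list(permitted_csv), parse_list(blocked_csv)
    for n in range(min(MAX_PREFIX, len(number)), 0, -1):
        prefix = number[:n]
        if prefix in blocked:
            return PIN
        if prefix in permitted:
            return DIAL
    # Nothing matched: a permitted list implies default-deny, else default-allow.
    return PIN if permitted else DIAL


if __name__ == "__main__":
    # Constructed sample numbers, not taken from the thread.
    for num in ("01144207946000", "0018765550100", "12125550100", "01123255501000"):
        print(num, classify(num, permitted_csv="44,1", blocked_csv="1876"))
```
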



    