That option may have existed in the past but it is not available any more
(1.8, 10, 11) I even checked the source core for app_authenticate.c and it
is not there. Seems odd, as there should be a way to determine that
authentication failed.
David
On Sun, Jan 27, 2013 at 1:48 PM, James Babiak <[email protected]> wrote:
> David,
>
> This might be a possible solution for your Authenticate issue (from
> voip-info.org, Authenticate options):
>
> - j - jump to priority n+101 if the authentication fails and that
> priority exists (1.4-, 1.6+)
>
> I've never used it myself, so I'm not sure how well it works, but it looks
> like it would allow you to handle failed authentications differently then
> just a hangup. So maybe something like this:
> exten => n(blocked),Authenticate(/whitelist,da,4)
> exten => blocked+101,Goto(fraud)
> ...
> exten => n(fraud),...
>
> --James
>
>
> On 01/27/2013 11:34 AM, David Kerr wrote:
>
> James,
> Thanks. I came up with something very similar to you... I created a
> subroutine that would be called from the international calling rules
> section of my dialplan and compares the country code against a comma
> separated list pulled from the astdb. Subroutine can be called either with
> or without the international dial prefix. It has to be fairly complex
> thanks to North American Numbering Plan that has caribbean countries in the
> '1' country code. One might want to permit all of the USA but block a few
> caribbean countries. Or block the whole of the USA but permit a handful of
> caribbean countries (or US area codes).
>
> Another problem I have not tackled is how to determine if Authenticate()
> fails, and therefore to block the IP. The documentation says that users
> have three attempts before the channel is hungup. I can catch that hangup
> in a 'h' exten but don't know how to tell that the hangup is from
> Authanticate() failing rather than user hangup without attempting to enter
> PIN.
>
> Check this out...
>
>
> [check-international]
> exten => _00X.,1,Goto(${EXTEN:2},1)
> exten => _011X.,1,Goto(${EXTEN:3},1)
> exten => _X.,1,NoOp(Check if country code in blocked or permitted list)
> same =>
> n,GotoIf(${DB_EXISTS(actionlist/CountryCodesBlocked)}?checkblocked)
> same =>
> n(checkpermitted),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkcode)
> same => n(oktodial),Return()
> same => n(checkcode),NoOp(Check ${EXTEN} against permitted list
> ${DB_RESULT})
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?oktodial)
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?oktodial)
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?oktodial)
> same =>
> n(checkpermitted4),GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?oktodial)
> same => n(blocked),Authenticate(/whitelist,da,4)
> same => n,Set(CDR(userfield)=${CDR(userfield)}-PIN
> OK-${DB(whitelistcomment/${CDR(accountcode)})})
> same => n,Background(pls-wait-connect-call)
> same => n,Goto(oktodial)
> same => n(checkblocked),NoOp(Check ${EXTEN} against blocked list
> ${DB_RESULT})
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?checkNANP)
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?blocked)
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?blocked)
> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?blocked)
> same => n,Goto(checkpermitted)
> same =>
> n(checkNANP),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkpermitted4)
> same => n,Goto(oktodial)
> exten => i,1,Return()
> exten => h,1,NoOp(Hangup in check-international. Maybe Authenticate
> failed?)
>
>
>
>
> On Sat, Jan 26, 2013 at 11:35 PM, James Babiak <[email protected]> wrote:
>
>> Oops.
>>
>> Those dialplan examples should read ...{EXTEN:*3*:1}...{EXTEN:*3*
>> :2}...{EXTEN:*3*:3}... as you need to offset the preceding 011 first.
>>
>> See, I knew I had some errors in there!
>>
>> --James
>>
>>
>>
>> On 01/26/2013 11:29 PM, James Babiak wrote:
>>
>> David,
>>
>> There are a few ways you can accomplish this.
>>
>> How many countries do you want to permit dialing to without a pin? If
>> only a static handful, it might be easier to setup more granular dialplan
>> entries to handle calls to those permitted countries (ie: _01144XX. for UK,
>> etc.) and then have a catch-all (ie: _011XXX.) for everything else which
>> could require pin-based authentication. If you have a long list of
>> permitted countries, or you need the list to be more dynamic and flexible,
>> you could use a generic wildcard on international calls, and then examine
>> the first 1-3 digits and see if they are on the "allowed" list (which could
>> be in the dialplan itself, or more preferably in a database). If they are,
>> process the call, if not, ask for a pin before continuing. Remember that
>> CCs can be 1-3 digits in length. Fortunately, there are no 2-digit CCs that
>> overlap with 3-digit ones where the first 2 match as well (ie: there isn't
>> a 35 and 351 CC). But unless I'm mistaken, this would mean you would need
>> to run three different extension comparisons (one for each CC length) to
>> match all the possible combinations, assuming of course that you want to
>> allow pinless calls to 1, 2 and 3 digit CCs.
>>
>> So, off the top of my head, I think something like this might work:
>> --==--
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:1})}?onwhitelist)
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:2})}?onwhitelist)
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:3})}?onwhitelist)
>>
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:1})}?onblacklist)
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:2})}?onblacklist)
>> exten =>
>> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:3})}?onblacklist)
>>
>> exten => _011XXX.,n,Authenticate(1234,)
>> exten => _011XXX.,n, [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
>> ...
>>
>> exten => _011XXX.,n(onwhitelist), [NORMAL DIALPLAN FOR INTERNATIONAL
>> CALLS]
>> ....
>>
>> exten => _011XXX.,n(onblacklist), [SOMETHING TO BLOCK THE CALLER AND WARN
>> YOU]
>> ....
>> --==--
>>
>> Bare in mind that I just wrote that quickly, so it's far from complete
>> and probably has a few errors (not to mention requiring some fill in the
>> blank), but I think the gist of it would fit your needs. You could then
>> create two database lists, CCwhitelist and CCblacklist, that could help to
>> route International calls to different destinations in the dialplan. The
>> above example would actually give you three different levels of security:
>> whitelist, blacklist and everything else.
>>
>> Also, don't simply rely on a pin-based authentication system to block
>> international toll fraud, as this would be trivial for someone to brute
>> force in a short amount of time (depending on pin length). You should add
>> some other mechanism to only allow a small number of attempts before the IP
>> is blacklisted and trigger a warning to you that something is wrong.
>>
>> One security tip I would suggest implementing, which I do and outlined a
>> bit above, is to specifically block certain country codes that I know would
>> never legitimately be called and have Asterisk warn me if it is ever
>> attempted. Basically any number on the list of popular toll fraud
>> destinations. Countries like Sierra Leone, Nigeria, most of Africa in
>> general, any country that ends in -stan, etc. You can also look at your
>> provider's rate-deck and see what countries, which you have no intention of
>> allowing calls to, have very high CPMs and put them on the block/warn list.
>> This way, even in the event that your PBX is compromised, you will get an
>> early warning alert that something is going wrong (via email, etc.) from
>> the call attempt itself. Though this only protects against a compromised
>> PBX, not the system itself. Some providers will also let you setup this
>> level of granular call blocking as a failsafe to prevent crazy bills.
>>
>> --James
>>
>> On 01/26/2013 06:11 PM, David Kerr wrote:
>>
>> Does anyone have a asterisk dialplan that will...
>>
>> 1) Check an outbound international phone number against a list of
>> permitted country codes.
>> 2) If country code is on list, connect call.
>> 3) if country code is not on list, prompt for a PIN and only connect if
>> PIN entered correctly.
>>
>> Thanks,
>> David
>>
>>
>> ------------------------------------------------------------------------------
>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>> MVPs and experts. ON SALE this month only -- learn more
>> at:http://p.sf.net/sfu/learnnow-d2d
>>
>>
>>
>> _______________________________________________
>> Astlinux-users mailing
>> [email protected]https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> [email protected].
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>> MVPs and experts. ON SALE this month only -- learn more at:
>> http://p.sf.net/sfu/learnnow-d2d
>> _______________________________________________
>> Astlinux-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> [email protected].
>>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more
> at:http://p.sf.net/sfu/learnnow-d2d
>
>
>
> _______________________________________________
> Astlinux-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
