Newer Asterisk versions (1.8 and 11) have an 'r' option: "Remove the database key upon 
successful entry (valid with d only)"

Application_Authenticate
https://wiki.asterisk.org/wiki/display/AST/Application_Authenticate

Lonnie


On Jan 27, 2013, at 1:37 PM, David Kerr wrote:

> That option may have existed in the past but it is not available any more 
> (1.8, 10, 11). I even checked the source code for app_authenticate.c and it is 
> not there.  Seems odd, as there should be a way to determine that 
> authentication failed.
> 
> David
> 
> 
> On Sun, Jan 27, 2013 at 1:48 PM, James Babiak <[email protected]> wrote:
> David,
> 
> This might be a possible solution for your Authenticate issue (from 
> voip-info.org, Authenticate options):
>       • j - jump to priority n+101 if the authentication fails and that 
> priority exists (1.4-, 1.6+)
> I've never used it myself, so I'm not sure how well it works, but it looks 
> like it would allow you to handle failed authentications differently than 
> just a hangup. So maybe something like this:
>  exten => n(blocked),Authenticate(/whitelist,da,4)
>  exten => blocked+101,Goto(fraud)
>     ...
>  exten => n(fraud),...
> 
> --James
> 
> 
> On 01/27/2013 11:34 AM, David Kerr wrote:
>> James,
>>   Thanks.  I came up with something very similar to you...  I created a 
>> subroutine that would be called from the international calling rules section 
>> of my dialplan and compares the country code against a comma separated list 
>> pulled from the astdb.  Subroutine can be called either with or without the 
>> international dial prefix. It has to be fairly complex thanks to North 
>> American Numbering Plan that has Caribbean countries in the '1' country 
>> code.  One might want to permit all of the USA but block a few Caribbean 
>> countries.  Or block the whole of the USA but permit a handful of Caribbean 
>> countries (or US area codes).
>> 
>> Another problem I have not tackled is how to determine if Authenticate() 
>> fails, and therefore to block the IP.  The documentation says that users 
>> have three attempts before the channel is hung up.  I can catch that hangup 
>> in a 'h' exten but don't know how to tell that the hangup is from 
>> Authenticate() failing rather than user hangup without attempting to enter 
>> PIN.
>> 
>> Check this out...
>> 
>> 
>> [check-international]
>> exten => _00X.,1,Goto(${EXTEN:2},1)
>> exten => _011X.,1,Goto(${EXTEN:3},1)
>> exten => _X.,1,NoOp(Check if country code in blocked or permitted list)
>>  same => n,GotoIf(${DB_EXISTS(actionlist/CountryCodesBlocked)}?checkblocked)
>>  same => n(checkpermitted),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkcode)
>>  same => n(oktodial),Return()
>>  same => n(checkcode),NoOp(Check ${EXTEN} against permitted list ${DB_RESULT})
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?oktodial)
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?oktodial)
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?oktodial)
>>  same => n(checkpermitted4),GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?oktodial)
>>  same => n(blocked),Authenticate(/whitelist,da,4)
>>  same => n,Set(CDR(userfield)=${CDR(userfield)}-PIN OK-${DB(whitelistcomment/${CDR(accountcode)})})
>>  same => n,Background(pls-wait-connect-call)
>>  same => n,Goto(oktodial)
>>  same => n(checkblocked),NoOp(Check ${EXTEN} against blocked list ${DB_RESULT})
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?checkNANP)
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?blocked)
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?blocked)
>>  same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?blocked)
>>  same => n,Goto(checkpermitted)
>>  same => n(checkNANP),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkpermitted4)
>>  same => n,Goto(oktodial)
>> exten => i,1,Return()
>> exten => h,1,NoOp(Hangup in check-international. Maybe Authenticate failed?)
>> 
>> 
>> 
>> 
>> On Sat, Jan 26, 2013 at 11:35 PM, James Babiak <[email protected]> wrote:
>> Oops.
>> 
>> Those dialplan examples should read 
>> ...{EXTEN:3:1}...{EXTEN:3:2}...{EXTEN:3:3}... as you need to offset the 
>> preceding 011 first.
>> 
>> See, I knew I had some errors in there!
>> 
>> --James
>> 
>> 
>> 
>> On 01/26/2013 11:29 PM, James Babiak wrote:
>>> David,
>>> 
>>> There are a few ways you can accomplish this. 
>>> 
>>> How many countries do you want to permit dialing to without a pin? If only 
>>> a static handful, it might be easier to set up more granular dialplan 
>>> entries to handle calls to those permitted countries (ie: _01144XX. for UK, 
>>> etc.) and then have a catch-all (ie: _011XXX.) for everything else which 
>>> could require pin-based authentication. If you have a long list of 
>>> permitted countries, or you need the list to be more dynamic and flexible, 
>>> you could use a generic wildcard on international calls, and then examine 
>>> the first 1-3 digits and see if they are on the "allowed" list (which could 
>>> be in the dialplan itself, or more preferably in a database). If they are, 
>>> process the call, if not, ask for a pin before continuing. Remember that 
>>> CCs can be 1-3 digits in length. Fortunately, there are no 2-digit CCs that 
>>> overlap with 3-digit ones where the first 2 match as well (ie: there isn't 
>>> a 35 and 351 CC). But unless I'm mistaken, this would mean you would need 
>>> to run three different extension comparisons (one for each CC length) to 
>>> match all the possible combinations, assuming of course that you want to 
>>> allow pinless calls to 1, 2 and 3 digit CCs. 
>>> 
>>> So, off the top of my head, I think something like this might work:
>>> --==--
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:1})}?onwhitelist)
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:2})}?onwhitelist)
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:3})}?onwhitelist)
>>> 
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:1})}?onblacklist)
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:2})}?onblacklist)
>>> exten => _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:3})}?onblacklist)
>>> 
>>> exten => _011XXX.,n,Authenticate(1234,)
>>> exten => _011XXX.,n, [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
>>> ...
>>> 
>>> exten => _011XXX.,n(onwhitelist), [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
>>> ....
>>> 
>>> exten => _011XXX.,n(onblacklist), [SOMETHING TO BLOCK THE CALLER AND WARN YOU]
>>> ....
>>> --==--
>>> 
>>> Bear in mind that I just wrote that quickly, so it's far from complete and 
>>> probably has a few errors (not to mention requiring some fill in the 
>>> blank), but I think the gist of it would fit your needs. You could then 
>>> create two database lists, CCwhitelist and CCblacklist, that could help to 
>>> route International calls to different destinations in the dialplan. The 
>>> above example would actually give you three different levels of security: 
>>> whitelist, blacklist and everything else. 
>>> 
>>> Also, don't simply rely on a pin-based authentication system to block 
>>> international toll fraud, as this would be trivial for someone to brute 
>>> force in a short amount of time (depending on pin length). You should add 
>>> some other mechanism to only allow a small number of attempts before the IP 
>>> is blacklisted and trigger a warning to you that something is wrong.
>>> 
>>> One security tip I would suggest implementing, which I do and outlined a 
>>> bit above, is to specifically block certain country codes that I know would 
>>> never legitimately be called and have Asterisk warn me if it is ever 
>>> attempted. Basically any number on the list of popular toll fraud 
>>> destinations. Countries like Sierra Leone, Nigeria, most of Africa in 
>>> general, any country that ends in -stan, etc. You can also look at your 
>>> provider's rate-deck and see what countries, which you have no intention of 
>>> allowing calls to, have very high CPMs and put them on the block/warn list. 
>>> This way, even in the event that your PBX is compromised, you will get an 
>>> early warning alert that something is going wrong (via email, etc.) from 
>>> the call attempt itself. Though this only protects against a compromised 
>>> PBX, not the system itself. Some providers will also let you set up this 
>>> level of granular call blocking as a failsafe to prevent crazy bills. 
>>> 
>>> --James
>>> 
>>> On 01/26/2013 06:11 PM, David Kerr wrote:
>>>> Does anyone have an Asterisk dialplan that will...
>>>> 
>>>> 1) Check an outbound international phone number against a list of 
>>>> permitted country codes.
>>>> 2) If country code is on list, connect call.
>>>> 3) If country code is not on list, prompt for a PIN and only connect if 
>>>> PIN entered correctly.
>>>> 
>>>> Thanks,
>>>> David
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> 
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> [email protected].
>>> 
>> 
>> 
> 
> 


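The three-level routing James describes (whitelist, blacklist, everything else behind a PIN), combined with the longest-prefix matching David needs for the North American Numbering Plan, sketched in Python as an added example that is not part of the original thread. The function names, the idea of passing the astdb comma-separated lists as plain strings, and the sample lists are assumptions made for illustration.

```python
INTL_PREFIXES = ("011", "00")  # dial prefixes the thread's dialplan strips
MAX_PREFIX = 4                 # "1" + 3-digit NANP area code is the longest key

# Constructed sample lists in the comma-separated form the thread stores in astdb.
SAMPLE_PERMITTED = "44,353,1"
SAMPLE_BLOCKED = "232,1876,1809"


def strip_intl_prefix(dialed: str) -> str:
    """Return the number without a leading 011/00 international prefix."""
    for prefix in INTL_PREFIXES:
        if dialed.startswith(prefix):
            return dialed[len(prefix):]
    return dialed


def longest_match(number: str, csv_list: str) -> int:
    """Length of the longest list entry that is a prefix of number (0 if none)."""
    entries = {e.strip() for e in csv_list.split(",") if e.strip()}
    for length in range(min(MAX_PREFIX, len(number)), 0, -1):
        if number[:length] in entries:
            return length
    return 0


def classify(dialed: str, permitted: str = "", blocked: str = "") -> str:
    """Return 'allow', 'pin' or 'block' for a dialed international number."""
    number = strip_intl_prefix(dialed)
    if not number.isdigit():
        return "block"  # fail closed on empty or non-numeric input
    allow_len = longest_match(number, permitted)
    block_len = longest_match(number, blocked)
    # The more specific entry wins; on a tie the block list wins.
    if block_len and block_len >= allow_len:
        return "block"
    if allow_len:
        return "allow"
    return "pin"  # on neither list: require the PIN before connecting
```

Because the longest entry wins, permitting "1" while blocking "1876" allows the USA but not that area code, and the reverse (blocking "1", permitting one four-digit entry) also works without extra branches.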