But why would I want to remove the db key? It needs to stay for the next
time someone tries to authenticate?
David
On Sun, Jan 27, 2013 at 2:54 PM, Lonnie Abelbeck
<[email protected]>wrote:
> Newer Asterisk's (1.8 and 11) have an 'r' option "Remove the database key
> upon successful entry (valid with d only)"
>
> Application_Authenticate
> https://wiki.asterisk.org/wiki/display/AST/Application_Authenticate
>
> Lonnie
>
>
> On Jan 27, 2013, at 1:37 PM, David Kerr wrote:
>
> > That option may have existed in the past but it is not available any
> more (1.8, 10, 11) I even checked the source core for app_authenticate.c
> and it is not there. Seems odd, as there should be a way to determine that
> authentication failed.
> >
> > David
> >
> >
> > On Sun, Jan 27, 2013 at 1:48 PM, James Babiak <[email protected]> wrote:
> > David,
> >
> > This might be a possible solution for your Authenticate issue (from
> voip-info.org, Authenticate options):
> > • j - jump to priority n+101 if the authentication fails and that
> priority exists (1.4-, 1.6+)
> > I've never used it myself, so I'm not sure how well it works, but it
> looks like it would allow you to handle failed authentications differently
> then just a hangup. So maybe something like this:
> > exten => n(blocked),Authenticate(/whitelist,da,4)
> > exten => blocked+101,Goto(fraud)
> > ...
> > exten => n(fraud),...
> >
> > --James
> >
> >
> > On 01/27/2013 11:34 AM, David Kerr wrote:
> >> James,
> >> Thanks. I came up with something very similar to you... I created a
> subroutine that would be called from the international calling rules
> section of my dialplan and compares the country code against a comma
> separated list pulled from the astdb. Subroutine can be called either with
> or without the international dial prefix. It has to be fairly complex
> thanks to North American Numbering Plan that has caribbean countries in the
> '1' country code. One might want to permit all of the USA but block a few
> caribbean countries. Or block the whole of the USA but permit a handful of
> caribbean countries (or US area codes).
> >>
> >> Another problem I have not tackled is how to determine if
> Authenticate() fails, and therefore to block the IP. The documentation
> says that users have three attempts before the channel is hungup. I can
> catch that hangup in a 'h' exten but don't know how to tell that the hangup
> is from Authanticate() failing rather than user hangup without attempting
> to enter PIN.
> >>
> >> Check this out...
> >>
> >>
> >> [check-international]
> >> exten => _00X.,1,Goto(${EXTEN:2},1)
> >> exten => _011X.,1,Goto(${EXTEN:3},1)
> >> exten => _X.,1,NoOp(Check if country code in blocked or permitted list)
> >> same =>
> n,GotoIf(${DB_EXISTS(actionlist/CountryCodesBlocked)}?checkblocked)
> >> same =>
> n(checkpermitted),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkcode)
> >> same => n(oktodial),Return()
> >> same => n(checkcode),NoOp(Check ${EXTEN} against permitted list
> ${DB_RESULT})
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?oktodial)
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?oktodial)
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?oktodial)
> >> same =>
> n(checkpermitted4),GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?oktodial)
> >> same => n(blocked),Authenticate(/whitelist,da,4)
> >> same => n,Set(CDR(userfield)=${CDR(userfield)}-PIN
> OK-${DB(whitelistcomment/${CDR(accountcode)})})
> >> same => n,Background(pls-wait-connect-call)
> >> same => n,Goto(oktodial)
> >> same => n(checkblocked),NoOp(Check ${EXTEN} against blocked list
> ${DB_RESULT})
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:1})}?checkNANP)
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:2})}?blocked)
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:3})}?blocked)
> >> same => n,GotoIf(${FIELDNUM(DB_RESULT,\,,${EXTEN:0:4})}?blocked)
> >> same => n,Goto(checkpermitted)
> >> same =>
> n(checkNANP),GotoIf(${DB_EXISTS(actionlist/CountryCodesPermitted)}?checkpermitted4)
> >> same => n,Goto(oktodial)
> >> exten => i,1,Return()
> >> exten => h,1,NoOp(Hangup in check-international. Maybe Authenticate
> failed?)
> >>
> >>
> >>
> >>
> >> On Sat, Jan 26, 2013 at 11:35 PM, James Babiak <[email protected]>
> wrote:
> >> Oops.
> >>
> >> Those dialplan examples should read
> ...{EXTEN:3:1}...{EXTEN:3:2}...{EXTEN:3:3}... as you need to offset the
> preceding 011 first.
> >>
> >> See, I knew I had some errors in there!
> >>
> >> --James
> >>
> >>
> >>
> >> On 01/26/2013 11:29 PM, James Babiak wrote:
> >>> David,
> >>>
> >>> There are a few ways you can accomplish this.
> >>>
> >>> How many countries do you want to permit dialing to without a pin? If
> only a static handful, it might be easier to setup more granular dialplan
> entries to handle calls to those permitted countries (ie: _01144XX. for UK,
> etc.) and then have a catch-all (ie: _011XXX.) for everything else which
> could require pin-based authentication. If you have a long list of
> permitted countries, or you need the list to be more dynamic and flexible,
> you could use a generic wildcard on international calls, and then examine
> the first 1-3 digits and see if they are on the "allowed" list (which could
> be in the dialplan itself, or more preferably in a database). If they are,
> process the call, if not, ask for a pin before continuing. Remember that
> CCs can be 1-3 digits in length. Fortunately, there are no 2-digit CCs that
> overlap with 3-digit ones where the first 2 match as well (ie: there isn't
> a 35 and 351 CC). But unless I'm mistaken, this would mean you would need
> to run three different extension comparisons (one for each CC length) to
> match all the possible combinations, assuming of course that you want to
> allow pinless calls to 1, 2 and 3 digit CCs.
> >>>
> >>> So, off the top of my head, I think something like this might work:
> >>> --==--
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:1})}?onwhitelist)
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:2})}?onwhitelist)
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCwhitelist/${EXTEN:0:3})}?onwhitelist)
> >>>
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:1})}?onblacklist)
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:2})}?onblacklist)
> >>> exten =>
> _011XXX.,n,GotoIf(${DB_EXISTS(CCblacklist/${EXTEN:0:3})}?onblacklist)
> >>>
> >>> exten => _011XXX.,n,Authenticate(1234,)
> >>> exten => _011XXX.,n, [NORMAL DIALPLAN FOR INTERNATIONAL CALLS]
> >>> ...
> >>>
> >>> exten => _011XXX.,n(onwhitelist), [NORMAL DIALPLAN FOR INTERNATIONAL
> CALLS]
> >>> ....
> >>>
> >>> exten => _011XXX.,n(onblacklist), [SOMETHING TO BLOCK THE CALLER AND
> WARN YOU]
> >>> ....
> >>> --==--
> >>>
> >>> Bare in mind that I just wrote that quickly, so it's far from complete
> and probably has a few errors (not to mention requiring some fill in the
> blank), but I think the gist of it would fit your needs. You could then
> create two database lists, CCwhitelist and CCblacklist, that could help to
> route International calls to different destinations in the dialplan. The
> above example would actually give you three different levels of security:
> whitelist, blacklist and everything else.
> >>>
> >>> Also, don't simply rely on a pin-based authentication system to block
> international toll fraud, as this would be trivial for someone to brute
> force in a short amount of time (depending on pin length). You should add
> some other mechanism to only allow a small number of attempts before the IP
> is blacklisted and trigger a warning to you that something is wrong.
> >>>
> >>> One security tip I would suggest implementing, which I do and outlined
> a bit above, is to specifically block certain country codes that I know
> would never legitimately be called and have Asterisk warn me if it is ever
> attempted. Basically any number on the list of popular toll fraud
> destinations. Countries like Sierra Leone, Nigeria, most of Africa in
> general, any country that ends in -stan, etc. You can also look at your
> provider's rate-deck and see what countries, which you have no intention of
> allowing calls to, have very high CPMs and put them on the block/warn list.
> This way, even in the event that your PBX is compromised, you will get an
> early warning alert that something is going wrong (via email, etc.) from
> the call attempt itself. Though this only protects against a compromised
> PBX, not the system itself. Some providers will also let you setup this
> level of granular call blocking as a failsafe to prevent crazy bills.
> >>>
> >>> --James
> >>>
> >>> On 01/26/2013 06:11 PM, David Kerr wrote:
> >>>> Does anyone have a asterisk dialplan that will...
> >>>>
> >>>> 1) Check an outbound international phone number against a list of
> permitted country codes.
> >>>> 2) If country code is on list, connect call.
> >>>> 3) if country code is not on list, prompt for a PIN and only connect
> if PIN entered correctly.
> >>>>
> >>>> Thanks,
> >>>> David
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Master Visual Studio, SharePoint, SQL,
> >>>> ASP.NET
> >>>> , C# 2012, HTML5, CSS,
> >>>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills
> current
> >>>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> >>>> MVPs and experts. ON SALE this month only -- learn more at:
> >>>>
> >>>> http://p.sf.net/sfu/learnnow-d2d
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Astlinux-users mailing list
> >>>>
> >>>> [email protected]
> >>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>
> >>>>
> >>>> Donations to support AstLinux are graciously accepted via PayPal to
> >>>> [email protected].
> >>>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> >> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> >> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> >> MVPs and experts. ON SALE this month only -- learn more at:
> >> http://p.sf.net/sfu/learnnow-d2d
> >> _______________________________________________
> >> Astlinux-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>
> >> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
> >>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> Master Visual Studio, SharePoint, SQL,
> >> ASP.NET
> >> , C# 2012, HTML5, CSS,
> >> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> >> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> >> MVPs and experts. ON SALE this month only -- learn more at:
> >>
> >> http://p.sf.net/sfu/learnnow-d2d
> >>
> >>
> >> _______________________________________________
> >> Astlinux-users mailing list
> >>
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>
> >>
> >> Donations to support AstLinux are graciously accepted via PayPal to
> >> [email protected].
> >
> >
> >
> ------------------------------------------------------------------------------
> > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> > MVPs and experts. ON SALE this month only -- learn more at:
> > http://p.sf.net/sfu/learnnow-d2d
> > _______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
> >
> >
> ------------------------------------------------------------------------------
> > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> > MVPs and experts. ON SALE this month only -- learn more at:
> >
> http://p.sf.net/sfu/learnnow-d2d_______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
