Asterisk/FreePBX disable international calls

We discovered late yesterday someone hacked into your phone system (Asterisk) and dialed international calls from 4pm-until early this morning when discovered.  We immediately secured the system by closing the firewall so that Asterisk will only talk to our VOIP provider outside of our network (short term solution).

Is there a simple way to create dialing rules or disable all international calls from the system?  Is there a way to track after the fact who connected to the phone system, IP address?  
In the research this morning I have not found anything that particularly addresses securing dialing outside of the US.  I found one post that had a ton of dialing rules for international going to a bogus trunk, however it did not cover Somalia  the destination of this attack.    There has to be a simple set of strings that can prevent the calls in the future.  Is it simply enough to create a bogus trunk and add international as the dialing string (9|011.)?  Note that I used 9| as we need to dial 9 to get out.
LVL 2
acasgarAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nasirbestCommented:
in FreePBX

1. Click to Create a custom trunk
2. put "Local/s@macro-hangupcall" in Custom Dial String  and save the trunk
3. Create a new route with following Dialling Role (if internation dialprefix in your country is 011)

011.

4. choose your custom trunk and save the route
5. save / reload asterisk
0
feptiasChief DudeCommented:
I would think it is much more important to focus on how the outsider was able to "hack into your phone system" than to just try and add special dialing rules to limit what they can do once they are in.

If you want to adjust the dialing rules then usually the section to look at is Outbound Routes, not Trunks. Outbound Routes is where you can control the routing for numbers dialled from an extension. Do you know if the hacker is using the system as if they were on an extension phone or did they gain access through an IVR menu - possibly gaining access to the DISA feature? Do you have the DISA module installed and are there any DISA objects defined? What does the call log report show for the Channel and Source of the hacker's calls?

Note that you can add PIN or Route Password access restrictions on both DISA and Outbound Routes.
0
Ron MalmsteadInformation Services ManagerCommented:
I agree with Feptias, there must be something with the way the dialplan is configured that allowed an outside caller to place an outbound call, and it should be the priority to fix that first.

The dialing rules are determined by pattern matching as Feptias pointed out, not the trunk itself, unless your provider has placed call restrictions for you.

That being said...
"Is it simply enough to create a bogus trunk and add international as the dialing string (9|011.)?  Note that I used 9| as we need to dial 9 to get out. "....... yes that actually would work, but you would be restricting international for all outgoing calls on your pbx if you simply add a bogus pattern match, just FYI.

Example.... I block all 900 numbers on my pbx...like this.
[restricted]
exten => 900XXXXXXX,1,Hangup()

Check to see if you have a DISA() , that could certainly allow this to happen...but there are also other possiblities as well that have more to do with the way your dialplan is configured.

For example....
....using ...   _.X,  as a pattern matching extension on your outbound rules...means.... "EVERYTHING", not found in any another part of the dialplan.  It's a "catch-all"...

If you happen to have a Background() or WaitExten() applications, somewhere in your IVR.... a person could potentially dial an extension...like  902883772634, while in the app.... and if that extension isn't found in the same context, or anywhere else in the dialplan, it could place an outbound call by failing over to the "catch all" pattern match.

Also, ..it's possible to have a custom feature enabled in features.conf... that is allowed for "caller", on the incoming route.  If the feature is designed to deliver up DISA, or some other custom dialing function...  that's another way it could be done.

These examples, show how a caller wouldn't have to "hack" into the system to register a phone, but rather,...call into the system normally, from any phone, and achieve an outbound dial due to a misconfiguration.

Can you post some dialplan code for us ?
0
Ron MalmsteadInformation Services ManagerCommented:
....sorry that was...

[restricted]
exten => _900XXXXXXX,1,Hangup()
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
acasgarAuthor Commented:
We ended up going to broadvoice and disabling all international calls, we also closed the firewall so that trixbox could only go to broadvoice and no one else outside could connect to it (less than ideal).
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IP Telephony

From novice to tech pro — start learning today.