Difference between revisions of "HOWTO use geoiplookup"

From Fail2ban
(GeoIP in log file)

Revision as of 06:45, 28 April 2008

Geolocalization of banned IPs

You may be interested in a quick summary of the countries the attacks come from. This document explains how to obtain this information.

Requirements

On Gentoo, the needed package is the following:

dev-libs/geoip
     Latest version available: 1.3.14
     Latest version installed: [ Not Installed ]
     Size of downloaded files: 1,984 kB
     Homepage:    http://www.maxmind.com/geoip/api/c.shtml
     Description: easily lookup countries by IP addresses, even when Reverse DNS entries don't exist
     License:     GPL-2

This will install "geoiplookup" and "geoipupdate"; the latter refreshes the database (you need a MaxMind license id to download a new database).

On Debian or Ubuntu, simply run apt-get install geoip-bin.

Script

This small script extracts the banned IPs from fail2ban.log. It looks for lines such as "..... Ban 192.168.1.1", extracts the IP and runs geoiplookup on it. You may have to change the hardcoded paths in the script depending on your configuration.


# Fail2BanGeo.py
import re
import subprocess

# Match lines such as "... Ban 192.168.1.1" and capture the dotted-quad IP as group 1.
pattern = r".*?Ban\s*?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"
p = re.compile(pattern)

# Adjust this path if your fail2ban log lives elsewhere.
with open('/var/log/fail2ban.log', 'r') as f:
    for line in f:
        m = p.match(line)
        if m:
            ip = m.group(1)
            # Pass the IP as its own argument (no shell involved) and print geoiplookup's answer.
            out = subprocess.run(['geoiplookup', ip], capture_output=True, text=True)
            print(out.stdout, end='')



Note that a GeoIP binding for Python is also available.

Output

myserver # python fail2bangeo.py
GeoIP Country Edition: CI, Cote D'Ivoire
GeoIP Country Edition: FR, France
GeoIP Country Edition: CN, China
GeoIP Country Edition: KO, South Korea
GeoIP Country Edition: VN, Vietnam

Logging

You can also change the fail2ban code to write the country whenever a ban is logged. Make sure geoiplookup is installed, then edit the file /usr/share/fail2ban/server/actions.py and change line 31 to read

import time, logging, commands

and change line 139 in the __checkBan(self) function from

logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))

to (the additions are the third %s and the geoiplookup call that fills it)

logSys.warn("[%s] Ban %s %s" % (self.jail.getName(), aInfo["ip"], commands.getstatusoutput('geoiplookup ' + aInfo["ip"])[1][23:]))

This will log output such as

2008-04-27 20:18:03,109 fail2ban.actions: WARNING [ssh] Ban 256.256.256.256 US, United States

If you only want the two character country code, change the line to

logSys.warn("[%s] Ban %s %s" % (self.jail.getName(), aInfo["ip"], commands.getstatusoutput('geoiplookup ' + aInfo["ip"])[1][23:25]))

Two caveats before relying on either variant. commands.getstatusoutput builds the command by string concatenation and hands it to a shell, so whatever fail2ban put in aInfo["ip"] is interpreted by that shell; if it could ever be anything other than a plain IP address, call geoiplookup with an argument list (subprocess) rather than a shell string. The [23:] slice also assumes the output begins with exactly "GeoIP Country Edition: " (23 characters), so any other edition name or an "IP Address not found" reply yields garbage; parsing the output is sturdier than slicing at a fixed offset. The commands module exists only in Python 2.

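Putting the two pieces above together (the log-scanning script and the per-ban lookup), here is an added example that is not part of this wiki page or of fail2ban itself. It counts bans per country instead of printing one line per ban, keeps the IP out of any shell by calling geoiplookup with an argument list, validates the matched value as an IPv4 address before the lookup, and parses geoiplookup's answer instead of slicing at offset 23. The log lines and geoiplookup outputs embedded in it are constructed samples; the "GeoIP Country Edition: CC, Name" output format and the "IP Address not found" reply for unknown addresses are assumptions about the legacy geoiplookup tool, and fake_lookup stands in for the real binary so the script runs offline.

```python
#!/usr/bin/env python3
"""Added example (not the wiki's or fail2ban's own code): bans per country.

Assumes fail2ban log lines ending in "Ban <ipv4>" as shown on this page, and
that geoiplookup prints one line per database such as
"GeoIP Country Edition: US, United States" (assumption about the legacy tool).
"""
import ipaddress
import re
import subprocess
from collections import Counter

# Same shape the page's script matches: "Ban" followed by an IPv4 at end of line.
# Case-sensitive, so "Unban ..." lines are not counted.
BAN_RE = re.compile(r"\bBan\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# geoiplookup answer: "<edition name>: <CC>, <country name>".
GEOIP_RE = re.compile(r"^GeoIP Country Edition:\s*(?P<cc>[A-Z]{2}),\s*(?P<name>.+)$")


def extract_banned_ip(line):
    """Return the banned IPv4 address from a fail2ban log line, or None.

    The match is validated with ipaddress so only a real address reaches the
    external command; placeholders such as 256.256.256.256 are rejected.
    """
    m = BAN_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def parse_geoiplookup(output):
    """Parse geoiplookup output into (country_code, country_name).

    Anything without a "CC, name" pair (e.g. "IP Address not found", an
    assumed reply for unknown addresses) is reported as ("--", "unknown").
    """
    for line in output.splitlines():
        m = GEOIP_RE.match(line.strip())
        if m:
            return m.group("cc"), m.group("name").strip()
    return "--", "unknown"


def lookup_country(ip):
    """Run geoiplookup for one validated IP as an argv element (no shell)."""
    proc = subprocess.run(["geoiplookup", ip], capture_output=True, text=True, check=False)
    return parse_geoiplookup(proc.stdout)


def summarize_bans(lines, lookup=lookup_country):
    """Count bans per country code over an iterable of log lines.

    `lookup` is injectable so the summary can be built from a cache or a fake
    resolver instead of the real binary. Results are cached per IP.
    """
    counts = Counter()
    cache = {}
    for line in lines:
        ip = extract_banned_ip(line)
        if ip is None:
            continue
        if ip not in cache:
            cache[ip] = lookup(ip)
        cc, _name = cache[ip]
        counts[cc] += 1
    return counts


# Constructed sample log lines (documentation addresses, not real bans).
SAMPLE_LOG = """\
2008-04-27 20:18:03,109 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2008-04-27 20:19:11,004 fail2ban.actions: WARNING [ssh] Ban 198.51.100.9
2008-04-27 20:20:45,331 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2008-04-27 20:21:02,777 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2008-04-27 20:22:30,118 fail2ban.actions: WARNING [ssh] Ban 256.256.256.256
"""

# Constructed geoiplookup outputs keyed by IP, standing in for the binary offline.
FAKE_GEOIP = {
    "203.0.113.7": "GeoIP Country Edition: VN, Vietnam\n",
    "198.51.100.9": "GeoIP Country Edition: IP Address not found\n",
}


def fake_lookup(ip):
    """Offline stand-in for lookup_country using the constructed outputs above."""
    return parse_geoiplookup(FAKE_GEOIP.get(ip, ""))


if __name__ == "__main__":
    for cc, n in summarize_bans(SAMPLE_LOG.splitlines(), lookup=fake_lookup).most_common():
        print("%s %d" % (cc, n))
```

To run it against the real database, feed it the lines of /var/log/fail2ban.log and drop the lookup=fake_lookup argument so the default lookup_country is used; repeat offenders cost a single geoiplookup call thanks to the per-IP cache.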
Other interesting links

For advanced results, you may be interested in: