Today let’s talk about how to use Maxmind’s Geolite2 to get geoip data from the command line in Linux. This post is an update to the original “using GeoIP data from the command line” post from September. Maxmind GeoLite legacy databases were discontinued on January 2, 2019 and have moved to the new GeoLite2 format and makes the original article obsolete. The new format requires new tools and scripts so I will treat it as a new article from a technical perspective, however the practical use is still the same from a security analyst’s perspective. So let’s dive right in and get the new format setup and ready to use.
Installing Maxmind GeoLite2
Installing Maxmind’s GeoLite2 is a relatively simple operation requiring downloading and extracting the files. You can download the three files you need from the following links:
https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz
https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
Unzip the files into a directory called geoipdata under your home directory, i.e. /home/username/geoipdata.
To use the mmdblookup utility with GeoLite2 you will need to install the libmaxmind-devel libraries. You may have to install the EPEL repository to get the package. I also use the jq tool in the formatting of the output. This can be done by typing the following as root:
yum -y install epel-release
yum -y install jq
yum -y install libmaxminddb-develCreating the scripts for GeoLite2
There are two scripts that need to be created, one for a single IP address and one for bulk IP’s. Along with the script for bulk IP’s there is also a list of IP’s, so three files total. Create the file called ip-info.sh in the geoipdata directory by typing:
vim ip-info.shAnd then insert the following:
echo "Type the IP that you want to check, followed by [ENTER]:"
read p
a=`mmdblookup --file /home/secops/geoipdata/GeoLite2-ASN.mmdb --ip $p | sed -e ':a;N;$!ba;s/\n/ /g' |sed -e 's/ <[a-z0-9_]\+>/,/g' |sed -e 's/,\s\+}/}/g' | jq '"AS\(.autonomous_system_number) \(.autonomous_system_organization)"'`
c=`mmdblookup --file /home/eda/geoipdata/GeoLite2-City.mmdb --ip $p
city names en |awk -F'"' '{print $2}'`
o=`mmdblookup --file /home/eda/geoipdata/GeoLite2-City.mmdb --ip $p
continent names en |awk -F'"' '{print $2}'`
u=`mmdblookup --file /home/eda/geoipdata/GeoLite2-City.mmdb --ip $p
country names en |awk -F'"' '{print $2}'`
echo $p","$c","$u","$o","$aYou will need to make it executable, this can be done by typing:
chmod +x ip-info.shNow create the ip-info-bulk.sh script in the geoipdata directory by typing:
vim ip-info-bulk.shAnd then insert:
while read p
do
a=`mmdblookup --file /home/secops/geoipdata/GeoLite2-ASN.mmdb --ip $p | sed -e ':a;N;$!ba;s/\n/ /g' |sed -e 's/ <[a-z0-9_]\+>/,/g' |sed -e 's/,\s\+}/}/g' | jq '"AS\(.autonomous_system_number) \(.autonomous_system_organization)"'`
c=`mmdblookup --file /home/secops/geoipdata/GeoLite2-City.mmdb --ip $p city names en |awk -F'"' '{print $2}'`
o=`mmdblookup --file /home/secops/geoipdata/GeoLite2-City.mmdb --ip $p continent names en |awk -F'"' '{print $2}'`
u=`mmdblookup --file /home/secops/geoipdata/GeoLite2-City.mmdb --ip $p country names en |awk -F'"' '{print $2}'`
echo $p","$c","$u","$o","$a
done < ip-info.txtAnd make it executable:
chmod +x ip-info-bulk.shNow create the text file for the ip-info-bulk.sh script in the geoipdata directory by typing:
vim ip-info.txtThis block is where you will enter the IP’s for your ip-info-bulk.sh script, one per line.
Using the scripts to find GeoIP data
Using the scripts are pretty simple; for a single IP address just type:
./ip-info.shAnd follow the prompts and enter the IP address. The script will run and give you the geoip data for the IP. In order to get the geoip data on a list of IP’s just edit the ip-info.txt file and add the IP’s, one per line, to the file. Running the ip-info-bulk.sh script will read in the file and run eah line against the mmdblookup and return the results.
./ip-info-bulk.shThis will return the following output:
8.8.8.8,, United States, North America,"AS15169 Google LLC"
45.79.221.75, Atlanta, United States, North America,"AS63949 Linode, LLC"
65.55.4.5, Dublin, Ireland, Europe,"AS8075 Microsoft Corporation"
24.67.5.4, Westbank, Canada, North America,"AS6327 Shaw Communications Inc."
If there are errors present in the output from the script it is most likely due to no data on an IP in one of the fields in the database. The best way around this is to send the error to dev null like so:
./ip-info-bulk.sh 2> /dev/nullI hope you find this useful, and if you did please give it a thumbs up and subscribe to our YouTube channel.