Today’s topic is using GeoIP data from the command line. Security analysts often find they need to ascertain an IP addresses geographic location in order to make decisions. The most obvious use would be around geofencing, i.e. blocking IP’s from certain countries or regions. GeoIP information is simple to acquire from the Linux command line with the tool geoiplookup and the Maxmind dat files. Here is an updated post and video on how to use Maxmind’s GeoLite2 database. How to use GeoLite2 on the command line.
Getting started with GeoIP data
GeoIP data is extremely useful when investigating events but the data used is constantly changing; this poses a problem. The accuracy of the analysts work depends on this data being fresh and accurate so this blog post and accompanying video will cover three things:
- Setting up the tool
- Scripting automatic updates of the data
- Using the tool and creating a script for mass look ups
Setting up the tool
First lets make sure the system is up to date with the latest patches (execute as root):
yum -y updateNow we can check to see if the geoiplookup package is installed and if not then install it:
yum -y install geoipOnce installed we will need to setup a scripts folder in roots home folder:
cd \root
mkdir scriptsMaxmind provides the geoiplookup package with the default dat files, but these may not get updated as frequent as needed by using yum alone. Lets begin by updating the dat files manually by using wget to download them from Maxmind:
cd \root\scripts
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gzUnzip the files and move them to /usr/share/GeoIP/:
gunzip Geo*
cp Geo*.dat /usr/share/GeoIP/Now we can test our geoiplookup tool to see what it provides us:
geoiplookup 45.79.221.75
GeoIP Country Edition: US, United States
GeoIP ASNum Edition: AS63949 Linode, LLCThat provided us with the location and the AS number of the owner. To see more data we can specify the GeoLiteCity.dat like this:
geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat 45.79.221.75
GeoIP City Edition, Rev 1: US, GA, Georgia, Atlanta, 30301, 33.749001, -84.388000, 524, 404Scripting automatic updates of GeoIP data
Maxmind updates the ASN data weekly on Tuesday and the City and Country data monthly on the 1st Tuesday of the month. In order to build a better understanding of Linux here is an example of how to script and schedule these updates. First lets create a script to update the City and Country dat files.
cd /root/scripts
vim updater.shNow add the following to the updater.sh script:
cd /root/scripts
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip Geo*.gz
\cp Geo*.dat /usr/share/GeoIP/
rm -rf /root/scripts/Geo*Save the file and do the following to add the second script, updater-ASN.sh:
vim updater-ASN.shThen add the following to it:
cd /root/scripts
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip Geo*.gz
\cp Geo*.dat /usr/share/GeoIP/
rm -rf /root/scripts/Geo*Now we need to make them executable:
chmod +x updater*.shThe updater scripts will be executed by cron so we will need to edit the crontab and set ip up:
crontab -eAnd add the following:
1 3 15 * * /root/scripts/updater.sh
1 4 * * 3 /root/scripts/updater-ASN.shCrontab looks confusing but it is not that bad, I’ll try to explain it. The crontab line is broken into two parts: schedule and what to do. The first five spaces represent:
- minute
- hour
- day of month
- month
- day of week (0-6 with Sunday = 0)
So in our example 1 3 15 * * would mean 1 minute after 3 am on the 15th day of the month. The second example would be 1 minute after 4 am every Wednesday. Pretty simple.
Putting GeoIP to use
Now that we have a working tool that automatically updates constantly changing data lets see how to use it efficiently. The tool, as we saw above, it is invoked by typing geoiplookup followed by an IP address or if needed we can specify the GeoLiteCity dat file for more info. But what if we were handed a list of 100 IP addresses? This scenario, where one is handed a long list of IP’s, is not uncommon, but who wants to execute a command 100 times? Lets create a script to do this in mass and clean up the output a little in the process.
Lets start by making sure we are logged in as our normal user and not root. It is a good idea to add a scripts directory in your path so you have a place to put your scripts and do not have to type the full path to each script when you use it.
cd /home/<username>
mkdir scripts
PATH=$PATH:/home/<username>/scripts
export PATHNow create a script called ipinfo.sh:
vim ipinfo.shAnd add the following:
while read p;
do
echo "$p";geoiplookup "$p"|awk -F":" '{print $2}';geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat "$p"|awk -F":" '{print $2}';echo " ";
done < IP-LIST.txtMake the script executable:
chmod +x ipinfo.shCreate a file called IP-LIST.txt and add your IP’s to this list, the example has 2 IP’s but it could be however many you need:
vim IP-LIST.txtAdd the following two IP’s:
170.146.243.252
169.61.78.202Execute the ipinfo.sh and you will get the following output:
170.146.243.252
US, United States
AS14299 Automatic Data Processing, Inc.
US, KY, Kentucky, Florence, 41042, 39.002300, -84.656898, 515, 859
169.61.78.202
US, United States
AS36351 SoftLayer Technologies Inc.
US, N/A, N/A, N/A, N/A, 37.750999, -97.821999, 0, 0If you have questions feel free to ask them in the comments below. I hope you enjoyed this blog post and the accompanying video, if you did please take a moment and give it a like, also consider subscribing to my YouTube channel. I enjoy doing tutorials and how-to’s on cyber security topics and as long as they are popular I’ll keep doing them.
References
- Computer Forensics: Incident Response Essentials
- Learning the bash shell
- Vi and Vim Editors Pocket Reference
- Mastering CentOS 7 Linux Server
Some of the links we provide on the site are affiliate links and your use of that link provides this site with needed funding to provide this free content; and we greatly appreciate it! Without your support we could not sustain the site.
See Ya
