Using GeoIP data from the command line

Today’s topic is using GeoIP data from the command line. Security analysts often need to determine an IP address’s geographic location in order to make decisions. The most obvious use is geofencing, i.e. blocking IPs from certain countries or regions. GeoIP information is simple to acquire from the Linux command line with the geoiplookup tool and the MaxMind dat files. Here is an updated post and video on how to use MaxMind’s GeoLite2 database: How to use GeoLite2 on the command line.

Getting started with GeoIP data

GeoIP data is extremely useful when investigating events, but the data behind it changes constantly, and that poses a problem: the accuracy of the analyst’s work depends on the data being fresh. This blog post and the accompanying video will cover three things:

  • Setting up the tool
  • Scripting automatic updates of the data
  • Using the tool and creating a script for mass lookups

Setting up the tool

First, let’s make sure the system is up to date with the latest patches (execute as root):

yum -y update

Now we can check whether the geoiplookup package is installed and, if not, install it:

yum -y install geoip

Once it is installed we need to set up a scripts folder in root’s home folder:

cd /root
mkdir scripts

MaxMind provides the geoiplookup package with default dat files, but yum alone may not update them as frequently as needed. Let’s begin by updating the dat files manually, using wget to download them from MaxMind:

cd /root/scripts
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

Unzip the files and move them to /usr/share/GeoIP/:

gunzip Geo*
cp Geo*.dat /usr/share/GeoIP/

Now we can test our geoiplookup tool to see what it provides us:

geoiplookup 45.79.221.75
GeoIP Country Edition: US, United States
GeoIP ASNum Edition: AS63949 Linode, LLC

That gave us the country and the AS number of the owner. To see more data we can specify GeoLiteCity.dat like this:

geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat 45.79.221.75
GeoIP City Edition, Rev 1: US, GA, Georgia, Atlanta, 30301, 33.749001, -84.388000, 524, 404

Scripting automatic updates of GeoIP data

MaxMind updates the ASN data weekly on Tuesday and the City and Country data monthly on the first Tuesday of the month. To build a better understanding of Linux, here is an example of how to script and schedule these updates. First, let’s create a script to update the City and Country dat files.

cd /root/scripts
vim updater.sh

Now add the following to the updater.sh script:

#!/bin/bash
# updater.sh: refresh the GeoLite Country and City databases
cd /root/scripts
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

gunzip Geo*.gz
# \cp bypasses any cp alias (such as cp -i) so the copy never prompts
\cp Geo*.dat /usr/share/GeoIP/
rm -rf /root/scripts/Geo*

Save the file and do the following to add the second script, updater-ASN.sh:

vim updater-ASN.sh

Then add the following to it:

#!/bin/bash
# updater-ASN.sh: refresh the GeoLite ASN database
cd /root/scripts
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

gunzip Geo*.gz
# \cp bypasses any cp alias (such as cp -i) so the copy never prompts
\cp Geo*.dat /usr/share/GeoIP/
rm -rf /root/scripts/Geo*

Now we need to make them executable:

chmod +x updater*.sh

The updater scripts will be executed by cron, so we need to edit the crontab and set it up:

crontab -e

And add the following:

1 3 15 * * /root/scripts/updater.sh
1 4 * * 3 /root/scripts/updater-ASN.sh

Crontab looks confusing but it is not that bad; I’ll try to explain it. A crontab line is broken into two parts: the schedule and what to run. The first five fields represent:

  • minute
  • hour
  • day of month
  • month
  • day of week (0-6 with Sunday = 0)

So in our example, 1 3 15 * * means 1 minute after 3 am on the 15th day of the month. The second example is 1 minute after 4 am every Wednesday. Pretty simple.
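The two updater scripts above never check whether wget succeeded, so a failed download goes unnoticed and the database quietly goes stale. The script below is a hardened version added here as an example; it is not part of the original post. It fetches each archive into a temporary directory, verifies that it decompresses to a non-empty file, and only then swaps it into place; the install_dat and update_all function names, the GEOIP_DIR variable and the --run flag are my own choices, while the URLs are the ones used in the post.

```shell
#!/bin/bash
# Safer updater (added example): fetch each .gz into a temp dir, check it
# decompresses to a non-empty file, then replace the live .dat atomically.
# Assumes wget and gzip are installed and the same MaxMind URLs as the post.
set -u

GEOIP_DIR=${GEOIP_DIR:-/usr/share/GeoIP}
URLS="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"

# install_dat GZFILE DESTDIR: verify GZFILE and install its contents as
# DESTDIR/<name without .gz>. Returns 0 on success, 1 on any failure, and
# never touches the existing .dat when something is wrong.
install_dat() {
  local gz=$1 dest=$2 name tmp
  name=$(basename "$gz" .gz)
  gzip -t "$gz" 2>/dev/null || { echo "corrupt download: $gz" >&2; return 1; }
  tmp=$(mktemp "$dest/.$name.XXXXXX") || return 1
  if ! gzip -dc "$gz" > "$tmp" || [ ! -s "$tmp" ]; then
    echo "empty or unreadable: $gz" >&2; rm -f "$tmp"; return 1
  fi
  chmod 0644 "$tmp" && mv -f "$tmp" "$dest/$name"   # rename is atomic on one fs
}

# update_all: download every URL and install it. Exits non-zero if any file
# failed, so cron's mail (or a monitoring check on the exit status) shows it.
update_all() {
  local work url rc=0
  work=$(mktemp -d) || return 1
  for url in $URLS; do
    if wget -q -O "$work/$(basename "$url")" "$url"; then
      install_dat "$work/$(basename "$url")" "$GEOIP_DIR" || rc=1
    else
      echo "download failed: $url" >&2; rc=1
    fi
  done
  rm -rf "$work"
  return $rc
}

# Only do network work when invoked as: updater.sh --run
if [ "${1:-}" = "--run" ]; then update_all; fi
```

Schedule it from cron exactly as above, with --run appended, and a non-zero exit lands in root’s cron mail instead of disappearing.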

Putting GeoIP to use

Now that we have a working tool that automatically updates its constantly changing data, let’s see how to use it efficiently. As we saw above, the tool is invoked by typing geoiplookup followed by an IP address, or if needed we can specify the GeoLiteCity dat file for more info. But what if we were handed a list of 100 IP addresses? This scenario, where one is handed a long list of IPs, is not uncommon, but who wants to execute a command 100 times? Let’s create a script to do this in bulk and clean up the output a little in the process.

Let’s start by making sure we are logged in as our normal user and not root. It is a good idea to add a scripts directory to your PATH so you have a place to put your scripts and do not have to type the full path to each script when you use it.

cd /home/<username>
mkdir scripts
PATH=$PATH:/home/<username>/scripts
export PATH

Now create a script called ipinfo.sh:

vim ipinfo.sh

And add the following:

#!/bin/bash
# For each IP in IP-LIST.txt: print the IP, then the Country and ASN lines and
# the City line with the "GeoIP ... Edition:" label stripped, then a blank line.
while read p; do
    echo "$p"
    geoiplookup "$p" | awk -F":" '{print $2}'
    geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat "$p" | awk -F":" '{print $2}'
    echo " "
done < IP-LIST.txt

Make the script executable:

chmod +x ipinfo.sh

Create a file called IP-LIST.txt and add your IPs to it. The example has two IPs, but it could be as many as you need:

vim IP-LIST.txt

Add the following two IPs:

170.146.243.252
169.61.78.202

Execute ipinfo.sh and you will get the following output:

170.146.243.252
 US, United States
 AS14299 Automatic Data Processing, Inc.
 US, KY, Kentucky, Florence, 41042, 39.002300, -84.656898, 515, 859
 
169.61.78.202
 US, United States
 AS36351 SoftLayer Technologies Inc.
 US, N/A, N/A, N/A, N/A, 37.750999, -97.821999, 0, 0
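The loop above passes every line of IP-LIST.txt straight to geoiplookup. The version below is an added example, not the post’s ipinfo.sh: it skips blank, commented and malformed lines (a list pasted from a ticket or a log often contains some) and turns each result into one CSV row, which is easier to sort or load into a SIEM than the free-form output. The function names and the CITY_DB variable are my own; the geoiplookup line format is the one shown in the output above.

```shell
#!/bin/bash
# ipinfo-csv.sh (added example): validate each entry, look it up, emit CSV.
# Assumes geoiplookup prints lines like "GeoIP <Name> Edition[, Rev N]: value".
set -u
CITY_DB=${CITY_DB:-/usr/share/GeoIP/GeoLiteCity.dat}

valid_ipv4() {           # dotted quad, four octets, each 0-255
  case $1 in *[!0-9.]*|.*|*.|*..*) return 1;; esac
  local IFS=. o n=0
  for o in $1; do n=$((n+1)); [ "$o" -le 255 ] || return 1; done
  [ "$n" -eq 4 ]
}

# edition_value OUTPUT NAME: the value of the "GeoIP NAME Edition" line,
# or N/A when that edition is not present in OUTPUT.
edition_value() {
  printf '%s\n' "$1" | awk -v e="GeoIP $2 Edition" \
    'index($0, e) == 1 { sub(/^[^:]*: /, ""); print; found = 1; exit }
     END { if (!found) print "N/A" }'
}

# format_row IP COUNTRY_OUTPUT CITY_OUTPUT -> ip,country,asn,"city fields"
format_row() {
  local cc asn city
  cc=$(edition_value "$2" Country | cut -d, -f1)
  asn=$(edition_value "$2" ASNum | cut -d' ' -f1)
  city=$(edition_value "$3" City)
  printf '%s,%s,%s,"%s"\n' "$1" "$cc" "$asn" "$city"
}

lookup_file() {          # lookup_file IP-LIST.txt
  local ip
  printf 'ip,country,asn,city\n'
  while IFS= read -r ip || [ -n "$ip" ]; do
    ip=${ip%%#*}                                   # drop trailing comments
    ip=$(printf '%s' "$ip" | tr -d '[:space:]')    # and stray whitespace
    [ -n "$ip" ] || continue
    if ! valid_ipv4 "$ip"; then echo "skipping malformed entry: $ip" >&2; continue; fi
    format_row "$ip" "$(geoiplookup "$ip")" "$(geoiplookup -f "$CITY_DB" "$ip")"
  done < "$1"
}

# Usage: ipinfo-csv.sh IP-LIST.txt > results.csv
if [ -n "${1:-}" ]; then lookup_file "$1"; fi
```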

If you have questions, feel free to ask them in the comments below. I hope you enjoyed this blog post and the accompanying video; if you did, please take a moment to give it a like, and consider subscribing to my YouTube channel. I enjoy doing tutorials and how-tos on cyber security topics, and as long as they are popular I’ll keep doing them.

See Ya