This tutorial will show you how to retrieve the geolocation information for the banned IP addresses reported inside the fail2ban log file. Depending on the IP2Location BIN data that you are using for the lookup, you could get very detailed information like below if you are using the IP2Location DB26 BIN data to geolocate Fail2Ban IP address.
- Country
- Region
- City
- Latitude & Longitude
- ZIP Code
- ISP
- Domain
- Time Zone
- Net Speed
- Area Code
- Weather Station Information
- Mobile Information
- Elevation
- Usage Type
- Address Type
- Category
- District
- ASN
In this tutorial, we will use the IP2Location DB11 BIN data, which will display information regarding the country, region, city, latitude & longitude, ZIP code and time zone. For the BIN data lookup, we will use the IP2Location Python Library. However, you may use other Open Source Libraries, e.g. C, Perl or others, whichever you may prefer.
First of all, you will need to install the IP2Location Python library if you haven’t done so. Follow the instructions at https://www.ip2location.com/developers/python to install the IP2Location Python library.
Next, you will need to download the IP2Location DB11 BIN data. Login to your account and download the file.
Script
This simple script will read the IP information from the fail2ban log file and retrieve the location information from the IP2Location BIN data
Create a Python script Fail2BanIP2Location.py as below:
# Fail2BanIP2Location.py
import re
import IP2Location;
IP2LocObj = IP2Location.IP2Location();
IP2LocObj.open("PATH/TO/IP2LOCATION/BIN/DATABASE");
f = open('/var/log/fail2ban.log', 'r')
pattern = r".*?Ban\s*?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"
p = re.compile(pattern)
for i in f:
m = p.match(i)
if m:
ip = m.group(1)
rec = IP2LocObj.get_all(ip);
print "%s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %)" % (ip, rec.country_short, rec.country_long, rec.region, rec.city, rec.latitude, rec.longitude, rec.zipcode, rec.timezone)
Then, you can run this script to review IP addresses that have been banned by Fail2Ban.
python Fail2BanIP2Location.py |
You will see the below output:
12.54.6.78 (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)
Logging
You can also enable Geolocation information in Fail2Ban logs. Edit the file /usr/share/fail2ban/server/actions.py.
Add the following lines after import time, logging
import IP2Location;
IP2LocObj = IP2Location.IP2Location();
IP2LocObj.open("PATH/TO/IP2LOCATION/BIN/DATABASE");
Find the following line:
logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
And replace with following lines:
rec = IP2LocObj.get_all(aInfo["ip"]);
logSys.warn("[%s] Ban %s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %)" % (self.jail.getName(), aInfo["ip"], rec.country_short, rec.country_long, rec.region, rec.city, rec.latitude, rec.longitude, rec.zipcode, rec.timezone))
Your Fail2Ban log will now looks more informative as below:
2016-09-14 20:01:23,650 fail2ban.actions[17751]: WARNING [ssh] Ban 23.0.18.220 (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)
THE POWER OF IP GEOLOCATION
Find a solution that fits.