
Geolocate Fail2Ban IP Using IP2Location

This tutorial will show you how to retrieve the geolocation information for the banned IP addresses reported in the fail2ban log file. Depending on which IP2Location BIN database you use for the lookup, the output can be far more detailed; the IP2Location DB24 BIN data, for example, returns many more fields than the one used here.

In this tutorial, we will use the IP2Location DB11 BIN data, which provides the country, region, city, latitude & longitude, ZIP code and time zone. For the BIN data lookup, we will use the IP2Location Python Library. However, you may use any of the other open source IP2Location libraries, e.g. the C or Perl library, whichever you prefer.

First of all, you will need to install the IP2Location Python library if you haven’t done so. Follow the instructions at http://ip2location.com/developers/python to install the IP2Location Python library.

Next, you will need to download the IP2Location DB11 BIN data. Login to your account at http://www.ip2location.com/login and download the file.

Script

This simple script reads the banned IP addresses from the fail2ban log file and retrieves their location information from the IP2Location BIN data.

Create a Python script Fail2BanIP2Location.py as below:

# Fail2BanIP2Location.py
import re

import IP2Location

IP2LocObj = IP2Location.IP2Location()
IP2LocObj.open("PATH/TO/IP2LOCATION/BIN/DATABASE")

# Match fail2ban "Ban <IPv4>" lines; each octet alternation limits the value to 0-255.
pattern = r".*?Ban\s*?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"
p = re.compile(pattern)

with open('/var/log/fail2ban.log', 'r') as f:
    for line in f:
        m = p.match(line)
        if m:
            ip = m.group(1)
            # Look up the full DB11 record for the banned address
            rec = IP2LocObj.get_all(ip)
            # Every field, including the time zone, is substituted with %s
            print("%s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %s)" % (ip, rec.country_short, rec.country_long, rec.region, rec.city, rec.latitude, rec.longitude, rec.zipcode, rec.timezone))

Then, you can run this script to review IP addresses that have been banned by Fail2Ban.

python Fail2BanIP2Location.py

You will see the below output:

12.54.6.78 (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)
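The script above only matches IPv4 "Ban" lines and prints as it goes. As an added example (not part of the IP2Location tutorial), the following parser pulls the timestamp, jail and action out of each fail2ban actions-log line, counts how often an address was banned across jails, and takes the lookup as a callable, so `IP2LocObj.get_all` can be passed in on a real system while the constructed `fake_lookup` stub keeps the example runnable offline. The sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Log lines constructed for this example in fail2ban's actions-log format;
# the jails, addresses and timestamps are made up.
SAMPLE_LOG = """\
2016-09-14 20:01:23,650 fail2ban.actions[17751]: WARNING [ssh] Ban 23.0.18.220
2016-09-14 20:05:10,001 fail2ban.actions[17751]: WARNING [ssh] Ban 12.54.6.78
2016-09-14 20:07:42,113 fail2ban.actions[17751]: WARNING [apache-auth] Ban 23.0.18.220
2016-09-14 20:11:23,650 fail2ban.actions[17751]: WARNING [ssh] Unban 23.0.18.220
2016-09-14 20:12:00,000 fail2ban.actions[17751]: INFO    [ssh] Found 12.54.6.78
2016-09-14 20:15:03,777 fail2ban.actions[17751]: WARNING [ssh] Ban 2001:db8::1
"""

# Whole-line pattern: timestamp, jail, Ban/Unban, then the address token.
# "Found" lines are skipped; IPv6 addresses are accepted as-is.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"fail2ban\.actions\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\S+)\s*$"
)

def parse_actions(text):
    """Return (timestamp, jail, action, ip) tuples for every Ban/Unban line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("jail"),
                           m.group("action"), m.group("ip")))
    return events

def ban_counts(events):
    """Count Ban events per IP across all jails (Unban events are ignored)."""
    return Counter(ip for _, _, action, ip in events if action == "Ban")

def enrich(events, lookup):
    """Attach lookup(ip) to each Ban event; pass IP2LocObj.get_all in real use."""
    return [(ts, jail, ip, lookup(ip)) for ts, jail, action, ip in events
            if action == "Ban"]

def fake_lookup(ip):
    """Hypothetical stand-in for IP2Location get_all(); values are made up."""
    table = {"23.0.18.220": "US/Mountain View", "12.54.6.78": "US/Mountain View"}
    return table.get(ip, "unknown")

if __name__ == "__main__":
    events = parse_actions(SAMPLE_LOG)
    for ts, jail, ip, loc in enrich(events, fake_lookup):
        print("%s [%s] %s -> %s" % (ts, jail, ip, loc))
    print(ban_counts(events).most_common())
```

To run it against a live system, replace `SAMPLE_LOG` with the contents of `/var/log/fail2ban.log` and pass `IP2LocObj.get_all` as the lookup.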

Logging

You can also enable Geolocation information in Fail2Ban logs. Edit the file /usr/share/fail2ban/server/actions.py.

Add the following lines after the line import time, logging:

import IP2Location

IP2LocObj = IP2Location.IP2Location()
IP2LocObj.open("PATH/TO/IP2LOCATION/BIN/DATABASE")

Find the following line:

logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))

And replace it with the following lines:

rec = IP2LocObj.get_all(aInfo["ip"])
logSys.warn("[%s] Ban %s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %s)" % (self.jail.getName(), aInfo["ip"], rec.country_short, rec.country_long, rec.region, rec.city, rec.latitude, rec.longitude, rec.zipcode, rec.timezone))

Your Fail2Ban log will now look more informative, as below:

2016-09-14 20:01:23,650 fail2ban.actions[17751]: WARNING [ssh] Ban 23.0.18.220 (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)
