HOWTO use geoiplookup

From Fail2ban
Revision as of 23:22, 21 March 2008 by (Talk) (Requierements)

Jump to: navigation, search

Geolocalization of banned IPs

You may be interested in a quick summary of the countries where the attacks come from. This document explains how to find these information.


In Gentoo, the needed package is the following :

     Latest version available: 1.3.14
     Latest version installed: [ Not Installed ]
     Size of downloaded files: 1,984 kB
     Description: easily lookup countries by IP addresses, even when Reverse DNS entries don't exist
     License:     GPL-2

This will install "geoiplookup" and "geoipupdate" to update the database (you need a license id to get a new db)

In Debian or Ubuntu, one can simple do apt-get install geoip-bin


This small script will extract the banned IPs from fail2ban.log. It looks for lines such as "..... Ban", extracts the IP and runs geoiplookup. You may have to change the hardcoded paths in the script depending on your configuration.

import os
import re
f = open('fail2ban.log', 'r')    
pattern = r".*?Ban\s*?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"
p = re.compile(pattern)
for i in f:
        m = p.match(i)
        if m:
                ip =
                file = os.popen('geoiplookup %s' % ip)

Note that there is a Geo-Ip binding for Python available.


myserver # python
GeoIP Country Edition: CI, Cote D'Ivoire
GeoIP Country Edition: FR, France
GeoIP Country Edition: CN, China
GeoIP Country Edition: KO, South Korea
GeoIP Country Edition: VN, Vietnam

Other interesting links

For advanced results, you may be interested in :