Geoiplookup
Today I want to know where the IPs accessing my Nginx Webserver are located.
For that we need a few packages to handle the geolocation:
apt install mmdb-bin grepcidr -y
We need to download a current database containing the geolocations of IPs.
The company MaxMind offers free databases for this purpose:
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
Extract the archive and place the database file at /usr/share/GeoIP/GeoLite2-City.mmdb
So we want to pipe the content of our nginx access.log files to get the counted and sorted number of IPs:
#!/bin/bash
# change to zcat if needed for old log files
sudo cat "/var/log/nginx/access.log$1" | awk '{print $1}' | sort | uniq -c | sort -nr | xargs -L1 ./logfile-helper.sh
Here we can pass an optional first parameter, which can be set to .1 to get the previous log file.
To get earlier log files we need to modify the script to use zcat to efficiently decompress the older log files and access the log with script.sh .2 as needed.
An example output line looks like this:
Count IP
123 127.0.0.1
Now we want to pipe this content to mmdblookup by creating another script, called logfile-helper.sh, which handles the formatting, with the following content:
#!/bin/bash
#set -e
# $1 = request count, $2 = IP address to look up
db=/usr/share/GeoIP/GeoLite2-City.mmdb
# mmdblookup prints the value in double quotes; NF>1 skips the blank lines around it
c=$(mmdblookup -f "$db" --ip "$2" city names en | awk -F'"' 'NF>1 {print $2}')
o=$(mmdblookup -f "$db" --ip "$2" continent code | awk -F'"' 'NF>1 {print $2}')
u=$(mmdblookup -f "$db" --ip "$2" country iso_code | awk -F'"' 'NF>1 {print $2}')
printf '%s \t%s\t%s\t%s\t%s\n' "$1" "$2" "$o" "$u" "$c"
The first parameter is just a number that gets printed; the second parameter is the IP that should be looked up. This matches the output format of the previous script and produces output like this (I removed the IP addresses):
9 AS CN Beijing
4 EU RU St Petersburg
4 EU NL Amsterdam
4 NA US Denver
3 EU ME
3 NA US Sioux Falls
3 EU NL Amsterdam
1 SA CO Medellín
1 SA BR Barretos
1 EU SK
1 SA BR Mogi das Cruzes
1 SA BR Sao Jose do Ouro
It is very interesting to see that my server somehow gets accessed from all over the world by people who don’t know me.
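To see which countries generate the most requests, the per-IP lines from logfile-helper.sh can be rolled up into per-country totals. This is an added example, not part of the original post; the function names country_totals and sample_lines, the "--" placeholder for empty lookups and the sample lines (documentation-range IPs) are assumptions made up for illustration.

```shell
#!/bin/bash
# Added example: aggregate the helper's per-IP output into per-country totals.
# Input (stdin):  "COUNT \tIP\tCONTINENT\tCOUNTRY\tCITY", one line per IP
# Output:         "REQUESTS\tDISTINCT_IPS\tCONTINENT\tCOUNTRY", busiest first
country_totals() {
  awk -F'\t' '
    NF >= 2 {
      n = $1 + 0                      # "9 " -> 9 (the helper prints a space before the tab)
      if (n <= 0) next                # skip header or malformed lines
      cont = ($3 == "") ? "--" : $3   # lookups with no result (e.g. 127.0.0.1) are empty
      ctry = ($4 == "") ? "--" : $4
      key = cont "\t" ctry
      hits[key] += n                  # total requests per country
      ips[key]++                      # distinct IPs per country
    }
    END { for (k in hits) printf "%d\t%d\t%s\n", hits[k], ips[k], k }
  ' | sort -t "$(printf '\t')" -k1,1nr -k3,4
}

# Constructed sample lines in the helper's output format (not real log data).
sample_lines() {
  printf '9 \t203.0.113.10\tAS\tCN\tBeijing\n'
  printf '4 \t198.51.100.7\tEU\tNL\tAmsterdam\n'
  printf '3 \t198.51.100.8\tEU\tNL\tAmsterdam\n'
  printf '3 \t192.0.2.55\tEU\tME\t\n'
  printf '123 \t127.0.0.1\t\t\t\n'
}

sample_lines | country_totals
```

In practice, append `| country_totals` to the pipeline from the first script instead of feeding it the sample.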
Reference: https://www.shabinx.com/how-to-use-maxmind-geolite2-to-obtain-geoip-data-from-the-command-line/