In my work I often need to block particular IP addresses on the firewall. Those typically belong to attackers who either scan for network vulnerabilities or attack some resource directly.
I am usually curious where these attacks come from. There are plenty of resources out there that help geolocate IP addresses. One of them is
https://www.geolocation.com/
For instance, if I wanted to find out the location of one of Microsoft's name servers:
40.90.4.205
I could go to the website, type the address into the search box and read the result off the page. When I hit enter, the URL bar shows the exact query that was sent to their server. The query looks like this:
https://www.geolocation.com/?ip=40.90.4.205#ipresult
Since the IP address is just a query-string parameter, this is easy to automate in Bash.
The best way to show it is with an example. Let's say I want to find the location of Microsoft's NS servers.
Step 1 - Obtain IP addresses
jr@rat $ host -t ns microsoft.com
microsoft.com name server ns3-205.azure-dns.org.
microsoft.com name server ns1-205.azure-dns.com.
microsoft.com name server ns4-205.azure-dns.info.
microsoft.com name server ns2-205.azure-dns.net.
jr@rat $
Okay. Not exactly what I want, is it? Let's 'cut' the output down to the fourth field, which is just the name of each server:
jr@rat $ host -t ns microsoft.com | cut -d " " -f4 > microsoft-ns.txt
jr@rat $ cat microsoft-ns.txt
ns3-205.azure-dns.org.
ns1-205.azure-dns.com.
ns4-205.azure-dns.info.
ns2-205.azure-dns.net.
jr@rat $
Better. But I need IPs rather than names.
jr@rat $ while read name; do host "$name"; done < microsoft-ns.txt
ns3-205.azure-dns.org has address 13.107.24.205
ns3-205.azure-dns.org has IPv6 address 2a01:111:4000::cd
ns1-205.azure-dns.com has address 40.90.4.205
ns1-205.azure-dns.com has IPv6 address 2603:1061::cd
ns4-205.azure-dns.info has address 13.107.160.205
ns4-205.azure-dns.info has IPv6 address 2620:1ec:bda::cd
ns2-205.azure-dns.net has address 64.4.48.205
ns2-205.azure-dns.net has IPv6 address 2620:1ec:8ec::cd
jr@rat $
Well, I'd rather have IPv4 addresses only. The IPv6 lines say "has IPv6 address", so matching on "has address" keeps just the IPv4 ones. One more shot at this:
jr@rat $ while read name; do host "$name" | grep "has address" | cut -d " " -f4; done < microsoft-ns.txt > ip.txt
jr@rat $ cat ip.txt
13.107.24.205
40.90.4.205
13.107.160.205
64.4.48.205
jr@rat $
With this ip.txt file and only IP addresses in it, I can proceed to step 2.
Step 2 - Use IP Geolocation Server
So, the script could look like this:
jr@rat $ firefox &
jr@rat $ while read ip; do firefox -new-tab "https://www.geolocation.com/?ip=$ip#ipresult"; done < ip.txt
jr@rat $
The first line starts the browser; the loop then opens one new tab per address in ip.txt and gets me the information I wanted. The URL is quoted so that the shell does not try to expand the '?' as a glob.
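Both steps above, as one script, are shown below. This is an added example, not the script from the post: the DNS lookups are replaced with constructed `host` output (the four lines from above plus one made-up alias line) so it runs offline, and each address is checked to be a dotted quad before it is put into a URL, so a stray line from `host` never ends up in the query. The function names and the sample alias record are my own; swap the here-string for a real `host "$name"` call to use it live.

```bash
#!/usr/bin/env bash
# Added example (not the blog's own script): Step 1 and Step 2 of the post
# as shell functions, run over constructed `host` output so it works offline.
set -eu

# Constructed sample of what `host` prints for the four name servers, plus an
# alias line that a real lookup can produce and that the filter must drop.
SAMPLE_HOST_OUTPUT='ns3-205.azure-dns.org has address 13.107.24.205
ns3-205.azure-dns.org has IPv6 address 2a01:111:4000::cd
ns1-205.azure-dns.com has address 40.90.4.205
ns1-205.azure-dns.com has IPv6 address 2603:1061::cd
ns4-205.azure-dns.info has address 13.107.160.205
ns4-205.azure-dns.info has IPv6 address 2620:1ec:bda::cd
ns2-205.azure-dns.net has address 64.4.48.205
ns2-205.azure-dns.net has IPv6 address 2620:1ec:8ec::cd
www.example.test is an alias for edge.example.test.'

# Step 1: keep only the "<name> has address <ipv4>" lines and print the address.
# Matching on the exact fields (not a substring) also drops "has IPv6 address".
extract_ipv4() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Accept only a dotted quad with four octets in the range 0-255.
is_ipv4() {
    local ip=$1 octet
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Step 2: turn each validated address into the query URL the site uses.
# Anything that is not an IPv4 address is reported on stderr and skipped.
geo_urls() {
    local ip
    while read -r ip; do
        is_ipv4 "$ip" || { echo "skipping non-IPv4 token: $ip" >&2; continue; }
        printf 'https://www.geolocation.com/?ip=%s#ipresult\n' "$ip"
    done
}

# Whole pipeline over the constructed sample: prints four URLs, one per server.
urls_from_sample() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_ipv4 | geo_urls
}

urls_from_sample
```

To open the tabs as in the post, pipe the output of `urls_from_sample` (or of the live pipeline) into `while read -r url; do firefox -new-tab "$url"; done`.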
Bash makes it very easy to automate boring tasks like this one.