UJP - Technical Information 1


A script to find out which country an access comes from


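0. Revision history

  • 2006.07.13 Initial version

1. Introduction

 This document uses Perl's IP::Country::Fast to find out which country an arbitrary IP address is allocated to. LogWatch mail often records, under pam_unix and similar sections, many IP addresses that are attempting unauthorized access; here we check which country those servers are in.

 Applied further, this can in some cases support measures such as denying access from that entire country.

 This script was confirmed to work on MacOS X 10.4 and RedHat Linux ES3.

2. Installing the module

  • Install the module using CPAN.
  • First, start the CPAN shell.
    • If this is the first time the CPAN shell is started, separate configuration is required.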
iMacG5:/Users/shinnai root# perl -MCPAN -e shell
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.7601)
ReadLine support available (try 'install Bundle::CPAN')

cpan> 
  • Install IP::Country::Fast.
cpan> install IP::Country::Fast
CPAN: Storable loaded ok
LWP not available
Fetching with Net::FTP:
  ftp://ftp.kddilabs.jp/CPAN/authors/01mailrc.txt.gz
Going to read /var/root/.cpan/sources/authors/01mailrc.txt.gz
CPAN: Compress::Zlib loaded ok
LWP not available
Fetching with Net::FTP:
  ftp://ftp.kddilabs.jp/CPAN/modules/02packages.details.txt.gz
Going to read /var/root/.cpan/sources/modules/02packages.details.txt.gz
  Database was generated on Wed, 12 Jul 2006 16:29:12 GMT
  HTTP::Date not available

  There's a new CPAN.pm version (v1.87) available!
  [Current version is v1.7601]
  You might want to try
    install Bundle::CPAN
    reload cpan
  without quitting the current session. It should be a seamless upgrade
  while we are running...

LWP not available
Fetching with Net::FTP:
  ftp://ftp.kddilabs.jp/CPAN/modules/03modlist.data.gz
Going to read /var/root/.cpan/sources/modules/03modlist.data.gz
Going to write /var/root/.cpan/Metadata
Running install for module IP::Country::Fast
Running make for N/NW/NWETTERS/IP-Country-2.21.tar.gz
LWP not available
Fetching with Net::FTP:
  ftp://ftp.kddilabs.jp/CPAN/authors/id/N/NW/NWETTERS/IP-Country-2.21.tar.gz
CPAN: Digest::MD5 loaded ok
LWP not available
Fetching with Net::FTP:
  ftp://ftp.kddilabs.jp/CPAN/authors/id/N/NW/NWETTERS/CHECKSUMS
Checksum for /var/root/.cpan/sources/authors/id/N/NW/NWETTERS/IP-Country-2.21.
tar.gz ok
Scanning cache /var/root/.cpan/build for sizes
IP-Country-2.21/
IP-Country-2.21/INSTALL
IP-Country-2.21/CHANGES
IP-Country-2.21/MANIFEST
IP-Country-2.21/lib/
IP-Country-2.21/lib/IP/
IP-Country-2.21/lib/IP/Authority/
IP-Country-2.21/lib/IP/Authority/ipauth.gif
IP-Country-2.21/lib/IP/Authority/auth.gif
IP-Country-2.21/lib/IP/Country.pm
IP-Country-2.21/lib/IP/Country/
IP-Country-2.21/lib/IP/Country/MaxMind.pm
IP-Country-2.21/lib/IP/Country/Fast/
IP-Country-2.21/lib/IP/Country/Fast/ip.gif
IP-Country-2.21/lib/IP/Country/Fast/cc.gif
IP-Country-2.21/lib/IP/Country/Medium.pm
IP-Country-2.21/lib/IP/Country/Fast.pm
IP-Country-2.21/lib/IP/Country/Slow.pm
IP-Country-2.21/lib/IP/Authority.pm
IP-Country-2.21/dbmScripts/
IP-Country-2.21/dbmScripts/getFiles.pl
IP-Country-2.21/dbmScripts/ipauth_maker.pl
IP-Country-2.21/dbmScripts/ipauth_loader.pl
IP-Country-2.21/dbmScripts/ipcc_loader.pl
IP-Country-2.21/dbmScripts/ipcc_maker.pl
IP-Country-2.21/README
IP-Country-2.21/t/
IP-Country-2.21/t/05fast_bench.t
IP-Country-2.21/t/04auth_lookup.t
IP-Country-2.21/t/03medium_lookup.t
IP-Country-2.21/t/01object_creation.t
IP-Country-2.21/t/02fast_lookup.t
IP-Country-2.21/Makefile.PL
IP-Country-2.21/bin/
IP-Country-2.21/bin/ip2cc.PL
IP-Country-2.21/META.yml

  CPAN.pm: Going to build N/NW/NWETTERS/IP-Country-2.21.tar.gz

Checking if your kit is complete...
Looks good
Writing Makefile for IP::Country
cp lib/IP/Country/Medium.pm blib/lib/IP/Country/Medium.pm
cp lib/IP/Country/Fast.pm blib/lib/IP/Country/Fast.pm
cp lib/IP/Authority.pm blib/lib/IP/Authority.pm
cp lib/IP/Country/Fast/cc.gif blib/lib/IP/Country/Fast/cc.gif
cp lib/IP/Authority/ipauth.gif blib/lib/IP/Authority/ipauth.gif
cp lib/IP/Country/MaxMind.pm blib/lib/IP/Country/MaxMind.pm
cp lib/IP/Authority/auth.gif blib/lib/IP/Authority/auth.gif
cp lib/IP/Country/Slow.pm blib/lib/IP/Country/Slow.pm
cp lib/IP/Country.pm blib/lib/IP/Country.pm
cp lib/IP/Country/Fast/ip.gif blib/lib/IP/Country/Fast/ip.gif
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" bin/ip2cc.PL bin/ip2cc
Extracting ip2cc (with variable substitutions)
cp bin/ip2cc blib/script/ip2cc
/usr/bin/perl "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/ip2cc
Manifying blib/man1/ip2cc.1
Manifying blib/man3/IP::Authority.3pm
Manifying blib/man3/IP::Country::Fast.3pm
Manifying blib/man3/IP::Country::Medium.3pm
Manifying blib/man3/IP::Country::MaxMind.3pm
Manifying blib/man3/IP::Country::Slow.3pm
Manifying blib/man3/IP::Country.3pm
  /usr/bin/make  -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 
'blib/lib', 'blib/arch')" t/*.t
t/01object_creation....ok                                                    
t/02fast_lookup........ok                                                    
t/03medium_lookup......ok                                                    
t/04auth_lookup........ok                                                    
t/05fast_bench.........ok 1/1 # random find (58%, 8191 lookups/sec)          
t/05fast_bench.........ok                                                    
All tests successful.
Files=5, Tests=93, 11 wallclock secs ( 3.26 cusr +  0.11 csys =  3.37 CPU)
  /usr/bin/make test -- OK
Running make install
Installing /Library/Perl/5.8.6/IP/Authority.pm
Installing /Library/Perl/5.8.6/IP/Country.pm
Installing /Library/Perl/5.8.6/IP/Authority/auth.gif
Installing /Library/Perl/5.8.6/IP/Authority/ipauth.gif
Installing /Library/Perl/5.8.6/IP/Country/Fast.pm
Installing /Library/Perl/5.8.6/IP/Country/MaxMind.pm
Installing /Library/Perl/5.8.6/IP/Country/Medium.pm
Installing /Library/Perl/5.8.6/IP/Country/Slow.pm
Installing /Library/Perl/5.8.6/IP/Country/Fast/cc.gif
Installing /Library/Perl/5.8.6/IP/Country/Fast/ip.gif
Installing /usr/local/man/man1/ip2cc.1
Installing /usr/local/man/man3/IP::Authority.3pm
Installing /usr/local/man/man3/IP::Country.3pm
Installing /usr/local/man/man3/IP::Country::Fast.3pm
Installing /usr/local/man/man3/IP::Country::MaxMind.3pm
Installing /usr/local/man/man3/IP::Country::Medium.3pm
Installing /usr/local/man/man3/IP::Country::Slow.3pm
Installing /usr/bin/ip2cc
Writing /Library/Perl/5.8.6/darwin-thread-multi-2level/auto/IP/Country/.packli
st
Appending installation info to //System/Library/Perl/5.8.6/darwin-thread-multi
-2level/perllocal.pod
  /usr/bin/make install  -- OK

cpan> 
  • The installation appears to have completed without problems.
  • Quit the CPAN shell.
cpan> quit
Terminal does not support GetHistory.
Lockfile removed.
iMacG5:/Users/shinnai root# 

3. Creating the script

  • Installing the library alone does nothing, so write a Perl program that calls it.
iMacG5:/Users/shinnai root# cat IPCountry.pl 
#!/usr/bin/perl
use IP::Country::Fast;

my $reg = IP::Country::Fast->new();
print $reg->inet_atocc($ARGV[0]) . "\n";
iMacG5:/Users/shinnai root# 
iMacG5:/Users/shinnai root# chmod ogu+x IPCountry.pl 
iMacG5:/Users/shinnai root# ls -la IPCountry.pl 
-rwxr-xr-x   1 shinnai  shinnai  117 Jul 13 15:02 IPCountry.pl
iMacG5:/Users/shinnai root# 
  • Try running it against the IP address of the Prime Minister's Official Residence.
iMacG5:/Users/shinnai root# /usr/bin/perl IPCountry.pl 202.232.190.90 
JP
iMacG5:/Users/shinnai root# 
  • JP is Japan, so the result is correct.

4. Looking up various addresses

  • I pulled one day's unauthorized access attempts against my server from the LogWatch service.
--------------------- pam_unix Begin ------------------------ 

sshd:
   Invalid Users:
      Unknown Account: 202 Time(s)
   Authentication Failures:
      mysql (202.108.87.10 ): 2 Time(s)
      ftp (202.108.87.10 ): 2 Time(s)
      unknown (218.1.65.196 ): 48 Time(s)
      postgres (202.108.87.10 ): 2 Time(s)
      unknown (202.108.87.10 ): 154 Time(s)
      root (61.185.32.47 ): 31 Time(s)
      root (202.108.87.10 ): 214 Time(s)


 ---------------------- pam_unix End ------------------------- 
  • Look into the IP address that made close to 400 access attempts within 24 hours.
  • Look up the country code of this IP address.
iMacG5:/Users/shinnai root# /usr/bin/perl IPCountry.pl 202.108.87.10 
CN
iMacG5:/Users/shinnai root#
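
Added example (not part of the original page): instead of checking addresses one at a time, this Perl script totals the sshd authentication failures per source IP in a LogWatch pam_unix section and prints each address with its country code. It uses only the IP::Country::Fast calls shown above; the function name failures_by_ip and the '??' marker are assumptions of this example, and the embedded sample is the LogWatch excerpt from this page.

```perl
#!/usr/bin/perl
# Added example: total sshd authentication failures per source IP from a
# LogWatch pam_unix section and tag each IP with its country code.
use strict;
use warnings;
use IP::Country::Fast;

# Sum the "N Time(s)" counts per IPv4 address found in LogWatch lines
# such as "      root (202.108.87.10 ): 214 Time(s)".
sub failures_by_ip {
    my (@lines) = @_;
    my %count;
    for my $line (@lines) {
        next unless $line =~ /\(\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\):\s*(\d+)\s+Time\(s\)/;
        my ($ip, $n) = ($1, $2);
        # Accept only well-formed dotted quads: inet_atocc() also takes
        # hostnames, and log-derived text should never trigger DNS lookups.
        next if grep { $_ > 255 } split /\./, $ip;
        $count{$ip} += $n;
    }
    return %count;
}

my $reg   = IP::Country::Fast->new();
my @lines = @ARGV ? <> : <DATA>;    # file argument(s), else the sample below
my %count = failures_by_ip(@lines);

# Highest counts first; ties ordered by address string for stable output.
for my $ip (sort { $count{$b} <=> $count{$a} || $a cmp $b } keys %count) {
    my $cc = $reg->inet_atocc($ip);
    $cc = '??' unless defined $cc;    # no country found for this address
    printf "%-15s %-2s %5d\n", $ip, $cc, $count{$ip};
}

__DATA__
sshd:
   Invalid Users:
      Unknown Account: 202 Time(s)
   Authentication Failures:
      mysql (202.108.87.10 ): 2 Time(s)
      ftp (202.108.87.10 ): 2 Time(s)
      unknown (218.1.65.196 ): 48 Time(s)
      postgres (202.108.87.10 ): 2 Time(s)
      unknown (202.108.87.10 ): 154 Time(s)
      root (61.185.32.47 ): 31 Time(s)
      root (202.108.87.10 ): 214 Time(s)
```

The lookup data ships inside the installed module (the ip.gif and cc.gif files in the install output above), so the country codes are only as current as that module version.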

