A script to find out which country an access originates from
0. Revision history
1. Introduction
This document uses Perl's IP::Country::Fast to find out which country an arbitrary IP address is allocated to. LogWatch mail and similar reports record many IP addresses attempting unauthorized access at pam_unix; here we check which country those servers belong to.
Applied further, this can, depending on the situation, be used to take measures such as denying access to an entire country.
This script was verified to work on MacOS X 10.4 and RedHat Linux ES3.
2. Installing the module
- Install the module using CPAN.
- First, start the CPAN shell.
- If this is the first time the CPAN shell is started, separate configuration is required.
iMacG5:/Users/shinnai root# perl -MCPAN -e shell
Terminal does not support AddHistory.
cpan shell -- CPAN exploration and modules installation (v1.7601)
ReadLine support available (try 'install Bundle::CPAN')
cpan>
- Install IP::Country::Fast.
cpan> install IP::Country::Fast
CPAN: Storable loaded ok
LWP not available
Fetching with Net::FTP:
ftp://ftp.kddilabs.jp/CPAN/authors/01mailrc.txt.gz
Going to read /var/root/.cpan/sources/authors/01mailrc.txt.gz
CPAN: Compress::Zlib loaded ok
LWP not available
Fetching with Net::FTP:
ftp://ftp.kddilabs.jp/CPAN/modules/02packages.details.txt.gz
Going to read /var/root/.cpan/sources/modules/02packages.details.txt.gz
Database was generated on Wed, 12 Jul 2006 16:29:12 GMT
HTTP::Date not available
There's a new CPAN.pm version (v1.87) available!
[Current version is v1.7601]
You might want to try
install Bundle::CPAN
reload cpan
without quitting the current session. It should be a seamless upgrade
while we are running...
LWP not available
Fetching with Net::FTP:
ftp://ftp.kddilabs.jp/CPAN/modules/03modlist.data.gz
Going to read /var/root/.cpan/sources/modules/03modlist.data.gz
Going to write /var/root/.cpan/Metadata
Running install for module IP::Country::Fast
Running make for N/NW/NWETTERS/IP-Country-2.21.tar.gz
LWP not available
Fetching with Net::FTP:
ftp://ftp.kddilabs.jp/CPAN/authors/id/N/NW/NWETTERS/IP-Country-2.21.tar.gz
CPAN: Digest::MD5 loaded ok
LWP not available
Fetching with Net::FTP:
ftp://ftp.kddilabs.jp/CPAN/authors/id/N/NW/NWETTERS/CHECKSUMS
Checksum for /var/root/.cpan/sources/authors/id/N/NW/NWETTERS/IP-Country-2.21.tar.gz ok
Scanning cache /var/root/.cpan/build for sizes
IP-Country-2.21/
IP-Country-2.21/INSTALL
IP-Country-2.21/CHANGES
IP-Country-2.21/MANIFEST
IP-Country-2.21/lib/
IP-Country-2.21/lib/IP/
IP-Country-2.21/lib/IP/Authority/
IP-Country-2.21/lib/IP/Authority/ipauth.gif
IP-Country-2.21/lib/IP/Authority/auth.gif
IP-Country-2.21/lib/IP/Country.pm
IP-Country-2.21/lib/IP/Country/
IP-Country-2.21/lib/IP/Country/MaxMind.pm
IP-Country-2.21/lib/IP/Country/Fast/
IP-Country-2.21/lib/IP/Country/Fast/ip.gif
IP-Country-2.21/lib/IP/Country/Fast/cc.gif
IP-Country-2.21/lib/IP/Country/Medium.pm
IP-Country-2.21/lib/IP/Country/Fast.pm
IP-Country-2.21/lib/IP/Country/Slow.pm
IP-Country-2.21/lib/IP/Authority.pm
IP-Country-2.21/dbmScripts/
IP-Country-2.21/dbmScripts/getFiles.pl
IP-Country-2.21/dbmScripts/ipauth_maker.pl
IP-Country-2.21/dbmScripts/ipauth_loader.pl
IP-Country-2.21/dbmScripts/ipcc_loader.pl
IP-Country-2.21/dbmScripts/ipcc_maker.pl
IP-Country-2.21/README
IP-Country-2.21/t/
IP-Country-2.21/t/05fast_bench.t
IP-Country-2.21/t/04auth_lookup.t
IP-Country-2.21/t/03medium_lookup.t
IP-Country-2.21/t/01object_creation.t
IP-Country-2.21/t/02fast_lookup.t
IP-Country-2.21/Makefile.PL
IP-Country-2.21/bin/
IP-Country-2.21/bin/ip2cc.PL
IP-Country-2.21/META.yml
CPAN.pm: Going to build N/NW/NWETTERS/IP-Country-2.21.tar.gz
Checking if your kit is complete...
Looks good
Writing Makefile for IP::Country
cp lib/IP/Country/Medium.pm blib/lib/IP/Country/Medium.pm
cp lib/IP/Country/Fast.pm blib/lib/IP/Country/Fast.pm
cp lib/IP/Authority.pm blib/lib/IP/Authority.pm
cp lib/IP/Country/Fast/cc.gif blib/lib/IP/Country/Fast/cc.gif
cp lib/IP/Authority/ipauth.gif blib/lib/IP/Authority/ipauth.gif
cp lib/IP/Country/MaxMind.pm blib/lib/IP/Country/MaxMind.pm
cp lib/IP/Authority/auth.gif blib/lib/IP/Authority/auth.gif
cp lib/IP/Country/Slow.pm blib/lib/IP/Country/Slow.pm
cp lib/IP/Country.pm blib/lib/IP/Country.pm
cp lib/IP/Country/Fast/ip.gif blib/lib/IP/Country/Fast/ip.gif
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" bin/ip2cc.PL bin/ip2cc
Extracting ip2cc (with variable substitutions)
cp bin/ip2cc blib/script/ip2cc
/usr/bin/perl "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/ip2cc
Manifying blib/man1/ip2cc.1
Manifying blib/man3/IP::Authority.3pm
Manifying blib/man3/IP::Country::Fast.3pm
Manifying blib/man3/IP::Country::Medium.3pm
Manifying blib/man3/IP::Country::MaxMind.3pm
Manifying blib/man3/IP::Country::Slow.3pm
Manifying blib/man3/IP::Country.3pm
/usr/bin/make -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
'blib/lib', 'blib/arch')" t/*.t
t/01object_creation....ok
t/02fast_lookup........ok
t/03medium_lookup......ok
t/04auth_lookup........ok
t/05fast_bench.........ok 1/1 # random find (58%, 8191 lookups/sec)
t/05fast_bench.........ok
All tests successful.
Files=5, Tests=93, 11 wallclock secs ( 3.26 cusr + 0.11 csys = 3.37 CPU)
/usr/bin/make test -- OK
Running make install
Installing /Library/Perl/5.8.6/IP/Authority.pm
Installing /Library/Perl/5.8.6/IP/Country.pm
Installing /Library/Perl/5.8.6/IP/Authority/auth.gif
Installing /Library/Perl/5.8.6/IP/Authority/ipauth.gif
Installing /Library/Perl/5.8.6/IP/Country/Fast.pm
Installing /Library/Perl/5.8.6/IP/Country/MaxMind.pm
Installing /Library/Perl/5.8.6/IP/Country/Medium.pm
Installing /Library/Perl/5.8.6/IP/Country/Slow.pm
Installing /Library/Perl/5.8.6/IP/Country/Fast/cc.gif
Installing /Library/Perl/5.8.6/IP/Country/Fast/ip.gif
Installing /usr/local/man/man1/ip2cc.1
Installing /usr/local/man/man3/IP::Authority.3pm
Installing /usr/local/man/man3/IP::Country.3pm
Installing /usr/local/man/man3/IP::Country::Fast.3pm
Installing /usr/local/man/man3/IP::Country::MaxMind.3pm
Installing /usr/local/man/man3/IP::Country::Medium.3pm
Installing /usr/local/man/man3/IP::Country::Slow.3pm
Installing /usr/bin/ip2cc
Writing /Library/Perl/5.8.6/darwin-thread-multi-2level/auto/IP/Country/.packlist
Appending installation info to //System/Library/Perl/5.8.6/darwin-thread-multi-2level/perllocal.pod
/usr/bin/make install -- OK
cpan>
- It appears to have installed without problems.
- Exit the CPAN shell.
cpan> quit
Terminal does not support GetHistory.
Lockfile removed.
iMacG5:/Users/shinnai root#
3. Creating the script
- Installing the library alone does nothing, so create a Perl program that calls it.
iMacG5:/Users/shinnai root# cat IPCountry.pl
#!/usr/bin/perl
use IP::Country::Fast;
# Load the bundled IP-to-country table, then print the two-letter country code for the IP given as the first argument.
my $reg = IP::Country::Fast->new();
print $reg->inet_atocc($ARGV[0]) . "\n";
iMacG5:/Users/shinnai root#
iMacG5:/Users/shinnai root# chmod ogu+x IPCountry.pl
iMacG5:/Users/shinnai root# ls -la IPCountry.pl
-rwxr-xr-x 1 shinnai shinnai 117 Jul 13 15:02 IPCountry.pl
iMacG5:/Users/shinnai root#
iMacG5:/Users/shinnai root# /usr/bin/perl IPCountry.pl 202.232.190.90
JP
iMacG5:/Users/shinnai root#
4. Investigating various things
- Here is one day's worth of unauthorized access attempts against my server, taken from the LogWatch service.
--------------------- pam_unix Begin ------------------------
sshd:
Invalid Users:
Unknown Account: 202 Time(s)
Authentication Failures:
mysql (202.108.87.10 ): 2 Time(s)
ftp (202.108.87.10 ): 2 Time(s)
unknown (218.1.65.196 ): 48 Time(s)
postgres (202.108.87.10 ): 2 Time(s)
unknown (202.108.87.10 ): 154 Time(s)
root (61.185.32.47 ): 31 Time(s)
root (202.108.87.10 ): 214 Time(s)
---------------------- pam_unix End -------------------------
- Let's look at the IP address that made nearly 400 attempts within 24 hours.
- Look up the country code of this IP address.
iMacG5:/Users/shinnai root# /usr/bin/perl IPCountry.pl 202.108.87.10
CN
iMacG5:/Users/shinnai root#
- Which country the resulting country code actually indicates can be confirmed with the list published by ISO.
- ISO 3166 2-letter country codes
- English country name
- Checking this, CN turns out to be China.
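Doing the lookup for every address in the report at once, rather than one IP at a time: an added example (not part of the original page) that parses the pam_unix block in the shape LogWatch prints above, sums failures per source IP, and totals them per country with IP::Country::Fast. The sample block is constructed inline, and the handling of '**' (what the module returns for an address absent from its table) is an assumption noted in the code.

```perl
#!/usr/bin/perl
# Added example (not from the page): summarise a LogWatch pam_unix section per source IP and per country.
use strict;
use warnings;
use IP::Country::Fast;
# Constructed sample in the shape LogWatch prints: "<user> (<ip> ): N Time(s)".
my $logwatch = <<'END';
--------------------- pam_unix Begin ------------------------
mysql (202.108.87.10 ): 2 Time(s)
ftp (202.108.87.10 ): 2 Time(s)
unknown (218.1.65.196 ): 48 Time(s)
postgres (202.108.87.10 ): 2 Time(s)
unknown (202.108.87.10 ): 154 Time(s)
root (61.185.32.47 ): 31 Time(s)
root (202.108.87.10 ): 214 Time(s)
---------------------- pam_unix End -------------------------
END
# Sum failures per source IP from the "user (ip ): N Time(s)" lines; other lines are skipped.
sub count_by_ip {
    my ($text) = @_;
    my %per_ip;
    for my $line (split /\n/, $text) {
        next unless $line =~ /\((\d{1,3}(?:\.\d{1,3}){3})\s*\):\s*(\d+)\s+Time\(s\)/;
        $per_ip{$1} += $2;
    }
    return \%per_ip;
}
# Map each IP to a country code. Assumption: an address missing from the bundled table
# comes back as '**' (or undef); report it as 'unknown' instead of dropping it.
sub summarise {
    my ($per_ip) = @_;
    my $reg = IP::Country::Fast->new();
    my (%per_cc, %cc_of);
    for my $ip (keys %$per_ip) {
        my $cc = $reg->inet_atocc($ip);
        $cc = 'unknown' if !defined $cc || $cc eq '**';
        $cc_of{$ip} = $cc;
        $per_cc{$cc} += $per_ip->{$ip};
    }
    return (\%per_cc, \%cc_of);
}
my $per_ip = count_by_ip($logwatch);
my ($per_cc, $cc_of) = summarise($per_ip);
for my $ip (sort { $per_ip->{$b} <=> $per_ip->{$a} } keys %$per_ip) {
    printf "%-16s %-8s %5d failures\n", $ip, $cc_of->{$ip}, $per_ip->{$ip};
}
for my $cc (sort { $per_cc->{$b} <=> $per_cc->{$a} } keys %$per_cc) {
    printf "%-8s %5d failures in total\n", $cc, $per_cc->{$cc};
}
```

Feeding the real pam_unix block from a LogWatch mail instead of the constructed sample shows at a glance which countries the bulk of the failed logins come from, which is the information the per-country measure mentioned in the introduction needs.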