@gmodena
Created March 16, 2011 10:45
Mine failed login attempts from auth.log and display them on a map (static google map or KML file)
import argparse
import json
import re
import urllib
import urllib2
from itertools import imap

import simplekml
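# Lookup endpoint; note it is plain HTTP, so every queried address leaves the
# host unencrypted.
BASE = "http://freegeoip.net/json/%(ip4)s"

# Each pattern has one named group, "host", holding the remote address.
# The optional "::f{4,6}:" prefix presumably strips an IPv4-mapped IPv6
# form such as "::ffff:" before the address proper.
r1 = r'Authentication failure for .* from (?:::f{4,6}:)?(?P<host>\S+)'
r2 = r'[iI](?:llegal|nvalid) user .* from (?:::f{4,6}:)?(?P<host>\S+)'
r3 = r'Failed [-/\w]+ for .* from (?:::f{4,6}:)?(?P<host>\S+)'
r4 = r'reverse mapping checking getaddrinfo .* \[(?:::f{4,6}:)?(?P<host>\S+)\]'

# Built as a list rather than map(): under Python 3 map() is a one-shot
# iterator, so only the first log line would ever be matched against anything.
patterns = [re.compile(p) for p in (r1, r2, r3, r4)]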
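def geolocate(ip="", timeout=10):
    """Look up *ip* with the freegeoip JSON service.

    Args:
        ip: address to look up, as read from the log (untrusted text).
        timeout: seconds to wait for the HTTP response before giving up.

    Returns:
        The decoded JSON dict, or ``{}`` when the request fails or the body
        is not valid JSON. Failures are swallowed on purpose so that one
        unreachable address does not abort a whole map.

    >>> geolocate("208.86.225.120")
    {'city': 'Raleigh', 'region_code': 'NC', 'region_name': 'North Carolina', 'metrocode': '560', 'zipcode': '27608', 'longitude': '-78.646', 'latitude': '35.8116', 'country_code': 'US', 'ip': '208.86.225.120', 'country_name': 'United States'}
    """
    # *ip* is captured by a \S+ group from the log; quote it so it can only
    # ever form a single path segment of the lookup URL.
    url = BASE % {"ip4": urllib.quote(ip, safe=":")}
    try:
        resp = urllib2.urlopen(url, timeout=timeout)
        try:
            body = resp.read()
        finally:
            resp.close()
        return json.loads(body)
    except (IOError, ValueError):
        # URLError/HTTPError and socket errors are IOErrors; json.loads
        # raises ValueError on a malformed body. Anything else propagates.
        return {}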
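def parse_authlog(authlog=""):
    """Yield the remote host of every failed-login line in *authlog*.

    Args:
        authlog: any iterable of log lines (typically an open file).

    Yields:
        The ``host`` group of the first pattern in ``patterns`` that matches
        a line, in log order. A host is yielded once per matching line even
        when several patterns match that line, so repeats reflect repeated
        attempts rather than overlapping patterns. Lines matching nothing
        are skipped; an empty or None *authlog* yields nothing.
    """
    if not authlog:
        return
    for line in authlog:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                yield match.group("host")
                # Stop at the first hit: r2 and r3 can both match one line
                # and would otherwise report the same attempt twice.
                break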
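def staticmap(ips):
    """Build a Google static-map URL with one marker per geolocated *ip*.

    Args:
        ips: iterable of address strings; each is passed to ``geolocate``.

    Returns:
        The static-map URL as a str. Addresses that do not geolocate are
        left out of the marker list.

    >>> staticmap(['208.86.225.120'])
    'http://maps.google.com/maps/api/staticmap?center=0,0&zoom=0&size=800x800&markers=35.8116,-78.646&sensor=false'
    """
    def markers(ips):
        """Yield one marker string per address that geolocates.

        >>> "|".join(markers(['186.22.60.105', '69.63.189.16', '122.166.60.140']))
        '-34,-64|37.4429,-122.151|12.9833,77.5833'
        """
        for loc in (geolocate(ip) for ip in ips):
            # A marker needs both coordinates; a response carrying only one
            # of them is treated like a miss rather than raising KeyError.
            if "latitude" in loc and "longitude" in loc:
                yield "%(lat)s,%(lon)s" % {"lat": str(loc["latitude"]),
                                           "lon": str(loc["longitude"])}
            elif "country" in loc:
                yield loc["country"]

    gmaps = "http://maps.google.com/maps/api/staticmap?center=0,0&zoom=0&size=800x800&markers="
    return "%s%s%s" % (gmaps, "|".join(markers(ips)), "&sensor=false")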
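def kmlmap(ips, output="default.kml"):
    """Write a KML file with one placemark per geolocated *ip*.

    Args:
        ips: iterable of address strings; each is passed to ``geolocate``.
        output: path the KML document is saved to.

    Placemarks are named from whichever of city, region_name, country_name
    and country_code the lookup returned. Addresses that fail to geolocate,
    or come back without both coordinates, are skipped instead of raising.
    """
    kml = simplekml.Kml()
    name_keys = ("city", "region_name", "country_name", "country_code")
    for loc in (geolocate(ip) for ip in ips):
        if not loc or "longitude" not in loc or "latitude" not in loc:
            continue
        # Missing name fields are simply dropped from the label.
        parts = (loc.get(key) for key in name_keys)
        name = ", ".join(part.encode('utf-8') for part in parts if part)
        kml.newpoint(name=name,
                     coords=[(float(loc["longitude"]), float(loc["latitude"]))])
    kml.save(output)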
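if __name__ == '__main__':
    def args():
        """Parse the command line; exactly one input source is required."""
        parser = argparse.ArgumentParser()
        parser.add_argument("--authlog", dest="authlog", default=None,
                            help="auth.log to mine for failed logins")
        parser.add_argument("--ip-list", dest="ip_list", default=None,
                            help="file with one address per line")
        parser.add_argument("--kmlmap", dest="kml", default=None,
                            help="write a KML file here instead of printing a static-map URL")
        opt = parser.parse_args()
        if not (opt.authlog or opt.ip_list):
            # Without this guard there would be no input to read at all.
            parser.error("one of --authlog or --ip-list is required")
        return opt

    opt = args()
    # The with-block closes the input file on every path, including the
    # auth.log handle that parse_authlog consumes.
    with open(opt.authlog or opt.ip_list, 'r') as source:
        if opt.authlog:
            logdata = parse_authlog(source)
        else:
            # Strip the newline so it is not sent as part of the address.
            logdata = (line.strip() for line in source)
        if opt.kml:
            kmlmap(logdata, output=opt.kml)
        else:
            print(staticmap(logdata))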