where-are-the-scanners

This tool visualizes the location of the scanners.


See it in action

https://makelove.expert/tmp/where-are-the-scanners/?protocol=ssh%2Cnginx&target=2a03:4000:64:99:0:0:0:xxxx&min_cnt=2

Usage

Getting IP addresses of scanners

  • Change the log paths in ./log_parsers/*.sh and execute the scripts. For convenience: for f in ./log_parsers/*.sh; do bash "$f"; done | tee ip.csv
  • Optionally, set SINCE_MINUTES_AGO to specify the time range of logs to parse, e.g. for f in ./log_parsers/*.sh; do SINCE_MINUTES_AGO=1440 bash "$f"; done | tee ip.csv. The default is 10 minutes.

Currently supported log parsers:

  • sshd
  • nginx
  • traefik v2 (with JSON format)

You may also get the IP addresses of scanners from other sources. Each line must have the format <epoch_timestamp>,<target_ip>,<source_ip>,<protocol_or_service_name>.
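The log parsers emit that four-field CSV one line per event. As an added example (not one of the repository's log_parsers/*.sh scripts), here is a Python equivalent for sshd and nginx that shows where each field comes from and how the SINCE_MINUTES_AGO window drops old lines while malformed or irrelevant lines are discarded instead of emitted. TARGET_IP, the sample log lines and the assumption that sshd timestamps are traditional syslog format in UTC are the example's own.

```python
"""Turn sshd and nginx access-log lines into the CSV format this tool expects:

    <epoch_timestamp>,<target_ip>,<source_ip>,<protocol_or_service_name>

Added example, not one of the repository's log_parsers/*.sh scripts. The lines
in SAMPLE_* are constructed, TARGET_IP is an assumed value, and sshd timestamps
are assumed to be in the traditional syslog format (no year) and in UTC.
"""
import os
import re
import sys
from datetime import datetime, timezone

TARGET_IP = "192.0.2.10"  # assumed: address of the host whose logs are parsed

# sshd: "... sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2"
#       "... sshd[1234]: Invalid user admin from 203.0.113.7 port 51522"
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*?from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)
# nginx combined format: '203.0.113.5 - - [03/Mar/2024:10:15:07 +0000] "GET /.env HTTP/1.1" 404 ...'
NGINX_RE = re.compile(r'^(?P<ip>[0-9A-Fa-f.:]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')


def sshd_to_row(line, year, target_ip=TARGET_IP):
    """One sshd line -> (epoch, target, source, 'ssh'), or None if it is not a login failure."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day']} {m['hms']}"  # syslog omits the year; caller supplies it
    dt = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (int(dt.timestamp()), target_ip, m["ip"], "ssh")


def nginx_to_row(line, target_ip=TARGET_IP):
    """One nginx access-log line -> (epoch, target, source, 'nginx'), or None if unparseable."""
    m = NGINX_RE.search(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # offset-aware, so epoch is exact
    return (int(dt.timestamp()), target_ip, m["ip"], "nginx")


def to_csv_rows(lines, parser, now, since_minutes):
    """Apply `parser` to each line and keep rows no older than now - since_minutes
    (the SINCE_MINUTES_AGO window). Lines the parser rejects are dropped."""
    cutoff = now - since_minutes * 60
    rows = []
    for line in lines:
        row = parser(line)
        if row is not None and row[0] >= cutoff:
            rows.append(",".join(str(field) for field in row))
    return rows


# Constructed sample input; documentation address ranges only.
SAMPLE_SSHD = [
    "Mar  3 10:15:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "Mar  3 09:55:00 host sshd[1200]: Invalid user test from 198.51.100.9 port 40000",
    "Mar  3 10:16:00 host sshd[1250]: Accepted publickey for ops from 192.0.2.20 port 50000 ssh2",
]
SAMPLE_NGINX = [
    '203.0.113.5 - - [03/Mar/2024:10:15:07 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    "this line is not an access-log entry",
]
SAMPLE_NOW = 1709461200  # 2024-03-03 10:20:00 UTC; fixed instead of time.time() for reproducible output

if __name__ == "__main__":
    since = int(os.environ.get("SINCE_MINUTES_AGO", "10"))  # same knob as the repository's scripts
    rows = to_csv_rows(SAMPLE_SSHD, lambda l: sshd_to_row(l, 2024), SAMPLE_NOW, since)
    rows += to_csv_rows(SAMPLE_NGINX, nginx_to_row, SAMPLE_NOW, since)
    sys.stdout.write("\n".join(rows) + "\n")
```

With the default 10-minute window only the two 10:15 events survive; SINCE_MINUTES_AGO=1440 also keeps the 09:55 failure. The successful "Accepted publickey" line is never emitted, since only authentication failures indicate scanning.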

Getting the location of the IP addresses

First you need the IP databases. You can download them from https://db-ip.com/db/download/ip-to-city-lite and https://db-ip.com/db/download/ip-to-asn-lite for free (licensing terms apply).

pip install -r requirements.txt
export MMMDB_CITY_PATH=/path/to/dbip-city.mmdb
export MMMDB_ASN_PATH=/path/to/dbip-asn.mmdb
python3 ./ip2geo.py < ip.csv > data.json

Alternatively, you can use Docker to run the script:

docker build -t ip2geo .
docker run --rm -i -e MMMDB_CITY_PATH=/path/to/dbip-city.mmdb -e MMMDB_ASN_PATH=/path/to/dbip-asn.mmdb -v /path/to/dbip-city.mmdb:/path/to/dbip-city.mmdb:ro -v /path/to/dbip-asn.mmdb:/path/to/dbip-asn.mmdb:ro ip2geo < ip.csv > data.json

The -e and -v options must come before the image name, otherwise they are passed to the script as arguments; -i (not -t) is needed so that ip.csv reaches the container's stdin, and the database files have to be mounted at the paths the environment variables point to.

Or use Docker Compose:

docker compose build
docker compose run -T ip2geo < ip.csv > data.json

Edit MMDB paths and volume binds in docker-compose.yml if necessary.
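What the geolocation step has to cope with, as an added example that is not the repository's ip2geo.py (so its JSON layout is the example's own, not the project's data.json): every CSV field is validated, source addresses that cannot be Internet scanners (RFC 1918, loopback, link-local, CGNAT) are skipped, and addresses missing from the databases yield null fields instead of a crash. The MMDB record layout assumed is the GeoLite2-style one used by the DB-IP lite files ('city'/'names'/'en', 'location'/'latitude'/'longitude', 'autonomous_system_number', 'autonomous_system_organization'); that is an assumption, as is the maxminddb package. The lookups are passed in as callables so the module runs without the .mmdb files, and the MMMDB_CITY_PATH/MMMDB_ASN_PATH names are the ones from the commands above.

```python
"""Enrich CSV rows with city and ASN data: the step ip2geo.py performs.

Added example, not the repository's ip2geo.py. Assumptions: GeoLite2-style MMDB
record layout (as in the DB-IP lite files) and the maxminddb package for the real
lookups. SAMPLE_CSV and the FAKE_* databases are constructed test data.
"""
import ipaddress
import json
import os
import sys

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_non_routable(ip):
    """True for source addresses that cannot have reached a public host from the Internet."""
    return any(ip in net for net in NON_ROUTABLE)  # version mismatch simply yields False


def parse_row(line):
    """Validate one <epoch>,<target_ip>,<source_ip>,<protocol> line; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 4 or not parts[3]:
        return None
    try:
        return int(parts[0]), ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), parts[3]
    except ValueError:  # non-numeric timestamp or malformed address
        return None


def enrich(lines, city_get, asn_get):
    """Return one dict per usable row. city_get/asn_get take an IP string and return
    the MMDB record or None, the same contract as maxminddb.Reader.get."""
    records = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        ts, target, source, proto = row
        if is_non_routable(source):
            continue
        city = city_get(str(source)) or {}   # unknown address -> empty record, not an error
        asn = asn_get(str(source)) or {}
        location = city.get("location", {})
        records.append({
            "timestamp": ts, "target": str(target), "source": str(source), "protocol": proto,
            "country": city.get("country", {}).get("iso_code"),
            "city": city.get("city", {}).get("names", {}).get("en"),
            "latitude": location.get("latitude"), "longitude": location.get("longitude"),
            "asn": asn.get("autonomous_system_number"),
            "org": asn.get("autonomous_system_organization"),
        })
    return records


def open_mmdb_lookups(city_path, asn_path):
    """Real lookups backed by the .mmdb files (assumes the maxminddb package)."""
    import maxminddb  # imported lazily so the rest of the module works without it
    return maxminddb.open_database(city_path).get, maxminddb.open_database(asn_path).get


# Constructed sample input and fake databases (documentation ranges; AS64496 is a documentation ASN).
SAMPLE_CSV = [
    "1709460902,192.0.2.10,203.0.113.7,ssh",
    "1709460907,192.0.2.10,203.0.113.5,nginx",
    "1709460910,192.0.2.10,10.0.0.5,ssh",             # RFC 1918 source: skipped
    "not-a-timestamp,192.0.2.10,203.0.113.5,nginx",   # malformed: skipped
    "1709460912,192.0.2.10,198.51.100.9,ssh",         # absent from the fake databases: null fields
]
FAKE_CITY = {
    "203.0.113.7": {"country": {"iso_code": "XA"}, "city": {"names": {"en": "Exampleville"}},
                    "location": {"latitude": 12.5, "longitude": -3.25}},
    "203.0.113.5": {"country": {"iso_code": "XB"}, "location": {"latitude": 0.0, "longitude": 0.0}},
}
FAKE_ASN = {
    "203.0.113.7": {"autonomous_system_number": 64496, "autonomous_system_organization": "EXAMPLE-AS"},
}

if __name__ == "__main__":
    if "--sample" in sys.argv:  # offline demo on the constructed data
        city_get, asn_get, lines = FAKE_CITY.get, FAKE_ASN.get, SAMPLE_CSV
    else:                       # real run: python3 enrich.py < ip.csv > data.json
        city_get, asn_get = open_mmdb_lookups(os.environ["MMMDB_CITY_PATH"], os.environ["MMMDB_ASN_PATH"])
        lines = sys.stdin
    json.dump(enrich(lines, city_get, asn_get), sys.stdout, indent=1)
```

Skipping non-routable sources matters because log parsers pick up internal monitoring and misconfigured proxies alike; without the check those addresses would either fail the lookup or be plotted at the database's placeholder coordinates.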

Visualize the location of the scanners

Related discussions (not directly related to this repository)

License

Unless otherwise specified, all files in this repository are licensed under the MIT license. See the LICENSE file for more information.