Geolocate Fail2Ban IP Using IP2Location

This tutorial will show you how to retrieve the geolocation information for the banned IP addresses reported inside the fail2ban log file. Depending on the IP2Location BIN data that you are using for the lookup, you could get very detailed information like below if you are using the IP2Location DB26 BIN data to geolocate Fail2Ban IP address.

  • Country
  • Region
  • City
  • Latitude & Longitude
  • ZIP Code
  • ISP
  • Domain
  • Time Zone
  • Net Speed
  • Area Code
  • Weather Station Information
  • Mobile Information
  • Elevation
  • Usage Type
  • Address Type
  • Category
  • District
  • ASN

In this tutorial, we will use the IP2Location DB11 BIN data, which will display information regarding the country, region, city, latitude & longitude, ZIP code and time zone. For the BIN data lookup, we will use the IP2Location Python Library. However, you may use other Open Source Libraries, e.g. C, Perl or others, whichever you may prefer.

First of all, you will need to install the IP2Location Python library if you haven’t done so. Follow the instructions at to install the IP2Location Python library.

Next, you will need to download the IP2Location DB11 BIN data. Login to your account and download the file.


This simple script will read the IP information from the fail2ban log file and retrieve the location information from the IP2Location BIN data

Create a Python script as below:

import re
import IP2Location;
IP2LocObj = IP2Location.IP2Location();"PATH/TO/IP2LOCATION/BIN/DATABASE");
f = open('/var/log/fail2ban.log', 'r')
pattern = r".*?Ban\s*?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"
p = re.compile(pattern)
for i in f:
    m = p.match(i)
    if m:
        ip =
        rec = IP2LocObj.get_all(ip);
        print "%s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %)" % (ip, rec.country_short, rec.country_long, rec.region,, rec.latitude, rec.longitude, rec.zipcode, rec.timezone)

Then, you can run this script to review IP addresses that have been banned by Fail2Ban.


You will see the below output: (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)


You can also enable Geolocation information in Fail2Ban logs. Edit the file /usr/share/fail2ban/server/

Add the following lines after import time, logging

import IP2Location;
IP2LocObj = IP2Location.IP2Location();"PATH/TO/IP2LOCATION/BIN/DATABASE");

Find the following line:

logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))

And replace with following lines:

rec = IP2LocObj.get_all(aInfo["ip"]);
logSys.warn("[%s] Ban %s (%s, %s, %s, %s [%s, %s] ZIP: %s TZ: %)" % (self.jail.getName(), aInfo["ip"], rec.country_short, rec.country_long, rec.region,, rec.latitude, rec.longitude, rec.zipcode, rec.timezone))

Your Fail2Ban log will now looks more informative as below:

2016-09-14 20:01:23,650 fail2ban.actions[17751]: WARNING [ssh] Ban (US, United States, California, Mountain View [37.405992, -122.078515] ZIP: 94043 TZ: -07:00)


Find a solution that fits.

Was this article helpful?

Related Articles