ucspi-tcp-geoip and ucspi-tcp-geoipmmd

ucspi-tcp-geoip is a modification of Dan Bernstein’s ucspi-tcp package. We added support to tcpserver to allow or block connections based on the GeoIP country code of the connecting IP. We also added support to save the process id to a file to help init scripts kill the service. It is based on the old GeoIP libraries.

ucspi-tcp-geoipmmd is the same as ucspi-tcp-geoip except it is based on the new GeoLite2 library and database.

Download latest version based on the old GeoIP library and Databases.

Download latest version based on the new GeoIP2 Lite library and databases.

To use ucspi-tcp-geoipmmd, first install the new GeoIP2 library:

  • Download library here
  • Unpack library: tar zxf libmaxminddb-1.4.2.tar.gz
  • Change directory: cd libmaxminddb-1.4.2
  • Configure: ./configure
  • Compile the library: make
  • Check the build: make check
  • Install: make install
  • Make sure /etc/ld.so.conf or another conf file includes /usr/local/bin/, then update with "ldconfig"
  • Sign up for access to the GeoIP2 Lite database here
  • Once you are approved, download GeoLite2-Country.mmdb to /usr/share/GeoIP
  • Then you are ready to build and run ucspi-tcp-geoipmmd
    Features

    • -w path-to-pid file
    • DENYCOUNTRY environment variable
    • Set DENYCOUNTRY to a comma-separated list of 2-character country codes that you want to deny access to. The connecting IP is looked up in the GeoIP public database. If the country is listed in the DENYCOUNTRY environment variable then tcpserver drops the connection. Otherwise the connection is allowed. For example, if you want to drop connections from the United States and Canada then set DENYCOUNTRY="US,CA"

    • ALLOWCOUNTRY environment variable
    • Set ALLOWCOUNTRY to a comma-separated list of 2-character country codes that you want to allow access to. If the connecting IP country code is not in the list then tcpserver drops the connection. Otherwise the connection is allowed. For example, if you only want to allow connections from the United States and Canada then set ALLOWCOUNTRY="US,CA".

    • You can use either DENYCOUNTRY or ALLOWCOUNTRY or neither.
    • If DENYCOUNTRY and ALLOWCOUNTRY are not set then no connections will be blocked.

    • 2-character country code is added to the end of the tcpserver log line.
    • If DENYCOUNTRY or ALLOWCOUNTRY is set then the 2-character country code is added to the end of the tcpserver log line for " ok " or " deny ". For example: tcpserver: deny 4252 mail.inter7.com:X.X.X.XX:110 :Z.Z.Z.Z::56134:US
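
The decision rules above, written out as a small shell model (an added example, not code from ucspi-tcp-geoip). The function names are hypothetical, an empty code stands for an IP the database cannot place, and the behaviour with both variables set is not documented on this page, so the model refuses that case. It also assumes tcpserver reads only the two documented variable names.

```sh
#!/bin/sh
# Model of the documented country rules (added example, not tcpserver source).

# in_list CC LIST: succeed if CC is one of the comma-separated codes in LIST.
in_list() {
    [ -n "$1" ] || return 1            # empty code = no country found for the IP
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# geo_verdict CC: print "ok" or "deny" using the current environment.
geo_verdict() {
    if [ -n "${ALLOWCOUNTRY:-}" ] && [ -n "${DENYCOUNTRY:-}" ]; then
        echo "both variables set: behaviour not documented" >&2
        return 2
    elif [ -n "${ALLOWCOUNTRY:-}" ]; then
        # Allow list: anything not listed is dropped, unknown country included.
        if in_list "$1" "$ALLOWCOUNTRY"; then echo ok; else echo deny; fi
    elif [ -n "${DENYCOUNTRY:-}" ]; then
        # Deny list: anything not listed is allowed, unknown country included.
        if in_list "$1" "$DENYCOUNTRY"; then echo deny; else echo ok; fi
    else
        echo ok                        # neither variable set: nothing is blocked
    fi
}

# geo_env_typos: print exported names that resemble the two documented
# variables without being exactly them (e.g. DENY_COUNTRY). Assumption:
# tcpserver reads only the documented names, so such a variable is ignored.
geo_env_typos() {
    env | sed 's/=.*//' |
        grep -i -E '^(deny|allow)[^A-Za-z]*countr(y|ies)$' |
        grep -v -x -e DENYCOUNTRY -e ALLOWCOUNTRY
}

# Constructed demo: a deny list and an IP the database cannot place.
if [ "${1:-}" = "demo" ]; then
    DENYCOUNTRY="XX,YY"; unset ALLOWCOUNTRY
    echo "XX -> $(geo_verdict XX)   unknown -> $(geo_verdict '')"
fi
```

As the rules are written, a deny list lets an unplaced IP through while an allow list drops it, and a misspelled variable name leaves tcpserver with no filter at all.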

    Example start up line for qmail pop3 connections.

    This allows connections only from IPs that the GeoIP database identifies as being in country AA (a fake country code).

    env - PATH="/var/qmail/bin:/usr/local/bin:$PATH" \
    ALLOWCOUNTRY="AA" \
    tcpserver -vHRD -l$HOSTNAME -c100 -w /var/run/pop3.pid \
    0.0.0.0 110 /var/qmail/bin/qmail-popup $HOSTNAME \
    /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d \
    Maildir 2>&1 | /usr/local/bin/setuidgid qmaill \
    /usr/local/bin/multilog t n20 s1000000 /var/log/pop3 &

    If the connecting IP is not identified as being in the country AA then the connection is dropped.

    The -w option writes the process pid to /var/run/pop3.pid

    To stop tcpserver you could use

    kill -9 `cat /var/run/pop3.pid`

    Example start up line for qmail smtp connections

    This will block connections from IPs that are in (fake) countries XX, YY and ZZ.

    env - PATH="/var/qmail/bin:/usr/local/bin:$PATH" \
    DENYCOUNTRY="XX,YY,ZZ" \
    tcpserver -vRD -l$HOSTNAME -x /home/vpopmail/etc/tcp.smtp.cdb \
    -c300 -w /var/run/smtpd.pid 0 25 \
    /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1 | \
    /usr/local/bin/setuidgid qmaill \
    /usr/local/bin/multilog t n20 s4000000 /var/log/smtp &

    If the connecting IP is identified as being in Russia, China or Vietnam then the connection is dropped.

    -w option writes the process pid to /var/run/smtpd.pid

    To stop tcpserver you could use

    kill -9 `cat /var/run/smtpd.pid`

    2-character country codes can be found on the internet or at Wikipedia.

    News

    GeoLite2 Version 89 released April 1 2020.

    Version 89 released March 15 2020.

    Version 88 released March 9 2020.

    Reporting

    You can get a report of countries that were allowed to connect or a report of countries that were denied connections. For example:

    To get list of countries that were denied connections and a count for pop3 try:
    grep deny /var/log/pop3/current | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr

    or

    grep deny /var/log/pop3/* | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr

    It should have a count of the connections and the country code. For example:
    520 CN
    170 NL
    75 CA
    60 DE
    42 HK
    36 KR
    27 RU
    11 MD
    4 FR
    3 VN
    3 CL
    1 SC
    1 KE
    1 IR
    1 EG

    Or, to get a list of countries that were allowed connections, change deny to " ok ":
    grep " ok " /var/log/pop3/current | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr

    Output should have a count of the connections and the country code.
    35 US

    You could also run the report on any other tcpserver log files.
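
A stricter version of the report pipeline, as an added example rather than part of the original package: it reads the verdict from the word after "tcpserver:" instead of matching "deny" anywhere in the line, and counts ok and deny per country in one pass. The function names and log lines are constructed for illustration; lines logged without a country code are grouped under "--".

```sh
#!/bin/sh
# Per-country tally of tcpserver verdicts (added example).

# country_report: read log lines on stdin, print "COUNT VERDICT CC" lines.
country_report() {
    awk '
    {
        # Take the verdict from the word after "tcpserver:", not from a
        # substring match, so a host name containing "deny" is not miscounted.
        verdict = ""
        for (i = 1; i < NF; i++)
            if ($i == "tcpserver:") {
                if ($(i + 1) == "ok" || $(i + 1) == "deny") verdict = $(i + 1)
                break
            }
        if (verdict == "") next              # status, pid and end lines
        # The country code is whatever follows the last colon of the last field.
        n = split($NF, part, ":")
        cc = part[n]
        if (cc !~ /^[A-Z][A-Z]$/) cc = "--"  # line logged without a code
        count[verdict " " cc]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,3
}

# Constructed sample in multilog "t" format; addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
@400000005e8f1c2a00000001 tcpserver: status: 1/100
@400000005e8f1c2a00000002 tcpserver: pid 4252 from 203.0.113.5
@400000005e8f1c2a00000003 tcpserver: deny 4252 mail.example.com:192.0.2.10:110 :203.0.113.5::56134:CN
@400000005e8f1c2b00000001 tcpserver: ok 4253 mail.example.com:192.0.2.10:110 :198.51.100.7::40112:US
@400000005e8f1c2c00000001 tcpserver: deny 4254 mail.example.com:192.0.2.10:110 :203.0.113.9::51000:CN
@400000005e8f1c2d00000001 tcpserver: ok 4255 mail.example.com:192.0.2.10:110 deny.example.net:198.51.100.20::40200:US
@400000005e8f1c2e00000001 tcpserver: deny 4256 mail.example.com:192.0.2.10:110 :198.51.100.44::40300:NL
@400000005e8f1c2f00000001 tcpserver: ok 4257 mail.example.com:192.0.2.10:110 :198.51.100.45::40301
@400000005e8f1c3000000001 tcpserver: end 4252 status 256
EOF
}
```

Run it against a real log with country_report < /var/log/pop3/current; a sudden rise in the "--" row means connections are being logged without a country code.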

    Installation Instructions

    • For ucspi-tcp-pid-geoipmmd-89 be sure to first install libmaxminddb-1.4.2.tar.gz
    • Download the source
    • Unpack the source
    • tar zxf ucspi-tcp-pid-geoip-0.89.tar.gz or tar zxf ucspi-tcp-pid-geoipmmd-89.tar.gz

    • go into the source directory
    • cd ucspi-tcp-pid-geoip-0.89 or cd ucspi-tcp-pid-geoipmmd-89

    • build the source
    • make

    • install into /usr/local/bin/
    • make setup

    • to clean up the source code (remove .o files and binaries)
    • make clean

    Dependencies

  • GeoLite2 version requires libmaxminddb-1.4.2.tar.gz and the GeoLite2-Country.mmdb database, available if you sign up for a GeoLite2 account at MaxMind
  • GeoIP package required to run
  • On CentOS install GeoIP with yum install GeoIP

  • GeoIP development package required to build the software
  • On CentOS install it with yum install GeoIP-devel

Copyright © 2012