Fun with ipinfo.io, Postfix and SASL
Back of the napkin use of geolocation data to help validate connections to your services
I wrote previously about some basic use-cases of the incredibly awesome REST API from ipinfo.io for getting access to IP address data. That was great and all, but how can we make use of this in our day-to-day operations?
To begin, create a free account to gain access to the higher usage limit of 50,000 API requests per month. After creating an account, access your dashboard from https://ipinfo.io/account, scroll down to the bottom, and grab your access token. You’ll need this later.
When someone’s credentials get compromised by spammers, you’re sure to see an increase in logins from locations that aren’t normally seen. With just a little bash, we should be able to check these logins against where we think users should be logging in from.
Let’s look at an example where our company and all its users reside in the US. We want to send out an email whenever anyone authenticates from any IP address that isn’t based in the US.
Create a file ~/not_us.sh containing the example code below:
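The script itself did not survive on this page, so here is an added example of what the post describes, written for this edit rather than taken from the original post. It greps the Postfix log for sasl_username lines, drops the 192.168. internal block with grep -v, asks the ipinfo.io country endpoint (https://ipinfo.io/{ip}/country?token=...) for each remaining address, and mails a report if any login came from outside the US. The environment variable names, the postmaster@example.com recipient, the use of curl and mail, and the sample log lines are all assumptions made for the example; the token placeholder is the one from the post.

```shell
#!/bin/sh
# not_us.sh: report Postfix SASL logins from outside the home country using ipinfo.io.
# Added example for this post, not the author's original script.
# Usage: ./not_us.sh /var/log/mail.log   (from cron); with no argument it only loads the functions.
set -eu

# Assumed settings: replace the placeholder token and the internal block with your own.
TOKEN="${IPINFO_TOKEN:-00000000000000}"         # token=00000000000000 from the post
INTERNAL_PREFIX="${INTERNAL_PREFIX:-192.168.}"  # internal space that is never looked up
HOME_COUNTRY="${HOME_COUNTRY:-US}"              # two-letter code ipinfo.io returns
ALERT_TO="${ALERT_TO:-postmaster@example.com}"  # assumed recipient

# Extract "ip username" pairs from every SASL-authenticated smtpd line, drop the
# internal block with grep -v, and de-duplicate so each pair costs one API request.
extract_sasl_logins() {
    grep 'sasl_username' "$1" \
    | sed -n 's/.*client=[^[]*\[\([0-9.]*\)].*sasl_username=\([^, ]*\).*/\1 \2/p' \
    | grep -v "^$INTERNAL_PREFIX" \
    | sort -u
}

# Look up one address's country code (real network call; stub this out for offline tests).
lookup_country() {
    curl -s "https://ipinfo.io/$1/country?token=$TOKEN"
}

# Print "ip username country" for every login that did not come from HOME_COUNTRY.
find_foreign_logins() {
    extract_sasl_logins "$1" | while read -r ip user; do
        country=$(lookup_country "$ip" | tr -d '[:space:]')
        if [ "$country" != "$HOME_COUNTRY" ]; then
            printf '%s %s %s\n' "$ip" "$user" "$country"
        fi
    done
}

# Constructed sample log lines (not real traffic) so the parsing can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 mx1 postfix/smtpd[1234]: ABC123: client=host.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:05:44 mx1 postfix/smtpd[1240]: DEF456: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=mallory
Mar  3 10:06:10 mx1 postfix/smtpd[1241]: GHI789: client=desktop.corp.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=bob
Mar  3 10:07:00 mx1 postfix/smtpd[1242]: JKL012: client=host.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
EOF
}

# Mail the report only when there is something to report.
main() {
    report=$(find_foreign_logins "$1")
    if [ -n "$report" ]; then
        printf 'SASL logins from outside %s:\n%s\n' "$HOME_COUNTRY" "$report" \
        | mail -s "Non-$HOME_COUNTRY SASL logins on $(hostname)" "$ALERT_TO"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

The sort -u step matters for the quota: every distinct IP/user pair is looked up once per run rather than once per log line, and the internal block is dropped before any request is made.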
A couple things to be aware of:
- In this fictitious example, we are using 192.168 as our internal IP space so we do not want it checked. It’s listed after the grep -v. Replace 192.168. with your own internal network block.
- Don’t worry about the search term sasl_username. It will be the same regardless of whether you’re using Dovecot-SASL or Cyrus-SASL for SMTP authentication.
- Make sure to replace token=00000000000000 with the token from your IPinfo account.
Save the file and make it executable:
chmod +x ~/not_us.sh
Now run the script in cron to monitor your logs for compromises.
I hope to illustrate the ease and speed at which you can build something to improve your overall security awareness, using only free data provided by ipinfo.io and a few lines of bash.
Full disclosure: this purposefully simplistic example contains a few shortcomings. The first is that the script checks the entire log on every run. This uses up your request quota unnecessarily and is not very efficient. Second, employees can go on vacation or use VPNs, so there will be false positives without accounting for this. Also, an email isn’t going to wake anyone up.
The folks at IPinfo have a number of libraries for popular programming languages at https://ipinfo.io/developers/libraries to help you out.
Of course, Postfix is just one service that could benefit from using geolocation data to validate connections to services within your organization. It’s definitely worth checking out.