Fun with ipinfo.io

Back of the napkin use of geolocation data for fun and profit

George J Ficzeri
2 min read · Feb 9, 2021

I wrote previously about some basic use-cases of the incredibly awesome REST API from ipinfo.io for getting access to IP address data. Here we are creating a little check to send an email when successful SASL authentications originate from untrusted countries.

To begin, create a free account to gain access to the higher usage limit of 50,000 API requests per month. After creating an account, access your dashboard from https://ipinfo.io/account, scroll down to the bottom, and grab your access token. You’ll need this later.

When email credentials are compromised, you'll likely see an increase in logins from multiple geographic locations at the same time. With just a little bash, we should be able to catch this and alert right away.

Let's look at an example where our company and all its users reside in the US, and seldom log in from other countries. We want to send out an email whenever anyone authenticates from any IP address that isn't US-based.

Create a file ~/not_us.sh containing the example code below:

A couple things to be aware of:

  • In this fictitious example we are using 192.168 as our internal IP space, so we don’t want to check it. List your own internal network space after the grep -v.
  • Don't worry about the search term sasl_username. It will be the same regardless of whether you're using Dovecot-SASL or Cyrus-SASL for SMTP authentication.
  • Make sure to replace token=00000000000000 with the token in your IPinfo account.

Save the file and make it executable:

chmod +x ~/not_us.sh

Now run the script in cron to monitor your logs for compromises.
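
A sketch of what ~/not_us.sh and its cron entry could look like, as an added example that is not the author's original script. It assumes Postfix-style log lines; the names TRUSTED, INTERNAL, ALERT_TO, LOOKUP, the function names, the log path and the cron schedule are assumptions.

```shell
#!/bin/bash
# Added example: a sketch of ~/not_us.sh, not the author's original script.
# Assumed names: TRUSTED, INTERNAL, ALERT_TO, LOOKUP and the function names.
token=00000000000000                 # replace with your IPinfo access token
TRUSTED="US"                         # space-separated trusted country codes
INTERNAL='\[192\.168\.'              # internal address space to skip (grep pattern)
ALERT_TO="root"                      # alert recipient (assumption)
LOOKUP=ipinfo_country                # function used to resolve IP -> country

# Read mail log lines on stdin, print "ip username" for each SASL login.
extract_logins() {
    grep 'sasl_username=' | grep -v "$INTERNAL" |
        sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^ ,]*\).*/\1 \2/p'
}

# Ask ipinfo.io for the two-letter country code of one IP address.
ipinfo_country() {
    curl -s --max-time 10 "https://ipinfo.io/$1/country?token=$token" </dev/null
}

# Read "ip username" pairs on stdin, print "country ip username" for every
# login whose country is not trusted. Anything that is not a two-letter code
# (timeout, quota error) is reported as ?? rather than silently dropped.
flag_foreign() {
    while read -r ip user; do
        cc=$("$LOOKUP" "$ip")
        case "$cc" in [A-Z][A-Z]) ;; *) cc='??' ;; esac
        case " $TRUSTED " in
            *" $cc "*) ;;
            *) echo "$cc $ip $user" ;;
        esac
    done
}

# Usage: ~/not_us.sh /var/log/mail.log   (log path depends on your system)
# From cron, e.g. hourly:  0 * * * * $HOME/not_us.sh /var/log/mail.log
if [ -n "${1:-}" ]; then
    report=$(extract_logins < "$1" | sort -u | flag_foreign)
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "SASL logins outside: $TRUSTED" "$ALERT_TO"
    fi
fi
```

Each run rescans the whole log file, so the same login is reported again until the log rotates.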

Pretty quickly and easily you have something useful using only free data provided by ipinfo.io and a few lines of bash.

The folks at IPinfo have a number of libraries for popular programming languages at https://ipinfo.io/developers/libraries to help you out.
