ucspi-tcp-geoip and ucspi-tcp-geoipmmd
ucspi-tcp-geoip is a modification of Dan Bernstein’s ucspi-tcp package. We added support to tcpserver to allow or block connections based on the GeoIP country code of the connecting IP. We also added support for saving the process ID to a file to help init scripts kill the service. It is based on the old GeoIP libraries.
ucspi-tcp-geoipmmd is the same as ucspi-tcp-geoip except it is based on the new GeoLite2 library and database.
Download latest version based on the old GeoIP library and Databases.
Download latest version based on the new GeoIP2 Lite library and databases.
To use ucspi-tcp-geoipmmd, first you need to install the new GeoIP2 library:
- Download library here
- Unpack library: tar zxf libmaxminddb-1.4.2.tar.gz
- Change directory: cd libmaxminddb-1.4.2
- Configure: ./configure
- Compile the library: make
- Check the build: make check
- Install: make install
- Make sure /etc/ld.so.conf or another conf file includes /usr/local/bin/, then update with "ldconfig"
- Sign up for access to the GeoIP2 lite database here
- Once you are approved download GeoLite2-Country.mmdb to /usr/share/GeoIP
- Then you are ready to build and run ucspi-tcp-geoipmmd
- -w path-to-pid file
- DENYCOUNTRY environment variable
- ALLOWCOUNTRY environment variable
- You can use either DENYCOUNTRY or ALLOWCOUNTRY or neither.
- 2 character country code is added to end of tcpserver log line.
- For ucspi-tcp-pid-geoipmmd-89 be sure to first install libmaxminddb-1.4.2.tar.gz
- Download the source
- Unpack the source
- Go into the source directory
- Build the source
- Install into /usr/local/bin/
- Clean up the source code (remove .o files and binaries)
- The GeoLite2 version requires libmaxminddb-1.4.2.tar.gz and the GeoLite2-Country.mmdb database, available if you sign up for a GeoLite2 account at MaxMind
- GeoIP package required to run
- GeoIP development package required to build the software
Features
Set DENYCOUNTRY to a comma separated list of 2 character country codes that you want to deny access to. The connecting IP is looked up in the GeoIP public database. If the country is listed in the DENYCOUNTRY environment variable then tcpserver drops the connection. Otherwise the connection is allowed. For example, if you want to drop connections from the United States and Canada then set DENYCOUNTRY="US,CA".
Set ALLOWCOUNTRY to a comma separated list of 2 character country codes that you want to allow access to. If the connecting IP country code is not in the list then tcpserver drops the connection. Otherwise the connection is allowed. For example, if you only want to allow connections from the United States and Canada then set ALLOWCOUNTRY="US,CA".
If DENYCOUNTRY and ALLOWCOUNTRY are not set then no connections will be blocked.
If DENYCOUNTRY or ALLOWCOUNTRY is set then the 2 character country code is added to the end of the tcpserver log line for " ok " or " deny ". For example: tcpserver: deny 4252 mail.inter7.com:X.X.X.XX:110 :Z.Z.Z.Z::56134:US
Example start up line for qmail pop3 connections.
This will allow only connections from IPs identified to be in the AA country (fake country code) by GeoIP database.
env - PATH="/var/qmail/bin:/usr/local/bin:$PATH" \
ALLOWCOUNTRY="AA" \
tcpserver -vHRD -l$HOSTNAME -c100 -w /var/run/pop3.pid \
0.0.0.0 110 /var/qmail/bin/qmail-popup $HOSTNAME \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d \
Maildir 2>&1 | /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t n20 s1000000 /var/log/pop3 &
If the connecting IP is not identified as being in the country AA then the connection is dropped.
The -w option writes the process pid to /var/run/pop3.pid
To stop tcpserver you could use
kill -9 `cat /var/run/pop3.pid`
Example start up line for qmail smtp connections
This will block connections from IPs that are in (fake) countries XX, YY and ZZ
env - PATH="/var/qmail/bin:/usr/local/bin:$PATH" \
DENYCOUNTRY="XX,YY,ZZ" \
tcpserver -vRD -l$HOSTNAME -x /home/vpopmail/etc/tcp.smtp.cdb \
-c300 -w /var/run/smtpd.pid 0 25 \
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1 | \
/usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t n20 s4000000 /var/log/smtp &
If the connecting IP is identified as being in Russia, China or Vietnam then the connection is dropped.
The -w option writes the process pid to /var/run/smtpd.pid
To stop tcpserver you could use
kill -9 `cat /var/run/smtpd.pid`
2 character country codes can be found on the internet or at Wikipedia
News
GeoLite2 Version 89 released April 1 2020.
Version 89 released March 15 2020.
Version 88 released March 9 2020.
Reporting
You can get a report of countries that were allowed to connect or a report of countries that were denied connections. For example:
To get list of countries that were denied connections and a count for pop3 try:
grep deny /var/log/pop3/current | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr
or
grep deny /var/log/pop3/* | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr
It should have a count of the connections and the country code. For example:
520 CN
170 NL
75 CA
60 DE
42 HK
36 KR
27 RU
11 MD
4 FR
3 VN
3 CL
1 SC
1 KE
1 IR
1 EG
Or to get a list of countries that were allowed connections change deny to " ok "
grep " ok " /var/log/pop3/current | sed 's/:/ /g' | awk '{print $NF}' | sort | uniq -c | sort -nr
Output should have a count of the connections and the country code.
35 US
You could also run the report on any other tcpserver log files.
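The script below is an added example, not part of the original page or of ucspi-tcp-geoip. It produces the allowed and denied counts in one pass and matches on the status word after the tcpserver: tag instead of grepping the whole line. The log lines are constructed, and the leading timestamp field assumes multilog is run with the t option as in the start-up lines above.

```shell
#!/bin/sh
# Added example: per-country ok/deny counts from tcpserver log lines.

# Constructed sample lines (documentation IPs, fake country codes).
# The leading @... field is the timestamp multilog's "t" option prepends.
sample_log() {
cat <<'EOF'
@400000005e84a1c20a1b2c3d tcpserver: status: 1/100
@400000005e84a1c20a1b2c3e tcpserver: pid 4252 from 203.0.113.5
@400000005e84a1c20a1b2c3f tcpserver: deny 4252 mail.example.com:192.0.2.10:110 :203.0.113.5::56134:XX
@400000005e84a1c30a1b2c3d tcpserver: end 4252 status 25600
@400000005e84a1c40a1b2c3d tcpserver: ok 4253 mail.example.com:192.0.2.10:110 :198.51.100.7::40112:AA
@400000005e84a1c50a1b2c3d tcpserver: deny 4254 mail.example.com:192.0.2.10:110 :203.0.113.9::40200:XX
@400000005e84a1c60a1b2c3d tcpserver: deny 4255 deny.example.net:192.0.2.10:110 :203.0.113.77::40201:YY
tcpserver: ok 4256 mail.example.com:192.0.2.10:110 :198.51.100.8::40300
EOF
}

# country_report: read log lines on stdin, print "count status CC",
# highest count first.
country_report() {
    awk '
    {
        # The status is the word after the "tcpserver:" tag, wherever
        # that tag sits (a timestamp may precede it).
        status = ""
        for (i = 1; i < NF; i++)
            if ($i == "tcpserver:") { status = $(i + 1); break }
        if (status != "ok" && status != "deny") next

        # The country code is whatever follows the last colon.
        n = split($NF, part, ":")
        cc = part[n]
        # No two-letter suffix means no country was logged; skip it.
        if (cc !~ /^[A-Z][A-Z]$/) next

        count[status " " cc]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,3
}

sample_log | country_report
```

Against real logs, run it as: cat /var/log/pop3/current | country_report. Lines written while neither DENYCOUNTRY nor ALLOWCOUNTRY was set carry no country code and are left out of the counts.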
Installation Instructions
tar zxf ucspi-tcp-pid-geoip-0.89.tar.gz or tar zxf ucspi-tcp-pid-geoipmmd-89.tar.gz
cd ucspi-tcp-pid-geoip-0.89 or cd ucspi-tcp-pid-geoipmmd-89
make
make setup
make clean
Dependencies
On CentOS install GeoIP with yum install GeoIP
On CentOS install the GeoIP development package with yum install GeoIP-devel