# Update #10 - Fail2Ban IP Geolocation Lookup Script with Auto Filtering

**Date:** May 11, 2025  
**Category:** Security / Automation  
**Backlink:** [Update #9 – Syncthing UFW Log Monitoring with Active Fail2Ban Enforcement](https://docs.natenetworks.com/books/02-project-notes/page/update-9-syncthing-ufw-log-monitoring-with-active-fail2ban-enforcement)

### **Overview**

This update improves visibility into the origin of IP addresses actively banned by Fail2Ban on the VPS. The goal was to enrich situational awareness for brute-force SSH attempts and UFW-blocked Syncthing port scans by fetching country, city, and provider data for each offender.

### **What Was Implemented**

- A Bash script named `fail2ban-ip-lookup.sh` was written to:
    - Pull current banned IPs from the `sshd` and `ufw-block` jails
    - Skip link-local IPv6 addresses (`fe80::/10`)
    - Query [ipinfo.io](https://ipinfo.io) for geolocation and network information
    - Format and display the results cleanly with color-coded output (when using `jq`)
- Optional `jq` integration was added to format the JSON neatly
- The script can easily be expanded to:
    - Save results to logs
    - Exclude private IPv4 ranges (`10.*`, `192.168.*`, etc.)
    - Run on a cron schedule for daily snapshots
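The flow listed above, as an added sketch (not the author's `fail2ban-ip-lookup.sh`): it parses the `Banned IP list:` line of `fail2ban-client status`, drops link-local and private addresses, and validates each token before it reaches the ipinfo.io URL. The function names, the `--lookup` flag and the sample status text are assumptions made for this example; the private-range filter goes beyond the current script and covers the expansion listed above.

```shell
#!/bin/sh
# Added example, not the author's script. Function names are hypothetical.

# Print the addresses found in `fail2ban-client status <jail>` output on stdin.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s '[:space:]' '\n'
}

# Return 0 only for addresses that should be sent to the lookup service.
should_lookup() {
    case "$1" in
        ''|*[!0-9a-fA-F:.]*) return 1 ;;             # not an IP literal: keep it out of the URL
        [fF][eE][89aAbB][0-9a-fA-F]:*) return 1 ;;   # link-local IPv6 (fe80::/10)
        10.*|192.168.*|127.*) return 1 ;;            # private and loopback IPv4
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;   # 172.16.0.0/12
    esac
    return 0
}

# Read jail status on stdin; print each address that passes the filter, once.
filter_lookups() {
    banned_ips | sort -u | while read -r ip; do
        if should_lookup "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Query ipinfo.io for one address and print the fields shown in the example output.
lookup_ip() {
    printf '📍 IP: %s\n' "$1"
    curl -s --max-time 10 "https://ipinfo.io/$1/json" |
        jq '.ip, .city, .region, .country, .org'
    echo
}

main() {
    for jail in sshd ufw-block; do
        sudo fail2ban-client status "$jail"
    done | filter_lookups | while read -r ip; do lookup_ip "$ip"; done
}

# Constructed, trimmed sample of `fail2ban-client status sshd` output.
SAMPLE_STATUS='Status for the jail: sshd
   |- Currently banned: 6
   `- Banned IP list: 116.110.12.54 fe80::1 10.0.0.5 8.222.230.39 172.20.3.4 192.168.1.20'

# Network lookups run only on request, so the functions can be tested offline.
if [ "${1:-}" = "--lookup" ]; then main; fi
```

Invoke it with `--lookup` on the host running Fail2Ban; without the flag it only defines its functions, which makes the filter easy to check against pasted jail output.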

### **Example Output**

```text
📍 IP: 116.110.12.54
"116.110.12.54"
"Thanh Khê"
"Da Nang"
"VN"
"AS24086 Viettel Corporation"

📍 IP: 8.222.230.39
"8.222.230.39"
"Singapore"
"Singapore"
"SG"
"AS45102 Alibaba (US) Technology Co., Ltd."
```

---

### **Script Location**

Stored at:

```bash
~/fail2ban-ip-lookup.sh
```

### **Dependencies**

- `curl` (usually preinstalled)
- `jq`, installed with:

```bash
sudo apt install jq -y
```

### **Future Improvements**

- Add logging with timestamps
- Auto-reporting for suspicious regions
- Integration into BookStack as a daily monitored report