
I'm working on ways to automate the updating of .htaccess to block IP ranges that have come in and tried to hack the site.

I've been doing it manually for a while, pulling an IP address, then using a web based whois utility to find the range it's in, then manually adding the range to the blocked IP list for the site. It's a pain.

Now I'm parsing the logfile to find the IP address of suspicious entry attempts with a Perl script, and I want to find the IP address range to which that IP address belongs, and maybe pull some other descriptive information that will quickly tell me if this is a range I want to block.

I know it can be done because the web utilities provide the information. Here's an example:

[Screenshot: example from a whois site]

I can run gethostbyaddr on them, but that's not what I need.

I've seen some whois modules that had some information, but I could not find access to the range to which the IP address belongs. I'm hoping there is a module I can use to pull the address range, to help me speed up the security process.

Borodin
Charlie Peppler

1 Answer


I suggest that you make use of the Net::Whois::Raw module. It returns just a block of text, and you will have to use regex patterns to extract the information that you need.

Here's an example that displays the IP range for the same address as you use in your example. Just print $info to see the whole thing.

use strict;
use warnings 'all';
use feature 'say';

use Net::Whois::Raw;

# whois() returns the raw text of the registry's reply
my $info = whois('95.137.240.189');

# in list context the match returns the captured range
say $info =~ /NetRange:\s*(.+)/;

output

95.0.0.0 - 95.255.255.255
Borodin
  • I was going to recommend Net::Whois::Generic, which has a nicer interface, but it chokes on the OP's IP address. :( – ThisSuitIsBlackNot Mar 15 '17 at 22:53
  • @ThisSuitIsBlackNot: Oh? How do you mean, "chokes"? There are very many modules in the `Net::Whois::*` family and I've only ever used a couple of them. `Net::Whois::Parser` should play nicely with `Net::Whois::Raw`, but it seemed overkill in this instance. – Borodin Mar 15 '17 at 23:30
  • By "chokes" I mean it generates a bunch of warnings and even spits out a Data::Dumper dump of an internal data structure. Your version is much better. :) – ThisSuitIsBlackNot Mar 16 '17 at 16:06
  • @ThisSuitIsBlackNot: Woah. That's a bit of an overreaction! I did notice that my solution produces a different IP range from the online utility. I wonder which is correct! – Borodin Mar 16 '17 at 16:33
  • The situation is more complicated than I thought. This [link](http://stackoverflow.com/questions/27721092/ip-to-cidr-ip-range) provides some additional details: basically the whois parsing module, to be accurate, needs to be able to recurse. You _may_ hit the right server that has the IP address, or you may not, in which case it points you toward the one that has the IP address and its range. I used this [example](http://www.perl.com/pub/2002/08/20/perlandlwp.html) to dump out the raw results from this query: http://rest.db.ripe.net/search?query-string=95.137.240.189 – Charlie Peppler Mar 17 '17 at 01:01
  • @CharliePeppler: You need to ask a new question if you need different help. – Borodin Mar 17 '17 at 01:31
  • Thanks for the sample code using Net::Whois::Raw. Unfortunately, I think the web utility is correct with the CIDR of 95.137.192.0/18. – Charlie Peppler Mar 17 '17 at 02:03
  • @Borodin @charlie The "correct" reply will change over time, but right now it is: `inetnum: 95.137.224.0 - 95.137.255.255 netname: GE-fiber-P2P-block-6` as given by the RIPE whois server. This is the most specific entry. The result you display in your answer is the first reply of the ARIN whois server, often the default one used in scripts but not the authoritative one for all IP blocks. The relevant data is further below in the ARIN whois reply (if the whois client used is able to follow referrals). – Patrick Mevzek Jan 02 '18 at 16:19
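The comments above settle the point the answer left open: the first reply from ARIN gives the /8 delegated to RIPE, and the block you actually want to deny is the most specific `inetnum:` that RIPE returns after following the `ReferralServer:` line. The script below is an added example, not code from the question or the answer, that does the whole job in Perl: it follows the referral, parses both the ARIN (`NetRange:`/`NetName:`) and RIPE (`inetnum:`/`netname:`) line shapes, picks the smallest range containing the IP, and converts that range to CIDR blocks ready for .htaccess. It runs offline against constructed sample replies; the server names are real, but the netnames and the parent block are illustrative and `fetch` is a stand-in for Net::Whois::Raw's `whois($ip, $server)` call.

```perl
use strict;
use warnings 'all';
use feature 'say';

# Constructed sample replies (this example's own data, not real registry
# output): the line shapes match what ARIN and RIPE send for an IP lookup,
# the netnames and the parent block are illustrative. For live lookups
# replace fetch() with  sub { Net::Whois::Raw::whois($_[0], $_[1]) }.
my %canned = (
    'whois.arin.net' => <<'ARIN',
NetRange:       95.0.0.0 - 95.255.255.255
CIDR:           95.0.0.0/8
NetName:        EXAMPLE-RIPE-95
ReferralServer: whois://whois.ripe.net
ARIN
    'whois.ripe.net' => <<'RIPE',
inetnum:        95.137.192.0 - 95.137.255.255
netname:        EXAMPLE-PARENT-BLOCK
inetnum:        95.137.224.0 - 95.137.255.255
netname:        EXAMPLE-CUSTOMER-BLOCK
RIPE
);

sub fetch { my ($ip, $server) = @_; return $canned{$server} // '' }

sub ip2int { unpack 'N', pack 'C4', split /\./, shift }
sub int2ip { join '.', unpack 'C4', pack 'N', shift }

# Query $server, collect every NetRange/inetnum it reports, and follow an
# ARIN-style ReferralServer line to the registry that actually holds the
# block. %$seen stops referral loops.
sub lookup {
    my ($ip, $fetch, $server, $seen) = @_;
    $server //= 'whois.arin.net';
    $seen   //= {};
    return () if $seen->{$server}++;

    my $text = $fetch->($ip, $server);
    my (@ranges, $cur);
    for my $line (split /\n/, $text) {
        if ($line =~ /^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)/) {
            push @ranges, $cur = { start => $1, end => $2, name => '?', server => $server };
        }
        elsif ($cur && $line =~ /^(?:NetName|netname):\s*(\S+)/) {
            $cur->{name} = $1;
        }
    }
    if ($text =~ m{^ReferralServer:\s*(?:\w+://)?([\w.-]+)}m) {
        push @ranges, lookup($ip, $fetch, $1, $seen);
    }
    return @ranges;
}

# Of all the ranges that contain $ip, keep the smallest one.
sub most_specific {
    my ($ip, @ranges) = @_;
    my $n = ip2int($ip);
    my @hits = grep { ip2int($_->{start}) <= $n && $n <= ip2int($_->{end}) } @ranges;
    my ($best) = sort {
        (ip2int($a->{end}) - ip2int($a->{start})) <=> (ip2int($b->{end}) - ip2int($b->{start}))
    } @hits;
    return $best;
}

# Split an arbitrary start-end range into the minimal list of CIDR blocks
# (assumes a 64-bit perl so that 1 << 32 does not overflow).
sub range_to_cidr {
    my ($start, $end) = map { ip2int($_) } @_;
    my @cidrs;
    while ($start <= $end) {
        my $prefix = 32;
        while ($prefix > 0) {
            my $wider = 1 << (33 - $prefix);       # size of the next-larger block
            last if $start % $wider;               # start is not aligned to it
            last if $start + $wider - 1 > $end;    # or it would overshoot $end
            $prefix--;
        }
        push @cidrs, int2ip($start) . "/$prefix";
        $start += 1 << (32 - $prefix);
    }
    return @cidrs;
}

my $ip = $ARGV[0] // '95.137.240.189';
my @ranges = lookup($ip, \&fetch);
say "$_->{server}: $_->{start} - $_->{end} ($_->{name})" for @ranges;

my $best = most_specific($ip, @ranges) or die "no range found for $ip\n";
say "most specific: $best->{start} - $best->{end} ($best->{name})";
say "deny from $_" for range_to_cidr($best->{start}, $best->{end});   # mod_access syntax
```

Run it with the IP as the first argument (it defaults to the one from the question). The `deny from` lines use the Apache 2.2 mod_access syntax, which Apache 2.4 still accepts with mod_access_compat loaded; on a pure 2.4 setup write `Require not ip 95.137.224.0/19` inside a `<RequireAll>` block instead. Two caveats worth keeping in mind before automating the block: registries change allocations, so re-check a range before leaving it in .htaccess for months, and the smallest `inetnum:` is often a single customer's assignment, which may be exactly what you want to deny or may be far narrower than the attacker's real address space.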