Earlier this year, I posted a tutorial for configuring the NGINX web server to permit access based on IP geolocation, using the Maxmind database. This tutorial covers the complete setup of the Maxmind database on CentOS.
The Maxmind database was chosen because it installs natively in RedHat and CentOS. For a great list of other geolocation APIs and how to choose the right one, check out this article on Hackernoon.
Why Use GeoLocation?
The most common uses for geolocation services fall under sales and marketing, and include language and currency localization, content personalization, targeted advertising and analytics. However, geolocation also plays a major role in compliance (e.g. embargo restriction enforcement), digital rights management, and fraud detection. By using geolocation to make routing decisions, it also play a role in business continuity and operational efficiency.
In cybersecurity, geolocation is commonly used as a variable trait in behavioral analytics and can be used to detect "impossible logins" and other anomalous behavior. For applications that don't necessarily require global access, it can also be used to easily eliminate large swaths of automated scanners and botnet traffic (geolocation should never be the only defense against these).
Start by installing the packages listed below using the yum command.
yum install GeoIP geoipupdate
Create an Account
Sign up for an account on the Maxmind website. For those short on budget, Maxmind offers a free, albeit limited, option called GeoLite2. Once an account is created, log in and select "My License Key" from the menu and generate a new key. Note that different types of keys must be selected depending on the version of Geo IP Update that is installed. Run geoipupdate -V on the CentOS system to figure out the currently installed version. Once the key is created, make note of the account number and license key.
Edit /etc/GeoIP.conf to include AccountID and LicenseKey generated on the Maxmind website. Also make sure that https communications to updates.maxmind.com are allowed through any firewalls. If a proxy is required, be sure to additionally edit the Proxy and ProxyUserPassword parameters in the configuration file.
Test the setup by running the geoipupdate command as root. If successful, there will be no output and the mmdb files in /usr/share/GeoIP should have an updated timestamp.
Leverage cron in order to update the database on a regular basis, as needed and in line with licensing allowance. The free version of GeoLite2 updates on Tuesdays, so a cron that runs on Wednesday morning makes sense. Run crontab -e as root and install the job.
0 3 * * 3 /bin/geoipupdate
If using Aide, edit /etc/aide.conf in order to avoid generating alerts every time the location database is updated. Don't forget to update the Aide database after making the change.
Final Todo: Centralize
If using location services across a large number of devices, it is more efficient and manageable to centralize the location database locally and distribute as needed to all others devices. Alternatively, it is also possible to host a single copy of the database on a local web server and alter the Host directive in /etc/GeoIP.conf on other devices such that dynamic lookups are performed against the local database.
Using geolocation in creative ways? Comment below or tag me on Twitter @technicalciso