Why IP Geolocation Matters for Security
Every connection to your server comes from an IP address. Knowing where that IP is geographically located, which ISP owns it, and what organization operates it gives you critical context for security decisions. Is that login attempt from your company VPN or from a country where you have no employees? Is that scanning traffic from a legitimate security researcher or a known botnet?
IP geolocation and WHOIS lookups are essential tools for incident response, firewall rule creation, abuse reporting, and network forensics. While web-based tools exist, they require manual lookups and do not integrate with your scripts or automation pipelines.
dargslan-ip-geo provides geolocation, WHOIS, and reverse DNS lookups with zero external dependencies. It works entirely from the Python standard library, making it safe to install on production servers.
Install dargslan-ip-geo
pip install dargslan-ip-geo
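No third-party Python packages are required. The tool uses ip-api.com for geolocation (free tier: 45 requests/minute) and the standard WHOIS protocol (port 43) for registration data, so each lookup sends the queried address to those external services.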
CLI Usage: IP Lookup
# Full geolocation report
dargslan-ip 8.8.8.8
# Multiple IPs
dargslan-ip 1.1.1.1 8.8.8.8 9.9.9.9
# Include WHOIS data
dargslan-ip 8.8.8.8 --whois
# Reverse DNS only
dargslan-ip 8.8.8.8 --reverse
# JSON output for scripting
dargslan-ip 8.8.8.8 --json
Python API: Programmatic Lookups
from dargslan_ip_geo import IPGeo

ig = IPGeo()

# Full lookup: geolocation + reverse DNS
info = ig.lookup("8.8.8.8")
print(f"Country: {info['country']}")
print(f"City: {info['city']}")
print(f"ISP: {info['isp']}")
print(f"Hostname: {info['hostname']}")

# WHOIS lookup
whois = ig.whois("8.8.8.8")
print(f"Organization: {whois['parsed'].get('organization', 'N/A')}")

# Bulk lookup
ips = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
results = ig.bulk_lookup(ips)
for r in results:
    print(f"{r['query']}: {r['country']} ({r['isp']})")
Use Cases in Security Operations
Incident Response: When you detect suspicious SSH login attempts, quickly identify the source country, ISP, and whether the IP belongs to a cloud provider, residential ISP, or known proxy service.
Firewall Rules: Create country-based blocking rules. If your service only operates in Europe, block connections from unexpected geolocations.
Log Analysis: Enrich your web server or application logs with geolocation data for pattern analysis. Identify coordinated attacks from the same ASN or ISP.
Abuse Reporting: Use WHOIS data to find the abuse contact email for an IP range and report malicious activity to the correct network operator.
Understanding WHOIS Data
WHOIS (pronounced "who is") is a protocol for querying registration databases. For IP addresses, WHOIS returns the Regional Internet Registry (RIR) that allocated the block, the organization that holds it, abuse contacts, and network range information.
The tool automatically follows referrals: it starts at IANA, discovers which RIR (ARIN, RIPE, APNIC, LACNIC, AFRINIC) manages the block, and queries the appropriate server for detailed information.
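The referral chain described above, as an added example; this is not dargslan-ip-geo's own code. The names `whois_query`, `parse_referral`, `whois_follow` and `RIR_SERVERS` are this example's, and the two safeguards it shows (parsing the input as an IP address before sending it, and following a referral only to one of the five RIR servers) are assumptions about a careful implementation, since WHOIS on port 43 is plaintext and unauthenticated.

```python
import ipaddress
import socket

IANA = "whois.iana.org"
# The five RIR WHOIS servers; referrals to any other host are not followed.
RIR_SERVERS = {"whois.arin.net", "whois.ripe.net", "whois.apnic.net",
               "whois.lacnic.net", "whois.afrinic.net"}

# Constructed sample in the shape of an IANA reply (not captured output).
SAMPLE_IANA_REPLY = """% IANA WHOIS server
refer:        whois.arin.net

inetnum:      8.0.0.0 - 8.255.255.255
organisation: Administered by ARIN
"""

def whois_query(server, query, timeout=10.0):
    """One WHOIS exchange: TCP/43, send query + CRLF, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_referral(reply):
    """Return the host named on the first 'refer:' line, or None."""
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "refer" and value.strip():
            return value.strip().lower()
    return None

def whois_follow(ip, query=whois_query):
    """Ask IANA, then the referred RIR. Returns (server_used, reply)."""
    # Parsing first rejects hostnames and embedded CR/LF before anything is sent.
    target = str(ipaddress.ip_address(ip))
    first = query(IANA, target)
    referred = parse_referral(first)
    if referred not in RIR_SERVERS:
        return IANA, first  # no referral, or one outside the allowlist
    return referred, query(referred, target)

if __name__ == "__main__":
    server, reply = whois_follow("8.8.8.8")  # needs outbound TCP/43
    print(server)
    print(reply)
```

The `query` parameter lets the network call be replaced with a stub, so the referral logic can be checked without outbound access.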
Download the IP Geolocation Cheat Sheet
Get our IP Geolocation & WHOIS Cheat Sheet, covering geolocation APIs, WHOIS servers, private IP ranges, and CLI commands.
Related Tools
Browse our complete collection of Python CLI tools for Linux security and networking. For deeper coverage, explore our networking and security eBooks at dargslan.com.