Enter an IPv4 address (or 10,000) below and hit "Look Up IP Addresses" to find a general geographic area or city the IP is registered to. Any non-IP text is stripped, so feel free to just paste your whole log file, netstat output, or whatever pile of plain text that includes some IPs you want to check (as long as it's less than 2MB).
When a lookup reveals a high proportion of scanning, cloud, or proxy infrastructure, ip2geo offers a one-time paid report that goes deeper — giving you the data and ready-to-paste rules you need to actually block the traffic.
The sample report uses real Tor exit node data with live AbuseIPDB enrichment. Opt in to community sharing and you'll also see how many other ip2geo reports contained the same IPs this week — corroborating active threats across users.
$9 one-time. No account required.
ip2geo.org is maintained and run by me, Josh. Hi. If this tool was helpful, feel free to say hello — or help cover hosting costs if the free tools saved the day.
Ever been on the wrong end of a distributed probe hammering away at your email server, SSH port, or some other exposed service? It's chaos. Logs scroll by like a waterfall, and your tools? They're powerful, sure — but not exactly friendly when you're trying to make sense of hundreds of connections in real time.
You run a CLI command, grab the output, and paste it into your favorite text editor. You start cleaning it up, extracting IPs manually, only to hit a wall: now you're supposed to copy-paste those addresses into a web form. One by one. Seriously?
When you're facing a flood of suspicious traffic, that's just not going to cut it.
I was maintaining an aging email system with no password policies and no support — a perfect storm for account compromises. With no time or budget to overhaul it, I built this tool instead.
ip2geo.org lets you paste raw output from tools like netstat, fail2ban, or anything else that spits out IPs. It automatically extracts valid IPv4 addresses, runs a fast geolocation lookup, and gives you clean, actionable data — instantly. With one glance, I could see login attempts from every corner of the globe and quickly block entire botnets.
The free lookup is still here. But over time, ip2geo.org has grown into something more complete. When a lookup shows a high concentration of scanning or proxy infrastructure, you can now generate a full Threat Report — AbuseIPDB verification for your top IPs, ASN CIDR ranges for resilient blocking, and ready-to-run scripts for iptables, ufw, and nginx.
There's also a Community Block List — a rolling 7-day feed of CIDR ranges reported by opted-in ip2geo users. If you contribute your report, your data joins the aggregate anonymously. If you just want the list, download it and apply it directly to your firewall.
Paste any block of text. ip2geo.org scans it for IPv4 addresses, checks them against a geolocation database, and returns results you can filter by country or infrastructure category — scanning ranges, cloud exit nodes, VPN and proxy infrastructure, or residential traffic. Want to only see scanning infrastructure hits from outside the US? Done. Focus only on what matters.
This tool was built using free and open-source resources, and it's free because I wish something like this had existed when I needed it most. If it helps you too, consider buying me a coffee or tossing a few bucks toward hosting costs.