Encrypting cron emails with S/MIME

Introduction

You might have your server set up so that it runs a few tasks with cron and you don't have to worry about them. Except... you should, at least if the scheduled tasks send mission-critical information over the internet. Say you have security audit software such as lynis running. You certainly don't want that report in the wrong hands, since an attacker could use that information to break into your server far more easily than otherwise.

Assumptions

  • You have an S/MIME certificate
  • You have root access to your Linux web server
  • Your server runs on a recent Ubuntu

Encrypting

There are basically two ways of encrypting emails: one is GPG and the other is S/MIME. Refer to Encrypting cron emails with GPG if you prefer GPG. If you don't know GPG, I highly recommend checking that out as well, since I personally consider it way more secure.

  1. Upload your S/MIME certificate to /home/smime.pem
  2. Create a file /home/smimecron.sh with the following content
  3. Make the script executable: chmod a+x /home/smimecron.sh
  4. For this script to work we need the program ifne installed. Usually, if a command writes nothing to /dev/stdout or /dev/stderr, the empty input would still be encrypted and you would receive an encrypted email that has no content once decrypted. This would be annoying; ifne prevents this. To install it run.
  5. Add the line SMIME_CMD = /home/smimecron.sh somewhere at the top of your /etc/crontab
  6. Now you can use it by adding | $SMIME_CMD after a command, something like this:

     
  7. WARNING: Everyone with write access to /home/smimecron.sh could GAIN ROOT ACCESS. So make sure only root can write to it.
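
One way to write the wrapper that steps 2 to 7 describe, as an added example that is not the original post's script. The function names safe_perms and encrypt_report, the RCPT value, the "send" argument and the sendmail path are assumptions of this sketch; the paths /home/smime.pem and /home/smimecron.sh come from the steps above.

```shell
#!/bin/sh
# Added example, not the post's own script: S/MIME-encrypt cron output from stdin.
# Assumes openssl, ifne (moreutils) and /usr/sbin/sendmail are installed.
# In this sketch the crontab line would read: SMIME_CMD = /home/smimecron.sh send
CERT=/home/smime.pem   # recipient certificate from step 1
RCPT=root              # assumption: local alias that reaches the administrator

# True only if $1 is owned by uid $2 (default 0, root) and not writable by
# group or others, which is what the warning in step 7 asks for.
safe_perms() {
    owner=$(stat -L -c '%u' "$1" 2>/dev/null) || return 1
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-0}" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# Reads the report on stdin and writes a complete encrypted mail to stdout.
# $1 certificate, $2 recipient, $3 subject. Prints nothing for empty input or
# when openssl fails, so neither plaintext nor an empty mail reaches sendmail.
# The To, From and Subject headers travel unencrypted: keep the subject generic.
encrypt_report() {
    body=$(cat)
    [ -n "$body" ] || return 0
    printf '%s\n' "$body" | openssl smime -encrypt -aes256 \
        -from "cron@$(uname -n)" -to "$2" -subject "$3" "$1"
}

if [ "${1:-}" = "send" ]; then
    if ! safe_perms "$0" || ! safe_perms "$CERT"; then
        echo "refusing to run: $0 or $CERT is not root-owned and root-only writable" >&2
        exit 1
    fi
    # ifne starts sendmail only when the encryption step produced output.
    encrypt_report "$CERT" "$RCPT" "cron report from $(uname -n)" |
        ifne /usr/sbin/sendmail -t
fi
```
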

Fail2Ban Report

Introduction

See where the attacks against your server come from.

 

Report Layout

The report will look something like this:

 

Report Script