Fail2Ban Report


See where the attacks against your server come from.

Report Layout

The report will look something like this:

Server attack statistics for the SSH service

Count, IP, Country
37  CN, China
42  CN, China
37  CN, China
42  CN, China
9 CN, China
38   CN, China
44  CN, China
11  CN, China
35  CN, China
42  CN, China
31   CN, China
38  CN, China
8  RU, Russian Federation
36  CN, China
14    CN, China
16    CN, China

Report Script

Encrypting cron emails with GPG


You might have your server set up so that it runs a few tasks with cron, so you don’t have to worry about them. Except you should, if the scheduled tasks send mission-critical information over the internet. Assume you have some kind of security audit software running, say lynis. You certainly don’t want that report in the wrong hands, since an attacker could use that information to break into your server far more easily than otherwise.


  • You are familiar with GPG
  • You have root access to your Linux web server
  • Your server runs on a recent Ubuntu
  • Cron is already configured to send emails


There are basically two ways of encrypting emails: GPG and S/MIME. We will be using GPG. This article also assumes you are familiar with GPG.

  1. Upload your public key (ending in .asc) to your server; /home is a good place.
  2. So that the key can actually be read by the command we will be using, it has to be slightly modified. To be precise, the ASCII armor has to be removed: we need the key in binary form. This is achieved by the following command.
    gpg --dearmor < /home/YOURPUBLICKEY.asc > /home/YOURPUBLICKEY.asc.gpg
  3. Add this line at the top of your /etc/crontab just after You need to replace the email address and the public key path.
    GPG_CMD = "ifne /usr/bin/gpg --batch --armor --trust-model always --no-default-keyring --keyring /home/YOURPUBLICKEY.asc.gpg --recipient YOUR_EMAIL_ADDRESS --encrypt"
  4. For this command to work we need the program ifne installed. Normally, if a command writes nothing to /dev/stdout or /dev/stderr, gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. That would be annoying; ifne prevents it. To install it, run:
    apt-get install moreutils
  5. Now in /etc/crontab you can simply pipe the output to gpg and enjoy encrypted emails.
    * * * * * root /bin/echo "gpg test" | $GPG_CMD
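
A check for the finished setup, added here as an example and not part of the original article: this Python script reads text in /etc/crontab format, validates the GPG_CMD definition from step 3, and lists the jobs whose output would still be mailed unencrypted. The sample crontab, the address admin@example.org and the job paths are constructed; treating a trailing `> /dev/null 2>&1` as "sends no mail" is a simplifying assumption.

```python
import re
import shlex

# Constructed /etc/crontab sample (fields: m h dom mon dow user command).
SAMPLE = '''\
MAILTO=admin@example.org
GPG_CMD = "ifne /usr/bin/gpg --batch --armor --trust-model always --no-default-keyring --keyring /home/YOURPUBLICKEY.asc.gpg --recipient admin@example.org --encrypt"
0 3 * * * root /usr/sbin/lynis audit system --cronjob 2>&1 | $GPG_CMD
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@daily root /usr/local/bin/backup.sh 2>&1 | ${GPG_CMD}
30 4 * * * root /usr/local/bin/rotate.sh > /dev/null 2>&1
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')
JOB = re.compile(r'^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$')
PIPED = re.compile(r'\|\s*\$\{?GPG_CMD\}?\s*$')    # output ends in the gpg pipe
SILENT = re.compile(r'>\s*/dev/null\s+2>&1\s*$')  # no output, so no mail

def check_gpg_cmd(value):
    """Return a list of problems in a GPG_CMD value as defined in step 3."""
    words = shlex.split(value)
    problems = []
    if words[:1] != ['ifne']:
        problems.append('ifne missing: empty output is encrypted and mailed')
    for opt in ('--keyring', '--recipient'):
        nxt = words[words.index(opt) + 1] if opt in words[:-1] else '--'
        if nxt.startswith('--'):  # next word is another option, not a value
            problems.append(opt + ' is missing or has no value')
    if '--encrypt' not in words:
        problems.append('--encrypt missing')
    return problems

def audit_crontab(text):
    """Return (GPG_CMD problems, [(line number, command)] mailed unencrypted)."""
    env, plaintext = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        assign, job = ASSIGN.match(line), JOB.match(line)
        if assign:  # cron strips the quotes around the value
            env[assign.group(1)] = assign.group(2).strip().strip('"\'')
        elif job and not PIPED.search(job.group(2)) and not SILENT.search(job.group(2)):
            plaintext.append((lineno, job.group(2)))
    if 'GPG_CMD' not in env:
        return ['GPG_CMD is not defined'], plaintext
    return check_gpg_cmd(env['GPG_CMD']), plaintext

if __name__ == '__main__':
    print(audit_crontab(SAMPLE))
```

On the constructed sample only the run-parts job on line 4 is reported; a GPG_CMD whose `--recipient` is directly followed by `--encrypt` is reported as having no recipient value.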

I got the inspiration for this from a site that has unfortunately been offline for a few days now (checked April 2021).

Server Authentication With Client Certificate X.509


Basics of setting up certificate based authentication on Apache.


Your server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

Creating all the files we need

Note: The key sizes and expiration dates must be adjusted to suit your needs.

Create the CA

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

Create a signing request and sign it with the CA private key

openssl genrsa -out alice.key 2048
openssl req -new -key alice.key -out alice.csr
openssl x509 -sha256 -req -in alice.csr -out alice.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On Safari the .p12 file has to have a password for the import to work.)

openssl pkcs12 -export -clcerts -in alice.crt -inkey alice.key -out alice.p12

Convert the .p12 to .pem so tools like curl can use it

openssl pkcs12 -in alice.p12 -out alice.pem -clcerts

Configuring Apache

Copy your CA.pem to a file readable by Apache. In my case it is /home/CA.pem, but this might differ for your server.

In your virtual hosts configuration file, add SSLCACertificateFile and SSLVerifyClient as shown below.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient require

# ..... your additional configuration here
# .....

</VirtualHost>
</IfModule>
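
To confirm that every TLS virtual host really enforces the two directives above, here is an added example (not part of the original article) that scans Apache configuration text and reports each VirtualHost where a client certificate is not required or no CA is configured. The host names and the sample configuration are constructed; the script reads a single file's text and does not follow Include directives or per-directory overrides.

```python
import re

# Constructed Apache configuration: three TLS virtual hosts, of which only
# the first matches the setup described above.
SAMPLE_CONF = '''\
<VirtualHost *:443>
    ServerName good.example.org
    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    ServerName optional.example.org
    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient optional
</VirtualHost>
<VirtualHost *:443>
    ServerName open.example.org
    # SSLVerifyClient require
</VirtualHost>
'''

VHOST = re.compile(r'<VirtualHost\b[^>]*>(.*?)</VirtualHost>', re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> last value, skipping comments and tags."""
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith(('#', '<')):
            found[parts[0].lower()] = parts[1].strip()
    return found

def audit_vhosts(conf):
    """Return {ServerName: [problems]} for every VirtualHost block in conf."""
    report = {}
    for body in VHOST.findall(conf):
        d = directives(body)
        problems = []
        mode = d.get('sslverifyclient', 'none')  # mod_ssl default is none
        if mode.lower() != 'require':
            problems.append('SSLVerifyClient is %s: clients without a '
                            'certificate are let in' % mode)
        if 'sslcacertificatefile' not in d and 'sslcacertificatepath' not in d:
            problems.append('no CA configured to verify client certificates')
        report[d.get('servername', '?')] = problems
    return report

if __name__ == '__main__':
    for name, problems in audit_vhosts(SAMPLE_CONF).items():
        print(name, problems or 'ok')
```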


Finally… we can use it

To use the certificate with curl

curl -E alice.pem https://YOUR_SERVER/

To install in Safari on a Mac, just double-click the .p12 file and follow the instructions.

To install on iOS, the file can be sent by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file, it should NOT be sent over the internet; instead, plug in a USB cord and transfer it via iTunes.

Change OS on the Fly

How to change the OS of your Raspberry Pi while it is running.

WARNING: This guide is incomplete

  1. Download Raspbian from
  2. Burn the image to a spare SD card
  3. Boot the Pi with it and SSH into it
  4. Download Ubuntu Core from
  5. Running fdisk -l and fdisk -l ubuntu-core-16-pi3.img shows that the Raspbian boot partition has only 63MiB while Ubuntu Core needs 128MiB here.

There are basically two ways of installing another OS while the RPi is running.

One is overwriting the boot and root partitions, and the other is to overwrite their content. Overwriting the content will leave a lot of artefacts on the system, but might be easier to implement, and those artefacts can be removed in subsequent updates.

Overwriting the partitions themselves, maybe even recreating them, is damn complicated. While it is easy for the boot partition, the root partition is of the EXT4 type, which means it can’t be unmounted while it’s in use. Now it’s neither fun nor possible to SSH into a machine, stop the SSHD and the other services which are using the partition, basically locking yourself out, and THEN shrink the partition. So one way around this would be to use the boot process itself to shrink the partition while it’s not yet mounted. This might work with the cmdline.txt on the /boot partition; however, I’m not sure which tools are available. Running a simple which fdisk gives /sbin/fdisk, so that’s on the root partition and therefore not available during the boot process. A way around this would probably be to use a custom initrd.img that supplies the needed tools, and to do the partitioning with that.

This is basically the point where I don’t yet have a satisfying solution. If you know a better way, let me know.

Boot process

LED meanings during boot process

Red LED on: Power OK

Red LED blink or off: Problem with Power

Green LED off: bootloader.bin not found. Make sure there is a FAT32 partition with that file on the SD card. It is interesting to note that the RPi does not use an MBR (Master Boot Record); instead the firmware (in the SoC or GPU?) looks for the first FAT32 partition and looks for the bootloader.bin file there. This means that no nasty placing at a specific disk sector is needed; the file can just be copied over, which is nice.

Green LED blink 5 times periodically : bootloader.bin found. Problems with the next stage (missing or invalid?) start.elf.

Green LED blink 7 times periodically: kernel.img not found.

Green LED blink 2 times only once on startup: (fixup.dat or cmdline.txt or config.txt not found? / everything ok turning off led for later sd card access indicator?)

Helpful links

RPi boot error led blink codes: