Fail2Ban – From Temporary to Permanent Bans

I had problems with SSH brute force attempts.  I installed fail2ban, but it tends to let the users retry "eventually".  So I looked for a more permanent solution, and really, it couldn't be any easier to implement permanent bans.  Fail2ban can dive into its own log to root out repeat offenders, and that setup is shown first below.  My preference is a permanent ban via a script run from crontab, which is further below.

Install fail2ban.  Edit the "/etc/fail2ban/jail.local" file and add the following to the end of the file.  Make sure the rest of the file is set up (or left default) as desired.  This jail reviews the fail2ban log itself for repeat offenders.  Set enabled = true to activate it.


[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5

The above is great if you only want to stall the little bastards, slowing them down so much they'll give up.  But some don't. Soooo my preference is a more permanent solution if they don't quit.  Create a script file, something like "" inside the /root folder or wherever only root can access.  "chmod 500" it to make sure only root can do anything with it.  File contents below:

#!/bin/bash
# Collect IPs that appear on more than 2 "Ban" lines in the fail2ban log.
# Field 7 of a "... [jail] Ban <ip>" line is the IP; lines containing a colon
# (IPv6, or anything that is not a plain IPv4 address) are skipped.
list=`grep Ban /var/log/fail2ban.log | awk '{print $7}' | awk '/:/||/^$/{next}{a[toupper($0)]++}END{for(i in a) if(a[i]>2)print i;}'`
#echo "$list"
for i in `echo "$list"`
do
    # Only add the IP if it is not already listed in hosts.deny
    grep -q "$i" /etc/hosts.deny
    if [[ "$?" == "1" ]]; then
        echo "ALL: $i" >> /etc/hosts.deny
    fi
done
#tail /etc/hosts.deny

This does nothing but look for "Ban" entries in the fail2ban log. If the script finds an IP banned more than 2 times, it bans the turd(s) for good.  Adjust the ">2" part to match your preferred count.  It bans them by placing them in the /etc/hosts.deny file, blocking ALL connections, not just SSH or whatever.  Of course it greps hosts.deny for the IP first to eliminate duplicates.

Now as root run “crontab -e” and add the line:

0 0 * * * <path to>/

Run once to get the process started.
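The same repeat-offender logic, written here as an added example that is not the original post's script, run against a constructed fail2ban log so it can be tried offline. The function and file names are my own; the real inputs are /var/log/fail2ban.log and /etc/hosts.deny. It keeps the original's behaviour (count "Ban" lines per IPv4 address, skip IPv6) but matches the deny file on the whole line so that 10.0.0.1 is not mistaken for an existing 10.0.0.10 entry.

```shell
#!/bin/bash
# Added example (not from the original post): count fail2ban "Ban" events
# per IP and append repeat offenders to a hosts.deny-style file, idempotently.

# Constructed sample log: 203.0.113.10 is banned three times, 198.51.100.7 once.
make_sample_log() {
  cat > "$1" <<'EOF'
2016-03-01 10:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Ban 203.0.113.10
2016-03-01 11:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Unban 203.0.113.10
2016-03-02 10:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Ban 203.0.113.10
2016-03-03 10:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Ban 203.0.113.10
2016-03-03 12:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Ban 198.51.100.7
2016-03-03 13:00:01,123 fail2ban.actions[1000]: NOTICE [sshd] Ban 2001:db8::1
EOF
}

# repeat_offenders LOG THRESHOLD -> IPv4 addresses with more than THRESHOLD "Ban" lines.
# Field 6 is the action, field 7 the address; IPv6 is skipped like the colon filter
# in the original script.
repeat_offenders() {
  awk -v thr="$2" '$6 == "Ban" && $7 ~ /^[0-9.]+$/ { n[$7]++ }
                   END { for (ip in n) if (n[ip] > thr) print ip }' "$1" | sort
}

# add_to_deny DENYFILE IP -> append "ALL: IP" unless that exact line already exists
# (-x -F: whole-line, fixed-string match; 2>/dev/null covers a not-yet-existing file).
add_to_deny() {
  grep -qxF "ALL: $2" "$1" 2>/dev/null || echo "ALL: $2" >> "$1"
}

# ban_repeat_offenders LOG DENYFILE THRESHOLD -> the whole cron job in one call.
ban_repeat_offenders() {
  local ip
  for ip in $(repeat_offenders "$1" "$3"); do
    add_to_deny "$2" "$ip"
  done
}

# Demo on the constructed data (real use: /var/log/fail2ban.log, /etc/hosts.deny).
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/fail2ban.log"
ban_repeat_offenders "$demo_dir/fail2ban.log" "$demo_dir/hosts.deny" 2
cat "$demo_dir/hosts.deny"
```

One caveat worth knowing: /etc/hosts.deny is only consulted by services that use TCP wrappers (libwrap), so the "ALL:" entry blocks those daemons, not every packet. For a host-wide block, the recidive jail's iptables-allports action above is the tool that actually reaches the firewall.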

Hammer Storage HZD4B Personal Storage Manager PSM

No tricks, no cost.

Download the Hammer Storage HZD4B Personal Storage Manager (PSM) from us directly.  Since the file is no longer available through Zeceta, Avnet, or, we will provide it here, for free unlike those greedy people on eBay, and other sources (I bought it to provide it for you for free).  Please though, feel free to donate if you feel this site is a good service.

Hammer Storage, HZD4B Personal Storage Manager PSM PSM 1.5.4C (1754 downloads)

Setting CPU speed and governing, C-states and such, in Linux

Setting the CPU speed, governor, turbo mode, C-states and other settings in Linux is easy if they are enabled in the BIOS.  Use the tool i7z to verify that these settings take effect.

In Linux:

Enable ACPI CPU Frequency kernel module:
# modprobe acpi_cpufreq

Display number of CPUs available to modify:
# ls /sys/devices/system/cpu/

List available CPU frequencies.  If you have a Turbo CPU, you'll have a max non-turbo speed like 1800000, and then its Turbo setting 1801000:
# cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies

Enable (1) or disable (0) core:
# echo 0|1 > /sys/devices/system/cpu/cpu[num]/online

Set Maximum Frequency of CPU to run at (keep this low to reduce power consumption and heat):
# echo [speed] > /sys/devices/system/cpu/cpu[num]/cpufreq/scaling_max_freq

Set Minimum Frequency of CPU to run at (set this to max speed, or turbo speed to always run at that speed):
# echo [speed] > /sys/devices/system/cpu/cpu[num]/cpufreq/scaling_min_freq

Get core siblings list (for Hyperthreaded core list per real core):
# cat /sys/devices/system/cpu/cpu[num]/topology/thread_siblings_list

Check what governors are available for CPU:
# cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors

Set governor for CPU:
# echo ondemand|performance|conservative|powersave|userspace > /sys/devices/system/cpu/cpu[num]/cpufreq/scaling_governor

Enable (0) or disable (1) C-States:
# echo 0|1 > /sys/devices/system/cpu/cpu[num]/cpuidle/state[num]/disable
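The sysfs steps above collected into one script, added here as an example that is not from the original post. It validates a requested governor and maximum frequency against what the kernel advertises (scaling_available_governors and scaling_available_frequencies) before writing, so a typo cannot leave a core in an unintended state. The SYSFS variable, the function names and the fake tree used for testing are my own; on a real host SYSFS is /sys, the files come from the acpi_cpufreq driver loaded above, and the writes need root.

```shell
#!/bin/bash
# Added example (not from the original post): apply a governor and a
# frequency cap to every CPU that has a cpufreq subtree, checking each
# value against the kernel's advertised lists first.
SYSFS="${SYSFS:-/sys}"   # override to point at a fake tree for testing

# list_cpus -> cpu0 cpu1 ... for every CPU directory that has cpufreq/
list_cpus() {
  local d
  for d in "$SYSFS"/devices/system/cpu/cpu[0-9]*; do
    [ -d "$d/cpufreq" ] && basename "$d"
  done
}

# has_word FILE WORD -> success if WORD is one of the space-separated tokens in FILE
has_word() {
  tr ' ' '\n' < "$1" | grep -qx "$2"
}

# set_governor CPU GOV -> write scaling_governor only if GOV is available on that CPU
set_governor() {
  local dir="$SYSFS/devices/system/cpu/$1/cpufreq"
  has_word "$dir/scaling_available_governors" "$2" || {
    echo "$1: governor '$2' not in scaling_available_governors" >&2; return 1; }
  echo "$2" > "$dir/scaling_governor"
}

# set_max_freq CPU KHZ -> write scaling_max_freq only if KHZ is a listed frequency
# (intel_pstate does not provide scaling_available_frequencies; this is for acpi_cpufreq)
set_max_freq() {
  local dir="$SYSFS/devices/system/cpu/$1/cpufreq"
  has_word "$dir/scaling_available_frequencies" "$2" || {
    echo "$1: frequency '$2' not in scaling_available_frequencies" >&2; return 1; }
  echo "$2" > "$dir/scaling_max_freq"
}

# apply_all GOV KHZ -> apply both settings to every CPU; non-zero if any CPU refused
apply_all() {
  local rc=0 cpu
  for cpu in $(list_cpus); do
    set_governor "$cpu" "$1" || rc=1
    set_max_freq "$cpu" "$2" || rc=1
  done
  return $rc
}
```

Example usage on a real box, as root: `apply_all ondemand 1800000` caps every core at the non-turbo maximum under the ondemand governor; `apply_all performance 1801000` allows turbo. Because each write is guarded, a value that the driver does not list is reported per CPU and skipped rather than silently ignored by the kernel.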


For more information:


SSD & HDD Overprovisioning setting and removal

Sometimes a purchase of an SSD or HDD turns out to be over-provisioned.  Basically this means some part of the drive is reserved as storage to replace bad spots that cause errors.  In Linux this is fairly easy to check, set and remove.  Mac OS X and Windows, not so much.  Open a VM and install Linux, or boot to a USB key with Linux, to make life easier.  If I find an easy way in any other OS, I'll post it here.

There are two methods for manual over-provisioning, HPA (Host Protected Area) and DCO (Device Configuration Overlay), with DCO being the preferred method.  Both are configured with hdparm.

HPA method
Check HPA on disk:

# hdparm -N /dev/<disk>
max sectors = <current size>/<maximum size>, HPA is enabled (or disabled if current size = maximum size)

If enabled, let's disable it:
# hdparm -N p<maximum size from above> /dev/<disk>

If disabled, enable it:
# hdparm -N p<non-maximum size> /dev/<disk>

Let's rerun the HPA check:
# hdparm -N /dev/<disk>
max sectors = <should be set size>/<maximum size>, HPA is disabled (or enabled if not maximum)

Reboot. And recheck to verify the HPA setting stuck.
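Added example (not from the original post): a small parser for the "max sectors = CUR/MAX" line that hdparm -N prints, so the post-reboot recheck can be scripted instead of eyeballed. The hidden-sector count is derived from the two numbers rather than from the "HPA is enabled" text, which also makes it a quick forensic check for space a drive is not reporting. The function names are my own and the sample output lines are constructed; on a real host pipe `hdparm -N /dev/<disk>` into them.

```shell
#!/bin/bash
# Added example (not from the original post): interpret hdparm -N output.

# hidden_sectors: stdin = hdparm -N output; prints MAX - CUR (0 when no HPA),
# nothing if no "max sectors" line was found.
hidden_sectors() {
  sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\1 \2/p' | awk '{ print $2 - $1 }'
}

# hpa_state: stdin = hdparm -N output; prints enabled, disabled or unknown,
# judged from the sector counts alone.
hpa_state() {
  local n
  n=$(hidden_sectors)
  case "$n" in
    '') echo unknown ;;
    0)  echo disabled ;;
    *)  echo enabled ;;
  esac
}

# Constructed sample output, in the two-line form hdparm uses:
sample_with_hpa() {
  printf '/dev/sdX:\n max sectors   = 39000000/39078144, HPA is enabled\n'
}
sample_without_hpa() {
  printf '/dev/sdX:\n max sectors   = 1953525168/1953525168, HPA is disabled\n'
}

# Demo (real use: hdparm -N /dev/<disk> | hpa_state)
sample_with_hpa | hidden_sectors
sample_with_hpa | hpa_state
```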

DCO Method
This should identify DCO options for a disk:

# hdparm --dco-identify /dev/<disk>

This should remove the DCO option if it is currently set (reboot afterwards):
# hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/<disk>

Set the DCO overprovisioning (reboot afterwards):
# hdparm --yes-i-know-what-i-am-doing --dco-setmax <sectors desired instead of max> /dev/<disk>


Added a custom hdparm that’ll handle newer drives and DCO.
Custom hdparm for linux - (119 downloads)


Removing GPT information from a drive

Linux:

Method #1:

1. Press CTRL-ALT-F2 or F3.
2. Type “parted /dev/<devicename>”, usually “parted /dev/sda”.
3. Once inside parted type “mktable”:
-> Table type: msdos
-> Destroy data: yes
-> quit
4. GPT should now be removed.
5. Continue with install.

Method #2:

1. fdisk -s /dev/<devicename> — This prints the size of the device in 1K blocks.
Make the last five digits of this number zeros. Example: fdisk -s /dev/sda
will show a warning about GPT, and then the size in blocks: 39078144
Change that to 39000000, which is our blockcount.
2. dd if=/dev/zero of=/dev/<devicename> bs=1k seek=<blockcount> (zeros the tail of the disk, where the backup GPT lives)
3. dd if=/dev/zero of=/dev/<devicename> bs=1k count=20 (zeros the first 20K, where the protective MBR and primary GPT live)

Method #3:

1. Press CTRL-ALT-F2 or F3.
2. Type: "dd if=/dev/zero of=/dev/<devicename> bs=4k" (this zeros the whole drive, so it takes a long time).
3. When done, continue with install.
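Method #2 zeros everything from the rounded-down block count to the end of the disk, and Method #3 zeros the whole drive. This added example (not from the original post) wipes only the sectors the GPT actually occupies: the protective MBR, primary header and partition table in LBA 0 to 33, and the backup table and header in the last 33 sectors. It assumes 512-byte logical sectors (the offsets differ on 4K-native drives), reads the size with blockdev --getsz for a block device or stat for a disk image, and the function names are my own. On a real device it is as destructive as the original methods; the test below runs it on a throwaway image file.

```shell
#!/bin/bash
# Added example (not from the original post): zero only the GPT structures.

# device_sectors DEV -> number of 512-byte sectors (block device or image file)
device_sectors() {
  if [ -b "$1" ]; then
    blockdev --getsz "$1"            # reports 512-byte sectors regardless of drive
  else
    echo $(( $(stat -c%s "$1") / 512 ))
  fi
}

# backup_gpt_lba TOTAL -> first LBA of the backup table (32 sectors) + header (1)
backup_gpt_lba() {
  echo $(( $1 - 33 ))
}

# zap_gpt DEV -> zero LBA 0..33 (protective MBR, primary header, primary table)
# and the last 33 sectors (backup table, backup header). conv=notrunc keeps an
# image file at its original size.
zap_gpt() {
  local total start
  total=$(device_sectors "$1")
  start=$(backup_gpt_lba "$total")
  dd if=/dev/zero of="$1" bs=512 count=34 conv=notrunc
  dd if=/dev/zero of="$1" bs=512 seek="$start" count=33 conv=notrunc
}

# Demo on a constructed 1 MiB image filled with random bytes (real use: zap_gpt /dev/<devicename>)
img=$(mktemp)
dd if=/dev/urandom of="$img" bs=512 count=2048 2>/dev/null
zap_gpt "$img"
echo "backup GPT started at LBA $(backup_gpt_lba "$(device_sectors "$img")")"
```

Usage on a real disk is `zap_gpt /dev/<devicename>` as root, followed by a reboot or `partprobe` so the kernel drops its cached partition table. Compared with Method #2, the wipe touches 67 sectors instead of everything past the rounded block count, so the operation is instant and does not depend on guessing digits.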

Windows Vista/7/2008/BartPE/WinPE/WinXP Live:

Method #1:

1. Boot up to installation DVD/CD.
2. Click install but don’t follow through.
3. Press SHIFT-F10 to bring up console.
4. Type “diskpart”
5. Once inside diskpart type:
-> list disk (find the one you want to convert)
-> select disk 0 (select the one you want from the list)
-> convert mbr (should take a second or two)
-> exit
6. Continue with install

Method #2:

1. Boot up to installation DVD/CD.
2. Click install but don’t follow through.
3. Press SHIFT-F10 to bring up console.
4. Type “diskpart”
5. Once inside diskpart type:
-> list disk (find the one you want to convert)
-> select disk 0 (select the one you want from the list)
-> clean (wait an hour or so until it's done)
-> exit
6. Continue with install

Network install AIX via GNU/Linux without NIMOL

Network install AIX via GNU/Linux without NIMOL.

START AIX Network Files Setup

1. Install or extract DVD/RPMS/linux/aix-res-xxx.rpm (which will install into /opt/aix-res/<aixversion>).

2. Make /export/aix71/lppsource directory, creating all parent directories as necessary (or whatever you want to name your nfs export).

3. Copy directory /DVD/installp to /export/aix71/lppsource

4. Change into /opt/aix-res/<aixversion> directory.

5. Type: tar xzf ispot.tar.Z -C /export/aix71
**This will make a directory at /export/aix71/spot.

6. Type: gunzip and then move the extracted file to your /tftpboot directory and rename it something like "aix71-kernel".  This is the AIX kernel.

7. Copy “” to /export/aix71.  This will allow for autoinstallation if wanted in the future.

8. Copy DVD/usr to /export/aix71/SPOT/ overwriting all files.

9. Make files executable under /export/aix71/SPOT/usr/*.

10. Create an NFS export in /etc/exports like:

/export/aix71             *(rw,insecure,no_root_squash,sync)
/export/aix71/lppsource   *(ro,insecure,no_root_squash,sync)

11. Restart the NFS service.

12. Install AIX onto a Power system via CD/DVD.

13. After the OS is done installing log into it.

14. Configure all options as you want and install applications as desired.  I usually just change the password.

15. Within the OS mount your newly created NFS exports, say to /tmp/aix.

16. Then run the command: mksysb -e -i /tmp/aix/mksysb

17. Change /export/aix71 in the /etc/exports file to below and restart NFS:

/export/aix71             *(ro,insecure,no_root_squash,sync)

Note: mksysb is a disk image creation utility.  Verify it just created an image on the nfs mount.

END AIX Network File Setup

START AIX Install file setup

For the kernel file in /tftpboot (aix71-kernel in step #6) there needs to be a matching .info file.  If the kernel is renamed, or soft- or hard-linked to (the best way to save space and allow for customization), the .info file name needs to match.

The .info file, with the current setup, should be like the following, changing the variables to match what you have.

#----- Network Install Manager Info File -----#
export NIM_SERVER_TYPE=linux
export NIM_SYSLOG_PORT=514
export NIM_NAME=$clientname
export NIM_HOSTNAME=$clientname
export NIM_CONFIGURATION=standalone
export NIM_MASTER_HOSTNAME=$servername
export NIM_SHELL="shell"
export RC_CONFIG=rc.bos_inst
export NIM_BOSINST_ENV="/../SPOT/usr/lpp/bos.sysmgt/nim/methods/c_bosinst_env"
export NIM_BOSINST_RECOVER="/../SPOT/usr/lpp/bos.sysmgt/nim/methods/c_bosinst_env -a hostname=$clientname"
export SPOT=$nfsservername:/export/aix71/SPOT/usr
export NIM_BOS_FORMAT=mksysb
export NIM_HOSTS=" $clientip:$clientname $serverip:$servername $nfsserverip:$nfsservername "
export NIM_MOUNTS=" $nfsservername:/export/aix71/$nfsservername:/export/aix71/mksysb:/NIM_BOS_IMAGE:file "
export ROUTES=" default:0:$serverip "

#----- End of NIM Info File -----#

END AIX Install file setup

START For logging of all linux AIX/NIMoL Type Installs:

Taken from Bernard Zeller’s information
1. Edit /etc/sysconfig/syslog:
# /etc/sysconfig/syslog


2. Edit /etc/syslog.conf

# /etc/syslog.conf

#local2,local3.*              -/var/log/localmessages
local3.*                      -/var/log/localmessages
local4,local5.*               -/var/log/localmessages
local6,local7.*               -/var/log/localmessages
local2.*                      -/var/log/nimol.log

END For logging of all linux AIX/NIMoL Type Installs:

Start DHCP Setup:

pBlade uses bootp to retrieve IP information, and dhcpd already serves bootp.  A static IP needs to be set, which is fairly simple.

/etc/dhcpd.conf, or a separate file that is "included" from dhcpd.conf, should contain a host entry like the following (dhcpd requires the filename value to be quoted):

host $clientname {
    fixed-address $clientip;
    hardware ethernet $clientmac;
    filename "aix71-kernel";
}

The SMS Remote IPL for the blade will need to be setup to represent the configuration.
Client IP: $clientip
Server IP: $serverip
Gateway IP: $serverip
Subnet Mask: or whatever you have yours set to.


****** VIOS Installations

These are very similar to the above.  The major difference is mksysb installs vs. rte: mksysb images are disk images, while rte is a fresh install.  VIOS installations, I believe, can be handled the same way as AIX, but following Bernard Zeller's installation information mksysb is used, as it is already available on the DVD, where for AIX it is not.  mksysb images are easier for both VIOS and AIX.  rte and spot installs DO work, but keeping them straight between versions is a hassle for me.  This works and has worked for many installs.

vi – my CLI editor of choice

My editor of choice is "vi".  Here are some useful things I use often.

If you can't use the arrow keys to navigate, use vi's built-in navigation keys: h, j, k, l.  It's easy to remember the directions if you live in the US.  Not so much elsewhere.

h = Left (Think Hawaii)
j = Down (Think Jamaica)
k = Up (Think Kanada [Yeah, lame but it works])
l = Right (Think London)

To search for text, type /<text to search for>.  To go to the [n]ext match press "n".  To go to the previous match press "N" (capital n).  Example: /crap

I like line numbers in vi.  I set them by entering in vi and typing :set number

To go to a certain line number type :<line number>.  I use this to go to the first line of a file by typing :1.  You can also press 1G to go to the top or G to go to the bottom of a file.

To "sed" (something like search and replace) type :s/<text to replace>/<replacement text>/[optional g here for global replacement on the line, otherwise it's just the first match it finds].  So :s/crap/noncrap/g.  Note that :s acts on the current line only; :%s/crap/noncrap/g does the same across the whole file.

Sometimes I enter vi or vim and don't get the syntax highlighting (coloring) that I want.  To turn it on or off, type :syntax on or :syntax off.

Press “i” to enter insert mode, “a” to move over one and begin appending, ESC  to go back to command mode, :w to write the file, :wq  or :x to write and quit.

If you get a read-only error when saving a file AND have sudo ability, you can use the following to write the file :w !sudo tee %

To cut a line or several lines you can press “d” twice, dd.  For more than one line, do  d<number of lines>d like d23d for 23 lines to cut.  You can do the same with “y” for copying one or more lines.  Press “p” to paste.

There are plenty more useful things, but these are the ones I use the most.  Here are some cheatsheets and links for referencing:

Best vi cheatsheet
vi cheatsheet 1
vi cheatsheet 2
Download vim for many OSes including Windows.

pv – The wonderful progress bar for linux and Mac OSX

Sometimes I just would like a progress bar.  Its usefulness is only to keep me sane in the face of near certainty.  pv is a useful utility created for that purpose.


There are a lot of ways to use it, but pairing it with dd seems the most popular.
Here's an example of how I use it (pv -s is given the file size so it can show a percentage and ETA):

# file="<filename>"; dd if=${file} | pv -s $(stat -c%s ${file}) | dd of=/dev/null