Study Guide
Linux Professional Institute Certification Level 2 Exam 2
Contents
Prerequisites 1
207.2 Create and Maintain DNS Zones (Zone Files and Record Types) 6
/etc/nsswitch.conf 61
/etc/security/limits.conf 62
/etc/pam.d/passwd 63
/etc/pam.d/system-auth 63
/var/named/named.localhost 67
Prerequisites
Linux - CentOS 6, CentOS 7 (or Other SysVInit or Systemd Distribution)
Topic 207 - Domain Name Server
207.1 Basic DNS Server Configuration (DNS Overview)
• DNS (Domain Name Service)
• used to provide translation of IP addresses to names and is part of the TCP/IP standards that
provide this type of functionality
• additional name resolution protocols are LDAP and NIS, although DNS is unique in that it
provides ONLY name resolution (unlike the other two)
• /etc/resolv.conf
• nameserver [IP Address] • one or more lines indicating the IP address of a server
configured to respond to DNS queries from the client (typically up to three nameserver values
are supported, order of appearance is the order they will be queried)
• search [domain] • the default domain that will be searched for member names
• domain [domain] • the default domain that all names will be assumed to be a member
of unless specified by a FQDN
• root servers
• these servers are the “end point,” where DNS queries are passed off to by all other DNS servers
• currently, there are 13 root server entries (described by default in the BIND zone files - see
configuration further down)
• key terms
• Domain name • valid names registered in a DNS server (they can be public, private or both)
• Top-level domain • referred to by the “.” (dot) character in a domain, the final portion of a
domain name (i.e. .com, .net, .int, .gov, .edu, .mil - the original top level domains)
• FQDN (fully qualified domain name) • the host name followed by the domain it belongs to
(i.e. user1.mylabserver.com is the FQDN for one of the Linux Academy lab servers with the host
name ‘user1’)
-1-
Linux Professional Institute Certification Level 2 Exam 2 Linux Academy
• Zone files and records • this file stores the translation from IP to name and a record is the
individual line that represents one such translation
• caching name server • a DNS server that returns address information received from another
DNS server, used to speed DNS queries by caching those results for a period of time
• TTL (time to live) • the amount of time a cached DNS record will be returned before a query
is sent back out to obtain a fresh copy (generally by default, it is 24 hours but can be set to any
value desired, see subsequent BIND server setup later)
• DNS forwarder • simply forwards DNS requests from one network to another (often internal
network to external network DNS)
• Reverse lookup • domain name to IP (most DNS servers provide in addition to forward
lookups)
• BIND (Berkeley Internet Name Domain) • most common DNS server, specific configuration
tested during LPIC-2 Exam 2
• dnsmasq • additional DNS server that functions as a forwarding DNS server and/or for
DHCP
• PowerDNS • load balanced DNS server (service) that was originally proprietary but later
open sourced
• djbdns • developed as a more secure alternative to the BIND DNS server, more popular on
Debian/Ubuntu systems
• /etc/named.conf
• the default settings are for a caching name server (part of the LPIC-2 requirements), simply
starting the default configuration with the ‘named’ service will start a fully configured and
functional caching only DNS server
• would listen on the localhost IP and 10.1.0.100 over port 53 for DNS requests
• directory • by default, will be /var/named, but can be defined to any location (taking
SELinux into consideration) for the working directory of the server (except for chroot jails,
covered in a later topic)
• dump-file • directory of the file created with the rndc dumpdb command
• allow-query • indicates the systems the server will respond to (semicolon delimited
list of allowed/disallowed systems)
• will allow queries from localhost, and the entire 10.1.0/24 network EXCEPT
10.1.0.100
• dnssec-enable • set to yes will enable the DNSSEC (Secure DNS Extension), for
securing/authenticating DNS data (again, covered in a later topic in more detail)
• logging • allows the definition of logging locations as well as the level of messages that
are written (called severity)
• zone • although not an essential setting for a caching nameserver, will specify the type
and location of zone files for a hosted DNS service
• include • specifies additional files (containing other settings) that can be included when
the service is started (be careful about placement since its location will determine the exact
place the included files rules are inserted)
• /etc/rndc.conf
• NOTE: Comments about the rndc key at the bottom of this configuration file need to be
copied to /etc/named.conf and uncommented (and named restarted if already running)
• can be used to perform certain actions on the ‘named’ service (the BIND server)
• rndc-confgen • creates a default configuration file for the rndc utility (will display to
terminal by default, redirect to the file /etc/rndc.conf for persistence)
• if the configuration file is generated, be sure to change group ownership of the file
to ‘named’ and set permissions to 0640 to prevent reading of the secret key used to
control the service
• dumpdb • creates a dump file of server cache and/or zone files for the server
• flushname [domain] • flush just the cached information for the indicated domain
• reconfig • reload the /etc/named.conf file and new zone files (note: does not
reload existing zone files, even if changed)
• dig
• would provide all information for the mylabserver.com domain using the domain server at
address 10.0.1.100
• host
• would provide the address of the user.mylabserver.com host as well as other info (like mail
server, if available)
• uses the values as specified in the /etc/resolv.conf file unless you indicate an alternate
nameserver
• would use the Google Public DNS nameserver at 8.8.8.8 rather than any nameserver in
/etc/resolv.conf under the nameserver directive
• files here define the host to address translation for the domains the BIND server is responsible
for
• /var/named/named.ca
• root server listing (will generally never modify the values in this file)
• /var/named/named.localhost
• zone files
• Example • for the zone called ‘mydomain.com’, your entries would look like:
• zone “mydomain.com” {
type master;
file “named.mydomain.com”;
};
• this is a ‘forward’ zone file (translates names to addresses); the type ‘master’
means that the current host is where changes to the zone file will be made, and the file is the
name of the file containing the zone information for the indicated domain
• ‘reverse’ zone files (optional) translate addresses to names (sometimes is required for mail
services)
• Example • for the zone called ‘mydomain.com’, your entries in /etc/named.conf for
reverse zone would look like:
• zone “0.1.10.in-addr.arpa” {
type master;
file “db.10.1.0”;
};
• the format of the definition “0.1.10.in-addr.arpa” is the reverse of the first three octets
of the domain address, this helps to indicate that it is a reverse lookup zone and is a
standard naming convention
• often set up as a backup of the master, also contains zone information for the indicated domain
• see ‘Appendix A - Sample Configuration Files’ for an example of the ‘0.1.10.db’ file in our
configuration
• record types
• SOA • start of authority, defines the authoritative information about a zone, contains:
• Name server • domain name of the master name server (in our example - named.mydomain.com)
• Email • DNS admin email (note: can be anything, but substitute a ‘.’ dot character for
‘@’ in the address)
• Serial number • a number that indicates whether a zone needs to be updated to a slave,
anytime you make a change to a zone file, this serial number should be incremented by some
value (if a slave is configured, it will then initiate a zone transfer to update the zone)
• Refresh • determines the frequency a slave server queries the master to determine if
updates are needed
• Retry • how long a slave will wait to retry a master query for an update
• Expiry • when the slave server stops responding to DNS query requests if the master
continues to be unavailable
• address type
• canonical name
• allows you to define a host with more than one name (or role) in your domain
• this would indicate that the name “logs.mydomain.com” translates to the name
“prod.mydomain.com” (which then translates to the IP 10.1.0.101)
• name server
• as every domain can have one (or more) name servers, they are defined as a NS (name
server) record
• although the master name server is defined in the SOA record (see Appendix A for the full
listing), that server must still contain a NS definition
• Example • @ IN NS named.mydomain.com.
• mail exchange
• sending email services (called MTA - mail transfer agents) have to be able to figure out
which host will handle inbound email for the mydomain.com domain, this is done by creating
one or more MX (mail exchange) records
• Example • @ IN MX 10 prodmail.mydomain.com
@ IN MX 20 bkupmail.mydomain.com
• these two records define two mail servers, where the number indicates the priority
(order) they should be tried (they can be different, as in the case of a primary and
backup, or the same, as in the case of a load balanced mail environment)
• pointer
• used in reverse lookup zone files so that the IP can be translated into the name
• note the IP for the host is given in the reverse order of the IP in a forward lookup
• there are other record types, but these are by far the most common and the only ones you
have to know for the exam
• see Appendix A for a full listing of the sample configuration for our ‘mydomain.com’ example
• allow-query • add networks that are allowed to query the DNS server (default from
caching nameserver setup is localhost only, in our example, we would add ‘10.1.0.0/24’ to allow the
entire network to query the server)
• forward zone
• zone “mydomain.com” IN {
type master;
file “fwd.mydomain.com.db”;
allow-update { none; };
};
• reverse zone
• zone “0.1.10.in-addr.arpa” IN {
type master;
file “0.1.10.db”;
allow-update { none; };
};
• /var/named/0.1.10.db
• named-checkconf
• NOTE: if no errors are detected, then no output will be displayed; if an error is found, it will
provide a line number and some information about what may be wrong
• the utility is a ‘smart’ utility in that it knows which options are valid or invalid and will indicate
such as encountered
• named-checkzone
• errors reported are not always the easiest to ascertain (most common error is a missing ‘.’ at
the end of certain lines - see Appendix A for examples of lines needing a trailing ‘.’ character at
the end of a name)
• dig
• utility to check DNS (forward lookup), can specify a different nameserver other than the default
defined in /etc/resolv.conf
• will query the nameserver ‘localhost’ for the name ‘prod.mydomain.com’, returning ALL
DNS record information on it
• nslookup
• similar to dig in that it can return forward zone lookups, but can also return reverse lookups,
specifying the nameserver to use
• will use the nameserver ‘localhost’ to return the name associated with IP ‘10.0.1.101’
(if there is one)
• NOTE: this command is being retired (deprecated) but is an objective on the LPIC-2 exam
• NOTE: for the LPIC-2 exam, you will need to know the older ‘chroot’ method; most modern
Linux distributions (CentOS 6+, Debian 6+, Ubuntu 11.04+) use a special package for the named
process (called bind-chroot), but that is not part of the exam and you are expected to know this
older method
• running a process or service that is normally a ‘root’ level process or service as a ‘non-root’
user (sometimes called running with a service account) can still sometimes present security
concerns (such as when system level files have read/write access associated with them)
• the solution is to place this process in a ‘jail,’ wholly contained in a subdirectory where the
process can only see the filesystem in the subdirectory it is in (i.e. the subdirectory appears to be the
root directory of the filesystem to the process)
• an alternative to chroot jails is the SELinux security system; however, that is not an exam
objective but is covered in great detail in other Linux Academy Linux certification preparation
courses
• decide the directories that will serve as the jailed filesystem outside of the ‘chroot’ root
filesystem
• /chroot/named/var/run • the location where process data is stored (i.e. PID file)
• recursively sets user and group ownership to the ‘named’ user account and group
• mknod /chroot/named/dev/random c 1 8
• mknod /chroot/named/dev/null c 1 3
• the ability to provide both internal and external DNS queries from one or more servers
• some servers on your network are available publicly (web servers for example), while others on
your network are not (HR or accounting for example)
• configuration implementation is the same as single DNS server set ups, one with the domain
internally and all hosts belonging to it (both internal AND external hosts) while the other with the
domain externally and hosts intended for public access ONLY (partial zone information)
• NOTE: very often, the internal DNS server will use the external DNS server as a forwarding
DNS service (in your /etc/named.conf), this is a security tactic to abstract the internal network
addresses from the external DNS servers (or any others that may be listening)
• both private and public signatures are used to verify that the DNS response is coming from the
right/trusted source
• implemented most commonly with DNSSEC (Domain Name System Security Extensions)
• dnssec-keygen
• -b [#] • the size of the key, in bytes, between 1 and 4096, depending on the key type
• would generate a ‘RSASHA256’ 2048 bit key type for the ZONE called mydomain.com
• NOTE: entropy (/dev/random) is used and can take some time, particularly on headless/
virtual systems, refill entropy with the /dev/urandom device by issuing a
rngd -r /dev/urandom -o /dev/random -b command
• dnssec-signzone
• uses the private key (created above) to sign a zone file, which can then only be verified using
the public key
• create the zone file first, then sign it with the private key
• [private key] • the private key file to sign the zone with
• would create a new zone file called ‘fwd.mydomain.com.db.signed’ using the private
key file ‘Kmydomain.com.+001+010203’
• this file would then be used (with DNSSEC turned on in the /etc/named.conf file)
as the zone file for the domain ‘mydomain’
• httpd.conf/apache2.conf
• Listen [IP:Port] • binds the Apache service to the IP and port (IP is optional, omitted
would be for all addresses)
• DocumentRoot “[directory]” • the default system wide directory where content files
are located (can be overridden in individual virtual hosts - covered later)
• LogLevel [level] • the amount and type of messages that will be logged in the error_log
• valid levels are alert, emerg, crit, warn, error, info, debug, and notice
• directives
• sections within the configuration file that contain one or more values defined for use
• service
• /var/www/html
• the default location (without making any change) that apache will access to display site
content
• /var/log/httpd
• default logging location for the Apache access and error logs (access_log and error_log)
• names of files and locations can be overridden in vhost files or changed in the primary
configuration file
• apache-mod-perl or libapache2-mod-perl2
• the numbered configuration file should contain the line LoadModule perl_module modules/mod_perl.so
• NOTE: an include statement for loading configuration files needs to be added to the main
configuration file
• <Directory /var/www/html/perl-cgi>
AllowOverride All
SetHandler perl-script
PerlHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
• when a Perl script is called for, it will look in /var/www/html/perl-cgi (or whatever other
directory you indicate)
• PHP module(s)
• the numbered configuration file should contain the line LoadModule php5_module modules/libphp5.so
• NOTE: an include statement for loading the configuration files needs to be added to the
main configuration file
• unlike Perl, the PHP files will exist in the same directory as other content files are
• StartServers [#] • by default, a single process is started owned by root, that does not
handle web requests, this setting will determine how many Apache user owned processes are started
to handle client requests
• MaxSpareServers • will allow the Apache process to kill processes that are not serving
requests once they exceed this number
• MaxClients • this is the maximum number of Apache servers that can be started (effectively
limiting the number of client requests that can be handled at any one time)
• htpasswd
• allows you to secure specific directories and/or files on a site, requiring user authentication
before granting access
• will create a new password file called ‘passwdfile’ and prompt for a password for the
‘linuxacademy’ user
• <Directory /var/www/html/secure_dir>
AuthName “Secure folder”
AuthType Basic
AuthUserFile /etc/httpd/passwdfile
Require valid-user
</Directory>
• .htaccess
• <Directory /var/www/html/secured_2>
AllowOverride AuthConfig
</Directory>
• allows you to host more than one website on a single Apache host/instance/server
• name-based virtual hosts - the most common method where all domains share a single IP and
are differentiated by the site name
• IP-based virtual hosts - each domain has a separate IP (either IP aliases or multiple network
devices)
• <VirtualHost www.mydomain.com>
ServerAdmin admin@mailprod.mydomain.com
DocumentRoot /var/www/html/mydomain
ServerName www.mydomain.com
ErrorLog /var/log/mydomain/error_log
</VirtualHost>
• <VirtualHost www.extradomain.com>
ServerAdmin admin@mailprod.extradomain.com
DocumentRoot /var/www/html/extradomain
ServerName www.extradomain.com
ErrorLog /var/log/extradomain/error_log
</VirtualHost>
• restart of the apache/httpd service to load the virtual hosts and make the sites available
• NameVirtualHost 10.1.0.110
<VirtualHost 10.1.0.100>
ServerName www.mydomain.com
DocumentRoot /var/www/html/mydomain
</VirtualHost>
<VirtualHost 10.1.0.100>
ServerName www.extradomain.com
DocumentRoot /var/www/html/extradomain
</VirtualHost>
• restart of the apache/httpd service to load the virtual hosts and make the sites available
• using public and private keys, encrypts the transactions that take place between a client and a
web server
1. Self signed • this is when the site/server that generates the certificate ‘signs’ it, there
is no independent certificate authority involved and browsers will warn or block a client
from reaching a site with a self signed certificate, these are often used in non-production/test
environments (like our demo will be)
• the primary method of implementing SSL certificates on the standard Apache server (and the
method that you can expect to see on the exam)
• loaded in the primary Apache configuration file with LoadModule ssl_module modules/mod_ssl.so
• openssl
• used to generate the key, certificate signing request and/or the self signed certificate on your
system
• genrsa • the key type (RSA) to generate, DSA is available, but RSA is the preference for
security
• -des3 • the algorithm used that specifies the encryption type (triple DES)
• will generate a Triple DES encrypted 2048-bit RSA key called ‘mydomain.key’ in the
current directory
• req -new • will request a new certificate or certificate signing request
• -key [keyname] • the key to use for generating the certificate signing request (CSR)
• will generate a new certificate signing request called ‘mydomain.csr’ using the key called
‘mydomain.key’
• openssl-perl
• used to self sign a certificate (creating a full path - key, signing request and certificate)
• /etc/pki/tls/misc/CA.pl (NOTE: exact path to this script may be different for your
distribution)
• /etc/pki/tls/misc/CA.pl -newca
• for self-signed certificates, most are optional except the password for the key
• /etc/pki/tls/misc/CA.pl -newreq
• for self-signed certificates, most are optional except the password for the key
• /etc/pki/tls/misc/CA.pl -signreq
• for self signed certificates, most are optional except the password for the key
• in the working directory (in our example, /root/httpd), will be three files
• newreq.pem (the signing request - not needed after the certificate is generated)
• /etc/ssl
• SSLCertificateKeyFile /etc/httpd/ssl/mydomain.com-privatekey.pem
• SSLCertificateFile /etc/httpd/ssl/mydomain.com-selfcert.pem
• SSLCACertificatePath • part of authenticating clients, in this case, you would place all
files in a directory rather than a single file combining them all
• SSLProtocol • specifies the protocol to use and the version, often used for backward
compatibility (valid values are SSLv2, SSLv3, ALL, TLSv1, TLSv1.1 or TLSv1.2)
• SSLEngine • used to turn SSL support for sites on or off as part of the virtual hosts (if used)
• SSLCipherSuite • indicates the cipher used to create the keys (like RSA)
• Forward proxy • client proxy that can block access to certain public resources, abstracts a
client connection as the requested service sees a request as though it comes from the proxy rather
than the client requesting it, some data can also be cached (static data - icons, images, etc) as well
as providing logs of client network activity/requests
• Reverse proxy • server proxy that can provide load balancing, caching of static data,
offloading of SSL based traffic, abstraction of the server environment as the client only sees the
proxy, and can compress data for increased speed
• tunnel proxy • acts as an intermediary between two network connections (not an LPIC-2
objective)
• nginx • can function as a web server, load balancer and reverse proxy server
• /etc/squid/squid.conf
• http_port [port] • the port that the proxy will listen to for connections (default
is 3128)
• http_access • indicates the ACL name that is permitted to use the proxy as a
forward proxy
• acl • allows the grouping of source and destination networks, ports, addresses and/or
security settings and associates those settings with a name that can be referred to in the
configuration (access control list)
• default configuration
• both acl and http_access examples are listed in the configuration file
• acl (format)
• [type] • src (source), dst (destination), time (allow access during), Safe_ports (http
ports allowed), SSL_ports (SSL ports allowed)
• definitions in use
• destination
• localhost • destination IP address of the local machine, used if localhost is the source
• http_access
• /etc/nginx/nginx.conf
• primary configuration file for nginx web server (and later, proxy configuration)
• ‘server’ section
• load balancing
• acceleration
• client authentication
• bandwidth management
• nginx
• /etc/nginx/nginx.conf
• primary configuration file for the nginx reverse proxy server (as well as web server from
previous example)
• proxy configuration
• /usr/share/doc/samba-3.x.x/htmldocs
• /etc/samba/smb.conf
• /etc/samba/smb.conf.example
• server string • text description of the server, can be whatever you want
• load printers • yes/no for sharing all CUPS printers available on the server
• browseable • yes/no, determines if the home share is visible from client tools or
utilities when displaying available samba shares remotely (no would keep the share from
showing, but it is still available by name)
• [printers] • determines if printers are available through the CUPS printing system
• browseable • yes/no, determines if the home share is visible from client tools or
utilities when displaying available samba shares remotely (no would keep the share from
showing, but it is still available by name)
• guest ok • yes/no, permits printing access to the guest account (if defined, see
below)
• guest ok • yes/no, permits the guest account access to the share (if defined, see
below)
• writeable • yes/no, determines read only or read/write access of the share (NOTE:
filesystem permissions will still
• Example • mkdir /myshare && chmod 777 /myshare (relying on the permissions set
in the share section of the configuration)
• testparm
• services to start
• nmblookup [WORKGROUP]
• utility to add a user account and password to the samba user database
• -a [user] • add the user after prompting for a password (NOTE: the user MUST have a
system account or be mapped in the usermap file, see below)
• username map
• file created to map system accounts and samba accounts (important for Windows users without
system accounts)
• NOTE: the aforementioned ‘guest account’ is not defined in the usermap, but rather
in the section that defines the share the guest account should have access to (i.e. in the
[custom share] section, set ‘guest account = guest’ and then create the ‘guest’ account
using ‘smbpasswd -a guest’ as normal)
• smbclient
• will be placed at the smb:\> command prompt, help will display a list of valid commands
(cd, ls, dir, etc, similar to FTP commands)
• smbstatus
• shows the status of the server, its account connections and shares being accessed
• mounting a share
• would mount the samba filesystem at 10.1.0.100 called myshare locally on the
/mnt/sambashare directory, prompting for the password for the ‘user’ account
• username=user
password=secret
• /etc/exports
• file that provides information about the directory to be shared, what network/client addresses
can access it and what options are available to each
• general format:
• would provide an exported share called /nfsshare as read/write to the host user1
and user2, default options to user3 (notice the space between host and options), read/write
access to any client on the 10.1.0.0/24 network and global read only to every other host
• other options:
• rw • read/write
• ro • read only
• async • file writes are made to memory and flushed to disk periodically (can increase
chances of corruption)
• root_squash • do not map the client root account to the server root account (done for
security to prevent local root account from being a share root account)
• no_root_squash • map the local and remote root account IDs so they have the same
permissions
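The following Python audit is an added example, not part of the study guide or of nfs-utils: it parses the host(options) syntax described above, fills in the server defaults (ro, sync, root_squash) for entries that omit them, and flags the space-between-host-and-options mistake the notes point out as well as no_root_squash; the /etc/exports content is constructed.

```python
# Constructed /etc/exports matching the notes' description of /nfsshare;
# the space in "user3 (rw)" is the mistake the notes warn about
EXPORTS = """\
# constructed sample
/nfsshare   user1(rw) user2(rw) user3 (rw) 10.1.0.0/24(rw) *(ro)
/newshare   *(ro)
/backup     10.1.0.110(rw,no_root_squash)
"""

# exportfs applies the first of each pair when an entry says neither
DEFAULT_PAIRS = (("ro", "rw"), ("sync", "async"), ("root_squash", "no_root_squash"))


def apply_defaults(options):
    """Fill in ro/sync/root_squash wherever the entry is silent."""
    effective = list(options)
    for default, opposite in DEFAULT_PAIRS:
        if default not in effective and opposite not in effective:
            effective.append(default)
    return effective


def parse_exports(text):
    """Return a list of (path, host, effective_options, note) tuples, one per
    host entry; a bare '(options)' token is recorded against host '*', which
    is how exportfs reads it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for token in tokens:
            note = ""
            if "(" in token:
                host, opts = token.split("(", 1)
                options = [o for o in opts.rstrip(")").split(",") if o]
                if host == "":
                    host = "*"
                    note = "space before '(' - options apply to every client, not the host before them"
            else:
                host, options, note = token, [], "no options - server defaults only"
            entries.append((path, host, apply_defaults(options), note))
    return entries


def audit_exports(text):
    """Return human-readable findings for stray '(options)' tokens,
    read/write exports to every host, and no_root_squash entries."""
    findings = []
    for path, host, options, note in parse_exports(text):
        if note.startswith("space"):
            findings.append(f"{path}: {note} ({','.join(options)})")
        if host == "*" and "rw" in options:
            findings.append(f"{path}: read/write for every host")
        if "no_root_squash" in options:
            findings.append(f"{path}: no_root_squash for {host}; remote root becomes root on the server")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(EXPORTS):
        print(finding)
```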
• to preserve permissions (and not have UIDs conflicting or causing other users to have different
user’s file access), it is important to map the UID/GID of each account intended to use NFS shares
so they are the same on both the server and the client system
• typically the reason that NFS is not a public share system, used privately on private networks
because of the management (there are methods of automating this synchronization, like OpenLDAP,
covered later in the course)
• will create the user and group called ‘user1’ with a UID/GID of 1101 and create the home
directory for that user
• services to start
• rpc.statd • recovery of files (in the event server is rebooted while clients are connected
and accessing files)
• rpc.mountd • for client mount requests (NOTE: may just be called mountd)
• nfsd • primary server process handling clients (can also see rpc.nfsd or nfsd4/rpc.nfsd4 for
hybrid systems)
• rpcbind (portmap)
• portmap informs client connections how to reach a resource (like rpc) port, literally maps the
port
• rpcinfo -p
• portmap
• generally used to restrict access to a small list of hosts while denying everything else (ALL)
• hosts.allow takes precedence (whatever is in this file gets access, regardless of what is in
hosts.deny)
• exportfs
• can also be used to export a new share not defined in the /etc/exports file (as long as
service is running)
• will provide global read only access to the /newshare directory on the server
10.1.0.110 (same server as run on)
• changes made to /etc/exports directly are active after a reboot OR on issuing exportfs
-a to reload configuration
• nfsstat
• showmount
• NOTE: for the demo, be sure you have created a local host entry for the remote client name and
private IP in order to meet the configuration (we used private IP in the configuration)
• df -h
mount
cat /proc/mounts | grep nfs
• /etc/fstab
• will mount the ‘nfsshare’ from server 10.1.0.110 on the local directory /mnt/nfsshare as an
nfs filesystem with default access rights
• soft or hard • if unavailable, soft will stop trying to mount, hard will continue trying
(see timeo option)
• fg or bg • determines if the attempt to mount happens in the foreground (waits for mount
to succeed/fail) or background (boot can continue while silently attempting in the background -
used with ‘hard’ above to prevent boot hanging)
• timeo=[#] • timeout value before mount attempt fails (in tenths of a second)
• retrans=[#] • how many times the system will retry mounting a share
• rsize=[#] • maximum read size request allowed of the remote server (default 8192 or
8mb)
• wsize=[#] • maximum write size request allowed to the remote server (default 8192 or
8mb)
• Specifically, it is a network protocol that provides the ability for a router (or in this case, a
Linux server) to automatically assign an IP address to a client system from a pre-determined range
of IP addresses.
• A client comes online and sends out a broadcast over the network, which is intercepted by the
DHCP, and then an address is provided from the pool of addresses (either the next available address
OR an assigned address ‘reserved’ for that client under specific configurations).
• DHCP packages (outside of client functionality) are not typically installed by default in most
distributions (outside of specific ‘server spins’ of some enterprise class distributions like Red Hat or
CentOS).
• dhcp
• dhcp-server
• isc-dhcp-server (older)
• dhcp4-server
• /etc/dhcpd.conf
• The configuration can be boiled down to the following directives for our exam purposes:
• ddns-update-style [style];
• ignore client-updates;
• Router/switch forwards the DHCPDISCOVER to the proper DHCP server (as configured).
• Server receives DHCPDISCOVER and, based on the configuration of available addresses, the
client’s hardware address and/or hostname and the configuration of the DHCP server software,
determines the appropriate address to assign to the machine originating the request.
• The address is (temporarily) reserved for the client machine and the DHCP server sends the
client a DHCPOFFER with the address information contained within.
• The client, upon receipt, will respond with a DHCPREQUEST, to inform the DHCP server it
intends to use the address.
• The server responds with a final DHCPACK, confirming the client and assigning a lease on the
provided address for the specified (configured) period of time.
• A special agent that can listen on subnets that do not have a DHCP server for DHCP requests
(or BOOTP requests) and then forward those on to a specific DHCP server on another network.
• Determines whether the DHCP server should attempt dynamic DNS updates on behalf of the
requesting clients. Valid values are:
• none • no attempt to update DNS servers is made
• standard • newest method (DHCP v4), incorporates new standards for Dynamic
DNS services
• Key Directives
• option routers [ip(s)];
• domain-name [“domain”];
• domain-name-servers [ip(s)];
• default-lease-time [seconds];
• max-lease-time [seconds];
• Logging
• The implementation of PAM allows you to control that authentication process by making
changes to the associated PAM configuration file(s) without having to alter the tools or utilities
directly (abstracting the security so it remains separated from the tools).
• Benefits
• Password Control
• Environment Control
• Session variables
• User Control
• each file will contain one or more lines, each three columns across:
• 1st Column (Type) – valid values are ‘auth, account, session, password’
• 2nd Column (Control Value) – valid values are ‘required, sufficient, requisite,
optional, include’
• Once the 2nd column is reached, the evaluation will be either ‘successful’ or
‘unsuccessful’ and the action in the 3rd column is applied
• 3rd Column – the action of the line takes place here, there are a large number of valid
actions identified by the *.so (shared object/library) or by another category included by key
word
• This keyword indicates that you can include the rules in any other file (set of PAM values)
already defined (common inclusion is ‘system-auth’)
• This line will determine if an account has been provided (it is required by the rule), if
unsuccessful, it will deny login (determined by the pam_nologin.so module). If an account
has been provided, it is successful and will move to the next line in the module for any further
evaluation.
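The three-column evaluation described above, as an added example that is not part of the study guide: a small Python model of how the control values drive a stack, run against a constructed auth section written in the style of system-auth. Module results are supplied by hand, so the walk-through runs offline.

```python
"""Walk a PAM stack the way pam.d(5) describes the simple control values.

Added example, not from the study guide. The stack text below is a constructed
excerpt in the style of /etc/pam.d/system-auth, and each module's result is
supplied by hand (a real module would consult /etc/shadow, etc.).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stack: an 'auth' section like the CentOS default.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
"""

# Constructed mis-ordered stack: pam_deny.so is consulted BEFORE pam_unix.so.
MISORDERED_AUTH = """\
auth        required      pam_env.so
auth        required      pam_deny.so
auth        sufficient    pam_unix.so try_first_pass nullok
"""


@dataclass
class Rule:
    mtype: str            # 1st column: auth, account, session, password
    control: str          # 2nd column: required, requisite, sufficient, optional
    module: str           # 3rd column: module .so name
    args: Tuple[str, ...]


def parse_stack(text: str) -> List[Rule]:
    """Parse pam.d lines into Rules; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        mtype, control, module, *args = fields
        # A leading '-' (as in '-password optional ...') only silences the
        # log message for a missing module; the type itself is unchanged.
        rules.append(Rule(mtype.lstrip("-"), control, module, tuple(args)))
    return rules


def evaluate(rules: List[Rule], mtype: str, results: Dict[str, bool]):
    """Return (granted, modules_consulted) for one management group.

    results maps a module name to True (success) or False (failure); a module
    missing from results is treated as failing, which is pam_deny.so's purpose.
    """
    failed = False            # set once a 'required' module has failed
    consulted = []
    for r in rules:
        if r.mtype != mtype:
            continue
        ok = results.get(r.module, False)
        consulted.append(r.module)
        if r.control == "required":
            # Failure is remembered but the stack keeps running, so the
            # caller cannot tell which module rejected the attempt.
            failed = failed or not ok
        elif r.control == "requisite":
            if not ok:
                return False, consulted     # stop immediately
        elif r.control == "sufficient":
            if ok and not failed:
                return True, consulted      # enough: later modules are skipped
        elif r.control == "optional":
            pass                            # ignored in a multi-module stack
        else:
            raise ValueError(f"unsupported control value {r.control!r}")
    return not failed, consulted


def demo():
    good = {"pam_env.so": True, "pam_unix.so": True}   # correct password
    bad = {"pam_env.so": True, "pam_unix.so": False}   # wrong password
    stack = parse_stack(SYSTEM_AUTH)
    print("correct password :", evaluate(stack, "auth", good))
    print("wrong password   :", evaluate(stack, "auth", bad))
    # Same correct password, but pam_deny.so now runs first: always denied.
    print("mis-ordered stack:", evaluate(parse_stack(MISORDERED_AUTH), "auth", good))


if __name__ == "__main__":
    demo()
```

The mis-ordered stack shows why line order matters: a required failure recorded before the sufficient line means even a correct password is refused.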
• /etc/pam.d/passwd
• /etc/pam.d/system-auth
• uses the pam_unix.so module with options to determine how passwords are managed
(i.e. md5 to determine the encryption type)
• Example • add remember=3 at the end of the file to remember the last three user
passwords and prevent their reuse
• remember=[#] • remember previous passwords (up to ‘x’) and deny passwords that are
the same as those remembered
• nullok • allow root to provision accounts with no password
• pam_cracklib.so
• modify how passwords are changed on the system (what users can choose as a password)
• retry=[#] • the number of times a password can be retried before system stops
attempts
• pam_limits.so
• exception to the module configuration options rule, values are altered outside of the /etc/
pam.d files
• /etc/security/limits.conf
• configuration file to apply various limits that can be applied more specifically
(since any values modified in /etc/pam.d/system-auth would be applied to ALL
configurations that include it - LOTS)
• item • core, data, fsize, memlock, nofile, rss, stack, cpu, nproc, as, maxlogins,
maxsyslogins, priority, locks, sigpending, msgqueue, nice, rtprio
• value • the value assigned to the item when the limit applies
• this would limit the ‘user’ account to three simultaneous logins to the server at any
one time
• pam_listfile.so
• file=[/path/to/file] • access to the indicated users file (user names are within this
file)
• determines the order that files/services are used to perform authentication on your system
• nisplus • use NIS+ v3
• OpenLDAP is the LDAP implementation most commonly used on Linux; it can be compared to Active
Directory on Windows, which likewise provides hierarchical user information as a service.
• definitions
• Object
• Sometimes referred to as a record or an entry, represents a single item in the directory. This
object provides a description based on the structure of the schema.
• Schema
• This is the structure that is built to define the characteristics (or attributes) of an object. It
also defines what can be stored in each attribute.
• Attribute
• This is part of an object. One or more attributes make up an object, as defined by the
schema.
• LDIF
• Stands for LDAP Interchange Format. It is used to create objects within the OpenLDAP
directory. These values are placed into a file and can be loaded into the directory with the
slapadd command.
• DN
• Stands for Distinguished Name. Each object in your directory has to have a unique
name in order to provide structure. It is built with a CN and one or more DC components (example –
cn=user,dc=linuxacademy,dc=com)
• CN
• Stands for Common Name and is the name of the object (often a username, but not always).
• SSSD
• Stands for System Security Services Daemon. This provides authentication of user accounts
for OpenLDAP (you want to use a different authentication service – i.e. who authenticates the
authenticator?)
• NOTE: Configuration of these items is NOT an exam objective; you only need to know what
they are.
• /etc/openldap
• /etc/openldap/ldap.conf
• /etc/openldap/slapd.conf
• rootpw • admin account password, as a plain-text value OR an encrypted value (preferred, see
slappasswd below)
• loglevel • (1 through 32768, doubling) for example - 32768 only logs messages that get
logged no matter what the loglevel setting is (more than one, list of numbers, space delimited)
• slappasswd
• generates the encrypted value for the /etc/openldap/slapd.conf file rootpw value
• /var/lib/ldap
• slaptest
• -v • verbose messages
• process start
• ldapsearch
• client utility, allows the searching of the directory, in this context, testing our DN
• -b [searchbase] • starts the search at the indicated level (an empty string, '', for example, starts at the top level)
• -s base [type of object class=value] [context] • the return order and
values
• LDIF file
• using a small example for the domain “domain.com”, a basic LDIF file consists of the
following:
• dn: dc=my-domain,dc=com
dc: my-domain
description: our test LDIF
objectClass: dcObject
objectClass: organization
o: mydomain example
• schema
• organizes how data (objects and attributes) are stored in your directory
• objectClass: [class] • refers to an object class and its definition in one of the included
schema in the /etc/openldap/slapd.conf file
• each object definition has an Object ID associated with it (globally unique and assigned/
maintained by the Internet Assigned Numbers Authority - IANA)
• list of attributes that are required (MUST) and which are allowed but not required (MAY)
• a schema that provides information about accounts/users (telephone company book reference)
• ldapadd
• allows you to add your LDIF file definitions/objects to the directory server
• -W • makes the ldapadd command prompt for the rootdn account password
• will take the records defined in the LDIF file called ‘myfile.ldif’ and add them to the
directory
• slapcat
• output is in LDIF
• HINT: copy/paste this output as a template for creation of additional objects as needed
• need to be aware of
• slapindex • optimizes existing records (by creating an index) for reading data more quickly
• access control
• complex implementation
• -W • makes the ldapadd command prompt for the rootdn account password
• ldapsearch
• -x • simple authentication
• would search and display all records in the ‘people’ OU (organizational unit) in the dc my-
domain and com, for all objectclasses and fields within them
• would search and display the record in the ‘people’ OU in the dc my-domain and com for
the CN of ‘Bruce Wayne’ and then display the UID field
• ldappasswd
• -x • simple authentication
• -D [base] • the base that the admin/root record exists in that has authorization to make
changes (i.e. Manager or root record as defined in your /etc/openldap/slapd.conf file)
• ldapdelete
• -D [base] • the base that the admin/root record exists in that has authorization to make
changes (i.e. Manager or root record as defined in your /etc/openldap/slapd.conf file)
• would delete the UID (or CN if indicated) ‘bwayne’ from our directory
• Simple Mail Transfer Protocol. It is the protocol that defines how e-mail is transferred and
saved; it is part of the TCP/IP application layer and also sets the rules that e-mail applications
follow.
• MUA
• Mail User Agent. This is whatever application you use to create and send e-mail (Thunderbird,
Evolution, SquirrelMail, etc).
• MSA
• Mail Submission Agent. Acts as an intermediary or gateway between the MUA and an MTA to
start the transfer of e-mail.
• MTA
• Mail Transfer Agent. Accepts e-mail from the MUA and sends it (if needed) to the receiving
mail server (another MTA if this is not the destination). There are a number of MTA servers in Linux
(Postfix, which we will use, sendmail and more).
• MDA
• Mail Delivery Agent. Receives e-mail from the MTA and then delivers it to the local mail spool
for retrieval by any of dozens of client e-mail applications. Sometimes an MTA can also function
as an MDA, but often (procmail for example), they are independent applications that can also filter
mail (like spam).
• POP
• Post Office Protocol. Used by MUAs to get e-mail (covered in more detail later).
• IMAP
• Internet Message Access Protocol. Used by MUAs to get e-mail (covered in more detail later).
• MX Record
• These are the mail DNS records we created earlier in this course. These records are used by
MTAs to determine the authoritative mail server for any particular e-mail message.
• exim
• newer than sendmail as an MTA, less complex configuration (awareness of for exam)
• postfix
• a mail transfer agent (server) that we will configure to send and receive e-mail
• /var/spool/postfix
• /etc/postfix/main.cf
• postconf
• utility that can be used to make postfix configuration settings rather than directly by editing the
configuration file
• [specific setting] • will display JUST the indicated setting (if exists)
• key settings
• myhostname • FQDN of the system (server postfix is running on), should be detected by
postfix by default
address mining
• myorigin • when a client does not indicate its hostname, this value will be used, if nothing
is set, the hostname is used
• mydestination • set to myhostname by default, this is a list of all the domains (or systems/
hosts) that this postfix server will accept e-mail for
• relay_domains • a comma delimited list of one or more domains that postfix can function
as a relay for (if desired)
• relayhost • if messages are being forwarded to an outbound SMTP server, this will be the
destination of the server
• a list of e-mail aliases and their intended destination addresses used by postfix for routing
e-mail
• newaliases
• command line utility for taking new alias entries and adding them/creating them in the /etc/
aliases.db file used by postfix
• /etc/postfix/virtual
• similar to aliases, but used to redirect e-mail to virtual destinations (common in multiple
domain e-mail implementations)
ckent@thedailyplanet.com clarkkent
• if you are using the virtual file, edit the virtual_alias_maps setting in the /etc/
postfix/main.cf file and set it to hash:/etc/postfix/virtual
• this file must then be converted to binary using the ‘postmap’ utility
• restarting postfix will then allow the configured virtual settings to take effect
• mailx
• /var/log/maillog
• default mail logging location, all email transactions and service information contained within
• may be installed by default, but if not, procmail package is available for every distribution type
and version
• can apply filters for spam, automatic backups of user emails, filters based on address, etc
• awareness of what it is, configuration for the LPIC-2 exam is out of scope
• sieve
• language for complex filtering and sorting rules that can be applied to headers, size, senders and
recipients
• can provide IMAP and POP functionality (courier-pop and courier-imap packages)
• combination of SMTP, POP, IMAP, LDAP, SSL and HTTP all in one (MTA, MDA, directory
and web)
• configuration and set up is outside the scope of the LPIC-2 exam, awareness of what it is is all
we need to know
• dovecot
• supports the IMAP and POP protocols as well as both major mailbox types (Maildir and mbox)
• /etc/dovecot/dovecot.conf
• dovecot
• key settings
• listen • which interface dovecot will bind to (‘*’ equals all IPv4 interfaces)
• will include all configuration files in the relative path conf.d/ directory
• indicates that the ‘mbox’ mailbox is in each user’s home directory, in a subdirectory
called ‘maildir’
• %u • username
• %d • domain
• /etc/dovecot/conf.d
• external configuration files for dovecot, that are typically included in the configuration
• NOTE: caution, if a parameter set in one of these files is also set in dovecot.conf, the
setting read last wins: a dovecot.conf setting placed after the !include statement overrides the
external file, while a setting placed before the !include statement is overridden by the external
file
• the numbers in front of some of the files indicate the order they are loaded/applied in the
service
• testing
• doveconf
• -f [filter] • display only the indicated value for the filtered condition
• -m [module] • only show settings for the indicated module (protocols - imap, pop3, lmtp)
• doveadm
• -f [formatter] • formatter of output (values are flow for key/value, pager for key: value
on own line, tab for table header with tab separated lines, table for table header with adjust value
lines)
• certificates/SSL/TLS configuration
• generate certificate and key with OpenSSL as demonstrated in Apache portion of course
• valid certificate will show certificate info, self signed will connect but will show an
error as a result of self-signed certificate
• IP Forwarding
• Kernel Setting
• sysctl.conf
• net.ipv4.ip_forward = 1
• Private network ranges have been set aside for use inside corporate networks. They are not able
to communicate directly with internet hosts and require a firewall or similar device to ‘translate’
(NAT – Network Address Translation) the originating IP to a public IP that can forward the traffic
on their behalf.
• Ranges are:
• 192.168.0.0 to 192.168.255.255
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• Modify (mangle) network traffic (packets), including changing the packet headers (if needed,
based on configured rules)
• Rules are configured and applied based upon certain conditions that each packet meets within
one or more defined zones in the firewall.
• Filtering Points
• Each point, you can create rules (sometimes referred to as a chain) that can apply to the
packet passing through.
1. PREROUTING • configured to block, redirect or allow the packet to the next filtering
point. Commonly, used to redirect the packet to another address and/or port (DNAT –
Destination NAT).
2. Destination Point • If destination is local to the firewall’s address (this machine), sent to
the INPUT filtering point. If bound for another network, sent to the FORWARD filtering point.
5. POSTROUTING • make changes to the packet as it exits the firewall, commonly used to
do masquerading.
6. OUTPUT • packet is sent from the firewall out to the network to its final destination
(NOTE: rules are not generally applied at this filter point).
• NOTE: at each point, there are different rules (chains) and those rules are applied in the
order they appear in the chain.
• Tables that can be present in filter points are called FILTER, NAT, MANGLE.
• Not every filter point has all three tables represented (see below)
• As a result of the tables in each filter point, you can define rules (chains). For example, at the
filter point of FORWARD a set of rules designed to MANGLE packets would be the FORWARD-MANGLE chain.
• IPTABLES – Definitions
• Rule
• Something that is applied to a network packet (an action). The result of which is boolean
(true or false).
• True result – a target tells the firewall what to do with the packet next, additionally, no
further rules are evaluated and the ruleset (chain) will exit.
• False result – the packet moves to the next rule in the chain or the next chain to be
evaluated further.
• NOTE: this is an important concept since the order of rules in a chain can have a
large impact on how the packet is affected by them, getting the order correct is the most
important step.
• Rule Examples
• Options
• Sample
• Now we have three rules in our chain to evaluate each packet until matched (although because
of the first rule - block everything - these other two rules would never be evaluated).
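The first-match behaviour just described, as an added example that is not from the study guide: a simplified Python model of a filter-table INPUT chain (constructed rules using -p, --dport and -s only, with -s taken as a single address) that evaluates packets and reports which rules a catch-all in front of them makes unreachable.

```python
"""First-match evaluation of an iptables chain, plus a check for rules that an
earlier rule makes unreachable.

Added example, not from the study guide. The chains are a constructed,
simplified model of the filter table's INPUT chain: a rule carries the match
options the guide uses (-p, --dport, -s) and a target, and the first rule
whose matches all hold decides the packet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    target: str                      # -j ACCEPT or -j DROP
    proto: Optional[str] = None      # -p tcp | udp  (None = any)
    dport: Optional[int] = None      # --dport N     (None = any)
    src: Optional[str] = None        # -s address    (single address in this model)

    def fields(self) -> Dict[str, object]:
        return {"proto": self.proto, "dport": self.dport, "src": self.src}

    def matches(self, pkt: Dict[str, object]) -> bool:
        """True when every option the rule sets equals the packet's value."""
        return all(v is None or pkt.get(k) == v for k, v in self.fields().items())

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` would also match self."""
        return all(v is None or other.fields()[k] == v
                   for k, v in self.fields().items())

    def as_command(self, chain: str = "INPUT") -> str:
        parts = ["iptables", "-A", chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.src:
            parts += ["-s", self.src]
        return " ".join(parts + ["-j", self.target])


@dataclass
class Chain:
    policy: str                                # -P default policy
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Dict[str, object]) -> Tuple[str, Optional[int]]:
        """Return (target, index of deciding rule); None means the policy applied."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, i          # first match wins; chain exits
        return self.policy, None

    def shadowed(self) -> List[int]:
        """Indexes of rules that can never match because an earlier rule covers them."""
        return [j for j, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:j])]


# Constructed chains. BAD puts a catch-all DROP first, so the two ACCEPT rules
# behind it are dead; GOOD makes DROP the policy and lists permitted services.
BAD = Chain("ACCEPT", [Rule("DROP"), Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 80)])
GOOD = Chain("DROP", [Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 80)])

# Constructed packets.
SSH = {"proto": "tcp", "dport": 22, "src": "10.1.0.50"}
TELNET = {"proto": "tcp", "dport": 23, "src": "10.1.0.50"}

if __name__ == "__main__":
    for name, chain in (("BAD", BAD), ("GOOD", GOOD)):
        print(f"{name}: policy {chain.policy}, shadowed rules {chain.shadowed()}")
        for r in chain.rules:
            print("  ", r.as_command())
        print("   ssh ->", chain.verdict(SSH), " telnet ->", chain.verdict(TELNET))
```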
• IPTABLES – Options
• -P • changes the default policy for the chain (can be set to DROP or ACCEPT)
• Your firewall can be used to forward a connection port to another server and port. For example:
• iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.1.0.220:80
• The -j DNAT option tells your firewall to use DNAT (Destination NAT) so that the
originating host is not aware of the final address of the packet, which is only known to the
firewall. IPTABLES maintains responsibility for ‘remembering’ the redirect and handling
it.
• NOTE: the interface will depend on the IPTABLES system interface name and
configuration and may differ from the example (but it needs to be the internal network/
private interface).
• although considered ‘safer’ than standard FTP because of the way the process uses the
underlying filesystem, it is still not an encrypted transaction/communication from client to server
• /etc/vsftpd/vsftpd.conf
• anon_max_rate • rate limit (in bytes) per second that an anonymous user can transfer
files
• local_enable • yes/no, disables local user accounts from logging in, common if
anonymous access is allow (default is NO)
• userlist_enable • yes/no, allows you to define a file that will allow or block users
access to the server (default is NO)
• userlist_deny • yes/no, specifies whether the users in the ‘user_list’ file are allowed
or denied access, if YES, the users in the account are DENIED access, if NO, ONLY the users
in the file can access the server
• note this is an alternative method to the PAM implementation that gives the flexibility
to allow only a few people access in a big organization (so in an organization of 1000
where only 3 should have access, it is not necessary to add 997 to the PAM list for denying
access)
• banner_file • allows the setting of a text file with a custom message to display, default
if not set is the vsftpd version information
• ftpd_banner • text (not a file) that can be displayed, short message under 64 characters
• chroot_local_users • yes/no, will place local user accounts in a chroot jail so they
can access ONLY their home directory
• max_per_ip • limit how many FTP clients per IP can connect at one time
• local_max_rate • the rate limit (in bytes) per second that local users can transfer files
• /etc/vsftpd.ftpusers
• adding a user account to this file prevents their access regardless of whether ‘local_enable’
is set to YES (NOTE: exists to support /etc/pam.d/vsftpd file as demonstrated earlier in the PAM
section of the course)
• pure-ftpd
• no configuration file is required, all configuration is done when launching the service at the
command line
• proftpd
• another ftp server (configuration and setup outside the LPIC-2 objectives)
• active connections
• by default, ftp uses ‘active’ connections, your host will use a ‘random’ unprivileged port
(>1023) to connect to the server on port 21
• once transfer begins, those transactions take place on server port 20 and client ports >1023
• all commands from client to server (and responses back) are sent on the original ports
(established when connected) while file transfers use the new port (20) while the client picks a new
random port >1023 each time
• passive connections
• the server does not start data transfer communication, it waits for the host to establish a
connection (and as a result, performance is slightly better for the client and much easier on the
firewall)
• active connections are default, passive connections are initiated by using the ‘passive’ command
once logged into the server
• /etc/ssh/sshd_config
• key settings
• LogLevel [value] • the level of logging that SSH will generate (valid values in
order of verbosity are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1,
DEBUG2, DEBUG3)
• PermitRootLogin [yes/no] • allow root to login over SSH (force su for root
access)
• AllowUsers [user [user]] • one or more user accounts (space delimited) that
are allowed access
• NOTE: these settings are one or the other, if both are defined, DenyUsers will take
precedence
• wildcards (? *) can be used for partial accounts (i.e. joh* will represent any name
beginning with ‘joh’)
• Banner [file] • text file whose contents are displayed BEFORE user login
• PrintMotd [yes/no] • when set to yes, the /etc/motd contents will be displayed
AFTER authentication
• /etc/ssh/ssh_config
• ~/.ssh/config
• user directory SSH configuration file that overrides conflicting settings with the system
client utility configuration file
• many settings are related (or identical) to those found in the sshd_config file (see
below)
• NOTE: regardless of the existence of a home directory SSH configuration or a setting in the
system SSH configuration file, command line options OVERRIDE those settings
• order of precedence
1. command line
• -l [username] [server name] • allows you to log in as the named user (instead of the
current user) to a remote system
• [server name] [command(s)] • allows the remote execution of the indicated command
(with the right credentials)
• scp
• copy utility that allows secure transfer of files to/from remote servers running openssh-server
• will copy the local file ‘test.txt’ to the remote server ‘10.1.0.100’ and place it in the ‘/home/
user’ directory on that server (NOTE: the user copying the file must have write access to the
home directory)
• will copy the remote file, connecting as ‘user’ to ‘10.1.0.100’ and copying the ‘myfile.txt’
to the local ‘/home/user’ directory (NOTE: the user used to login to the remote system must
have read access to the file and directory being copied)
• -r • recursive copy
• -v • verbose messaging
• sftp
• allows connections and transfers of files to a remote server running openssh-server, using
commands similar to those used by ftp clients
• using typical filesystem/ftp commands, you will have access to the same files/directories on
the remote system as the account would if logged in via SSH
• ~/.ssh/known_hosts
• adds connection information (IP, hostname and associated RSA key fingerprint) for future
connections
• first attempt asks for confirmation to connect and add the information
• NOTE: if the key information changes, an error will be displayed and the attempt to
connect will fail
• utility to generate a public/private key that can be used to authenticate a user on a remote
system without providing an authentication password (if a password was not used during generation
- something that is often done for two factor authentication)
• ~/.ssh
• directory where public (id_rsa.pub) and private keys (id_rsa) are stored
• ssh-copy-id
• method of copying a public key for use in remote authentication to a remote server
• will automatically prompt for login and copy the key to the remote ~/.ssh/authorized_keys
file
• ~/.ssh/authorized_keys
• file containing the hostname/IP and public key of systems that are authorized to provide a
• manual method
• in the event the ssh-copy-id utility is not available, the following command can be used to
copy a public key to a remote host
• ssh-agent
• allows you to associate a key with a session so that the first connection (if a passphrase is
configured) is the only time you are prompted for the passphrase
• Example • ssh-agent /bin/bash (creates the shell with the agent associated)
ssh-add [~/.ssh/id_rsa] (path not needed if default location and name)
prompt for password - subsequent connections will not need it
• update your system - checking for and installing updates daily is optimal; weekly is the
minimum, especially for key remote access utilities
• monitoring
• periodic manual auditing provides valuable information, but automated monitoring and alerts
on key system performance and access is essential to providing a secure system to your users
• daemon that can scan log files, identifying IPs that have repeatedly attempted connections
• /etc/fail2ban/jail.conf
• NOTE: the utility author recommends NOT using the system-wide configuration file, as it
will be overwritten any time the tool is updated; use jail.local or jail.d/
• key settings
• bantime [#] • how long (seconds) the host gets banned for
• findtime [#] • the amount of time the maxretry setting will use to track the
maximum number (i.e. a value of 300 would mean ‘N’ failures within 5 minutes would
result in a ban)
• ignoreip [IP] • white list (ignore) attempts from the indicated IP(s)
• action = [action command] • run the indicated command when the ban is
triggered (like sending root an email)
• Example •
[sshd]
enabled = true
bantime = 300
findtime = 180
maxretry = 5
action = sendmail-whois[name=SSH,dest=root,sender=fail2ban@localhost]
• this would configure the jail for sshd and enable it, setting the time an address
is banned to 5 minutes, when 5 retries happen from that same address inside of any 3
minute window and notify root with an email containing the host information
• OpenVAS
• specific configuration, setup and use is outside the scope of the LPIC-2 exam
• Snort
• specific configuration, setup and use is outside the scope of the LPIC-2 exam
1. packet logging
3. IDS
• CERT
• provides tools for vulnerability assessment and analysis, comprehensive list of known
vulnerabilities and attack vectors
• often works with government organizations (or private institutions) regarding computer
security
• http://www.cert.org
• US-CERT
• http://www.us-cert.gov
• BugTraq
• http://www.securityfocus.com
• moderated (and detailed) mailing list for the discussion of (and announcements of new)
security vulnerabilities
• provides details on when discovered, what is affected (versions and types), what the
vulnerability is and any known exploits
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry ‘[NOTFOUND=return]’ means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
/etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - “soft” for enforcing the soft limits
# - “hard” for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
/etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
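The comment block in the options section above warns that a recursive server reachable from outside must restrict who may query it, or it ends up serving as an open resolver in amplification attacks. As an added example that is not part of the study guide or of BIND itself, the Python audit below parses the options block of a named.conf (comments stripped, nested braces handled) and flags the combination the comment describes: recursion on, an ACL of any, and listeners beyond loopback. Both configurations embedded in it are constructed samples; the fallback chain for allow-recursion follows BIND 9's documented defaults.

```python
import re
# Constructed sample modelled on the page's caching-only named.conf: loopback listeners,
# queries from localhost only, recursion on. This is not an open resolver.
LOCAL_ONLY = """options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query { localhost; };
    /* block comment; this semicolon must not split statements */
    recursion yes;
};"""
# Constructed variant: the same server listening on every interface and recursing for anyone.
EXPOSED = LOCAL_ONLY.replace("{ 127.0.0.1; }", "{ any; }").replace("{ localhost; }", "{ any; }")

def block_body(text, name):
    """Text between the braces of `name { ... }`, honouring nesting ("" if absent/unbalanced)."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    depth, start = 1, m.end() if m else len(text)
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def statements(body):
    """Split a block body on ';' at brace depth 0 into {keyword: argument text}."""
    out, depth, cur = {}, 0, ""
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            parts = cur.split(None, 1) + [""]
            if parts[0]:
                out[parts[0]] = parts[1].strip()
            cur = ""
        else:
            cur += ch
    return out

def open_resolver_findings(conf):
    conf = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", conf, flags=re.S)  # drop both comment styles
    opts = statements(block_body(conf, "options"))
    if opts.get("recursion", "yes") != "yes":  # BIND recurses unless told otherwise
        return []
    # BIND's fallback chain: allow-recursion, then allow-query, then localnets/localhost.
    acl = opts.get("allow-recursion", opts.get("allow-query", "{ localnets; localhost; }"))
    findings = ["recursion allowed for any client: " + acl] if re.search(r"\bany\b", acl) else []
    listeners = opts.get("listen-on", "") + " " + opts.get("listen-on-v6", "")
    addrs = [a.strip() for grp in re.findall(r"\{([^}]*)\}", listeners) for a in grp.split(";")]
    exposed = [a for a in addrs if a not in ("", "127.0.0.1", "::1")]
    if exposed:
        findings.append("listens beyond loopback on: " + ", ".join(exposed))
    return findings
```

Run it against a real /etc/named.conf by reading the file into `open_resolver_findings`; an authoritative-only server (recursion no) produces no findings regardless of its listeners.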
};
zone "mydomain.com" IN {
    type master;
    file "fwd.mydomain.com.db";
    allow-update { none; };
};
zone "0.1.10.in-addr.arpa" IN {
    type master;
    file "0.1.10.db";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/var/named/named.localhost
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
10020 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
;Name Server Information
@ IN NS named.mydomain.com.
;Reverse lookup for Name Server
101 IN PTR named.mydomain.com.
;PTR Record IP address to HostName
102 IN PTR server2.mydomain.com.