====== Topic 212: System Security ======

Part of [[informatica:certificaciones:lpic:lpic-2|LPIC-2]]

Modules:

  * [[informatica:certificaciones:lpic:lpic-2:212_system_security:212.1_configuring_a_router|212.1 Configuring a router]] (3)
  * [[informatica:certificaciones:lpic:lpic-2:212_system_security:212.2_securing_ftp_servers|212.2 Securing FTP servers]] (2)
  * [[informatica:certificaciones:lpic:lpic-2:212_system_security:212.3_secure_shell_ssh|212.3 Secure shell (SSH)]] (4)
  * [[informatica:certificaciones:lpic:lpic-2:212_system_security:212.4_security_tasks|212.4 Security tasks]] (3)
  * [[informatica:certificaciones:lpic:lpic-2:212_system_security:212.5_openvpn|212.5 OpenVPN]] (2)

===== Recommendations =====

For the exam, you should have a clear grasp of the following:

  * Enabling routing on a Linux server.
  * Adding and removing static routes.
  * Configuring packet filtering with iptables.
  * Configuring NAT with iptables.
  * Knowing the FTP operating modes.
  * Configuring an FTP server.
  * Managing SSH authentication methods.
  * Opening remote sessions with SSH and X11 forwarding.
  * Setting up application tunnels with SSH.
  * Knowing the main security organisations.
  * Knowing the Snort IDS and the OpenVAS security software.
  * Knowing the OpenVPN operating modes.
  * Setting up a point-to-point OpenVPN tunnel.

**When the default policy for the iptables INPUT chain is set to DROP, why should a rule allowing traffic to localhost exist?**

  * All traffic to localhost must always be allowed.
  * It doesn't matter; iptables never affects packets addressed to localhost.
  * Sendmail delivers emails to localhost.
  * Some applications use the localhost interface to communicate with other applications. (**Solution**)
  * ''syslogd'' receives messages on localhost.

The //loopback// interface is a virtual network interface that points back at the host itself, so that certain applications can talk to each other over the network stack locally.

**To be able to access the server with the IP address 10.12.34.56 using HTTPS, a rule for iptables has to be written. Given that the client host's IP address is 192.168.43.12, which of the following commands is correct?**

  * ''iptables -A FORWARD -p tcp -s 0/0 -d 10.12.34.56 --dport 80 -j ACCEPT''
  * ''iptables -A FORWARD -p tcp -s 192.168.43.12 d 10.12.34.56:443 -j ACCEPT''
  * ''iptables -A FORWARD -p tcp -s 192.168.43.12 -d 10.12.34.56 --dport 443 -j ACCEPT'' (**Solution**)
  * ''iptables -A INPUT -p tcp -s 192.168.43.12 - d 10.12.34.56:80 -j ACCEPT''
  * ''iptables -A FORWARD -p tcp -s 0/0 -d 10.12.34.56 --dport 443 -j ACCEPT''

The ''INPUT'' rule should be ruled out because it refers to packets addressed to the firewall itself, not to traffic passing between two machines on two networks inside our internal network.

**What security precautions must be taken when creating a directory into which files can be uploaded anonymously using FTP?**

  * The directory must not have the execute permission set.
  * The directory must not have the read permission set. (**Solution**)
  * The directory must not have the read or execute permission set.
  * The directory must not have the write permission set.
  * The directory must not contain other directories.

Without read permission, the "anonymous" user cannot list which other files are present in the directory.

**Which THREE of the following actions should be considered when a FTP chroot jail is created?**

  * Create ''/dev/'' and ''/etc/'' in the chroot environment. (**Solution**)
  * Create ''/etc/passwd'' in the chroot environment. (**Solution**)
  * Create ''/var/cache/ftp'' in the chroot environment.
  * Create the user ''ftp'' in the chroot environment. (**Solution**)
  * Create ''/usr/sbin/'' in the chroot environment.

**A security-conscious administrator would change which TWO of the following lines found in an SSH configuration file?**

  * ''Protocol 2,1'' (**Solution**)
  * ''PermitEmptyPasswords no''
  * ''Port 22''
  * ''PermitRootLogin yes'' (**Solution**)
  * ''IgnoreRhosts yes''

SSH protocol version 1 is not secure. Allowing root to log in over SSH is not secure either.

**When connecting to an SSH server for the first time, its fingerprint is received and stored in a file, which is located at:**

  * ''~/.ssh/fingerprints''
  * ''~/.ssh/id_dsa''
  * ''~/.ssh/known_hosts'' (**Solution**)
  * ''~/.ssh/id_dsa.pub''
  * ''~/.ssh/gpg.txt''

The server's fingerprint is stored on the client machine.

**What tool scans log files for unsuccessful login attempts and blocks the offending IP addresses with firewall rules?**

  * ''nessus''
  * ''nmap''
  * ''nc''
  * ''watchlogs''
  * ''fail2ban'' (**Solution**)

**What is the name of the network security scanner project which, at the core, is a server with a set of network vulnerability tests (NVTs)?**

  * nmap
  * OpenVAS (**Solution**)
  * Snort
  * wireshark

**Which directive in the OpenVPN client.conf specifies the remote server and port that the client should connect to? (Provide only the directive, without any options or parameters)**

  * ''remote''

**What types of virtual network devices does OpenVPN use for connections? (Choose TWO correct answers.)**

  * ''eth''
  * ''tap'' (**Solution**)
  * ''lo''
  * ''tun'' (**Solution**)
  * ''ppp''

The **point-to-point** and **site-to-site** modes use ''tun'' devices; ''tap'' is used in **bridge** mode.

**Which of the following address ranges are PRIVATE address ranges? (Choose all that apply.) Choose the 3 correct answers:**

  * 172.16.0.0 to 172.31.255.255 (**Solution**)
  * 192.168.0.0 through 192.168.255.255 (**Solution**)
  * None of the above
  * 10.0.0.0 to 10.255.255.255 (**Solution**)

**Which of the following files is the primary configuration file for the VSFTPD service?**

  * ''/etc/vsftpd.conf''
  * ''/etc/ftp/ftp.conf''
  * ''/etc/service/vsftpd.conf''
  * ''/etc/vsftpd/vsftpd.conf'' (**Solution**)

**Which of the following kernel settings, when added to the file /etc/sysctl.conf, will enable a Linux system to function as a router (forwarding IP packets)?**

  * ''net.tcp.all.forwarding 1''
  * ''net.tcp.forward 1''
  * ''ipv4.forward 1''
  * ''net.ipv4.ip_forward 1'' (**Solution**, although it should have an equals sign to assign the value)

**The 'scp' and 'sftp' services are encrypted in the same manner as SSH and can utilize the same public/private keys for user authentication.**

  * True (**Solution**)
  * False

**The 'ssh-keygen' utility is used to generate public and private keys that can be exchanged with remote systems to authenticate the user that generated them during SSH connections.**

  * True (**Solution**)
  * False