Topic 212: System Security

Perteneciente a LPIC-2

Módulos:

• 212.1 Configuring a router (3)
• 212.2 Securing FTP servers (2)
• 212.3 Secure shell (SSH) (4)
• 212.4 Security tasks (3)
• 212.5 OpenVPN (2)

De cara al examen, habría que tener claro:

• Activar el enrutamiento en un servidor Linux.
• Añadir y quitar rutas estáticas.
• Configurar el filtrado con iptables.
• Configurar NAT para iptables.
• Conocer los modos de funcionamiento FTP.
• Configurar un servidor FTP.
• Gestionar las autentificaciones SSH.
• Abrir sesiones remotas con SSH y reenvío de sesiones X11.
• Establecer túneles para aplicaciones con SSH.
• Conocer los principales organismos de seguridad.
• Conocer el IDS Snort y el software de seguridad OpenVAS.
• Conocer los modos de funcionamiento OpenVPN.
• Establecer un túnel punto a punto OpenVPN.

When the default policy for the iptables INPUT chain is set to DROP, why should a rule allowing traffic to localhost exist?

• All traffic to localhost must always be allowed.
• It doesn't matter; iptables never affects packets addressed to localhost.
• Sendmail delivers emails to localhost.
• Some applications use the localhost interface to communicate with other applications. (Solución)
• syslogd receives messages on localhost.

El interfaz loopback es un interfaz virtual de red que hace una autoreferencia para que determinadas aplicaciones puedan comunicarse por red a nivel local.

To be able to access the server with the IP address 10.12.34.56 using HTTPS, a rule for iptables has to be written. Given that the client host's IP address is 192.168.43.12, which of the following commands is correct?

• iptables -A FORWARD -p tcp -s 0/0 -d 10.12.34.56 –dport 80 -j ACCEPT
• iptables -A FORWARD -p tcp -s 192.168.43.12 d 10.12.34.56:443 -j ACCEPT
• iptables -A FORWARD -p tcp -s 192.168.43.12 -d 10.12.34.56 –dport 443 -j ACCEPT (Solución)
• iptables -A INPUT -p tcp -s 192.168.43.12 - d 10.12.34.56:80 -j ACCEPT
• iptables -A FORWARD -p tcp -s 0/0 -d 10.12.34.56 –dport 443 -j ACCEPT

La regla INPUT se debería descartar porque hace referencia a paquetes que entran en el firewall y no entre dos máquinas de dos redes dentro de nuestra red interna.

What security precautions must be taken when creating a directory into which files can be uploaded anonymously using FTP?

• The directory must not have the execute permission set.
• The directory must not have the read permission set. (Solución)
• The directory must not have the read or execute permission set.
• The directory must not have the write permission set.
• The directory must not contain other directories.

Si no tiene permisos de lectura, el usuario “anónimo” no podría consultar qué más archivos hay en el directorio.

Which THREE of the following actions should be considered when a FTP chroot jail is created?

• Create /dev/ and /etc/ in the chroot enviroment. (Solución)
• Create /etc/passwd in the chroot enviroment. (Solución)
• Create /var/cache/ftp in the chroot enviroment.
• Create the user ftp in the chroot enviroment. (Solución)
• Create /usr/sbin/ in the chroot enviroment.

A security-conscious administrator would change which TWO of the following lines found in an SSH configuration file?

• Protocol 2,1 (Solución)
• PermitEmptyPasswords no
• Port 22
• PermitRootLogin yes (Solución)
• IgnoreRhosts yes

El protocolo 1 de SSH no es seguro. Tampoco es seguro permitir el acceso de root por SSH.

When connecting to an SSH server for the first time, its fingerprint is received and stored in a file, which is located at:

• ~/.ssh/fingerprints
• ~/.ssh/id_dsa
• ~/.ssh/known_hosts (Solución)
• ~/.ssh/id_dsa.pub
• ~/.ssh/gpg.txt

Guardamos la huella del servidor en el equipo del cliente.

What tool scans log files for unsuccessful login attempts and blocks the offending IP addresses with firewall rules?

• nessus
• nmap
• nc
• watchlogs
• fail2ban (Solución)

What is the name of the network security scanner project which, at the core, is a server with a set of network vulnerability tests (NVTs)?

• nmap
• OpenVAS (Solución)
• Snort
• wireshark

Which directive in the OpenVPN client.conf specifies the remote server and port that the client should connect to? (Provide only the directive, without any options or parameters)

• remote

What types of virtual network devices does OpenVPN use for connections? (Choose TWO corrects answers.)

• eth
• tap (Solución)
• lo
• tun (Solución)
• ppp

Los modos point-to-point y site-to-site utilizan los dispositivos tun. tap se utiliza en bridge.

Which of the following address ranges are PRIVATE address ranges? (Choose all that apply.) Choose the 3 correct answers:

• 172.16.0.0 to 172.31.255.255 (Solución)
• 192.168.0.0 through 192.168.255.255 (Solución)
• None of the above
• 10.0.0.0 to 10.255.255.255 (Solución)

Which of the following files is the primary configuration file for the VSFTPD service?

• /etc/vsftpd.conf
• /etc/ftp/ftp.conf
• /etc/service/vsftpd.conf
• /etc/vsftpd/vsftpd.conf (Solución)

Which of the following kernel settings, when added to the file /etc/sysctl.conf, will enable a Linux system to function as a router (forwarding IP packets)?

• net.tcp.all.forwarding 1
• net.tcp.forward 1
• ipv4.forward 1
• net.ipv4.ip_forward 1 (Solución, aunque debería tener un signo igual para asignar el valor)

The 'scp' and 'sftp' services are encrypted in the same manner as SSH and can utilize the same public/private keys for user authentication.

• Verdadero (Solución)
• Falso

The 'ssh-keygen' utility is used to generate public and private keys that can be exchanged with remote systems to authenticate the user that generated them during SSH connections.

• Verdadero (Solución)
• Falso