Preguntas de repaso del módulo LPI-202 para la certificación LPIC-2.

Which of the following rules based scripting languages is commonly used with Postfix and Dovecot email servers?

• sieve (Solución)
• python
• perl
• procmail

By default, when you generate SSH public and private keys, they use what type of encryption?

• DSA
• SSL
• RSA (Solución)
• SHA256

Which of the following are mail agents? (Check all that apply.) Choose the 3 correct answers:

• MDA (Solución)
• MUA (Solución)
• MSA (Solución)
• MLA

MSA es el acrónimo de Mail Submission Agent

The PAM module called 'pam_unix.so' is often used to apply external rules to what kind of authentication?

• login
• system
• user
• password (Solución)

Which Postfix mail server utility will allow you to display ONLY custom configuration settings on your mail server?

• postcustom
• postdisp
• postcustom
• postconf (Solución)

Which of the following Apache configuration directives determines the limit on the number of web clients that can access the site at any one time?

• ClientLimit
• MaxServers
• ConcurrentLimit
• MaxClients (Solución)

In the '/etc/named.conf' DNS server configuration file, which of the following are valid directives? (Choose all that apply.) Choose the 3 correct answers:

• dnssec-validation (Solución)
• managed-keys-directory (Solución)
• None of the above
• zone (Solución)

Once you have created the /etc/aliases file for your email server, what do you have to do before the contents are active in your configuration?

• restart the postfix service
• run the newaliases command to convert to binary DB format (Solución)
• reload the postfix configuration
• reload the aliases daemon

Which of the following does the /etc/nsswitch.conf file determine the order of authentication types for? (Choose all that apply.) Choose the 3 correct answers:

• services (Solución)
• directories
• DNS (Solución)
• files (Solución)

Which of the following SAMBA utilities will show the status of the service along with connections and shares that are being actively shared?

• sharestatus
• status smbd –show
• smbd -show
• smbstatus (Solución)

The amount of time that a DNS record can be cached is configured on your server with what setting?

• None of the above
• expiration
• end time
• time to live (Solución)

The 'rndc-confgen' utility can be used to create a default (initial) configuration file for the 'rndc' utility with what command?

• rndc-confgen -n /etc/rndc.conf
• rndc-confgen -r /dev/urandom > /etc/rndc.conf (Solución)
• rndc-confgen -x -f /etc/rndc.conf
• None of the above

When creating a configuration file to load the PHP module, which directive will actually call the appropriate module for inclusion?

• LoadModule php5 modules/libphp5.so (Solución)
• Load php modules/php*.so
• LoadMod php_mod modules/libphp.so
• None of the Above

Which of the following OpenLDAP utilities will allow you to modify a user's password in your organization?

• ldapmodify
• ldapedit
• None of the above
• ldappasswd (Solución)

Within the DHCP configuration file at /etc/dhcpd.conf, which directive section defines the network and range of IPs that will be provided on client request?

• clientIP_pool
• dhcp_client_response
• range
• subnet (Solución)

Which of the following options, when used in the /etc/fstab file for mounting an NFS share, will keep the system from waiting for the mount to succeed when accessing a remote system that is taking time to respond?

• hard
• bg (Solución)
• waitfor
• timeo

Which of the following record types in a DNS zone file identifies a mail server?

• A Record
• CNAME Record
• MX Record (Solución)
• NS Record

Which of the following PAM authentication modules is used to modify how passwords are changed on the system?

• pam_listfile.so
• pam_unix.so
• pam_cracklib.so (Solución)
• pam_limits.so

To isolate the DNS server process so that it does not have access to other system files or services, you would create what configuration type to place it within?

• isolation process
• docker container
• chroot jail (Solución)
• lxc process

When using the 'doveconf' utility to display your configuration in more 'human readable' format, which command line parameter will show all settings and their current values?

• –all
• -all
• -a (Solución)
• –all-modules

Which of the following external configuration files would define the appropriate SSL settings to enable TLS for your mail server?

• /etc/dovecot/conf.d/10-ssl.conf (Solución)
• /etc/dovecot/conf.d/certs.conf
• None of the above
• /etc/dovecot/config.d/10-ssl.conf

Within the primary Apache configuration file (which could be apache2.conf or httpd.conf, depending on version and distribution), which of the following directives defines the server's configuration directory?

• ConfigDirectory
• ServerRoot (Solución)
• RootLocation
• RootDirectory

Which of the following SSH utilities will allow you to copy files from your host to a remote host over an encrypted connection?

• ssh
• None of the above
• ecp
• scp (Solución)

Which OpenLDAP configuration file contains the basic schemas that are necessary to create a directory server?

• /etc/openldap/slapd.conf (Solución)
• /etc/openldap/schemas.conf
• /etc/openldap.ldap.conf
• None of the Above

Which of the following SSH utilities will allow you to create a public and private key to exchange with other servers for user authentication?

• ssh-genkey
• ssh-keygen (Solución)
• ssh-make-ids
• ssh-make-keys

All zone files are stored in this directory (default configuration):

• /var/zone.d
• /var/conf.d/zones
• /var/named (Solución)
• /var/zones/conf.d

An 'alias' in a DNS zone is defined as what kind of record?

• Alias Record
• None of the Above
• Reference Record
• Canonical Name (Solución)

Which of the following VirtualHost headers would indicate an IP based virtual host definition in an Apache Web Server?

• Host *
• VirtualHost 10.1.0.100 (Solución)
• None of the Above
• VirtualHost *

Which of the following directives in a DHCP configuration file will define the name server(s) that are to be provided to the client when the IP assignment is made?

• option DNS [IP(s)]
• option nameservers [IP(s)]
• domain-name-servers [IP(s)] (Solución)
• option routers [IP(s)]

Which NFS export setting, when added to a share in the /etc/exports file, will prevent the client's root user from having root level access to the server's shared files and directories?

• userlist[root]
• usermap(root=local)
• no_root_squash
• root_squash (Solución)

What is the default location directory for the Apache server access and error logs?

• /var/log/messages
• /var/log/httpd (Solución)
• /var/log/audit
• /var/log/apache2

When creating a SAMBA credentials file to abstract authentication credentials during a client share mount, which parameters have to be included?

• None of the Above
• client, passwd
• domain, user, password
• user, passwd (Solución)

Which of the following log file locations will contain client and server DHCP messages in a Red Hat/CentOS-based distribution?

• /var/log/audit
• /var/log/daemon.log
• /var/log/dhcpd
• /var/log/messages (Solución)

Which of the following directories contains all of the externally referenced Dovecot configuration files?

• /etc/dovecot/conf.d
• /etc/dovecot/conf.d (Solución)
• /etc/dovecot/config.d
• /etc/dovecot/m.d

Which of the following is an IPTABLES firewall NOT responsible for?

• Performing network address translation
• Forwarding network traffic to the local machine or network
• Restricting user authentication (Solución)
• Restricting incoming/outgoing network traffic

When configuring your NFS server, which service, once installed, provides the portmap functionality for client access?

• None of the above Incorrecta
• nfs-server
• nmb
• rpcbind (Solución)

Which of the following IP ranges are private networks (not publicly routable)? (Check all that apply.) Choose the 2 correct answers:

• 172.16.0.0 through 172.31.255.255 (Solución)
• 10.0.0.0 through 10.255.255.255 (Solución)
• 190.160.1.0 through 190.160.255.255
• 92.91.68.1 through 92.91.68.255

When working within the Postfix main configuration file, what setting would you typically find (or place) in the 'myorigin' directive?

• hostname of the originating email server
• the value to be used if a client does not indicate its hostname (Solución)
• IP of the mail client
• None of the above

Which of the following files is the primary SAMBA configuration file?

• /etc/samba.conf
• /etc/sambad/samba.conf
• /etc/smb.conf
• /etc/samba/smb.conf (Solución)

The DNS 'root servers' are defined in which of the following files?

• named.ca (Solución)
• backbone.ca
• root.ca
• rootsrv.ca

Which of these locations is the default file for the IPTABLES persistent rules?

• /etc/iptables/ruleset
• /etc/sysconfig/iptables (Solución)
• /etc/firewalld/ruleset
• /etc/sysconfig/filterpointrules

When using the 'openssl-perl' package to generate SSL keys, signing requests and certificates, which of the following represents the proper order of options that will leave you with a self-signed SSL certificate?

• None of the Above Incorrecta
• newreq, signreq, gencert
• newkey, newreq, gencert, signkey
• newca, newreq, signreq (Solución)

Which of the following provides a subscription based mailing list with a variety of security announcements around exploits, vulnerabilities and mitigation strategies?

• Snort
• US-CERT
• BugTraq (Solución)
• OpenVAS

Which command(s) would enable your Linux server to function as a router on your network? (Check all that apply)? Choose the 2 correct answers:

• export net.ipv4.ip_forward = 1
• echo “1” > /proc/sys/net/ipv4/ip_forward (Solución)
• echo “1” > /proc/sys/net/ipv6/conf/all/forwarding (Solución)
• export net.ipv6.ip_forward = 1

Which of the following lines would indicate a base distinguished name?

• Non
• dn:mydomain:com
• dn: dc=mydomain,dc=com (Solución)
• dn=mydomain.com

Which of the following file system types, when used in conjunction with the 'mount' command or within the /etc/fstab file, allow you to mount a SAMBA share?

• cifs (Solución)
• smbd
• smbfs
• sambafs

Which of the following utilities is used for applying filter rules to emails before they are delivered to a client? (Choose all that apply.)

• procmail (Solución)
• None of the above
• mailx
• sendmail

When using many of the OpenLDAP utilities (ldapadd, ldapdelete, etc), which command line parameters is used to indicate simple authentication?

• -x (Solución)
• Non
• -s
• -D

Which of the following methods are valid SSH connection strings? (Choose all that apply.)

• ssh -l user serv1.mydomain.com (Solución)
• ssh user@serv1.mydomain.com (Solución)
• ssh -username=user -host-serv1.mydomain.com
• ssh user://serv1.mydomain.com

Which of the following commands would enable NAT on your IPTABLES firewall where the network interface assigned to the internal network is called 'eth1'?

• iptables -t nat -A PREROUTING -o eth1 -j ACCEPT
• None of the above
• iptables -t filter -A NAT -i eth1
• iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (Solución)

Which of the following SAMBA utilities will read and test your server share configuration for errors and display available shares?

• sharecfg -show
• chickenparm
• parmtest
• testparm (Solución)

Which of the following examples of an Nginx configuration would result in the ability of Nginx to answer a request by forwarding it to another URI?

• Load Balancer
• Reverse Proxy (Solución)
• Caching Proxy
• Forwarding Agent

Which of the following libraries does portmap use in conjunction with NFS to determine which client IPs have access to or are denied access to the NFS service?

• nsswitch
• TCP Wrappers (Solución)
• None of the above
• ACL

Which of the following is NOT a filter point in an IPTABLES firewall?

• INPUT
• PREROUTING
• OUTPUT
• TRANSFER (Solución)

Which of the following are legacy mail servers (similar in function to Postfix)? (Check all that apply.) Choose the 2 correct answers:

• sendmail (Solución)
• postmaster
• mailserv
• exim (Solución)

When enabling an SSL Certificate within a virtual host, which of the following directives is required to enable SSL in general?

• SecureCerts on
• SSL on
• SSLEngine on (Solución)
• Certificates on

Which of the following are valid settings within the client DNS configuration file /etc/resolv.conf (Choose All That Apply)? Choose the 2 correct answers:

• gateway
• hostname
• nameserver (Solución)
• search (Solución)

When using the 'ldapadd' command to add a record to an OpenLDAP organization, which parameter would provide the 'rootdn' or admin account information?

• -A “dc=mydomain,dc=com” rootdn
• -x admin=rootdn
• None of the above
• -D “cn=Manager,dc=mydomain,dc=com” (Solución)

Which of the following Dovecot mail utilities can be used to view the configuration of your mail server?

• None of the above
• dispconf
• doveadm
• dovecot (Solución)

A 'name based' virtual host configuration is used in the Apache web server where ¿?¿?¿?¿?

• the hostname will be used in the site URL
• the IP address of the server is unknown
• all domains share a single IP and are differentiated by name (Solución)
• the server name will be used in the site URL

Which of the following modules is the correct module to reference when enabling Perl CGI functionality in your Apache web server configuration?

• mod_perl.so (Solución)
• perl-cgi.so
• perl_mod.so
• perl.so

Which parameter, when used with the SAMBA client utility 'smbclient', will allow you to connect as a user other than the one you are logged in as?

• –USER=[name]
• -u
• -U (Solución)
• –user=[name]

When using 'slapcat' to display the contents of your OpenLDAP directory, what format is the output provided in?

• csv
• LDIF (Solución)
• json
• plain text

The Apache utility 'htpasswd' is used to create a secure file that contains a list of users that are granted to certain site resources (files or directories).

• Verdadero (Solución)
• Falso

An alternative to the 'htpasswd' configuration for site authentication and access is the creation of a local .htaccess file in the protected directory.

• Verdadero (Solución)
• Falso

The DHCP utility called 'dhcrelay' allows a server on another network segment to forward DHCP client requests to a defined DHCP server not on that same network.

• Verdadero (Solución)
• Falso

The DNS term 'SOA' stands for 'Start of Authority'.

• Verdadero (Solución)
• Falso

OpenLDAP can be considered a distributed directory service.

• Verdadero (Solución)
• Falso

The SAMBA protocol allows you to share directory content with both Linux and Windows clients.

• Verdadero (Solución)
• Falso

OpenVAS is a service and logging utility that can provide reporting on known security vulnerabilities.

• Verdadero (Solución)
• Falso

DHCP stands for Dynamic Host Configuration Protocol.

• Verdadero (Solución)
• Falso

The /etc/postfix/virtual file contains users and addresses to redirect email to using virtual destinations.

• Verdadero (Solución)
• Falso

CERT stands for Computer Emergency Response Team.

• Verdadero (Solución)
• Falso

The default content directory for the Apache web server is /var/www.

• Verdadero
• Falso (Solución)

POP stands for Post Office Protocol.

• Verdadero (Solución)
• Falso

When enabling SSL certificate within the Apache web server configuration, both the 'SSLCertificateKeyFile and SSLCertificateFile' are required directives.

• Verdadero (Solución)
• Falso

Each zone that a DNS server is going to be authoritative for must be referenced in the 'named.localhost' file in /var/named directory.

• Verdadero
• Falso (Solución)

The OpenSSL server is required to generate SSL certificates, keys and signing requests.

• Verdadero
• Falso (Solución)

The VSFTPD service offers user management with both a PAM module as well as a service configuration setting.

• Verdadero (Solución)
• Falso

The Nginx server can function as a reverse proxy, load balancer and traditional HTTP server.

• Verdadero (Solución)
• Falso

DNS stands for Dynamic Name Service.

• Verdadero
• Falso (Solución)

The command 'host www.cnn.com 8.8.8.8' will use the DNS Server at address '8.8.8.8' to lookup the domain 'www.cnn.com' rather than the locally configured DNS server in /etc/resolv.conf.

• Verdadero (Solución)
• Falso

The network range 192.168.0.0 through 192.168.255.255 is a private network range that is not publicly routable.

• Verdadero (Solución)
• Falso

Squid is an example of a forward proxy server (only).

• Verdadero
• Falso (Solución)

A 'Split Server' configuration for DNS refers to a multiple DNS server setup where one server functions as an internal DNS server (private domain requests) and another functions as an external DNS server (public domain requests only).

• Verdadero (Solución)
• Falso

The 'courier' email server is able to provide SMTP, POP, IMAP, LDAP, SSL and HTTP functions all in the same package.

• Verdadero (Solución)
• Falso

IMAP stands for Internet Mail Aggregation Protocol.

• Verdadero
• Falso (Solución)

What is a significant difference between host and zone keys generated by dnssec-keygen?

• There is no difference.
• Both zone key files( .key/.private ) contain a public and private key. (Solución)
• Both host keys files( .key/. private) contain a public and private key.
• Host Keys must always be generated if DNSSEC is used; zone keys are optional
• Zone Keys must always be generated if is used; host keys are optional

According to the configuration below, what is the e-mail address of the administrator for this domain?

$TTL 86400
$ORIGIN certkiller.com
@ IN SOA mars.certkiller.com hostmaster.certkiller.com (
2005050801
10800
3600
604800
86400)

• hostmaster@certkiller.com

Which of these would be the simplest way to configure BIND to return a different version number to queries?

• Compile BIND with the option -blur-version=my version.
• Set version-string “my version” in BIND's configurationfile.
• Set version "my version" in BIND's configurationfile. (Solución)
• Set version=my version in BIND's configuration file.
• Ser version-bind “my version” in BIND's configuration file.

According to the configuration below:

options {
  directory "/var/named";
  allow-query { any; };
  allow-recursion { 127.0.0.1; 10.0.0.0/24; };
  forwarders { 192.168.0.4; };
  forward firs;
};

zone "." {
  type hint;
  file "named.ca";
};

• Any host, from any network, may use this server as its main DNS server.
• If the server doesn't know the answer to a query, it sends a recursive query to 192.168.0.4 (Solución)
• If the server doesn't know the answer to a query, it sends a query to a root DNS server.
• Hosts in the network 10.0.0.0/24 will be able to ask for zone transfers.
• If the server doesn't know the answer to a query, it sends a recursive query to 192.168.0.4 and, if this fails, it returns a failure.

DNSSEC is used for?

• Encrypted DNS queries between nameservers.
• Cryptographic authentication of DNS zones. (Solución)
• Secondary DNS queries for local zones.
• Defining a secure DNS section.
• Querying a secure DNS section.

Using only commands included with named, what is the command, with options or parameters, to make named re-read its zone files? (Correct Text)

• rndc reload

Which type of DNS record defines which server(s) email for a domain should be sent to?

• MX

Some users are unable to connect to specific local hosts by name, while accessing hosts in other zones works as expected. Given that the hosts are reachable by their IP addresses, which is the default log file that could provide hints about the problem?

• /var/named/log
• /var/lib/named/dev/log
• /var/log/bind_errors
• /var/log/bind/errors
• /var/log/messages (Solución)

A BIND server should never answer queries from certain networks or hosts. Which configuration directive could be used for this purpose?

• deny-query{ …; };
• no-answer{ …; };
• deny-answer{ …; };
• deny-access{ …; };
• blackhole{ …; }; (Solución)

What is the purpose of a PTR record?

• To provide name to IP resolution.
• To provide IP to name resolution. (Solución)
• To direct email to a specific host.
• To provide additional host information.
• To direct clients to another nameserver.

Performing a DNS lookup with dig results in this answer: What might be wrong in the zone definition?

;;Question SECTION:
;5.123.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
5.123.168.192.in-addr.arpa. 600 IN PTR linuserv.example.net.123.168.192.in-addr.arpa.

;;AUTHORITY SECTION:
123.168.192.in-addr.arpa. 600 IN NS linuserv.example.net.

;; ADDITIONAL SECTION:
linuserv.example.net. 600 IN A 192.168.123.5

• Nothing. All seems to be good. Incorrecta
• There's no “.” after linuserv.example.net in the PTR record in the forward lookup zone file.
• There's no “.” after linuserv in the PTR record in the forward lookup zone file.
• There's no “.” after linuserv.example.net in the PTR record in the reverse lookup zone file. (Solución)
• The “.” in the NS definition in reverse lookup zone has to be removed.

What directive can be used in named.conf to restrict zone transfers to the 192.168.1.0/24 network?

• allow-transfer{ 192.168.1.0/24; }; (Solución)
• allow-transfer{ 192.168.1.0/24 };
• allow-axfr{ 192.168.1.0/24; };
• allow-axfr{ 192.168.1.0/24 };
• allow-xfer{ 192.168.1.0/24; };

To securely use dynamic DNS updates, the use of TSIG is recommended. Which TWO statements about TSIG are true?

• TSIG is used for zone data encryption
• TSIG is a signal to start a zone update
• TSIG is used in zone files
• TSIG is used only in server configuration (Solución)
• Servers using TSIG must be in sync (time zone!) (Solución)

The users of the local network complain that name resolution is not fast enough. Enter the command, without the path or any options, that shows the time taken to resolve a DNS query.

• dig

A DNS server has the IP address 192.168.0.1. Which TWO of the following need to be done on a client machine to use this DNS server?

• Add nameserver 192.168.0.1 to /etc/resolv.conf (Solución)
• Run route add nameserver 192.168.0.1
• Run ifconfig eth0 nameserver 192.168.0.1
• Run echo “nameserver 192.168.1.1” » /etc/resolv.conf (Solución)
• Runbind nameserver 192.168.1.1

Which port must be open on a firewall, to allow a DNS server to receive queries? (Enter only the port number).

• 53

There is a restricted area in an Apache site, which requires users to authenticate against the file /srv/www/security/site-passwd. Which command is used to CHANGE the password of existing users, without losing data, when Basic authentication is being used.

• htpasswd -c /srv/www/security/site passwd user
• htpasswd /srv/www/security/site-passwd user (Solución)
• htpasswd -n /srv/www/security/site-passwd user
• htpasswd -D /srv/www/security/site-passwd user
• None of the above.

Consider the following / srv/www/ default/html/ restricted/.htaccess

AuthType Basic
AuthUserFile / srv/www/ security/ site-passwd
AuthName Restricted
Require valid-user
Order deny,allow
Deny from all
Allow from 10.1.2.0/24
Satisfy any

Considering that DocumentRoot is set to /srv/www/default/html, which TWO of the following sentences are true?

• Apache will only grant access to http://server/restricted/to authenticated users connecting from clients in the 10.1.2.0/24 network Incorrecta
• This setup will only work if the directory /srv/www/default/html/restricted/ is configured with AllowOverride AuthConfig Limit (Solución)
• Apache will require authentication for every client requesting connections to http://server/restricted/
• Users connecting from clients in the 10.1.2.0/24 network won't need to authenticate themselves to access http://server/restricted/ (Solución)
• The Satisfy directive could be removed without changing Apache behaviour for this directory

A web server is expected to handle approximately 200 simultaneous requests during normal use with an occasional spike in activity and is performing slowly. Which directives in httpd.conf need to be adjusted?

• MinSpareServers & MaxSpareServers.
• MinSpareServers, MaxSpareServers, StartServers & MaxClients. (Solución)
• MinServers, MaxServers & MaxClients.
• MinSpareServers, MaxSpareServers, StartServers, MaxClients & KeepAlive.

Which statements about the Alias and Redirect directives in Apache's configuration file are true?

• Alias can only reference files under DocumentRoot
• Redirect works with regular expressions
• Redirect is handled on the client side (Solución)
• Alias is handled on the server side (Solución)
• Alias is not a valid configuration directive

Which file, in the local file-system, is presented when the client requests http://server/~joe/index.html and the following directive is present in server's Apache configuration file?

UserDir site/html

Given that all users have their home directory in /home, please type in the FULL file name including the path.

• /home/joe/site/html/index.html

When Apache is configured to use name-based virtual hosts:

• it's also necessary to configure a different IP address for each virtual host.
• the Listen directive is ignored by the server.
• it starts multiple daemons (one for each virtual host).
• it's also necessary to create a VirtualHost block for the main host. (Solución)
• only the directives ServerName and DocumentRoot may be used inside a block.

Enter one of the Apache configuration file directives that defines where log files are stored.

• ErrorLog

Which Apache directive is used to configure the main directory for the site, out of which it will serve documents?

• ServerRoot
• UserDir
• DirectoryIndex
• Location
• DocumentRoot (Solución)

Which Apache directive allows the use of external configuration files defined by the directive AccessFileName?

• AllowExternalConfig
• AllowAccessFile
• AllowConfig
• IncludeAccessFile
• AllowOverride (Solución)

Which of the following is recommended to reduce Squid's consumption of disk resources?

• Disable the use of access lists.
• Reduce the size of cache_dir in the configuration file. (Solución)
• Rotate log files regularly.
• Disable logging of fully qualified domain names.
• Reduce the number of child processes to be started in the configuration file.

Which ACL type in Squid's configuration file is used for authentication purposes?

• proxyAuth
• proxy_auth (Solución)
• proxy_passwd
• auth
• auth_required

The listing below is an excerpt from a Squid configuration file:

[...]
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
acl localhost src 10.0.0.0/24

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
[...]

• Users connecting from localhost will be able to access web sites through this proxy.
• It's necessary to includea http_access rule denying access to all, at the end of the rules.
• It's possible to use this proxy to access SSL enabled web sites listening on any port.
• This proxy can't be used to access FTP servers listening on the default port. (Solución)
• This proxy is misconfigured and no user will be able to access web sites through it.

In the file /var/squid/url_blacklist is a list of URLs that users should not be allowed to access. What is the correct entry in Squid's configuration file to create an acl named blacklist based on this file?

• acl blacklist urlpath_regex /var/squid/url_blacklist
• acl blacklist file /var/squid/url_blacklist
• acl blacklist “/var/squid/url_blacklist”
• acl blacklist urlpath_regex “/var/squid/url_blacklist” (Solución)
• acl urlpath_regex blacklist /var/squid/url_blacklist

Users in the acl named 'sales_net' must only be allowed to access to the Internet at times specified in the time_acl named 'sales_time'. Which is the correct http_access directive, to configure this?

• http_access deny sales_time sales_net
• http_access allow sales_net sales_time
• http_access allow sales_net and sales_time
• allow http_access sales_net sales_time (Solución)
• http_access sales_net sales_time

With which parameter in the smb.conf file can a share be hidden?

• $

Which TWO of the following options are valid, in the /etc/exports file?

• rw (Solución)
• ro (Solución)
• rootsquash
• norootsquash
• uid

nfsd, portmap and ¿?¿?¿?¿?¿? daemons must be running on an NFS server.

• mountd

Which of the following is needed, to synchronize the Unix password with the SMB password, when the encrypted SMB password in the smbpasswd file is changed?

• Nothing, because this is not possible.
• Run netvamp regularly, to convert the passwords.
• Rin winbind –sync, to synchronize the passwords.
• Add unix password sync = yes to smb.conf. (Solución)
• Add smbunix password = sync to smb.conf.

What command can be used to check the Samba configuration file?

• testconfig
• testsmbconfig
• smbtestcfg
• smbtestparm
• testparm (Solución)

The new file server is a member of the Windows domain “foo”. Which TWO of the following configuration sections will allow members of the domain group “all” to read, write and execute files in “/srv/smb/data”?

• [data] comment = data share path = /srv/smb/data write list = @foo+all force group = @foo+all create mask = 0550 directory mask = 0770
• [data] comment = data share path = /srv/smb/data write list = @foo+all force group = @foo+all create mask = 0770 directory mask = 0770 (Solución)
• [data] path = /srv/smb/data write list = @foo+all force group = @foo+all create mask = 0770 directory mask = 0770 (Solución)
• [data] comment = data share path = /srv/smb/data write list = @foo+all force group = @foo+all directory mask = 0770
• [data] comment = data share path = /srv/smb/data write list = @foo+all force group = all create mask = 0550 directory mask = 0770

Which command can be used to list all exported file systems from a remote NFS server:

• exportfs
• nfsstat
• rpcinfo
• showmount (Solución)
• importfs

Which of the following configuration lines will export /usr/local/share/ to nfsclient with read-write access, ensuring that all changes are straight to the disk?

• /usr/local/sharenfsclient(rw) written
• nfsclient: /usr/local/share/:rw,sync
• /usr/local/share nfsclient:rw:sync
• /usr/local/share nfsclient(rw,sync) (Solución)
• nfsclient(rw,sync) /usr/local/share

Which Samba-related command will show all options that were not modified using smb.conf and thus are set to their default values? Please enter the command and its parameter(s):

• testparm -v

After changing /etc/exports on a server, remote hosts are still unable to mount the exported directories. What should be the next action?

• Restart the NFS daemon
• Run showmount -a on the server
• Restart the remote hosts
• Run exportfs -f on the server
• Run exportfs -a on the server (Solución)

Which directive in the OpenVPN client.conf specifies the remote server and port that the client should connect to? (Provide only the directive, without any options or parameters)

• remote

Which of the following are valid OpenVPN authentication modes? (Choose TWO correct answers)

• S/Key
• Kerberos
• Static Key (Solución)
• Password
• TLS (Solución)

What is the default UDP port for OpenVPN traffic?

• 1194

In which of the following scenarios MUST an administrator use ethernet bridging instead of routing when configuring an OpenVPN sites? (Select TWO correct answers)

• Some OpenVPN clients will be installed on laptops and must be able to connect from different locations.
• NetBIOS traffic must be able to traverse the VPN without implementing a WINS server. (Solución)
• The IPv4 protocol is required.
• It will be necessary to use an MTU setting other than the default.
• The IPX protocol is required. (Solución)

Which of the following lines in the OpenVPN server.conf file will supply a DNS server for DHCP clients to use?

• push “dhcpoption DNS 10.142.232.4” (Solución)
• push “dhcp DNS 10.142.232.4”
• push “options DNS 10.142.232.4”
• push “dhcpoptions DNS 10.142.232.4”

What information can be found in the log file specified by the status parameter in OpenVPN's server.conf? (Select TWO correct answers)

• Errors and warnings generated by the openvpn daemon.
• Routing information. (Solución)
• Statistical information regarding the currently running openvpn daemon.
• A list of currently connected clients. (Solución)
• A history of all clients who have connected at some point.

What types of virtual network devices does OpenVPN use for connections? (Choose TWO corrects answers.)

• eth
• tap (Solución)
• lo
• tun (Solución)
• ppp

What is the name of the network security scanner project which, at the core, is a server with a set of network vulnerability tests (NVTs)?

• nmap
• OpenVAS (Solución)
• Snort
• wireshark

An administrator has just configured an OpenVPN client. Upon starting the service, the following message is displayed: TLS Error: TLS key negotiation failed to occur witnin 60 seconds. Which of the following statements is true?

• The client was unable to establish a network connection with the server. (Solución)
• The client was able to establish a network connection with the server, however TLS key negotiation failed, resulting in a fallback to SSL.
• The client was able to establish a network connection with the server, however TLS and SSL security aren't enabled.
• The client was able to establish a network connection with the server, however TLS key negotiation took longer than 60 seconds, indicating that there may be a problem with network performance.

The following is an excerpt from a procmail configuration file:

:0 c
* ! ^To: backup
! backup

Which of the following is correct?

• All mails will be backed up to the path defined by $MAILDIR .
• All mails to the local email address backup will be stored in the directory backup.
• A copy of all mails will be stored in file backup.
• A copy of all mails will be send to the local email address backup. (Solución)
• Mails not addressed to backup are passed through a filter program named backup

Which TWO /etc/hosts.allow entries will allow access to sshd from the class C network 192.168.1.0?

• sshd : 192.168.1. (Solución)
• sshd : 192.168.1
• sshd : 192.168.1.0 netmask 255.255.255.0
• sshd : 192.168.1.0/255.255.255.0 (Solución)
• sshd : 192.168.1.0

According to the dhcpd.conf file below, which domain name will clients in the 172.16.87.0/24 network get?

default-lease-time 1800;
max-lease-time 7200;
option domain-name “certkiller.com”;

subnet 172.16.87.0 netmask 255.255.255.0 {
range 172.16.87.128 172.16.87.254;
option broadcast-address 172.16.87.255;
option domain-name-servers 172.16.87.1;
option domain-name “lab.certkiller.com”;
}
subnet 172.16.88.0 netmask 255.255.255.0 {
range 172.16.88.128 172.16.88.254;
option broadcast-address 172.16.88.255;
option domain-name-servers 172.16.88.1;
}

• lab.certkiller.com

Which of the following sentences is true about ISC DHCP?

• It can't be configured to assign addresses to BOOTP clients.
• Its default behavior is to send DHCPNAK to clients that request inappropriate addresses.
• It can't be used to assign addresses to X - terminals.
• It can be configured to only assign addresses to known clients. (Solución)
• None of the above.

The host, called “ Certkiller ”, with the MAC address “08:00:2b:4c:59:23”, should always be given the IP address of 192.168.1.2 by the DHCP server. Which of the following configurations will achieve this?

• host Certkiller { hardware-ethernet 08:00:2b:4c:59:23; fixed-address 192.168.1.2; }
• host Certkiller { mac=08:00:2b:4c:59:23; ip= 192.168.1.2; }
• host Certkiller =08:00:2b:4c:59:23 192.168.1.2
• host Certkiller { hardware ethernet 08:00:2b:4c:59:23; fixed-address 192.168.1.2; } (Solución)
• host Certkiller { hardware-address 08:00:2b.4c:59:23; fixed-ip192.168.1.2; }

Which dhcpd.conf option defines the DNS server address(es) to be sent to the DHCP clients?

• domain-name-servers (Solución)
• domainname
• domain-nameserver
• domain-name-server

A malicious user has sent a 35MB video clip, as an attachment, to hundreds of recipients. Looking in the outbound queue reveals that this is the only mail there. This mail can be removed with the command rm ¿?¿?¿?* . Complete the path below.

• /var/spool/mqueue/

The syntax of the procmail configuration file is?

• :0[flags][:[lockfile]] [* condition] action (Solución)
• [* condition] action :0[flags][:[lockfile]]
• :0[flags][:[lockfile]] [* condition] action
• :0[flags][:[lockfile]]:[* condition] action
• :0[flags][:[lockfile]]:[* condition]:action

What is the missing keyword in the following configuration sample for dovecot which defines which authentication types to support? (Specify only the keywork)

auth default {
______ = plain login cram-md5
}

• auth_order
• mechanisms (Solución)
• methods
• supported

A procmail recipe is required to delete all emails marked as spam. Please complete the recipe.

:0:
* X-Spam-Status: Yes

• /dev/null

Where is the user foo's procmail configuration stored, if home directories are stored in /home? Please enter the complete path to the file.

• /home/foo/.procmailrc

On a newly-installed mail server with the IP address 10.10.10.1, ONLY local networks should be able to send email. How can the configuration be tested, using telnet, from outside the local network?

• telnet 10.10.10.1 25 MAIL FROMadmin@example.com RECEIPT TO:someone@example.org
• telnet 10.10.10.1 25 RCPT FROM:admin@example.com MAIL TO:someone@example.org
• telnet 10.10.10.1 25 HELLO bogus.example.com MAIL FROM:anyone@example.org RCPT TO:someone@example.net
• telnet 10.10.10.1 25 HELO bogus.example.com MAIL FROM:anyone@example.org RCPT TO:someone@example.net (Solución)
• telnet 10.10.10.1 25 HELO: bogus.example.com RCPT FROM:anyone@example.org MAIL TO:someone@example.net

What is the path to the global postfix configuration file? (Please specify the complete directory path and file name)

• /etc/postfix/main.cf

What security precautions must be taken when creating a directory into which files can be uploaded anonymously using FTP?

• The directory must not have the execute permission set.
• The directory must not have the read permission set. (Solución)
• The directory must not have the read or execute permission set.
• The directory must not have the write permission set.
• The directory must not contain other directories.

What is the correct format for an ftpusers file entry?

• Use only one username on each line. (Solución)
• Add a colon after each username.
• Add a semicolon after each username.
• Add ALLOW after each username.
• Add DENY after each username.

A security-conscious administrator would change which TWO of the following lines found in an SSH configuration file?

• Protocol 2,1 (Solución)
• PermitEmptyPasswords no
• Port 22
• PermitRootLogin yes (Solución)
• IgnoreRhosts yes

A system monitoring service checks the availability of a database server on port 5432 of destination.example.com. The problem with this is that the password will be sent in clear text. When using an SSH tunnel to solve the problem, which command should be used?

• ssh -1 5432:127.0.0.1:5432 destination.example. com
• ssh -L 5432:destination.example.com:5432 127.0.0.1
• ssh -L 5432:127.0.0.1:5432 destination.example.com (Solución)
• ssh -x destination.example.com:5432
• ssh -R 5432:127.0.0.1:5432 destination.example.com

What must be done on a host to allow a user to log in to that host using an SSH key?

• Add their private key to ~/.ssh/authorized_keys
• Reference their public key in ~/.ssh/config
• Run ssh-agent on that host
• Add their public key to ~/.ssh/authorized_keys (Solución)
• Reference their private key in ~/.ssh/config

What command must be used to create an SSH key-pair? Please enter the command without the path or any options or parameters.

• ssh-keygen

To allow X connections to be forwarded from or through an SSH server, what line must exist in the sshd configuration file?

• X11Forwarding yes

A network client has an ethernet interface configured with an IP address in the subnet 192.168.0.0/24. This subnet has a router, with the IP address 192.168.0.1, that connects this subnet to the Internet. What needs to be done on the client to enable it to use the router as its default gateway?

• Run route add defaultgw 192.168.0.1 eth1 (Solución)
• Run route addgw 192.168.0.1 eth1
• Run ifconfig eth0 defaultroute 192.168.0.1
• Add “defaultroute 192.168.0.1” to /etc/resolv.conf
• Run route add defaultgw=192.168.0.1 if=eth0

A server with 2 network interfaces, eth0 and eth1, should act as a router. eth0 has the IP address 192.168.0.1 in the subnet 192.168.0.1/24 and eth1 has the IP address 10.0.0.1 in the subnet 10.0.0.0/16. The routing table looks fine, but no data is traversing the networks. Which TWO of the following need to be done?

• Enable IP forwarding with echo “1” > /proc/sys/net/ipv4/ip_forward (Solución)
• Add new firewall chains to handle inbound & outbound traffic on both interfaces.
• Reconfigure the firewall rules to allow traffic to traverse the networks. (Solución)
• The routing table needs to be restarted, for the changes to take effect.
• The server needs to be restarted, for the changes to take effect.

Which of the following sentences is true, when using the following /etc/pam.d/login file?

#%PAM-l.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix.so shadow nullok md5 use_authtok
auth required /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_ldap.so use_first_pass
session optional /lib/security/pam_console.so
session sufficient /lib/security/pam_unix.so
session required /lib/security/pam_ldap.so

• All users will be authenticated against the LDAP directory
• This is the only file needed to configure LDAP authentication on Linux
• Only local users will be able to log in, when the file/etc/nologin exists
• Ordinary users will be able to change their password to be blank (Solución)
• If the control flags for auth were changed to required, local users wouldn't be able to log in

LDAP-based authentication against a newly-installed LDAP server does not work as expected. The file /etc/pam.d/login includes the following configuration parameters. Which of them is NOT correct?

• password required /lib/security/pam_ldap.so
• auth sufficient /lib/security/pam_ldap.so use_first_pass
• account sufficient /lib/security/pam_ldap.so
• password required /lib/security/pam_pwdb.so
• auth required /lib/security/pam_ldap.so (Solución)

What is the advantage of using SASL authentication with OpenLDAP?

• It can prevent the transmission of plain text passwords over the network. (Solución)
• It disables anonymous access to the LDAP server.
• It enables the use of Access Control Lists.
• It allows the use of LDAP to authenticate system users over the network.
• All of the above.

In which directory are the PAM modules stored?

• /lib/security

Which of the following is true, when a server uses PAM authentication and both /etc/pam.conf & /etc/pam.d/ exist?

• It causes error messages.
• /etc/pam.conf will be ignored. (Solución)
• /etc/pam.d/ will be ignored.
• Both are used, but /etc/pam.d/ has a higher priority.
• Both are used, but /etc/pam.conf has a higher priority.

To configure an LDAP service in the company “ Certkiller Ltd”, which of the following entries should be added to slapd.conf, in the Database Directives section, to set the rootdn so that the common name is Manager and the company's domain is Certkiller .

• rootdn cn=Managerdc=Certkillerdc=com
• rootdn “cn=Manager,dc=Certkiller,dc=com” (Solución)
• rootdn cn=Certkiller,dc=com,dc=Manager
• rootdn “cn=Certkiller,dc=com,dc=Manager”
• rootdn “cn=Managerdc=Certkillerdc=com”

Which command can be used to change the password for an LDAP entry?

• ldappasswd

To be able to access the server with the IP address 10.12.34.56 using HTTPS, a rule for iptables has to be written. Given that the client host's IP address is 192.168.43.12, which of the following commands is correct?

• iptables - A FORWARD -p tcp -s 0/0 -d 10.12.34.56 –dport 80 -j ACCEPT
• iptables - A FORWARD -p tcp -s 192.168.43.12 d 10.12.34.56:443 -j ACCEPT
• iptables - A FORWARD -p tcp -s 192.168.43.12 -d 10.12.34.56 –dport 443 -j ACCEPT (Solución)
• iptables - A INPUT -p tcp -s 192.168.43.12 - d 10.12.34.56:80 -j ACCEPT
• iptables - A FORWARD -p tcp -s 0/0 -d 10.12.34.56 –dport 443 -j ACCEPT

What tool scans log files for unsuccessful login attempts and blocks the offending IP addresses with firewall rules?

• nessus
• nmap
• nc
• watchlogs
• fail2ban (Solución)

A user requests a “hidden” Samba share, named confidential, similar to the Windows Administration Share. How can this be configured?

• [$confidential] comment = hidden share path = /srv/smb/hidden write list = user create mask = 0700 directory mask = 0700
• [#confidential] comment = hidden share path = /srv/smb/hidden write list = user create mask = 0700 directory mask = 0700
• [confidential] comment = hidden share path = /srv/smb/hidden write list = user create mask = 0700 directory mask = 0700
• [%confidential] comment = hidden share path = /srv/smb/hidden write list = user create mask = 0700 directory mask = 0700
• [confidential$] comment = hidden share path = /srv/smb/hidden write list = user create mask = 0700 directory mask = 0700 (Solución)

How must Samba be configured such that it can check CIFS passwords against those found in /etc/passwd and /etc/shadow?

• Delete the smbpasswd file and create a symbolic link to the passwd and shadow file
• Set the parameters encrypt passwords = yes, password file = /etc/passwd and password algorithm = crypt
• Set the parameters encrypt passwords = yes and password file = /etc/passwd
• It is not possible for Samba to use /etc/passwd and /etc/shadow directly (Solución)
• Run smbpasswd to convert /etc/passwd and /etc/shadow to a Samba password file

In a BIND zone file, what does the @ character indicate?

• It’s an alias for the e-mail address of the zone master
• It’s the name of the zone as defined in the zone statement in named.conf (Solución)
• It’s used to create an alias between two CNAME entries
• It’s the fully qualified host name of the DNS server

In order to protect a directory on an Apache HTTPD web server with a password, this configuration was added to an .htaccess file in the respective directory:

AuthType Basic
AuthName "Protected Directory"
AuthUserFile /var/www/dir/.htpasswd
Require valid-user

Furthermore, a file /var/www/dir/.htpasswd was created with the following content: usera:S3cr3t

Given that all these files were correctly processed by the web server processes, which of the following statements is true about requests to the directory?

• The browser prompts the visitor for a username and password but logins for usera do not seem to work
• Accessing the directory as usera raises HTTP error code 442 (User Not Existent)
• The web server delivers the content of the directory without requesting authentication
• The user usera can access the site using the password s3cr3t (Solución)
• Requests are answered with HTTP error code 500 (Internal Server Error)

In which CIFS share must printer drivers be placed to allow Point’n’Print driver deployment on Windows?

• The name of the share is specified in the option print driver share within each printable share in smb.conf
• NETLOGON
• winx64drv$
• print$ (Solución)
• pnpdrivers$

The content of which local file has to be transmitted to a remote SSH server in order to be able to log into the remote server using SSH keys?

• ~/.ssh/id_rsa.pub
• ~/.ssh/authorized_keys (Solución)
• ~./ssh/known_hosts
• ~/.ssh/id_rsa
• ~/.ssh/config

The program vsftpd, running in a chroot jail, gives the following error:

/bin/vsftpd: error while loading shared libraries: libc.so.6: cannot open shared object file:

No such file or directory

Which of the following actions would fix the error?

• The file /etc/ld.so.conf in the root filesystem must contain the path to the appropriate lib directory in the chroot jail
• Run the program using the command chroot and the option –static_libs
• Copy the required library to the appropriate lib directory in the chroot jail (Solución)
• Create a symbolic link that points to the required library outside the chroot jail

What option for BIND is required in the global options to disable recursive queries on the DNS server by default?

• recursion { none; };
• recursion { disabled; };
• recursion no; (Solución)
• allow-recursive-query off;
• allow-recursive-query ( none; );

What option in the client configuration file would tell OpenVPN to use a dynamic source port when making a connection to a peer?

• dynamic-bind
• remote
• source-port
• nobind (Solución)
• src-port

In response to a certificate signing request, a certification authority sent a web server certificate along with the certificate of an intermediate certification authority that signed the web server certificate. What should be done with the intermediate certificate in order to use the web server certificate with Apache HTTPD?

• The intermediate certificate should be used to verify the certificate before its deployment on the web server and can be deleted
• The intermediate certificate should be stored in its own file which is referenced in SSLCaCertificateFile
• The intermediate certificate should be archived and resent to the certification authority in order to request a renewal of the certificate
• The intermediate certificate should be improved into the certificate store of the web browser used to test the correct operation of the web server
• The intermediate certificate should be merged with the web server’s certificate into one file that is specified in SSLCertificateFile (Solución)

What word is missing from the following excerpt of a named.conf file?

__________ friends {
    10.10.0.0/24; 192.168.1.0/24;
};

options {
    allow-query { friends; };
}

• networks
• acl (Solución)
• list
• group
• net

When the default policy for the netfilter INPUT chain is set to DROP, why should a rule allowing traffic to localhost exist?

• It doesn’t matter; netfilter never affects packets addressed to localhost
• syslogd receives messages on localhost
• The iptables command communicates with the netfilter management daemon netfilterd on localhost to create and change packet filter rules
• All traffic to localhost must always be allowed
• Some applications use the localhost interface to communicate with other applications (Solución)

When using mod_authz_core, which of the following strings can be used as an argument to Require in an Apache HTTPD configuration file to specify the authentication provider? (Choose three.)

• expr (Solución)
• all (Solución)
• header
• method (Solución)
• regex

Which Apache HTTPD directive enables HTTPS protocol support?

• StartTLS on
• SSLEngine on (Solución)
• HTTPSEnable on
• HTTPSEngine on
• SSLEnable on

Which BIND option should be used to limit the IP addresses from which slave name servers may connect?

• allow-transfer (Solución)
• allow-queries
• allow-slaves
• allow-secondary
• allow-zone-transfer

Which command is used to configure which file systems a NFS server makes available to clients?

• exportfs (Solución)
• mount
• mkfs.nfs
• nfsservct1
• telinit

Which global option in squid.conf sets the port number or numbers that Squid will use to listen for client requests?

• port
• http_port (Solución)
• squid_port
• client_port
• server_port

Which http_access directive for Squid allows users in the ACL named sales_net to only access the Internet at times specified in the time_acl named sales_time?

• http_access allow sales_net sales_time (Solución)
• http_access sales_net sales_time
• allow http_access sales_net sales_time
• http_access allow sales_net and sales-time
• http_access deny sales_time sales_net

Which Linux user is used by vsftpd to perform file system operations for anonymous FTP users?

• The Linux user that owns the root FTP directory served by vsftpd
• The Linux user with the same user name that was used to anonymously log into the FTP server
• The Linux user which runs the vsftpd process
• The Linux user root, but vsftpd grants access to anonymous users only to globally read-/writeable files
• The Linux user specified in the configuration option ftp_username (Solución)

Which of the following DNS records could be a glue record?

• ns1.lab GLUE 198.51.100.53
• lab NS 198.51.100.53
• ns1.lab NS 198.51.100.53
• ns1. A 198.51.100.53
• ns1.lab A 198.51.100.53 (Solución)

Which of the following lines in the sshd configuration file should, if present, be changed in order to increase the security of the server? (Choose two.)

• Port 22
• PermitRootLogin yes (Solución)
• PermitEmptyPasswords no
• Protocol 2, 1 (Solución)
• IgnoreRhosts yes

Which of the following nmap parameters scans a target for open TCP ports? (Choose two.)

• -sT (Solución)
• -sS (Solución)
• -sZ
• -sU
• -sO

Which of the following Samba configuration parameters is functionally identical to the parameter read only=yes?

• writeable=no (Solución)
• read write=no
• browseable=no
• write only=no
• write access=no

Which of the following Samba services handles the membership of a file server in an Active Directory domain?

• admemb
• samba (Solución)
• nmbd
• msadd
• winbindd

Which of the following sshd configuration should be set to no in order to fully disable password based logins? (Choose two.)

• PermitPlaintextLogin
• UsePasswords
• PasswordAuthentication (Solución)
• PAMAuthentication
• ChallengegeResponseAuthentication (Solución)

Which of the following statements is true regarding the NFSv4 pseudo file system on the NFS server?

• It must be called /exports
• It must be a dedicated partition on the server
• It usually contains bind mounts of the directory trees to be exported (Solución)
• It is defined in the option Nfsv4-Root in /etc/pathmapd.conf
• It usually contains symlinks to the directory trees to be exported

Which of the statements below are correct regarding the following commands, which are executed on a Linux router? (Choose two.)

Ip6tables -A FORWARD -s fe80::/64 -j DROP

p6tables -A FORWARD -d fe80::/64 -j DROP

• Packets with source or destination addresses from fe80::/64 will never occur in the FORWARD chain
• ip6tables returns an error for the second command because the affected network is already part of another rule
• The rules suppress any automatic configuration through router advertisements or DHCPv6 (Solución)
• The rules disable packet forwarding because network nodes always use addresses from fe80::/64 to identify routers in their routing tables
• Both ip6tables commands complete without an error message or warning (Solución)

Which of these tools, without any options, provides the most information when performing DNS queries?

• named-checkconf
• nslookup
• named-checkzone
• dig (Solución)
• host

On a Linux router, packet forwarding for IPv4 has been enabled. After a reboot, the machine no longer forwards IP packets from other hosts. The command: echo 1 > /proc/sys/net/ipv4/ip_forward temporarily resolves this issue. Which one of the following options is the best way to ensure this setting is saved across system restarts?

• In /etc/rc.local add net.ipv4.ip_forward = 1
• In /etc/sysconfig/iptables-config add ipv4.ip_forward = 1
• In /etc/sysctl.conf change net.ipv4.ip_forward to 1 (Solución)
• Add echo 1 > /proc/sys/net/ipv4/ip_forward to any user login script
• Add echo 1 > /proc/sys/net/ipv4/ip_forward to the root user login script

Which tool creates a Certificate Signing Request (CSR) for serving HTTPS with Apache HTTPD?

• certgen
• openssl (Solución)
• cartool
• httpsgen
• apachect1

With fail2ban, what is a ‘jail’?

• The chroot environment in which fail2ban runs
• A group of services on the server which should be monitored for similar attack patterns in the log files
• A netfilter rules chain blocking offending IP addresses for a particular service
• A filter definition and a set of one or more actions to take when the filter is matched (Solución)

Which directive in a Nginx server configuration block defines the TCP ports on which the virtual host will be available, and which protocols it will use? (Specify ONLY the option name without any values.)

• listen

A company is transitioning to a new DNS domain name and wants to accept e-mail for both domains for all of its users on a Postfix server.

• mylocations
• mydomains
• mydestination (Solución)
• mydomain
• myhosts

After the installation of Dovecot, it is observed that the dovecot processes are shown in ps ax like this:

31248 ?    S    0:00 dovecot/imap
31253 ?    S    0:00 dovecot/imap-login

In order to associate the processes with users and peers, the username, IP address of the peer and the connection status, which of the following options must be set?

• sys.ps.allow_descriptions = 1 in sysctl.conf or /proc
• –with-linux-extprocnames for ./configure when building Dovecot
• verbose_proctitle = yes in the Dovecot configuration (Solución)
• proc.all.show_status = 1 in sysctl.conf or /proc

For what purpose is TCP/IP stack fingerprinting used by nmap?

• It is used to masquerade the responses of remote servers.
• It is used to identify duplicate responses from the same remote server.
• It is used to filter out responses from specific servers.
• It is used to determine the remote operating system. (Solución)
• It is used to uniquely identify servers on the network for forensics.

Given the following Squid configuration excerpt:

cache_dir ufs /var/spool/squid3/ 1024 16 256

Which of the following directories will exist directly within the directory: /var/spool/squid3/? (Choose two.)

• 0F (Solución)
• A0
• FF
• 0b (Solución)
• 00

How is the LDAP administrator account configured when the rootdn and rootpw directives are not present in the slapd.conf file?

• The account is defined in the file /etc/ldap.root.conf
• The account is defined in the file /etc/ldap.secret
• The account is defined by an ACL in slapd.conf (Solución)
• The default account admin is used without a password
• The default account admin with the password admin are used

If there is no access directive, what is the default setting for OpenLDAP?

access to *
    by anonymous write
    by *         read

Solución:

access to *
    by anonymous none
    by *         read

access to *
    by *         read

access to *
    by anonymous auth
    by *         read

In a PAM configuration file, which of the following is true about the required control flag?

• If the module returns failure, no more modules of the same type will be invoked
• The module is not critical and whether it returns success or failure is not important
• If the module returns success, no more modules of the same type will be invoked Incorrecta
• The success of the module is needed for the module-type facility to succeed. However, all remaining modules of the same type will be invoked (Solución)
• The success of the module is needed for the module-type facility to succeed. If it returns a failure, control is returned to the calling application

In order to join a file server to the Active Directory domain intra.example.com, the following smb.conf has been created:

[global]
    workgroup = intra.example.com
    netbios name = Fileserver
    server role = member server
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    winbind enum users = yes
    winbind enum group = yes

The command net ads join raises an error and the server is not joined to the domain. What should be done to successfully join the domain?

• Add realm = intra.example.com to the smb.conf and change workgroup to the domain’s netbios workgroup name.
• Change server role to ad member server to join an Active Directory domain instead of an NT4 domain.
• Remove all idmap configuration stanzas since the id mapping is defined globally in an Active Directory domain and cannot be changed on a member server. (Solución)
• Manually create a machine account in the Active Directory domain and specify the machine account’s name with –U when starting net ads join.
• Remove the winbind enum users and winbind enum groups since winbind is incompatible with

Active Directory domains.

It has been discovered that the company mail server is configured as an open relay. Which of the following actions would help prevent the mail server from being used as an open relay while maintaining the possibility to receive company mails? (Choose two.)

• Restrict Postfix to only accept e-mail for domains hosted on this server
• Configure Dovecot to support IMAP connectivity
• Upgrade the mailbox format from mbox to maildir
• Configure netfilter to not permit port 25 traffic on the public network (Solución)
• Restrict Postfix to only relay outbound SMTP from the internal network (Solución)

Select the Samba option below that should be used if the main intention is to setup a guest printer service?

• security = ldap
• security = printing
• security = cups
• security = share (Solución)
• security = pam

The following Apache HTTPD configuration has been set up to create a virtual host available at www.example.com and www2.example.com:

<VirtualHost *:80>
    ServerName www.example.com
    ServerName www2.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/
    <Directory /srv/www/>
        Require all granted
    </Directory>
</VirtualHost>

Even though Apache HTTPD correctly processed the configuration file, requests to both names are not handled correctly. What should be changed in order to ensure correct operations?

• The configuration must be split into two VirtualHost sections since each virtual host may only have one name.
• Both virtual host names have to be placed as comma separated values in one ServerName declaration. (Solución)
• The port mentioned in opening VirtualHost tag has to be appended to the ServerName declaration’s values.
• Both virtual host names have to be mentioned in the opening VirtualHost tag.
• Only one ServerName declaration may exist, but additional names can be declared in ServerAlias options.

The Samba configuration file contains the following lines:

host allow = 192.168.1.100 192.168.2.0/255.255.255.0 localhost
host deny = 192.168.2.31
interfaces = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0

A workstation is on the wired network with an IP address of 192.168.1.177 but is unable to access the Samba server. A wireless laptop with an IP address 192.168.2.93 can access the Samba server. Additional trouble shooting shows that almost every machine on the wired network is unable to access the Samba server. Which alternate host allow declaration will permit wired workstations to connect to the Samba server without denying access to anyone else?

• host allow = 192.168.1.1-255
• host allow = 192.168.1.100 192.168.2.200 localhost
• host allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost (Solución)
• host deny = 192.168.1.100/255.255.255.0 192.168.2.31 localhost
• host deny = 192.168.2.200/255.255.255.0 192.168.2.31 localhost (Solución)

There is a restricted area in a site hosted by Apache HTTPD, which requires users to authenticate against the file /srv/www/security/sitepasswd. Which command is used to CHANGE the password of existing users, without losing data, when Basic authentication is being used?

• htpasswd –D /srv/www/security/sitepasswd user
• htpasswd –c /srv/www/security/sitepasswd user (Solución)
• htpasswd /srv/www/security/sitepasswd user
• htpasswd –n /srv/www/security/sitepasswd user

What does the samba-tool testparm command confirm regarding the Samba configuration?

• The service operates as expected.
• All running Samba processes use the most recent configuration version.
• The netfilter configuration on the Samba server does not block any access to the services defined in the configuration.
• The configuration loads successfully. (Solución)
• The Samba services are started automatically when the system boots.

When are Sieve filters usually applied to an email?

• When the email is delivered to a mailbox (Solución)
• When the email is retrieved by an MUA
• When the email is relayed by an SMTP server
• When the email is sent to the first server by an MUA
• When the email is received by an SMTP smarthost

When trying to reverse proxy a web server through Nginx, what keyword is missing from the following configuration sample?

location / {
     ____ http://proxiedserver:8080;
}

• proxy_pass (Solución)
• forward_to
• reverse_proxy
• remote_proxy
• proxy_reverse

Which Apache HTTPD configuration directive is used to specify the method of authentication, e.g. None or Basic?

• AllowedAuthUser
• AuthType (Solución)
• AuthUser
• AllowAuth

Which Apache HTTPD configuration directive specifies the RSA private key that was used in the generation of the SSL certificate for the server?

• SSLRSAKeyFile
• SSLCertificateKeyFile (Solución)
• SSLKeyFile
• SSLPrivateKeyFile

Which keyword is used in the Squid configuration to define networks and times used to limit access to the service?

• allow
• acl (Solución)
• http_allow
• permit

Which of the following actions synchronizes UNIX passwords with the Samba passwords when the encrypted Samba password is changed using smbpasswd?

• There are no actions to accomplish this since is not possible.
• Add unix password sync = yes to smb.conf (Solución)
• Run winbind –sync, to synchronize the passwords.
• Run netvamp regularly, to convert the passwords.
• Add smb unix password = sync to smb.conf

Which of the following are logging directives in Apache HTTPD? (Choose two.)

• ErrorLog
• CustomLog (Solución)
• VHostLog
• ServerLog
• TransferLog (Solución)

Which of the following authentication mechanisms are supported by Dovecot? (Choose three.)

• krb5
• digest-md5 (Solución)
• plain (Solución)
• ldap
• cram-md5 (Solución)

Which of the following information has to be submitted to a certification authority in order to request a web server certificate?

• The certificate signing request. (Solución)
• The web server’s SSL configuration file.
• The web server’s private key.
• The list of ciphers supported by the web server.
• The IP address of the web server.

Which of the following PAM modules allows the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them?

• pam_limits (Solución)
• pam_unix
• pam_listfile
• pam_filter

Which of the following services belongs to NFSv4 and does not exist in NFSv3?

• rpc.mountd
• nfsd
• rpc.idmapd (Solución)
• rpc.statd

Which of the following statements are true regarding Server Name Indication (SNI)? (Choose two.)

• It submits the host name of the requested URL during the TLS handshake. (Solución)
• It enables HTTP servers to update the DNS of their virtual hosts’ names using the X 509 certificates of the virtual hosts.
• It provides a list of available virtual hosts to the client during the TLS handshake.
• It allows multiple SSL/TLS secured virtual HTTP hosts to coexist on the same IP address. (Solución)
• It supports transparent failover of TLS sessions from one web server to another.

Which of the following statements in the ISC DHCPD configuration is used to specify whether or not an address pool can be used by nodes which have a corresponding host section in the configuration?

• identified-nodes
• unconfigured-hosts
• unmatched-hwaddr
• missing-peers
• unknown-clients (Solución)

Which option within a Nginx server configuration section defines the file system path from which the content of the server is retrieved?

• root (Solución)
• htdocs
• base_dir
• DocumentRoot
• location

Which Postfix command can be used to rebuild all of the alias database files with a single invocation and without the need for any command line arguments?

• postalias
• newaliases (Solución)
• postmapbuild
• makealiases

With Nginx, which of the following directives is used to proxy requests to a FastCGI application?

• fastcgi_forward
• proxy_fastcgi
• proxy_fastcgi_pass
• fastcgi_pass (Solución)
• fastcgi_proxy

According to this LDIF excerpt, which organizational unit is Robert Smith part of? (Specify only the organizational unit.)

dn: cn=Robert Smith, ou=people, dc=example, dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy

• people

In order to export /usr and /bin via NFSv4, /exports was created and contains working bind mounts to /usr and /bin. The following lines are added to /etc/exports on the NFC server:

/exports     192.0.1.0/24 (rw, sync, fsid=0, crossmnt, no_subtree_check)
/exports/usr 192.0.2.0/24 (rw, sync, fsid=0, crossmnt, no_subtree_check)
/exports/bin 192.0.2.0/24 (rw, sync, fsid=0, crossmnt, no_subtree_check)

After running mount -t nfsv4 server:/ /mnt of an NFC-Client, it is observed that /mnt contains the content of the server’s /usr directory instead of the content of the NFSv4 foot folder. Which option in /etc/exports has to be changed or removed in order to make the NFSv4 root folder appear when mounting the highest level of the server? (Specify ONLY the option name without any values or parameters.)

• mount

In order to specify alterations to an LDAP entry, what keyword is missing from the following LDIF file excerpt?

dn: cn=Some Person, dc=example, dc=com
changetype: ______
...

Specify the keyword only and no other information.

• add

What command displays NFC kernel statistics? (Specify ONLY the command without any path or parameters.)

• nfsstat

What is the name of the root element of the LDAP tree holding the configuration of an OpenLDAP server that is using directory based configuration? (Specify ONLY the element’s name without any additional information.)

• slapd

What is the path to the global Postfix configuration file? (Specify the full name of the file, including path.)

• /etc/postfix/main.cf

Which action in a Sieve filter forwards a message to another email address without changing the message? (Specify ONLY the action’s name without any parameters.)

• redirect

How are PAM modules organized and stored?

• A statically linked binaries in /etc/pam.d/bin/
• As Linux kernel modules within the respective sub directory of /lib/modules/
• As shared object files within the /lib/ directory hierarchy
• As dynamically linked binaries in /usr/lib/pam/sbin/ (Solución)
• As plain text files in /etc/security/

A BIND server should be upgraded to use TSIG. Which configuration parameters should be added if the server should use the algorithm hmac-md5 and the key skrKc4DoTzi/takIlPi7JZA==?

key.server.example.com. {
    algorithm=hmac-md5;
    secret="skrKc4DoTzi/takIlPi7JZA==";
};

Solución:

key.server.example.com. {
    algorithm hmac-md5;
    secret "skrKc4DoTzi/takIlPi7JZA==";
};

key.server.example.com. {
    algorithm hmac-md5;
    secret skrKc4DoTzi/takIlPi7JZA==;
};

TISG server.example.com. {
    algorithm hmac-md5;
    secret  "skrKc4DoTzi/takIlPi7JZA==";
};

key.server.example.com. 
    algorithm=hmac-md5;
    secret="skrKc4DoTzi/takIlPi7JZA==";

A zone file contains the following lines:

$ORIGIN example.com
host2.example.org. IN A 198.51.100.102

and is included in the BIND configuration using this configuration stanza:

zone "example.com"{
    type master;
    file "db.example.com";
};

Which problem is contained in this configuration?

• The $ORIGIN declaration cannot be used in zone files that are included for a specific zone name in the BIND configuration. (Solución)
• The zone cannon contain records for a name which is outside the zone’s hierarchy.
• The zone statement is the BIND configuration must contain the cross-zone-data yes; statement.
• Names of records in a zone file cannot be fully qualified domain names.
• An A record cannot contain an IPv4 address because its value is supposed to be a reverse DNS name.

After running ssh-keygen and accepting the default values, which of the following files are changed or created? (Choose two.)

• ~/.ssh/id_rsa.pub (Solución)
• ~/.ssh/id_rsa.prv
• ~/.ssh/id_rsa.key
• ~/.ssh/id_rsa.crt
• ~/.ssh/id_rsa (Solución)

In the main Postfix configuration file, how are service definitions continued on the next line?

• The following line must begin with a plus character (+).
• The initial line must end with a backslash character (\).
• The service definition continues on the following lines until all of the required fields are specified.
• It isn’t possible. The service definition must fit on one line.
• The following line must begin with white space indentation. (Solución)

mydestination = mail.example.com, localhost.example.com, 
 localhost

Select the alternative that shows the correct way to disable a user login for all users except root.

• The use of the pam_nologin module along with the /etc/nologin configuration file. (Solución)
• The use of the pam_block module along with the /etc/login configuration file.
• The use of the pam_deny module along with the /etc/deny configuration file.
• The use of the pam_pwdb module along with the /etc/pwdv.conf configuration file.

To allow X connections to be forwarded from or through an SSH server, what configuration keyword must be set to yes in the sshd configuration file?

• ForwardingAllow
• X11Forwarding (Solución)
• AllowForwarding
• X11ForwardingAllow

To which destination will a route appear in the Linux routing table after activating IPv6 on a router’s network interface, even when no global IPv6 addresses have been assigned to the interface?

• fe80::/10 (Solución)
• fe80::/64
• 0::/128
• 2000::/3
• 0::/0

Using its standard configuration, how does fail2ban block offending SSH clients?

• By rejecting connections due to its role as a proxy in front of SSHD.
• By creating null routes that drop any answer packets sent to the client.
• By creating and maintaining netfilter rules.
• By modifying and adjusting the SSHD configuration. (Solución)
• By modifying and adjusting the TCP Wrapper configuration for SSHD.

What is the name of the Dovecot configuration variable that specifies the location of user mail?

• mail_location (Solución)
• user_dir
• maildir
• mbox
• user_mail_dir

What is the purpose of DANE?

• Discover which servers within a DNS domain offer a specific service.
• Provide a way to verify the association of X 509 certificates to DNS host names. (Solución)
• Invalidate name information stored on caching name servers to speed up DNS updates.
• Verify the integrity of name information retrieved via DNS.
• Allow secure dynamic DNS updates.

What is the standard port used by OpenVPN?

• 1194 (Solución)
• 500
• 4500
• 1723

Which command is used to administer IPv6 netfilter rules?

• ip6tables (Solución)
• iptables6
• ipv6tables
• iptables
• iptablesv6

Which configuration parameter on a Postfix server modifies only the sender address and not the recipient address?

• sender_canonical_maps (Solución)
• sender_rewrite_maps
• alias_maps
• alias_rewrite_maps

Which FTP names are recognized as anonymous users in vsftp when the option anonymous_enable is set to yes in the configuration files? (Choose two.)

• guest
• anonymous (Solución)
• ftp (Solución)
• In the described configuration, any username which neither belongs to an existing user nor has another special meaning is treated as anonymous user
• nobody

Which netfilter table contains built-in chains called INPUT, OUTPUT and FORWARD?

• masq
• nat
• default
• filter (Solución)
• ipconn

Which of the following actions are available in Sieve core filters? (Choose three.)

• relay (Solución)
• fileinto (Solución)
• drop
• discard
• reject (Solución)

Which of the following commands can be used to connect and interact with remote TCP network services? (Choose two)

• telnet (Solución)
• nettalk
• cat
• netmap
• nc (Solución)

Which of the following commands displays an overview of the Postfix queue content to help identify remote sites that are causing excessive mail traffic?

• mailtraf
• postmap
• poststats
• qshape (Solución)
• queuequery

Which of the following DNS record types is used for reverse DNS queries?

• CNAME
• IN
• RIN
• PTR (Solución)
• REV

Which of the following is correct about this excerpt from an LDIF file?

dn: cn=PrintOperators,ou=Groups,o=IT,DC=mycompany,DC=example,DC=com

• dn is the relative distinguished name. (Solución)
• cn is the common name.
• o is the operator name.
• DC is the delegation container.
• dn is the domain name.

Which of the following lines is valid in a configuration file in /etc/pam.d/?

• auth pam_unix.so(required try_first_pass nullok)
• auth try_first_pass nullok, require pam_unix.so
• auth required pam_unix.so try_first_pass nullok (Solución)
• auth required:pam_unix.so(try_first_pass nullok)

Which of the following OpenVPN configuration options makes OpenVPN forward network packets between VPN clients itself instead of passing the packets on to the Linux host which runs the OpenVPN server for further processing?

• client-pass
• inter-client-traffic
• client-to-client (Solución)
• grant-client-traffic

Which of the following PAM modules sets and unsets environment variables?

• pam_export
• pam_set
• pam_shell
• pam-vars
• pam_env (Solución)

Which of the following statements allow the logical combinations of conditions in Sieve filters? (Choose two.)

• anyof
• noneof
• allof (Solución)
• and
• or (Solución)

Which of the following statements is INCORRECT regarding the LDIF file format?

• It contains a dn line that indicates where the attributes listed in the following lines of the file must be added.
• If an attribute contains binary data, some specific configurations must be made for this entry.
• The LDIF file accepts any type of file encoding. (Solución)
• In the file, a blank line separates one entry from another one.

Which of the following types of IPv6 address assignments does DHCPv6 support? (Choose three.)

• Assignments of temporary IPv6 addresses that cannot be renewed. (Solución)
• Assignments of anonymous IPv6 addresses whose assignment is not logged by the DHCPv6 server.
• Assignments of normal IPv6 addresses that can be renewed. (Solución)
• Assignments of blacklisted IPv6 addresses that should no longer be used.
• Assignments of IPv6 prefixes that can be used for routing or further assignments. (Solución)

Which of the following values can be used in the OpenLDAP attribute olcBackend for any object of the class olcBackendConfig to specify a backend? (Choose three.)

• ldap (Solución)
• bdb (Solución)
• text (Solución)
• passwd
• xml

Which of these sets of entries does the following command return?

ldapsearch -x "(|(cn=marie) (!(telephoneNumber=9*)))"

• Entries that don’t have a cn of marie or don’t have a telephoneNumber that begins with 9.
• Entries that don’t have a cn of marie and don’t have a telephoneNumber beginning with 9.
• Entries that have a cn of marie or don’t have a telephoneNumber beginning with 9.
• Entries that have a cn of marie or have a telephoneNumber beginning with 9.
• Entries that have a cn of marie and a telephoneNumber that ending with 9. (Solución)

Which of these tools provides DNS information in the following format?

www.example.com has address 93.184.216.34
www.example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

• named-checkconf
• host (Solución)
• named-checkzone
• nslookup
• dig

Which option in allowed-hosts specifies which host are permitted to ask for domain name information from the server?

• accept-query
• query-group
• permit-query
• allow-query (Solución)
• allowed-hosts

Which option within the ISC DHCPD configuration file defines the IPv4 DNS server address(es) to be sent to the DHCP clients?

• domain-name-servers (Solución)
• servers
• domain-server
• name-server

Which rdnc sub command can be used in conjunction with the name of a zone in order to make BIND reread the content of the specific zone file without reloading other zones as well?

• lookup (Solución)
• fileupdate (Solución)
• zoneupdate
• reload
• reread

Which attitude of an object in LDAP defines which other attributes can be set for the object? (Specify ONLY the attribute name without any values.)

• class

Which doveadm sub-command displays a list of connections of Dovecot in the following format? (Specify ONLY the command without any parameters.)

• who

Which option in the Postfix configuration makes Postfix pass email to external destinations to another SMTP-server? (Specify ONLY the option name without any values.)

• relay server

What option in the sshd configuration file instructs sshd to permit only specific user names to log in to a system? (Specify ONLY the option name without any values.)

• AllowUsers