Section 43.2. Answers

  1. a. Ethernet networks have a maximum MTU of 1500. It is possible that you would want to adjust the MTU if conditions warranted. However, you will find that your Ethernet NIC's MTU will usually be 1500.

  2. b. In Sendmail, the genericstable file is responsible for rewriting headers of outgoing messages.

  3. d. Both the fsck and badblocks commands can be destructive if run against a mounted partition. You should unmount the drive before using either one. You may need to go into single mode to do so.

  4. a and c. You can use smbmount and smbclient. To draw an analogy, smbclient is something like a command-line FTP client. You can use smbclient to access a Samba share and navigate it just as you would an FTP session. The smbmount command, on the other hand, is more like the standard mount command. You must specify a mount point, unlike smbclient.

  5. mount -t nfs bentley:/home/james /mnt/nfs

  6. a. The -w option in traceroute allows you to specify the wait period. traceroute will wait five seconds by default, then move on to the next hop.

  7. b and c. You can use the dig command with the @ option to specify a different DNS server. With the host command, the second hostname given in the command specifies the name server.

  8. d. When using the ifconfig command to specify a second IP address for a NIC, simply use a colon with no space after the interface:

     ifconfig eth2:1 202.168.85.3 netmask 255.255.255.0 

  9. b and d. Two reasons exist for a route command to hang: DNS service has failed, or the default gateway is down. Use the -n option to the route command to bypass name resolution issues.

  10. c. The telnet command is very handy when it comes to troubleshooting servers. All you have to do is specify a port number after the hostname, and the telnet command will use that instead of the default Telnet port (TCP 23). Once telnet connects to the desired port, you may see messages and commands from the server. Even though you likely will not be able to control the server or view data as you would with the proper client, you will still be able to see the operations of the service in a helpful way.

  11. c. The way to conduct a manual scan of the files and drives that Tripwire is configured to protect is by specifying the --check option to the tripwire command.

  12. b and c. CERT (http://www.cert.org) and Bugtraq (http://www.securityfocus.com/archive/1) are dedicated to discussing vulnerabilities, attacks, and system bugs. Although attackers usually know about the bugs and exploits before CERT and Bugtraq report them, it is nevertheless useful for you to receive warnings about the latest security-related issues.

  13. a. The kdestroy command purges the system of any credentials that could be used illicitly. It is a good idea to place this command in the logout script for your shell.

  14. a and c. If you do not have an NTP server and a properly configured DNS server, your Kerberos implementation will likely fail, no matter how well you have defined your Kerberos database and principals. NTP and DNS are foundational for Kerberos because Kerberos relies heavily on both time-based calculations and hostname services.

  15. b. The kdb5_util command has many functions. In particular, the create -s option allows you to create the database that will eventually hold the principals.

  16. c. If you want to conduct a ping scan, use the -sP option, then specify a range using a hyphen.

  17. d. The term false positive describes instances when intrusion detection or antivirus applications mistakenly label legitimate activity as an attack. While careful configuration helps to avoid most false positives, it is very difficult to avoid all instances.

  18. d. Even if you were to block off all services using /etc/hosts.deny, various services still might be accessible because they simply do not consult these files.

  19. b. It is possible to use both the /etc/hosts.allow and /etc/hosts.deny files to improve security. The /etc/hosts.allow file is consulted first. The /etc/hosts.deny file does not negate statements in the /etc/hosts.allow file. Thus, it is often encouraged to explicitly allow services, hosts, and networks in /etc/hosts.allow, then block off all other services in /etc/hosts.deny. It is also important to understand that not all services use TCP wrappers.

  20. c. The ~/.ssh/authorized_keys file (or the ~/.ssh/authorized_keys2 file, for newer versions of SSH) contains the public keys of users that you wish to allow into your system without providing a standard password.

  21. d. The ssh-keygen -t rsa command allows you to begin the process of creating a new key pair. This key pair will be stored in the ~/.ssh directory by default. The files generated will be clearly marked (e.g., id_rsa and id_rsa.pub). You can also specify ssh-keygen -t dsa if you wish to use DSA keys instead of RSA keys. The filenames generated will be slightly different to reflect your use of DSA.

  22. a. The /etc/ssh/sshd_config file allows you to configure most aspects of SSH, including its logging. Using this file, you can also disable non-root access, restrict support to SSH Version 2, and enable X11 port forwarding.

  23. c. If you wish to disable non-root access for an SSH server, use the DenyUsers directive in the /etc/ssh/sshd_config file.

  24. b. The -x option to ssh allows you to tunnel X11 through SSH, thereby encrypting all transmissions. You must first enable X11 tunneling by editing the /etc/ssh/sshd_config file.

  25. d. To remove an identity from ssh-agent, use the ssh-agent -d command. If you are using ssh-agent and ssh-add, it is wise to place ssh-agent -d in your shell's logout file.

  26. c. You must first exchange public keys. The public keys of users you wish to allow without providing a standard password are stored in the ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 files.

  27. b. The ssh-agent and ssh-add commands store private keys in memory. You first run ssh-agent, specifying a shell (e.g., ssh-agent /bin/bash). This shell runs until you exit it. After the shell is active, you then run ssh-add from within this shell to add the private key to ssh-agent. You will then never be asked for the private key's password until you exit the shell started under ssh-agent.

  28. The command is:

     upload /home/ftp * no 

    This directive goes in the ftpaccess file and ensures that anonymous users cannot upload files.

  29. a. Any account listed in the ftpusers file will be prohibited from logging in to the FTP server.

  30. d. The three classes of users that are allowed to log in to an FTP server are real, anonymous, and guest.

  31. c. It is not enough to simply copy the executables into the correct directories when creating a chroot environment for any service. You must also copy the appropriate libraries and ensure that permissions are correct.

  32. The nat table. When you wish to use iptables to masquerade connections (i.e., do Network Address Translation), you do not use the three default tables listed by the iptables -L command (e.g., INPUT, FORWARD, and ACCEPT). You use the somewhat hidden nat table, which you must specify using the -t option:

      iptables -t nat -L 

  33. d. Whenever you make any changes to the /etc/sysctl.conf file, you must use the sysctl -p /etc/sysctl.conf command to make sure the system recognizes the changes.

  34. c. Changing the value of the /proc/sys/net/ipv4/tcp_syncookies file to 1 helps make the Linux system more capable of handing SYN floods. You can do this by using the echo command or by editing the /etc/sysctl.conf file and then running the following command:

     sysctl -p /etc/sysctl.conf 

  35. a and b. As usual, there is more than one way to do it in Linux. You can use the echo command (echo 1 > /proc/sys/net/ipv4/ip_forward), or you can edit the /etc/network/options file and enter the line ip_forward=yes. Both have the same effect. The first option is the most nearly universal, which you should keep in mind. The LPI Exam is vendor-neutral.
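
Answers 33 through 35 describe the persistent settings in /etc/sysctl.conf and the sysctl -p command that applies them. The following script is an added example, not from the book: it reads a sysctl.conf-style file (the path is a parameter, and the sample file is constructed here) and reports the effective value of the two keys discussed, mirroring the fact that sysctl -p applies lines top to bottom, so a later assignment to the same key wins.

```shell
#!/bin/sh
# Added example (not from the book): audit the persistent SYN-cookie and IP
# forwarding settings from answers 34 and 35. sysctl -p applies a file top to
# bottom, so the last assignment to a key is the one that takes effect; the
# parser below follows that rule. The sample file at the end is constructed.

# conf_value FILE KEY: print the effective value of KEY, or nothing if unset.
conf_value() {
    # full-line comments start with # or ; keys may use '.' or '/' separators
    sed -e '/^[[:space:]]*[#;]/d' "$1" \
    | awk -F= -v key="$2" '
        { gsub(/[ \t]/, "", $1); gsub("/", ".", $1)
          sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2) }
        $1 == key { value = $2 }
        END { printf "%s", value }'
}

# check_key FILE KEY EXPECTED: returns 0 if the effective value is EXPECTED.
check_key() {
    got=$(conf_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok      $2 = $got"
    else
        echo "WARNING $2 = ${got:-<unset>} (expected $3)"
        return 1
    fi
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample of /etc/sysctl.conf
net.ipv4.ip_forward = 0
net/ipv4/tcp_syncookies = 0
; the later line overrides the earlier one, exactly as sysctl -p would
net.ipv4.tcp_syncookies = 1
EOF
check_key "$SAMPLE" net.ipv4.tcp_syncookies 1
check_key "$SAMPLE" net.ipv4.ip_forward 0
rm -f "$SAMPLE"
```

Run it against a copy of the real file to confirm that the value you set with echo in /proc/sys is also the one that will be restored at boot.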

  36. d. Portsentry has many capabilities, including the ability to write to the /etc/hosts.deny file, if that feature is something you find useful.

  37. b. The ldapadd command allows you to update an LDIF file and have your LDAP server recognize the changes.

  38. c. The ou= field in an LDAP LDIF file indicates the organizational unit. The ou designation is essential, as it helps identify legitimate users.

  39. c. The ypbind command allows you to maintain binding information for an NIS server.

  40. a. The rpcinfo command provides information about RPC calls made to the local system, and is ideal for determining the status of the portmapper daemon. The portmapper daemon is an essential element of NIS.

  41. When defining a default gateway and a DNS server in a subnet section of the dhcp.conf file, you simply use the option keyword followed by the required network element (e.g., routers or domain-name-servers) and then the appropriate IP address:

     option routers 192.168.2.1; option domain-name-servers 1.10.45.45.3; 

  42. a and c. When configuring a DHCP relay, you need to tell it which interface to listen on. It is also important to give the address of the DHCP server on the subnet, to help the relay work faster.

  43. d. Using innwatch helps you monitor your INN server. It runs in the background periodically searching for problem conditions, including full hard drives and overburdened processors.

  44. The command is:

      ctlinnd newgroup scuba y davis 

    The final argument is davis because davis is the user creating the newsgroup.

  45. a. The three parts of a recipe are the beginning (where flags are stored), the conditions, and the action. A recipe first identifies the conditions, then specifies an action.

  46. c. The ~/.ssh/identity file (or the id_rsa file in some Linux systems) contains the identity SSH requires the user to define before public-key authentication will work for her account.

  47. b. Although you could also send email messages, the quickest way to verify settings on Sendmail is to issue the sendmail -bt command and begin an interactive test shell. Once in this shell, you can send test messages and conduct queries to verify that your settings have been recognized and are having the intended effect.

  48. b. Modifying the /etc/mail/access file is the only way listed that will allow you to control access from a domain.

  49. b. The single quotes around the (port ssh) statement are necessary to escape the parentheses from the shell. It is important to understand the sometimes arcane tcpdump options for the exam. Consider this question just the beginning.

  50. a. The StartServers directive allows you to control how many servers Apache Server starts. Familiarize yourself with other directives concerning processes and threads before you take the exam.

  51. d. If you want to use .htaccess files, you would change the AllowOverride directive to use AuthConfig, rather than None.

  52. c. Specify 3000 in the cache_dir statement. Squid specifies this value in megabytes, and 3000 megabytes is 3 gigabytes. The remaining two numbers refer to the number of directories that will be generated to store the proxy cache files.

  53. b. DHCP servers require broadcasts, and routers are to isolate broadcasts to a single network. So if you wish to forward DHCP broadcasts to other networks, you have to use a DHCP relay agent.

  54. a. When you configure an LDAP server, you have to tell slapd what type of database to use. ldbm, which stands for LDAP Database Manager, is traditional.

  55. b. It is often advisable to configure your system to block all services except those you want to explicitly allow. Using the /etc/hosts.allow and /etc/hosts.deny files in the way described here gives you this policy for all services that recognize TCP wrappers.
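
Answers 19 and 55 both rest on the order in which TCP wrappers consult the two files. The script below is an added example, not from the book: it evaluates a daemon and client address against constructed hosts.allow and hosts.deny files in that order (allow first, deny second, admit if neither matches) and contrasts the catch-all deny with the weak case of an empty hosts.deny. It implements only a subset of the hosts_access(5) pattern language.

```shell
#!/bin/sh
# Added example (not from the book): decide whether tcpd would admit a client,
# following the lookup order from answers 19 and 55: hosts.allow first,
# hosts.deny second, access granted when neither file matches. Supports a
# subset of hosts_access(5): ALL, an exact name or address, and a network
# prefix ending in a dot (192.168.1.); EXCEPT and other forms are omitted.

# list_matches LIST TARGET: does any comma-separated pattern in LIST match?
list_matches() {
    target=$2; saved=$IFS; IFS=','
    set -- $1
    IFS=$saved
    for pat in "$@"; do
        pat=$(printf '%s' "$pat" | tr -d ' \t')
        case $pat in
            ALL) return 0 ;;
            *.)  case $target in "$pat"*) return 0 ;; esac ;;
        esac
        [ "$pat" = "$target" ] && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: true if a "daemons : clients" line matches.
file_matches() {
    sed -e 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
                exit 0
            fi
        done
        exit 1
    }
}

# wrappers_decision ALLOW DENY DAEMON CLIENT: returns 0 if admitted, 1 if refused.
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then echo "$3 $4: granted by hosts.allow"; return 0; fi
    if file_matches "$2" "$3" "$4"; then echo "$3 $4: denied by hosts.deny"; return 1; fi
    echo "$3 $4: granted (no rule matched)"
}

# Constructed sample policy: allow explicitly, then deny everything else.
ALLOW=$(mktemp); DENY=$(mktemp); EMPTY_DENY=$(mktemp)
printf 'sshd : 192.168.1.\nin.ftpd : 192.168.1.20\n' > "$ALLOW"
printf '# catch-all: anything not listed in hosts.allow is refused\nALL : ALL\n' > "$DENY"
wrappers_decision "$ALLOW" "$DENY" sshd 192.168.1.7        # granted by hosts.allow
wrappers_decision "$ALLOW" "$DENY" in.ftpd 10.0.0.5 || :   # denied by hosts.deny
wrappers_decision "$ALLOW" "$EMPTY_DENY" in.ftpd 10.0.0.5  # weak: no catch-all deny
rm -f "$ALLOW" "$DENY" "$EMPTY_DENY"
```

The third call shows why the catch-all ALL : ALL line in hosts.deny matters: without it, any daemon not named in hosts.allow is admitted from anywhere, and services that do not use TCP wrappers are never covered by either file.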



LPI Linux Certification in a Nutshell
ISBN: 0596005288
Year: 2004
Pages: 257
