Chapter 40. System Security (Topic 2.212)


This Topic focuses on the methods used to secure Linux servers and workstations. The breadth of system security topics would require an entire exam to fully test, so LPI focuses only on routers, FTP servers, using OpenSSH, TCP wrappers, and ipchains/iptables.

This Topic contains five Objectives (numbered 2 through 6 instead of 1 through 5, because of changes during test development):


Objective 2: Configuring a Router

The LPIC-2 candidate should be able to configure ipchains and iptables to perform IP masquerading and state the significance of network address translation (NAT) and private network addresses in protecting a network. This Objective includes configuring port redirection, listing filtering rules, and writing rules that accept or block datagrams based upon source or destination protocol, port, and address. Also included are saving and reloading filtering configurations, using settings in /proc/sys/net/ipv4 to respond to DoS attacks, using /proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off, and using tools such as PortSentry to block port scans and vulnerability probes. Weight: 2.


Objective 3: Securing FTP Servers

The candidate should be able to configure an anonymous download FTP server. This Objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail, and configuring ftpaccess to deny access to named users or groups. Weight: 2.


Objective 4: Secure Shell (SSH)

The candidate should be able to configure sshd to allow or deny root logins, and to enable or disable X forwarding. This Objective includes generating server keys, generating a user's public/private key pair, adding a public key to a user's authorized_keys file, and configuring ssh-agent for all users. Candidates should also be able to configure port forwarding to tunnel an application protocol over ssh, configure ssh to support the SSH protocol Versions 1 and 2, disable nonroot logins during system maintenance, configure trusted clients for SSH logins without a password, and make multiple connections from multiple hosts to guard against loss of connection to a remote host following configuration changes. Weight: 2.


Objective 5: TCP wrappers

The candidate should be able to configure TCP wrappers to allow connections to specified servers from only certain hosts or subnets. Weight: 1.


Objective 6: Security Tasks

The candidate should be able to install and configure Kerberos and perform basic security auditing of source code. This objective includes arranging to receive security alerts from Bugtraq, CERT, CIAC, or other sources. It also includes being able to test for open mail relays and anonymous FTP servers and installing and configuring an intrusion detection system such as Snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and apply security patches and bug fixes. Weight: 3.



LPI Linux Certification in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596005288
EAN: 2147483647
Year: 2004
Pages: 257
