Free Practice Questions for LPI 202-450 Exam

The Require directive in mod_authz_core selects which authenticated users can access a resource. The directive takes one or more arguments that specify the authorization provider and the criteria for granting access. Some of the built-in authorization providers are:

all: This provider matches all users, regardless of the criteria. It can be used to grant or deny access to everyone. For example, Require all granted allows access to everyone, while Require all denied denies access to everyone.

ip: This provider matches the client IP address against a list of IP addresses, network/netmask pairs, or CIDR specifications. It can be used to allow or deny access based on the client’s location. For example, Require ip 192.168.1.0/24 allows access only to clients from the 192.168.1.0/24 subnet.

host: This provider matches the client hostname against a list of domain names. It can be used to allow or deny access based on the client’s DNS name. For example, Require host example.com allows access only to clients whose hostname ends with example.com.

local: This provider matches the client IP address against the server IP address. It can be used to allow or deny access based on whether the client is local or remote. For example, Require local allows access only to clients that connect to the server via the loopback interface.

user: This provider matches the authenticated username against a list of usernames. It can be used to allow or deny access based on the user identity. For example, Require user alice bob allows access only to users alice and bob.

group: This provider matches the authenticated user’s group membership against a list of groups. It can be used to allow or deny access based on the user’s group affiliation. For example, Require group admins allows access only to users who belong to the admins group.

valid-user: This provider matches any authenticated user, regardless of the username. It can be used to allow or deny access based on the user authentication status. For example, Require valid-user allows access to any user who can provide valid credentials.

expr: This provider evaluates an expression and grants or denies access based on the result. It can be used to implement complex logic based on various variables and functions. For example, Require expr "%{REQUEST_METHOD} == 'GET' && %{TIME_HOUR} < 12" allows access only to GET requests made before noon.

method: This provider matches the request method against a list of methods. It can be used to allow or deny access based on the type of request. For example, Require method GET POST allows access only to GET and POST requests.

regex: This provider matches the request URI against a regular expression. It can be used to allow or deny access based on the pattern of the request. For example, Require regex ^/admin/.* allows access only to requests that start with /admin/.

Therefore, the correct strings that can be used as an argument to Require are B, C, and E. Statement A is false because method is not a valid argument to Require, but a separate authorization provider. Statement D is false because header is not a valid argument to Require, but a variable that can be used in an expression.

References:

mod_authz_core - Apache HTTP Server Version 2.4

Access Control - Apache HTTP Server Version 2.4

The Samba configuration parameter writeable is a synonym for the parameter read only. It has the opposite meaning, so setting writeable=no is equivalent to setting read only=yes. This parameter controls whether a user has the ability to create or modify files within a share12 References:

LPIC-2 Overview

LPIC-2 202-450

smb.conf - Samba

Samba share permissions simplified - nixCraft

Samba cannot use /etc/passwd and /etc/shadow directly because they store passwords in a different format than CIFS. CIFS passwords are encrypted using a one-way hash function, while Unix passwords are encrypted using a two-way cipher. Therefore, Samba needs a separate password file that stores the CIFS passwords in a compatible format. This file is usually called smbpasswd and can be created or updated using the smbpasswd command123 References:

Chapter 9. Users and Security - Samba

smbpasswd - Samba

Chapter 20. samba authentication - linux-training.be

Chapter 9. Users and Security - Samba3

Chapter 9. Users and Security - Samba

 The pam_listfile module is a PAM module that allows the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them. The module can be used to deny or allow access to services based on the contents of the file. The file can contain items such as usernames, group names, terminal names, remote host names, remote user names, or shell names. The module can be configured to match the item against the file and take the appropriate action, such as allowing or denying access, or ignoring the request. The module can also be restricted to apply only to a specific user or group class. The file should be a plain text file with one item per line and not be world writable12.

References:

pam_listfile(8) - Linux man page: A manual page for the pam_listfile module, which explains its syntax, options, and examples.

pam_listfile(8) - Linux manual page - man7.org: Another manual page for the pam_listfile module, which provides similar information as the previous reference.

The PAM module that sets and unsets environment variables is pam_env. This module allows the (un)setting of environment variables based on the rules specified in the configuration file /etc/security/pam_env.conf or an alternative file. The module can also read a file with simple KEY=VAL pairs on separate lines (/etc/environment by default) or a user-specific file ($HOME/.pam_environment by default). The pam_env module supports the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST. The pam_env module should be the last one on the stack, as setting PAM environment variables can have side effects on other modules. The pam_env module provides the auth and session module types. References:

pam_env - PAM module to set/unset environment variables

pam_env(8) - Linux manual page

 TCP/IP stack fingerprinting is a technique that allows nmap to remotely detect the characteristics of a TCP/IP stack implementation on a target host. By sending a series of probes (such as TCP and UDP packets) and analyzing the responses, nmap can infer the operating system (OS) of the target host based on a database of known OS fingerprints. Each OS has a unique way of setting certain parameters and flags in the TCP/IP headers, such as the initial packet size, the initial TTL, the window size, the max segment size, the window scaling value, and the “don’t fragment”, “sackOK”, and “nop” flags. These values can be combined to form a signature or a fingerprint for the target host, which can then be compared to the nmap-os-db database that contains more than 2,600 OS fingerprints. If there is a match, nmap will print out the OS details, such as the name, the version, and the vendor. If there is no match, nmap will print out a message asking the user to submit the fingerprint to the nmap project for further analysis.

TCP/IP stack fingerprinting is useful for several purposes, such as network mapping, security auditing, vulnerability scanning, and penetration testing. By knowing the OS of the target host, nmap can tailor its scanning techniques and exploit the weaknesses of the specific OS. TCP/IP stack fingerprinting can also help identify rogue or unauthorized devices on a network, or detect OS spoofing attempts by the target host.

References:

OS Detection | Nmap Network Scanning

TCP/IP stack fingerprinting - Wikipedia

Cybersecurity | Nmap | OS Detection | Codecademy

 The FTP names that are recognized as anonymous users in vsftpd when the option anonymous_enable is set to yes in the configuration file are anonymous and ftp. These are the default names that vsftpd accepts as valid anonymous users, and they can be used interchangeably. The anonymous user does not need to enter a password, but can optionally enter an email address as a password. The anonymous user has limited permissions and can only access the directory specified by the anon_root directive, which is usually /var/ftp or /srv/ftp. The anonymous user can download files from the server, but cannot upload or modify files, unless the anon_upload_enable and anon_mkdir_write_enable directives are also set to yes.

The other options are not recognized as anonymous users in vsftpd. Option C is incorrect, because vsftpd will reject any username that does not belong to an existing user or an anonymous user. Option D is incorrect, because nobody is a system user that has no permissions and is not related to FTP. Option E is incorrect, because guest is not a valid FTP name, unless the guest_enable directive is set to yes, which will make all non-anonymous users log in as the guest_username, which is usually ftp.

References:

vsftpd.conf - config file for vsftpd

How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04

How to Configure vsftpd FTP Server on CentOS 8

 The nmap command is a network exploration and security auditing tool that can scan hosts and networks for open ports, services, operating systems, vulnerabilities, and other information. The nmap parameters that can scan a target for open TCP ports are:

-sT: This parameter performs a TCP connect scan, which establishes a complete connection to the target host by completing a TCP three-way handshake. This is the default scan type when the user does not have root privileges. The advantage of this scan is that it works on any system that supports TCP, but the disadvantage is that it is easily detectable by firewalls and intrusion detection systems.

-sS: This parameter performs a TCP SYN scan, which sends a TCP SYN packet to the target port and waits for a response. If the response is a SYN/ACK packet, the port is open. If the response is a RST packet, the port is closed. This scan does not complete the TCP three-way handshake, so it is faster and stealthier than the TCP connect scan. However, this scan requires root privileges and may not work on some systems that do not follow the TCP standard.

The other parameters are not related to TCP port scanning:

-sO: This parameter performs an IP protocol scan, which sends IP packets with the specified protocol number set in the IP header. It can be used to determine which IP protocols are supported by the target host.

-sZ: This parameter is not a valid nmap parameter and will cause an error.

-sU: This parameter performs a UDP scan, which sends a UDP packet to the target port and waits for a response. If the response is an ICMP port unreachable message, the port is closed. If the response is a UDP packet, the port is open. This scan can be used to find open UDP ports, which are often used by DNS, SNMP, DHCP, and other services.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Nmap Tutorial: Common Commands, Nmap Scan Types

Cybersecurity | Nmap | TCP Connect Scan | Codecademy

mount-tnfsv4 server://mnt

of an NFC-Client, it is observed that /mnt contains the content of the server’s /usr directory instead of the content of the NFSv4 foot folder.

Which option in /etc/exports has to be changed or removed in order to make the NFSv4 root folder appear when mounting the highest level of the server? (Specify ONLY the option name without any values or parameters.)

Answer:  fsid

The fsid option in /etc/exports is used to specify a unique identifier for each exported filesystem. For NFSv4, there is a distinguished filesystem which is the root of all exported filesystems, and it is specified with fsid=root or fsid=0, both of which mean the same thing. If this option is used for the /exports directory, then it will be the root of the NFSv4 hierarchy, and any subdirectories under it will be mounted relative to it. This means that when mounting the highest level of the server, the client will see the content of /exports instead of the NFSv4 root folder. To avoid this, the fsid option should be removed or changed to a different value for the /exports directory, so that it is not the NFSv4 root. The other options in /etc/exports are not relevant for this question.