Dumps LPI 202 Answers

QUESTION 139

Which command line create an SSH tunnel for POP and SMTP protocols?

1. ssh -L :110 -L :25 -1 user -N mailhost

2. ssh -L 25:110 -1 user -N mailhost

3. ssh -L mailhost:110 -L mailhost:25 -1 user -N mailhost

4. ssh -L mailhost:25:110 -1 user

5. ssh -L 110:mailhost:110 -L 25:mailhost:25 -1 user -N mailhost

Correct Answer: E

QUESTION 124

A correctly-formatted entry has been added to /etc/hosts.allow to allow certain clients to connect to a service, but this is having no effect. What would be the cause of this?

1. tcpd needs to be sent the HUP signal.

2. The service needs to be restarted.

3. The machine needs to be restarted.

4. There is a conflicting entry in /etc/hosts.deny .

5. The service does not support tcpwrappers

Correct Answer: E

QUESTION 167

The Samba configuration file contains the following lines:

hosts allow = 192.168.1.100 192.168.2.0/255.255.255.0 localhost
hosts deny = 192.168.2.31
interfaces = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0

A workstation is on the wired network with an IP address of 192.168.1.117 but is unable to access the Samba server. A wireless laptop with an IP address of 192.168.2.93 can access the Samba server. Additional troubleshooting shows that almost every machine on the wired network is unable to access the Samba server. Which single choice below will permit wired workstations to connect to the Samba server without denying access to any one else?

1. hosts allow = 192.168.1.1-255

2. hosts allow = 192.168.1.100 192.168.2.200 localhost

3. hosts deny = 192.168.1.100/255.255.255.0 192.168.2.31 localhost

4. hosts deny = 192.168.2.200/255.255.255.0 192.168.2.31 localhost

5. hosts allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost

Correct Answer: E

QUESTION 168

Which of the following Samba configuration parameters is functionally identical to the parameter read ‚only=yes‘?

1. browseable=no

2. read write=no

3. writeable=no

4. write only=no

5. write access=no

Correct Answer: C

QUESTION 54

CORRECT TEXT

What postfix configuration setting defines the domains for which Postfix will deliver mail locally? (Please provide only the configuration setting name with no other information):

Correct Answer: mydestination

QUESTION 24

You have to mount the /data filesystem from an NFS server(srvl) that does not support locking. Which of the following mount commands should you use?

1. mount -a -t nfs

2. mount -o locking=off srvl:/data /mnt/data

3. mount -o nolocking srvl:/data /mnt/data

4. mount -o nolock srvl:/data /mnt/data

5. mount -o nolock /data@srvl /mn/data

Correct Answer: D

QUESTION 28

Which of the following is NOT included in a Snort rule header?

1. protocol

2. action

3. source IP address

4. packet byte offset

5. source port

Correct Answer: D

QUESTION 29

Which environment variables are used by ssh-agent? (Please select TWO variables):

1. SSH_AGENT_KEY

2. SSH_AGENT_SOCK

3. SSH_AGENT_PID

4. SSH_AUTH_SOCK

5. SSH_AUTH_PID

Correct Answer: BC

QUESTION 39

For an LDAP client configuration, the LDAP base needs to be set. Which TWO of the following actions would achieve that?

1. export LDAPBASE=dc=linuxfoo,dc=com

2. export BASE=dc=linuxfoo,dc=com

3. Edit ldapbase.conf and add „BASE dc=linuxfoo,dc=com“.

4. Edit cldap.conf and add „BASE dc=linuxfoo,dc=com“.

5. Edit ldap.conf and add „BASE dc=linuxfoo,dc=com“.

Correct Answer: AE

QUESTION 40

Which of the following options can be passed to a DHCP client machine using configuration options on the DHCP server?

1. The NIS domain name

2. The resolving order in /etc/resolv.conf

3. The priority order in nsswitch.conf

4. The filter rules for iptables

5. The contents of hosts.allow and hosts.deny

Correct Answer: A

QUESTION 51

CORRECT TEXT

Postfix daemons can be chroot’d by setting the chroot flag in _______. (Supply only the filename, without a path):

Correct Answer: master.cf

QUESTION 56

CORRECT TEXT

What is the default location for sendmail configuration files? (Please provide the complete path to the directory)

Correct Answer: /etc/mail

QUESTION 59

CORRECT TEXT

What is the name of the module in Apache that provides the HTTP Basic Authentication functionality? (Please provide ONLY the module name)

Correct Answer: mod_auth

QUESTION 60

CORRECT TEXT

What command is used to print NFS kernel statistics? (Provide the command with or without complete path)

Correct Answer: nfsstat

QUESTION 61

Which of the following sentences is true about ISC DHCP?

1. It can’t be configured to assign addresses to BOOTP clients.

2. Its default behavior is to send DHCPNAK to clients that request inappropriate addresses.

3. It can’t be used to assign addresses to X - terminals.

4. It can be configured to only assign addresses to known clients.

5. None of the above.

Correct Answer: D

QUESTION 62

The host, called „ Certkiller „, with the MAC address „08:00:2b:4c:59:23“, should always be given the IP address of 192.168.1.2 by the DHCP server. Which of the following configurations will achieve this?

1. host Certkiller {

hardware-ethernet 08:00:2b:4c:59:23;

fixed-address 192.168.1.2;

}

2. host Certkiller {

mac=08:00:2b:4c:59:23;

ip= 192.168.1.2;

}

3. host Certkiller = 08:00:2b:4c:59:23 192.168.1.2

4. host Certkiller {

hardware ethernet 08:00:2b:4c:59:23;

fixed-address 192.168.1.2;

}

5. host Certkiller {

hardware-address 08:00:2b.4c:59:23;

fixed-ip 192.168.1.2;

Real 24

LPI 117-202 Exam

}

Correct Answer: D

QUESTION 65

Which of these would be the simplest way to configure BIND to return a different version number to queries?

1. Compile BIND with the option -blur-version=my version.

2. Set version-string „my version“ in BIND’s configuration file.

3. Set version „my version“ in BIND’s configuration file.

Real 25

LPI 117-202 Exam

4. Set version=my version in BIND’s configuration file.

5. Ser version-bind „my version“ in BIND’s configuration file.

Correct Answer: C

QUESTION 67

A BIND server should be upgraded to use TSIG. Which configuration parameters should be added, if the server should use the algorithm hmac-md5 and the key

skrKc4DoTzi/tAkllPi7JZA== ?

1. TSIG server.example.com.

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};Real 26

LPI 117-202 Exam

2. key server.example.com. {

algorithm hmac-md5;

secret skrKc4DoTzi/tAkllPi7JZA==;

};

3. key server.example.com. {

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};

4. key server.example.com. {

algorithm=hmac-md5;

secret=“skrKc4DoTzi/tAkllPi7JZA==“;

};

5. key server.example.com. {

algorithm hmac-md5

secret „skrKc4DoTzi/tAkI1Pi7JZA==“

};

Correct Answer: C

QUESTION 74

To securely use dynamic DNS updates, the use of TSIG is recommended. Which TWO statements about TSIG are true?

1. TSIG is used for zone data encryption

B. TSIG is a signal to start a zone update

3. TSIG is used in zone files

4. TSIG is used only in server configuration

5. Servers using TSIG must be in sync (time zone!)

Correct Answer: DE

QUESTION 80

Consider the following / srv/www/ default/html/ restricted/.htaccess

AuthType Basic

AuthUserFile / srv/www/ security/ site-passwd

Real 31

LPI 117-202 Exam

AuthName Restricted

Require valid-user

Order deny,allow

Deny from all

Allow from 10.1.2.0/24

Satisfy any

Considering that DocumentRoot is set to /srv/www/default/html, which TWO of the following sentences are true?

A. Apache will only grant access to http://server/restricted/to authenticated users connecting from clients in the 10.1.2.0/24 network

2. This setup will only work if the directory /srv/www/default/html/restricted/ is configured with AllowOverride AuthConfig Limit

3. Apache will require authentication for every client requesting connections to http://server/restricted/

D. Users connecting from clients in the 10.1.2.0/24 network won’t need to authenticate themselves to access http://server/restricted/

5. The Satisfy directive could be removed without changing Apache behavior for this directory

Correct Answer: BD

QUESTION 83

When Apache is configured to use name-based virtual hosts:

1. it’s also necessary to configure a different IP address for each virtual host.

2. the Listen directive is ignored by the server.

3. it starts multiple daemons (one for each virtual host).

4. it’s also necessary to create a VirtualHost block for the main host.

5. only the directives ServerName and DocumentRoot may be used inside a block.

Correct Answer: D

QUESTION 85

Which Apache directive allows the use of external configuration files defined by the directive AccessFileName?

1. AllowExternalConfig

2. AllowAccessFile

3. AllowConfig

D. IncludeAccessFile

5. AllowOverride

Correct Answer: E

QUESTION 89

In the file /var/squid/url_blacklist is a list of URLs that users should not be allowed to access. What is the correct entry in Squid’s configuration file to create an acl

named blacklist based on this file?

1. acl blacklist urlpath_regex /var/squid/url_blacklist

2. acl blacklist file /var/squid/url_blacklist

3. acl blacklist „/var/squid/url_blacklist“

Real 35

LPI 117-202 Exam

4. acl blacklist urlpath_regex „/var/squid/url_blacklist“

5. acl urlpath_regex blacklist /var/squid/url_blacklist

Correct Answer: D

QUESTION 92

CORRECT TEXT

The command ___________ -x foo will delete the user foo from the Samba database. (Specify the command only, no path information.)

Answer: smbpasswd

QUESTION 95

Which of the following recipes will append emails from „root“ to the „rootmails“ mailbox?

1. 0c:

rootmails

• ^From.*root

2. 0c:

• ^From.*root

rootmails

3. 0c:

• ^From=root

rootmails

4. 0c:

• ^From=*root

rootmails

5. 0c:

$From=$root

rootmails

Correct Answer: B

QUESTION 96

The internal network (192.168.1.0-192.168.1.255) needs to be able to relay email through the site’s sendmail server. What line must be added to /etc/mail/access

to allow this?

1. 192.168.1.0/24 RELAY

2. 192.168.1 RELAY

3. 192.168.1.0/24 OK

4. 192.168.1 OK

Correct Answer: B

QUESTION 97

The following is an excerpt from a procmail configuration filE.

:0 c

Real 38

LPI 117-202 Exam

* ! ^To: backup

! backup

Which of the following is correct?

A. All mails will be backed up to the path defined by $MAILDIR

2. All mails to the local email address backup will be stored in the directory backup.

3. A copy of all mails will be stored in file backup.

4. A copy of all mails will be send to the local email address backup.

E. Mails not addressed to backup are passed through a filter program named backup.

Correct Answer: D

QUESTION 99

On a newly-installed mail server with the IP address 10.10.10.1, ONLY local networks should be able to send email. How can the configuration be tested, using

telnet, from outside the local network?

1. telnet 10.10.10.1 25

MAIL FROM<admin@example.com>

RECEIPT TO:<someone@example.org>

2. telnet 10.10.10.1 25

RCPT FROM:admin@example.com

MAIL TO:<someone@example.org>

Real 39

LPI 117-202 Exam

C. telnet 10.10.10.1 25

HELLO bogus.example.com

MAIL FROM:<anyone@example.org>

RCPT TO:<someone@example.net>

4. telnet 10.10.10.1 25

HELO bogus.example.com

MAIL FROM:<anyone@example.org>

RCPT TO:<someone@example.net>

5. telnet 10.10.10.1 25

HELO: bogus.example.com

RCPT FROM:<anyone@example.org>

MAIL TO:< someone@example.net >

Correct Answer: D

QUESTION 100

CORRECT TEXT

What postfix configuration setting defines the domains for which Postfix will deliver mail locally? (Please provide only the configuration setting name with no other

information)

Answer: mydomain

QUESTION 101

Which file can be used to make sure that procmail is used to filter a user’s incoming email?

1. ${HOME}/.procmail

B. ${HOME}/.forward

3. ${HOME}/.bashrc

4. /etc/procmailrc

5. /etc/aliases

Correct Answer: B

QUESTION 105

CORRECT TEXT

What is the path to the global postfix configuration file? (Please specify the complete directory path and file name)

Answer: /etc/postfix/main.cf

QUESTION 106

A system monitoring service checks the availability of a database server on port 5432 of destination.example.com. The problem with this is that the password will

be sent in clear text. When using an SSH tunnel to solve the problem, which command should be used?

1. ssh -1 5432:127.0.0.1:5432 destination.example. com

2. ssh -L 5432:destination.example.com:5432 127.0.0.1

3. ssh -L 5432:127.0.0.1:5432 destination.example.com

4. ssh -x destination.example.com:5432

5. ssh -R 5432:127.0.0.1:5432 destination.example.com

Correct Answer: C

QUESTION 108

An SSH port-forwarded connection to the web server www.example.com was invoked using the command ssh -TL 80 :www.example.com:80

user@www.example.com. Which TWO of the following are correct?

1. The client can connect to the web server by typing http://www.example.com/ into the browser’s address bar and the connection will be encrypted

2. The client can connect to www.example.com by typing http://localhost/ into the browser’s address bar and the connection will be encrypted

3. The client can’t connect to the web server by typing http://www.example.com/ into the browser’s address bar. This is only possible using http://localhost/

4. It is only possible to port-forward connections to insecure services that provide an interactive shell (like telnet)

5. The client can connect to the web server by typing http://www.example.com/ into the browser’s address bar and the connection will not be encrypted

Correct Answer: BE

QUESTION 111

Which of the following configuration lines will export /usr/local/share/ to nfsclient with read-write access, ensuring that all changes are straight to the disk?

1. /usr/local/share nfsclient(rw) written

2. nfsclient: /usr/local/share/:rw,sync

C. /usr/local/share nfsclient:rw:sync

4. /usr/local/share nfsclient(rw,sync)

5. nfsclient(rw,sync) /usr/local/share

Correct Answer: D

QUESTION 127

Which of the following sentences is true, when using the following /etc/pam.d/login file?

#%PAM-l.0

auth required /lib/security/pam_securetty.so

auth required /lib/security/pam_nologin.so

auth sufficient /lib/security/pam_unix.so shadow nullok md5 use_authtok

auth required /lib/security/pam_ldap.so use_first_pass

account sufficient /lib/security/pam_unix.so

account required /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow

Real 49

LPI 117-202 Exam

password required /lib/security/pam_ldap.so use_first_pass

session optional /lib/security/pam_console.so

session sufficient /lib/security/pam_unix.so

session required /lib/security/pam_ldap.so

1. All users will be authenticated against the LDAP directory

2. This is the only file needed to configure LDAP authentication on Linux

3. Only local users will be able to log in, when the file/etc/nologin exists

4. Ordinary users will be able to change their password to be blank

5. If the control flags for auth were changed to required, local users wouldn’t be able to log in

Correct Answer: D

QUESTION 29

Which environment variables are used by ssh-agent? (Please select TWO variables)

1. SSH_AGENT_KEY

2. SSH_AGENT_SOCK

3. SSH_AGENT_PID

4. SSH_AUTH_SOCK

5. SSH_AUTH_PID

Correct Answer: BC

QUESTION 39

For an LDAP client configuration, the LDAP base needs to be set. Which TWO of the following actions would achieve that?

1. export LDAPBASE=dc=linuxfoo,dc=com

2. export BASE=dc=linuxfoo,dc=com

3. Edit ldapbase.conf and add „BASE dc=linuxfoo,dc=com“.

4. Edit cldap.conf and add „BASE dc=linuxfoo,dc=com“.

5. Edit ldap.conf and add „BASE dc=linuxfoo,dc=com“.

Correct Answer: AE

QUESTION 62

The host, called „ Certkiller „, with the MAC address „08:00:2b:4c:59:23“, should always be given the IP address of 192.168.1.2 by the DHCP server. Which of the following configurations will achieve this?

1. host Certkiller {

hardware-ethernet 08:00:2b:4c:59:23;

fixed-address 192.168.1.2;

}

2. host Certkiller {

mac=08:00:2b:4c:59:23;

ip= 192.168.1.2;

}

C. host Certkiller = 08:00:2b:4c:59:23 192.168.1.2

4. host Certkiller {

hardware ethernet 08:00:2b:4c:59:23;

fixed-address 192.168.1.2;

}

5. host Certkiller {

hardware-address 08:00:2b.4c:59:23;

fixed-ip 192.168.1.2;

}

Correct Answer: D

2.Select the TWO correct statements about the following excerpt from httpd.conf:

<Directory /var/web/dir1> <Files private.html> Order allow, deny Deny from all </Files>

</Directory>

1. The configuration will deny access to /var/web/dir1/private.html, /var/web/dirl/subdir2/private.html,

/var/web/dirl/subdir3/private.html and any other instance of private.html found under the

/var/web/dir1/directory.

2. The configuration will deny access to /var/web/dir1/private.html, but it will allow access to

/var/web/dirl/subdir2/private.htm1, for example.

C. The configuration will allow access to any file named private.html under /var/web/dir1, but it will deny

access to any other files

4. The configuration will allow access just to the file named private.html under /var/web/dir1

5. The configuration will allow access to /var/web/private.html, if it exists

Answer: A,E

4.Which of the following lines in the Apache configuration file would allow only clients with a valid certificate to access the website?

1. SSLCA conf/ca.crt

2. AuthType ssl

3. IfModule libexec/ssl.c

4. SSLRequire

5. SSLVerifyClient require

Answer: E

19.What is the name of the dovecot configuration variable that specifies the location of user mail?

1. mbox

2. mail_location

3. user_dir

4. maildir

5. user_mail_dir

Answer: B

20.What is the missing keyword in the following configuration sample for dovecot which defines which authentication types to support? (Specify only the keywork) auth default {

______ = plain login cram-md5

}

1. auth_order

2. mechanisms

3. methods

4. supported

Answer: B

1. According to the dhcpd.conf file below, which domain name will clients

in the 172.16.87.0/24 network get?

default-lease-time 1800;

max-lease-time 7200;

option domain-name „example.com“

subnet 172.16.87.0 netmask 255.255.255.0 {

range 172.16.87.128 172.16.87.254;

option broadcast-address 172.16.87.255;

option domain-name-servers 172.16.87.1;

option domain-name „lab.example.com“;

}

subnet 172.16.88.0 netmask 255.255.255.0 {

range 172.16.88.128 172.16.88.254;

option broadcast-address 172.16.88.255;

option domain-name-servers 172.16.88.1;

}

Answer: lab.example.com

2. Which of the following sentences is true about ISC DHCP?

A. It can’t be configured to assign addresses to BOOTP clients.

B. Its default behavior is to send DHCPNAK to clients that request

inappropriate addresses.

C. It can’t be used to assign addresses to X - terminals.

D. It can be configured to only assign addresses to known clients.

E. None of the above.

Answer: D

Explanation: ISC DHCP can Configured to assign the ip address only to known clients.

7. Which of these would be the simplest way to configure BIND to return a

different version number to queries?

A. Compile BIND with the option -blur-version=my version.

B. Set version-string „my version“ in BIND’s configuration file.

C. Set version „my version“ in BIND’s configuration file.

D. Set version=my version in BIND’s configuration file.

E. Ser version-bind „my version“ in BIND’s configuration file.

Answer: C

9. A BIND server should be upgraded to use TSIG. Which configuration

parameters should be added, if the server should use the algorithm hmacmd5

and the key skrKc4DoTzi/tAkllPi7JZA== ?

A. TSIG server.example.com.

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};

B. key server.example.com. {

algorithm hmac-md5;

secret skrKc4DoTzi/tAkllPi7JZA==;

};

C. key server.example.com. {

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};

D. key server.example.com. {

algorithm=hmac-md5;

secret=“skrKc4DoTzi/tAkllPi7JZA==“;

};

E. key server.example.com. {

algorithm hmac-md5

secret „skrKc4DoTzi/tAkI1Pi7JZA==“

};

Answer: C

11. Using only comman ds included with named, what is the command, with

options or parameters, to make named re-read its zone files?

Answer: ndc reload

Answer: /usr/sbin/ndc reload

Answer: rndc reload

Answer: /usr/sbin/rndc reload

14. A BIND server should never answer queries from certain networks or

hosts. Which configuration directive could be used for this purpose?

A. deny-query { …; };

B. no-answer { …; };

C. deny-answer { …; };

D. deny-access { …; };

E. blackhole { …; };

Answer: E

17. What directive can be used in named.conf to restrict zone transfers to the

192.168.1.0/24 network?

A. allow-transfer { 192.168.1.0/24; };

B. allow-transfer { 192.168.1.0/24 };

C. allow-axfr { 192.168.1.0/24; };

D. allow-axfr { 192.168.1.0/24 };

E. allow-xfer { 192.168.1.0/24; };

Answer: A

18. To securely use dynamic DNS updates, the use of TSIG is recommended.

Which TWO statements about TSIG are true?

A. TSIG is used for zone data encryption

B. TSIG is a signal to start a zone update

C. TSIG is used in zone files

D. TSIG is used onl y in server configuration

E. Servers using TSIG must be in sync (time zone!)

Answer: D,E

19. Which option is used to configure pppd to use up to two DNS server

addresses provided by the remote server?

A. ms-dns

B. nameserver

C. usepeerdns

D. dns

E. None of the above

Answer: C

20. A DNS server has the IP address 192.168.0.1. Which TWO of the

following need to be done on a client machine to use this DNS server?

A. Add nameserver 192.168.0.1 to /etc/resolv.conf.

B. Run route add nameserver 192.168.0.1.

C. Run ifconfig eth0 nameserver 192.168.0.1.

D. Ensure that the dns service is listed in the hosts entry in the

/etc/nsswitch.conf file.

E. Run bind add nameserver 192.168.0.1.

Answer: A,D

QUESTION NO: 2

Which of the following sentences is true about ISC DHCP?

1. It can’t be configured to assign addresses to BOOTP clients.

2. Its default behavior is to send DHCPNAK to clients that request inappropriate

addresses.

3. It can’t be used to assign addresses to X - terminals.

D. It can be configured to only assign addresses to known clients.

5. None of the above.

Answer: D

QUESTION NO: 4

Which dhcpd.conf option defines the DNS server address(es) to be sent to the DHCP clients?

1. domainname

2. domain-name-servers

3. domain-nameserver

4. domain-name-server

Answer: B

1. An administrator has just configured an OpenVPN client. Upon starting the service, the following

message is displayed:

TLS Error: TLS key negotiation failed to occur within 60 seconds

Which of the following statements is true?

1. The client was unable to establish a network connection with the server.

2. The client was able to establish a network connection with the server, however TLS key negotiation

failed, resulting in a fallback to SSL.

3. The client was able to establish a network connection with the server, however TLS and SSL security are

not enabled.

4. The client was able to establish a network connection with the server, however TLS key negotiation took

longer than 60 seconds, indicating that there may be a problem with network performance.

Answer: A

QUESTION 2

Select the TWO correct statements about the following excerpt from httpd.conf:

<Directory /var/web/dir1>

<Files private.html>

Order allow, deny

Deny from all

</Files>

</Directory>

A. The configuration will deny access to /var/web/dir1/private.html, /var/web/dirl/subdir2/private.html, /var/

web/dirl/subdir3/private.html and any other instance of private.html found under the /var/web/dir1/

directory.

B. The configuration will deny access to /var/web/dir1/private.html, but it will allow access to /var/web/dirl/

subdir2/private.htm1, for example.

3. The configuration will allow access to any file named private.html under /var/web/dir1, but it will deny

access to any other files

D. The configuration will allow access just to the file named private.html under /var/web/dir1

5. The configuration will allow access to /var/web/private.html, if it exists

Correct Answer: AE

QUESTION 18

What is the name of the dovecot configuration variable that specifies the location of user mail?

A. mbox

2. mail_location

3. user_dir

4. maildir

5. user_mail_dir

Correct Answer: B

QUESTION 21

Which setting in the Courier IMAP configuration file will tell the IMAP daemon to only listen on the localhost interface?

1. ADDRESS=127.0.0.1

2. Listen 127.0.0.1

3. INTERFACE=127.0.0.1

4. LOCALHOST_ONLY=1

Correct Answer: A

QUESTION 22

You suspect that you are receiving messages with a forged From: address. What could help you find out where the mail is originating?

E. Look in the ReceiveD. and Message-ID. parts of the mail header

QUESTION 23

You have to mount the /data filesystem from an NFS server(srvl) that does not support locking. Which of

the following mount commands should you use?

1. mount -a -t nfs

2. mount -o locking=off srvl:/data /mnt/data

C. mount -o nolocking srvl:/data /mnt/data

4. mount -o nolock srvl:/data /mnt/data

5. mount -o nolock /data@srvl /mn/data

Correct Answer: D

QUESTION 28

Which environment variables are used by ssh-agent? (Please select TWO variables)

1. SSH_AGENT_KEY

B. SSH_AGENT_SOCK

3. SSH_AGENT_PID

4. SSH_AUTH_SOCK

5. SSH_AUTH_PID

Correct Answer: BC

QUESTION 38

For an LDAP client configuration, the LDAP base needs to be set. Which TWO of the following actions would achieve that?

1. export LDAPBASE=dc=linuxfoo,dc=com

2. export BASE=dc=linuxfoo,dc=com

3. Edit ldapbase.conf and add „BASE dc=linuxfoo,dc=com“.

4. Edit cldap.conf and add „BASE dc=linuxfoo,dc=com“.

5. Edit ldap.conf and add „BASE dc=linuxfoo,dc=com“.

Correct Answer: AE

QUESTION 39

Which of the following options can be passed to a DHCP client machine using configuration options on the DHCP server?

1. The NIS domain name

2. The resolving order in /etc/resolv.conf

3. The priority order in nsswitch.conf

4. The filter rules for iptables

5. The contents of hosts.allow and hosts.deny

Correct Answer: A

QUESTION 41

In a PAM configuration file, a sufficient control allows access:

1. Immediately on success, if no previous required or requisite control failed

2. Immediately on success, regardless of other controls

3. After waiting if all other controls return success

4. Immediately, but only if the user is root

Correct Answer: A

QUESTION 51

Which Squid configuration directive defines the authentication method to use?

1. auth_param

2. auth_method

3. auth_program

D. auth_mechanism

5. proxy_auth

Correct Answer: A

QUESTION 60

A BIND server should be upgraded to use TSIG. Which configuration parameters should be added, if the server should use the algorithm hmac-md5 and the key skrKc4DoTzi/tAkllPi7JZA== ?

1. TSIG server.example.com.

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};

2. key server.example.com. {

algorithm hmac-md5;

secret skrKc4DoTzi/tAkllPi7JZA==;

};

3. key server.example.com. {

algorithm hmac-md5;

secret „skrKc4DoTzi/tAkllPi7JZA==“;

};

D. key server.example.com. {

algorithm=hmac-md5;

secret=“skrKc4DoTzi/tAkllPi7JZA==“;

};

5. key server.example.com. {

algorithm hmac-md5

secret „skrKc4DoTzi/tAkI1Pi7JZA==“

};

Correct Answer: C

QUESTION 67

Which option is used to configure pppd to use up to two DNS server addresses provided by the remote server?

1. ms-dns

2. nameserver

3. usepeerdns

4. dns

5. None of the above

Correct Answer: E

QUESTION 71

There is a restricted area in an Apache site, which requires users to authenticate against the file /srv/ www/ security/site-passwd.

Which command is used to CHANGE the password of existing users, without losing data, when Basic authentication is being used.

1. htpasswd -c /srv/www/security/site passwd user

2. htpasswd /srv/www/security/site-passwd user

C. htpasswd -n /srv/www/security/site-passwd user

4. htpasswd -D /srv/www/security/site-passwd user

5. None of the above.

Correct Answer: B

QUESTION 72

Consider the following / srv/www/ default/html/ restricted/.htaccess AuthType Basic

AuthUserFile / srv/www/ security/ site-passwd

AuthName Restricted

Require valid-user

Order deny,allow

Deny from all

Allow from 10.1.2.0/24

Satisfy any

Considering that DocumentRoot is set to /srv/www/default/html, which TWO of the following sentences are

true?

A. Apache will only grant access to http://server/restricted/to authenticated users connecting from clients in

the 10.1.2.0/24 network

2. This setup will only work if the directory /srv/www/default/html/restricted/ is configured with

AllowOverride AuthConfig Limit

3. Apache will require authentication for every client requesting connections to http://server/restricted/

4. Users connecting from clients in the 10.1.2.0/24 network won’t need to authenticate themselves to

access http://server/restricted/

5. The Satisfy directive could be removed without changing Apache behavior for this directory

Correct Answer: BD

QUESTION 74

Which statements about the Alias and Redirect directives in Apache’s configuration file are true?

A. Alias can only reference files under DocumentRoot

2. Redirect works with regular expressions

3. Redirect is handled on the client side

4. Alias is handled on the server side

5. Alias is not a valid configuration directive

Correct Answer: CD

QUESTION 75

When Apache is configured to use name-based virtual hosts:

1. it’s also necessary to configure a different IP address for each virtual host.

2. the Listen directive is ignored by the server.

3. it starts multiple daemons (one for each virtual host).

D. it’s also necessary to create a VirtualHost block for the main host.

5. only the directives ServerName and DocumentRoot may be used inside a block.

Correct Answer: D

QUESTION 77

Which Apache directive allows the use of external configuration files defined by the directive AccessFileName?

1. AllowExternalConfig

2. AllowAccessFile

3. AllowConfig

4. IncludeAccessFile

5. AllowOverride

Correct Answer: E

QUESTION 79

Which ACL type in Squid’s configuration file is used for authentication purposes?

2. proxy_auth

QUESTION 81

In the file /var/squid/url_blacklist is a list of URLs that users should not be allowed to access. What is the correct entry in Squid’s configuration file to create an acl named blacklist based on this file?

1. acl blacklist urlpath_regex /var/squid/url_blacklist

2. acl blacklist file /var/squid/url_blacklist

3. acl blacklist „/var/squid/url_blacklist“

4. acl blacklist urlpath_regex „/var/squid/url_blacklist“

5. acl urlpath_regex blacklist /var/squid/url_blacklist

Correct Answer: D

QUESTION 82

Users in the acl named ‚sales_net‘ must only be allowed to access to the Internet at times specified in the time_acl named ‚sales_time‘. Which is the correct http_access directive, to configure this?

1. http_access deny sales_time sales_net

2. http_access allow sales_net sales_time

3. http_access allow sales_net and sales_time

4. allow http_access sales_net sales_time

5. http_access sales_net sales_time

Correct Answer: B

QUESTION 84

The Internet gateway connects the clients with the Internet by using a Squid proxy. Only the clients from the network 192.168.1.0/24 should be able to use the proxy. Which of the following configuration sections is correct?

2. acl local src 192.168.1.0/24

http_access allow local

QUESTION 85

The syntax of the procmail configuration file is?

A. :0[flags][:[lockfile]]

[* condition]

action

2. [* condition]

action

:0[flags][:[lockfile]]

3. :0[flags][:[lockfile]]

[* condition] action

4. :0[flags][:[lockfile]]:[* condition]

action

5. :0[flags][:[lockfile]]:[* condition]:action

Correct Answer: A

QUESTION 86

Which of the following recipes will append emails from „root“ to the „rootmails“ mailbox?

1. 0c:

rootmails

• ^From.*root

2. 0c:

• ^From.*root

rootmails

3. 0c:

• ^From=root

rootmails

4. 0c:

• ^From=*root

rootmails

5. 0c:

$From=$root

rootmails

Correct Answer: B

QUESTION 87

The internal network (192.168.1.0-192.168.1.255) needs to be able to relay email through the site’s sendmail server. What line must be added to /etc/mail/access to allow this?

1. 192.168.1.0/24 RELAY

2. 192.168.1 RELAY

C. 192.168.1.0/24 OK

1. 192.168.1 OK

Correct Answer: B

QUESTION 88

The following is an excerpt from a procmail configuration filE.

:0 c

* ! ^To: backup

! backup

Which of the following is correct?

1. All mails will be backed up to the path defined by $MAILDIR

2. All mails to the local email address backup will be stored in the directory backup.

3. A copy of all mails will be stored in file backup.

4. A copy of all mails will be send to the local email address backup.

E. Mails not addressed to backup are passed through a filter program named backup.

Correct Answer: D

On a newly-installed mail server with the IP address 10.10.10.1, ONLY local networks should be able to send email. How can the configuration be tested, using telnet, from outside the local network?

4. telnet 10.10.10.1 25

HELO bogus.example.com

MAIL FROM:<anyone@example.org>

RCPT TO:< someone@example.net >

QUESTION 91

Which file can be used to make sure that procmail is used to filter a user’s incoming email?

1. ${HOME}/.procmail

2. ${HOME}/.forward

3. ${HOME}/.bashrc

4. /etc/procmailrc

5. /etc/aliases

Correct Answer: B

QUESTION 92

A user is on holiday for two weeks. Anyone sending an email to that account should receive an autoresponse.

Which of the following procmail rules should be used, so that all incoming emails are processed by vacation?

A. :0c:

| /usr/bin/vacation nobody

B. :w

| /usr/bin/vacation nobody

C. :0fc:

|/usr/bin/vacation nobody

D. | /usr/bin/vacation nobody

E. :> |/usr/bin/vacation
nobody

Correct Answer: A

QUESTION 97

An SSH port-forwarded connection to the web server www.example.com was invoked using the command ssh -TL 80 :www.example.com:80 user@www.example.com. Which TWO of the following are correct?

1. The client can connect to the web server by typing http://www.example.com/ into the browser’s address

bar and the connection will be encrypted

2. The client can connect to www.example.com by typing http://localhost/ into the browser’s address bar

and the connection will be encrypted

3. The client can’t connect to the web server by typing http://www.example.com/ into the browser’s

address bar. This is only possible using http://localhost/

4. It is only possible to port-forward connections to insecure services that provide an interactive shell (like

telnet)

5. The client can connect to the web server by typing http://www.example.com/ into the browser’s address

bar and the connection will not be encrypted

Correct Answer: BE

QUESTION 100

Which of the following configuration lines will export /usr/local/share/ to nfsclient with read- write access, ensuring that all changes are straight to the disk?

1. /usr/local/share nfsclient(rw,sync)

QUESTION 103

If the command arp -f is run, which file will be read by default?

2. /etc/ethers

QUESTION 112

Which of the following sentences is true, when using the following /etc/pam.d/login file?

#%PAM-l.0

auth required /lib/security/pam_securetty.so

auth required /lib/security/pam_nologin.so

auth sufficient /lib/security/pam_unix.so shadow nullok md5 use_authtok

auth required /lib/security/pam_ldap.so use_first_pass

account sufficient /lib/security/pam_unix.so

account required /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow

password required /lib/security/pam_ldap.so use_first_pass

session optional /lib/security/pam_console.so

session sufficient /lib/security/pam_unix.so

session required /lib/security/pam_ldap.so

A. All users will be authenticated against the LDAP directory (FALSCH)

B. This is the only file needed to configure LDAP authentication on Linux (FALSCH)

C. Only local users will be able to log in, when the file/etc/nologin exists (FALSCH)

D. Ordinary users will be able to change their password to be blank

5. If the control flags for auth were changed to required, local users wouldn’t be able to log in

Correct Answer: D

QUESTION 113

LDAP-based authentication against a newly-installed LDAP server does not work as expected. The file /etc/

pam.d/login includes the following configuration parameters. Which of them is NOT correct?

1. password required /lib/security/pam_ldap.so

2. auth sufficient /lib/security/pam_ldap.so use_first_pass

3. account sufficient /lib/security/pam_ldap.so

4. password required /lib/security/pam_pwdb.so

5. auth required /lib/security/pam_ldap.so

Correct Answer: E

QUESTION 114

What is the advantage of using SASL authentication with OpenLDAP?

1. It can prevent the transmission of plain text passwords over the network.

QUESTION 115

In a PAM configuration file, which of the following is true about the required control flag?

3. The success of the module is needed for the module-type facility to succeed. However, all remaining

modules of the same type will be invoked.

QUESTION 119

To configure an LDAP service in the company „ Certkiller Ltd“, which of the following entries should be added to slapd.conf, in the Database Directives section, to set the rootdn so that the common name is Manager and the company’s domain is Certkiller .com ?

2. rootdn „cn=Manager,dc= Certkiller ,dc=com“

QUESTION 126

Which TWO of the following statements about the tcp_wrappers configuration files are correct?

1. Both files must be edited, to get tcp_wrappers to work properly

B. It is possible to configure tcp_wrappers using just one file

3. 24. inetd requires these files

4. All programs that provide network services use these files to control access

5. tcpd uses these files to control access to network services

Correct Answer: BE

QUESTION 127

What is the appropriate configuration file entry to allow SSH to run from inetd?

1. ssh stream tcp nowait root /usr/sbin/tcpd sshd

QUESTION 130

A program, called vsftpd, running in a chroot jail, is giving the following error: /bin/vsftpD. error while loading shared libraries: libc.so.6: cannot open shared object filE. No such file or directory. Which TWO of the following are possible solutions?

1. Get the vsftp source code and compile it statically.

2. The file /etc/ld.so.conf must contain the path to the appropriate lib directory in the chroot jail

3. Create a symbolic link that points to the required library outside the chroot jail

4. Copy the required library to the appropriate lib directory in the chroot jail.

E. Run the program using the command chroot and the option –static_libs

Correct Answer: AD

QUESTION 197

The program vsftpd, running in a chroot jail, gives the following error:

/bin/vsftpD. error while loading shared libraries: libc.so.6: cannot open shared object filE. No such file or directory.

Which of the following actions would fix the error?

1. The file /etc/ld.so.conf in the root filesystem must contain the path to the appropriate lib directory in the

chroot jail.

B. Create a symbolic link that points to the required library outside the chroot jail.

3. Copy the required library to the appropriate lib directory in the chroot jail.

4. Run the program using the command chroot and the option –static_libs.

Correct Answer: C

QUESTION 133

A server is being used as a smurf amplifier, whereby it is responding to ICMP Echo-Request packets sent to its broadcast address. To disable this, which command needs to be run?

1. echo „1“ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

QUESTION 135

To be able to access the server with the IP address 10.12.34.56 using HTTPS, a rule for iptables has to be written. Given that the client host’s IP address is 192.168.43.12, which of the following commands is correct?

1. iptables - A FORWARD -p tcp -s 192.168.43.12 -d 10.12.34.56 –dport 443 -j ACCEPT.

QUESTION 136

Which THREE of the following actions should be considered when a FTP chroot jail is created?

1. Create /dev/ and /etc/ in the chroot enviroment

2. Create /etc/passwd in the chroot enviroment

3. Create /var/cache/ftp in the chroot enviroment

4. Create the user ftp in the chroot enviroment

5. Create /usr/sbin/ in the chroot enviroment

Correct Answer: ABD

QUESTION 139

Which command line create an SSH tunnel for POP and SMTP protocols?

E. ssh -L 110:mailhost:110 -L 25:mailhost:25 -1 user -N mailhost

QUESTION 142

Which command would release the current IP address leased by a DHCP server?

dhclient -r

QUESTION 143

Remote access to a CD-RW device on a machine on a LAN must be restricted to a selected user group.

Select the TWO correct alternatives that describe the possible solutions for this problem.

1. The remote access to these devices can be allowed to users by changing the display manager

configuration and allowing sudo access for the user that will log in remotely

B. The pam_console module allows access configuration to these devices via console, including

simultaneous access by many users

3. The pam_console module can be used to control access to devices via console, allowing/denying

access to these devices in the user’s session

D. If the pam_console module is used, it must be checked as required, because it is essential for user

authentication

5. Through the sudo configuration file, it is possible to set users that will have the power of the root user,

so they can access the devices. Besides that, it is important to configure the /etc/pam.d/su file, so the

PAM modules can secure the service

Correct Answer: CE

QUESTION 144

Select the alternative that shows the correct way to disable a user login (except for root)

A. The use of the pam_nologin module along with the /etc/login configuration file

2. The use of the pam_deny module along with the /etc/deny configuration file

3. The use of the pam_pwdb module along with the /etc/pwdb.conf configuration file

4. The use of the pam_console module along with the /etc/security/console.perms configuration file

5. The use of the pam_nologin module along with the /etc/nologin configuration file

Correct Answer: E

QUESTION 148

Which daemon is required on the client if an ethernet device gets its IP address from a central server?

2. dhcpcd

QUESTION 151

When connecting to an SSH server for the first time, its fingerprint is received and stored in a file, which is located at:

~/ .ssh/known_hosts

QUESTION 153

Which of the following DNS record types is used to allow users and applications to make reverse DNS queries?

PTR

QUESTION 156

Which Apache HTTP Server directive specifies the types of directives that are allowed in .htaccess files?

1. AllowOverride

QUESTION 157

Given that all users have their home directory in /home and the following directive is present in the Apache HTTPD Server configuration file, what is the full filesystem path to the file referenced by the URL http://server/~joe/index.html?

UserDir public_html

1. /home/joe/public_html/index.html

QUESTION 158

When the Apache HTTP Server is configured to use name-based virtual hosts:

5. The setting NameVirtualHost *:80 indicates that all name based virtual hosts will listen on port 80.

QUESTION 159

• Which of the following are commonly

• used log file directives in Apache?

• (Choose TWO correct answers.)

2. CustomLog

3. ErrorLog

QUESTION 160

Which tool can be used to create Certificate Signing Requests (CSR) for running an Apache server with HTTPS?

1. apachectl

2. certgen

3. csrtool

4. httpsgen

5. openssl

Correct Answer: E

QUESTION 161

Why are different IP addresses recommended when hosting multiple HTTPS virtual hosts? (Choose TWO correct answers.)

1. Apache caches SSL keys based on IP address.

B. The SSL connection is made before the virtual host name is known by the server.

3. The SSL key is tied to a specific IP address when issued by the Certificate Authority.

4. This is only needed when dynamic content is being generated by more than one of the virtual hosts.

5. The Server Name Indication extension to TLS is not universally supported.

Correct Answer: BE

QUESTION 163

Which Squid configuration keyword is used to define networks and times that the service may be accessed?

1. acl

QUESTION 164

A user requests a „hidden“ Samba share, named confidential, similar to the Windows Administration Share. How can this be configured?

1. [confidential]

comment = hidden share

path = /srv/smb/hidden

write list = user

create mask = 0700

directory mask = 0700

2. [$confidential]

comment = hidden share

path = /srv/smb/hidden

write list = user

create mask = 0700

directory mask = 0700

3. [#confidential]

comment = hidden share

path = /srv/smb/hidden

write list = user

create mask = 0700

directory mask = 0700

4. [%confidential]

comment = hidden share

path = /srv/smb/hidden

write list = user

create mask = 0700

directory mask = 0700

5. [confidential$]

comment = hidden share

path = /srv/smb/hidden

write list = user

create mask = 0700

directory mask = 0700

Correct Answer: E

QUESTION 165

How must Samba be configured so that it can check passwords against the ones in /etc/passwd and /etc/shadow?

It is not possible for Samba to use /etc/passwd and /etc/shadow directly.

QUESTION 167

The Samba configuration file contains the following lines:

hosts allow = 192.168.1.100 192.168.2.0/255.255.255.0 localhost

hosts deny = 192.168.2.31

interfaces = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0

A workstation is on the wired network with an IP address of 192.168.1.117 but is unable to access the Samba server. A wireless laptop with an IP address of 192.168.2.93 can access the Samba server.

Additional troubleshooting shows that almost every machine on the wired network is unable to access the Samba server. Which single choice below will permit wired workstations to connect to the Samba server

without denying access to any one else?

1. hosts allow = 192.168.1.1-255

2. hosts allow = 192.168.1.100 192.168.2.200 localhost

3. hosts deny = 192.168.1.100/255.255.255.0 192.168.2.31 localhost

4. hosts deny = 192.168.2.200/255.255.255.0 192.168.2.31 localhost

5. hosts allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost

Correct Answer: E

QUESTION 168

Which of the following Samba configuration parameters is functionally identical to the parameter read

only=yes?

1. writeable=no

QUESTION 169

Which of the following are Samba security modes or levels? (Choose TWO correct answers.)

1. ads

2. data

3. ldap

4. network

5. share

Correct Answer: AE

QUESTION 170

What does the testparm command confirm regarding Samba configuration?

1. The configuration file will load successfully.

QUESTION 171

Select the Samba option below that should be used if the main intention is to setup a guest printer service?

1. security = share

QUESTION 172

Which server program will understand and can reply to NetBIOS name service requests?

2. nmbd

QUESTION 177

Which command is used to tell the NFS server which filesystems to make available to clients?

1. exportfs

QUESTION 179

Given the following section of a ISC DHCPD configuration filE.

subnet 192.168.1.0 netmask 255.255.255.0 {

…

# Set the default gateway to be used by

# the PC clients

option _____________ 192.168.1.254;

…

What keyword is missing in order to provide a default gateway address to clients?

1. routers

QUESTION 180

Which of the following PAM modules will allow the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them?

1. pam_filter

2. pam_limits

3. pam_listfile

4. pam_unix

Correct Answer: B

QUESTION 181

Which of the following commands is used to change user passwords in an OpenLDAP directory?

1. ldappasswd

QUESTION 183

Which of the following is correct about this excerpt from an LDIF file?

dn: cn=PrintOperators,ou=Groups,ou=IT,o=BR

1. dn is the domain name.

2. o is the organizational unit.

3. cn is the common name.

4. dn is the relative distinguished name.

Correct Answer: C

QUESTION 184

While analyzing a slapd.conf file, an administrator noted that the rootdn and rootpw directives are not present. Where is the LDAP administrator account defined?

2. The account is defined by an ACL in slapd.conf.

QUESTION 185

If no ACL lines are included in slapd.conf, what is the default behavior of slapd?

1. Allow anyone to read any entry.

2. Deny anyone from reading any entries.

3. Only certain attributes such as userPassword are protected from read access.

4. Access to the directory is only allowed from the local machine.

Correct Answer: A

QUESTION 186

Select the INCORRECT statement regarding the LDIF file format:

1. It contains a dn line, that indicates where the attributes listed in the following lines of the file must be

added.

2. In the file, a blank line separates one entry from another one.

C. If an attribute contains binary data, some specific configurations must be made for this entry.

1. The LDIF file accepts any type of file encoding.

Correct Answer: D

QUESTION 187

A private OID to be used with OpenLDAP should be obtained for a company when:

1. The company intends to use a commercial LDAP schema.

2. The company wants to make their directory available to the public on the Internet.

3. The company plans to create custom schema files for their directory.

4. The company wish to use an encrypted attribute.

Correct Answer: C

QUESTION 188

If there is no access directive, what is the default setting for OpenLDAP?

1. access to * by anonymous read by * none

QUESTION 189

By default OpenLDAP logs via syslogd. What is the slapd.conf file directive to have the LDAP logs written to /var/log/ldap.log?

1. loglevel

2. logfile

3. syslogfile

4. logfilepath

Correct Answer: B

QUESTION 190

Which configuration parameter on a Postfix server modifies only the sender address and not the recipient address?

sender_canonical_maps

QUESTION 191

In the main Postfix configuration file, how are service definitions continued on the next line?

1. It isn’t possible. The service definition must fit on one line.

2. The initial line must end with a backslash character ().

C. The following line must begin with a plus character (+).

4. The following line must begin with white space indentation.

5. The service definition continues on the following lines until all of the required fields are specified.

Correct Answer: D

QUESTION 192

It has been discovered that the company mail server is configured as an open relay. Which of the following actions would help prevent the mail server from being used as an open relay? (Choose TWO correct answers.)

1. Restrict Postfix to only accept e-mail for domains hosted on this server.

B. Configure Dovecot to support IMAP connectivity.

3. Configure netfilter to not permit port 25 traffic on the public network.

4. Restrict Postfix to only relay outbound SMTP from the internal network.

5. Upgrade the mailbox format from mbox to maildir.

Correct Answer: AD

QUESTION 193

Which format, for storing user e-mail, uses the directories tmp, cur and new in order to solve reliability problems in other storage formats?

2. maildir

QUESTION 202

For what purpose is TCP/IP stack fingerprinting used by nmap?

1. It is used to determine the remote operating system.

2. It is used to filter out responses from specific servers.

3. It is used to identify duplicate responses from the same remote server.

D. It is used to masquerade the responses of remote servers.

5. It is used to uniquely identify servers on the network for forensics.

Correct Answer: A

QUESTION 203

Which of the following files needs to be changed in order to enable anonymous FTP logins with vsftpd?

/etc/vsftpd.conf

QUESTION 204

What information can be found in the file specified by the status parameter in an OpenVPN server configuration file? (Choose TWO correct answers.)

1. Errors and warnings generated by the openvpn daemon

2. Routing information

C. Statistical information regarding the currently running openvpn daemon

4. A list of currently connected clients

5. A history of all clients who have connected at some point

Correct Answer: BD

QUESTION 205

What types of virtual network devices does OpenVPN use for connections? (Choose TWO correct answers.)

1. eth

2. tap

3. lo

4. tun

5. ppp

Correct Answer: BD

QUESTION 206

What is the standard port used by OpenVPN?

1. 1194

QUESTION 207

What option in the client configuration file would tell OpenVPN to use a dynamic source port when making a connection to a peer?

1. src-port

2. remote

3. source-port

4. nobind

Correct Answer: D

QUESTION 208

What word is missing from the following excerpt of a named.conf file?

____ friends {

10.10.0.0/24; 192.168.1.0/24;

};

options {

allow-query { friends; };

};

1. acl

QUESTION 210

Which of the following are alternate DNS software packages to BIND? (Choose TWO correct answers.)

1. djbdns

2. dnsmasq

QUESTION 211

What option for BIND is required in the global options to disable recursive queries on the DNS server by default?

1. allow-recursive-query { none; };

2. allow-recursive-query off;

3. recursion { none; };

4. recursion no;

Correct Answer: D

QUESTION 212

In a BIND zone file, what does the @ character indicate?

1. It’s the name of the zone as defined in the zone statement in named.conf.

QUESTION 213

Where should the line:

$TTL 86400 be placed in a BIND zone file?

1. As the first line of the zone file.

QUESTION 215

Which Apache directive is used to specify the method of authentication like e.g. None or Basic?

1. AuthType

QUESTION 216

Which Apache directive will enable HTTPS protocol support?

2. SSLEngine

QUESTION 217

Which subcommands to the openssl command are used in the process of generating a private key and a Certificate Signing Request (CSR)? (Choose TWO correct answers.)

1. csr

2. gencsr

3. genkey

4. genrsa

5. req

Correct Answer: DE

QUESTION 218

Which Apache directive is used to specify the RSA private key that was used in the generation of the SSL certificate for the server?

A. SSLCertificateKeyFile

2. SSLKeyFile

3. SSLPrivateKeyFile

4. SSLRSAKeyFile

Correct Answer: A

QUESTION 219

In which Apache context should SSL support be activated?

1. In a VirtualHost directive

QUESTION 221

In a PAM configuration file, which of the following is true about the sufficient control flag in the following line?

Auth sufficient pam_module.so

3. Failure of this module will not be considered fatal and, if the module succeeds, success will be returned

to the application immediately without considering and further modules.

QUESTION 222

Which Postfix command can be used to rebuild all of the alias database files with a single invocation?

2. newaliases

QUESTION 223

A company is transitioning to a new domain name and wants to accept e-mail for both domains for all of its users on a Postfix server. Which configuration option should be updated to accomplish this?

1. mydestination

QUESTION 224

Why should the Postfix parameter disable_vrfy_command be set to yes on a publicly accessible mail server?

2. It prevents some techniques of gathering existing e-mail addresses.

QUESTION 230

With fail2ban what is a ‚jail‘?

1. A filter definition and a set of one or more actions to take when the filter is matched.

QUESTION 231

Which command can be used when writing scripts which perform tests against remote services?

1. nc

QUESTION 232

Which of the following commands can be used to connect and interact with remote services? (Choose TWO correct answers.)

2. nc

3. telnet

QUESTION 233

Which configuration block in Nginx is used to define settings for a reverse proxied web server?

1. server

2. location

3. reverse

4. http

Correct Answer: B

QUESTION 234

When trying to reverse proxy a web server through Nginx, what keyword is missing from the following configuration sample?

location / {

_________ http://proxiedserver:8080;

}

1. remote_proxy

2. reverse_proxy

3. proxy_reverse

4. proxy_pass

Correct Answer: D

QUESTION 235

When trying to reverse proxy a web server through Nginx, what keyword is required to pass the Host header from the original request to the proxied server?

… {

_________ Host $host

…

}

1. proxy_pass_header

2. proxy_forward_header

3. proxy_set_header

4. proxy_header

Correct Answer: C

QUESTION 236

With Nginx, which of the following directives is used to proxy requests to a FastCGI application?

1. fastcgi_pass

2. fastcgi_proxy

3. proxy_fastcgi

4. proxy_fastcgi_pass

Correct Answer: A

QUESTION 237

Which of the following sshd configuration settings should be set to no in order to fully disable password based logins? (Choose THREE correct answers.)

1. PAMAuthentication

2. ChallengeResponseAuthentication

3. UsePAM

4. UsePasswords

5. PasswordAuthentication

Correct Answer: BCE

QUESTION 238

After having a laptop assigned to a new subnet, a user is no longer able to login to the SSH server with an error message like Connection closed by remote host. Which of the following are possible approaches to determine and fix the cause of this problem? (Choose TWO correct answers.)

1. Generate a new host key on the client and replace the current client host key on the SSH server.

2. Verify that the settings in /etc/host.allow and /etc/host.deny are not preventing access.

C. Flush the ARP table and the neighbor discovery cache on both the SSH server and the client.

4. Add the new IP address of the client to the AllowHosts configuration setting on the SSH server.

5. Check that there are no netfilter rules that reject SSH connections from the new IP address.

Correct Answer: BE

QUESTION 239

Unlike many other services, OpenSSH cannot be configured to hide its version information without recompiling from source code. What is the primary reason for this disclosure of version information?

1. There are many inconsistent SSH client and server versions. This information is used to enable protocol compatibility adjustments.

QUESTION 242

Postfix daemons can be chroot’d by setting the chroot flag in _______. (Supply only the filename, without a path)

Correct Answer: master.cf

QUESTION 245

What is the name of the module in Apache that provides the HTTP Basic Authentication functionality? ** **(Please provide ONLY the module name)

Correct Answer: mod_auth

QUESTION 246

What command is used to print NFS kernel statistics? (Provide the command with or without complete path)

Correct Answer: nfsstat

QUESTION 248

The command ___________ -x foo will delete the user foo from the Samba database. (Specify the command only, no path information.)

Correct Answer: smbpasswd

QUESTION 249

What postfix configuration setting defines the domains for which Postfix will deliver mail locally? (Please provide only the configuration setting name with no other information)

Correct Answer: mydomain

QUESTION 250

What is the path to the global postfix configuration file? (Please specify the complete directory path and file name)

Correct Answer: /etc/postfix/main.cf

QUESTION 253

Which site-specific configuration file for the shadow login suite must be modified to log login failures?

Please enter the complete path to that file.

Correct Answer: /etc/login.defs

QUESTION 254

Which Samba-related command will show all options that were not modified using smb.conf and thus are set to their default values? Please enter the command and its parameter(s):

Correct Answer: testparm -v

QUESTION 256

With which parameter in the smb.conf file can a share be hidden?

Correct Answer: $

QUESTION 258

nfsd, portmap and ________ daemons must be running on an NFS server.

Correct Answer: mountd

QUESTION 259

You have installed some new libraries, but these are not available to programs and are not listed by lconfig -p. What file should the path to the libraries be added to, before running ldconfig?

Correct Answer: ld.so.conf

QUESTION 263

In which configuration file can a key-file be defined to enable secure DNS zone transfers? (Please enter the file name without the path)

Correct Answer: named.conf

QUESTION 267

Which file, in the local file-system, is presented when the client requests and the following directive is present in server’s Apache configuration http://server/~joe/index.html file?

UserDir site/html

Given that all users have their home directory in /home, please type in the FULL file name including the path .

Correct Answer: /home/joe/site/html/index.html

QUESTION 268

Enter one of the Apache configuration file directives that defines where log files are stored.

Correct Answer: ErrorLog

QUESTION 269

A malicious user has sent a 35MB video clip, as an attachment, to hundreds of Recipients. Looking in the outbound queue reveals that this is the only mail there.

This mail can be removed with the command rm _______________ * . Complete the path below.

Correct Answer: /var/spool/mqueue/

QUESTION 271

A procmail recipe is required to delete all emails marked as spam. Please complete the recipe.

:0:

* X-Spam-Status: Yes

Correct Answer: /dev/null

QUESTION 272

Where is the user foo’s procmail configuration stored, if home directories are stored in /home?

Please enter the complete path to the file.

Correct Answer: /home/foo/.procmailrc

QUESTION 279

In which directory are the PAM modules stored?

Correct Answer: /lib/security

QUESTION 280

Which command can be used to change the password for an LDAP entry?

Correct Answer: ldappasswd

QUESTION 283

Please enter the complete command to create a new password file for HTTP basic authentication (/home/http/data/web_passwd) for user john.

Correct Answer: htpasswd -c /home/http/data/web_passwd john

QUESTION 284

Which file on a Postfix server modifies the sender address for outgoing e-mails? Please enter only the file name without the path

Correct Answer: sender_canonical

QUESTION 289

According to this LDIF excerpt, which organizational unit is Robert Smith part of? (Specify only the organizational unit.)

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uiD. rjsmith
userpassworD. rJsmitH
carlicensE. HISCAR 123
homephonE. 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy

Correct Answer: people, ou=people

QUESTION 290

What parameter in the sshd configuration file instructs sshd to prevent specific user names from logging in to a system? (Please specify the parameter only without settings.)

Correct Answer: DenyUsers, denyusers

QUESTION 291

What parameter in the sshd configuration file instructs sshd to permit only specific user names to log in to a system? (Please specify the parameter only without settings)

Correct Answer: allowusers, AllowUsers

QUESTION 293

What is the name of the procmail configuration file that is placed in a user home directory? (Specify the file name only without any path.)

Correct Answer: .procmailrc

QUESTION 134

Which tool can be used to create Certificate Signing Requests (CSR) for running an Apache server with HTTPS?

1. apachectl

2. certgen

3. csrtool

4. httpsgen

5. openssl

Correct Answer: E

QUESTION 135

Why are different IP addresses recommended when hosting multiple HTTPS virtual hosts? (Choose TWO correct answers.)

1. Apache caches SSL keys based on IP address.

2. The SSL connection is made before the virtual host name is known by the server.

3. The SSL key is tied to a specific IP address when issued by the Certificate Authority.

4. This is only needed when dynamic content is being generated by more than one of the virtual hosts.

5. The Server Name Indication extension to TLS is not universally supported.

Correct Answer: BE

QUESTION 143

Which of the following are Samba security modes or levels? (Choose TWO correct answers.)

1. ads

2. data

3. ldap

4. network

5. share

Correct Answer: AE

QUESTION 145

Select the Samba option below that should be used if the main intention is to setup a guest printer service?

1. security = cups

B. security = ldap

3. security = pam

4. security = share

5. security = printing

Correct Answer: D

QUESTION 146

Which server program will understand and can reply to NetBIOS name service requests?

2. nmbd

QUESTION 148

Which of the following services must be started first on an NFS server?

1. mountd

2. nfsd

3. portmap

4. statd

Correct Answer: C

QUESTION 154

Which of the following PAM modules will allow the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them?

1. pam_filter

2. pam_limits

3. pam_listfile

4. pam_unix

Correct Answer: B

QUESTION 157

Which of the following is correct about this excerpt from an LDIF file?

dn: cn=PrintOperators,ou=Groups,ou=IT,o=BR

1. dn is the domain name.

2. o is the organizational unit.

3. cn is the common name.

4. dn is the relative distinguished name.

Correct Answer: C

QUESTION 158

Real 84

LPI 117-202 Exam

While analyzing a slapd.conf file, an administrator noted that the rootdn and rootpw directives are not present. Where is the LDAP administrator account defined?

1. It is using the default account admin with the password admin.

2. The account is defined by an ACL in slapd.conf.

C. It is using the default account admin without a password.

4. The account is defined in the file /etc/ldap.secret.

5. The account is defined in the file /etc/ldap.root.conf.

Correct Answer: B

QUESTION 159

If no ACL lines are included in slapd.conf, what is the default behavior of slapd?

1. Allow anyone to read any entry.

2. Deny anyone from reading any entries.

3. Only certain attributes such as userPassword are protected from read access.

4. Access to the directory is only allowed from the local machine.

Correct Answer: A

QUESTION 160

Select the INCORRECT statement regarding the LDIF file format:

1. It contains a dn line, that indicates where the attributes listed in the following lines of the file must be added.

2. In the file, a blank line separates one entry from another one.

C. If an attribute contains binary data, some specific configurations must be made for this entry.

1. The LDIF file accepts any type of file encoding.

Correct Answer: D

QUESTION 161

Real 85

LPI 117-202 Exam

A private OID to be used with OpenLDAP should be obtained for a company when:

1. The company intends to use a commercial LDAP schema.

2. The company wants to make their directory available to the public on the Internet.

3. The company plans to create custom schema files for their directory.

4. The company wish to use an encrypted attribute.

Correct Answer: C

QUESTION 162

CORRECT TEXT

According to this LDIF excerpt, which organizational unit is Robert Smith part of? (Specify only the organizational unit.)

dn: cn=Robert

Smith,ou=people,dc=example,dc=com

objectclass: inetOrgPerson

cn: Robert Smith

cn: Robert J Smith

cn: bob smith

sn: smith

uiD. rjsmith

userpassworD. rJsmitH

carlicensE. HISCAR 123

homephonE. 555-111-2222

mail: r.smith@example.com

mail: rsmith@example.com

mail: bob.smith@example.com

Real 86

LPI 117-202 Exam

description: swell guy

Answer: people, ou=people

QUESTION 164

By default OpenLDAP logs via syslogd. What is the slapd.conf file directive to have the LDAP logs written to /var/log/ldap.log?

1. loglevel

2. logfile

3. syslogfile

4. logfilepath

Correct Answer: B

QUESTION 166

In the main Postfix configuration file, how are service definitions continued on the next line?

1. It isn’t possible. The service definition must fit on one line.

2. The initial line must end with a backslash character ().

3. The following line must begin with a plus character (+).

4. The following line must begin with white space indentation.

5. The service definition continues on the following lines until all of the required fields are specified.

Correct Answer: D

QUESTION 167

It has been discovered that the company mail server is configured as an open relay. Which of the following actions would help prevent the mail server from being used as an open relay? (Choose TWO correct answers.)

A. Restrict Postfix to only accept e-mail for domains hosted on this server.

2. Configure Dovecot to support IMAP connectivity.

3. Configure netfilter to not permit port 25 traffic on the public network.

4. Restrict Postfix to only relay outbound SMTP from the internal network.

5. Upgrade the mailbox format from mbox to maildir.

Correct Answer: AD

QUESTION 182

Which of the following files needs to be changed in order to enable anonymous FTP logins with vsftpd?

1. /etc/vsftpd.conf

QUESTION 190

What option for BIND is required in the global options to disable recursive queries on the DNS server by default?

1. recursion no;

QUESTION 194

Which Apache directive is used to specify the method of authentication like e.g. None or Bas shitte, keine Lust zu suchen…..

1. AuthType

Which Apache directive will enable HTTPS protocol support?

SSLEngine

QUESTION 197

Which Apache directive is used to specify the RSA private key that was used in the generation of the SSL certificate for the server?

1. SSLCertificateKeyFile

QUESTION 198

Real 98

LPI 117-202 Exam

In which Apache context should SSL support be activated?

In a VirtualHost directive

QUESTION 202

A company is transitioning to a new domain name and wants to accept e-mail for both domains for all of its users on a Postfix server. Which configuration option

should be updated to accomplish this?

mydestination

QUESTION 212

Which configuration block in Nginx is used to define settings for a reverse proxied web server?

location

QUESTION 213

When trying to reverse proxy a web server through Nginx, what keyword is missing from the following configuration sample?

location / {

_________ http://proxiedserver:8080;

}

proxy_pass

QUESTION 214

When trying to reverse proxy a web server through Nginx, what keyword is required to pass the Host header from the original request to the proxied server?

… {

_________ Host $host

…

}

1. proxy_pass_header

2. proxy_forward_header

3. proxy_set_header

4. proxy_header

Correct Answer: C

QUESTION 215

With Nginx, which of the following directives is used to proxy requests to a FastCGI application?

fastcgi_pass

QUESTION 217

Which of the following sshd configuration settings should be set to no in order to fully disable password based logins? (Choose THREE correct answers.)

1. PAMAuthentication

2. ChallengeResponseAuthentication

3. UsePAM

4. UsePasswords

5. PasswordAuthentication

Correct Answer: BCE

QUESTION 218

After having a laptop assigned to a new subnet, a user is no longer able to login to the SSH server with an error message like Connection closed by remote host.

Which of the following are possible approaches to determine and fix the cause of this problem? (Choose TWO correct answers.)

A. Generate a new host key on the client and replace the current client host key on the SSH server.

2. Verify that the settings in /etc/host.allow and /etc/host.deny are not preventing access.

3. Flush the ARP table and the neighbor discovery cache on both the SSH server and the client.

4. Add the new IP address of the client to the AllowHosts configuration setting on the SSH server.

5. Check that there are no netfilter rules that reject SSH connections from the new IP address.

Correct Answer: BE

QUESTION 219

Unlike many other services, OpenSSH cannot be configured to hide its version information without recompiling from source code. What is the primary reason for this disclosure of version information?

1. There are many inconsistent SSH client and server versions. This information is used to enable protocol compatibility adjustments.

2. The information is used for surveys of SSH servers on the internet by the OpenSSH project.

3. Being a security centric application, the OpenSSH developers do not rely on security through obscurity.

4. It is used by network auditing tools to report on when versions of ssh require security updates.

Correct Answer: A

QUESTION 8

A DNS server has the IP address 192.168.0.1. Which TWO of the following need to be done on a client machine to use this DNS server?

1. Add nameserver 192.168.0.1 to /etc/resolv.conf.

2. Run route add nameserver 192.168.0.1.

3. Run ifconfig eth0 nameserver 192.168.0.1.

4. Ensure that the dns service is listed in the hosts entry in the /etc/nsswitch.conf file.

5. Run bind add nameserver 192.168.0.1.

Correct Answer: AD

QUESTION 12

Consider the following / srv/www/ default/html/ restricted/.htaccess

AuthType Basic

AuthUserFile / srv/www/ security/ site-passwd AuthName Restricted

Require valid-user

Order deny,allow

Deny from all

Allow from 10.1.2.0/24

Satisfy any

Considering that DocumentRoot is set to /srv/www/default/html, which TWO of the following

sentences are true?

1. Apache will only grant access to http://server/restricted/to authenticated users connecting from

clients in the 10.1.2.0/24 network

B. This setup will only work if the directory /srv/www/default/html/restricted/ is configured with

AllowOverride AuthConfig Limit

3. Apache will require authentication for every client requesting connections to http://server/restricted/

D. Users connecting from clients in the 10.1.2.0/24 network won’t need to authenticate

themselves to access http://server/restricted/

5. The Satisfy directive could be removed without changing Apache behaviour for this directory

Correct Answer: BD

QUESTION 30

Which of the following sentences is true, when using the following /etc/pam.d/login file?

#%PAM-l.0

auth required /lib/security/pam_securetty.so

auth required /lib/security/pam_nologin.so

auth sufficient /lib/security/pam_unix.so shadow nullok md5 use_authtok

auth required /lib/security/pam_ldap.so use_first_pass

account sufficient /lib/security/pam_unix.so account required /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow

password required /lib/security/pam_ldap.so use_first_pass session optional /lib/security/pam_console.so

session sufficient /lib/security/pam_unix.so session required /lib/security/pam_ldap.so

1. All users will be authenticated against the LDAP directory

2. This is the only file needed to configure LDAP authentication on Linux

3. Only local users will be able to log in, when the file/etc/nologin exists

4. Ordinary users will be able to change their password to be blank

E. If the control flags for auth were changed to required, local users wouldn’t be able to log in

Correct Answer: D

QUESTION 33

In a PAM configuration file, which of the following is true about the required control flag?

1. If the module returns success, no more modules of the same type will be invoked

B. The success of the module is needed for the module-type facility to succeed.

If it returns a

failure, control is returned to the calling application

3. The success of the module is needed for the module-type facility to succeed However, all

remaining modules of the same type will be invoked.

4. The module is not critical and whether it returns success or failure is not important.

5. If the module returns failure, no more modules of the same type will be invoked

Correct Answer: C

QUESTION 50

Select the alternative that shows the correct way to disable a user login (except for root)

1. The use of the pam_nologin module along with the /etc/login configuration file

2. The use of the pam_deny module along with the /etc/deny configuration file

C. The use of the pam_pwdb module along with the /etc/pwdb.conf configuration file

4. The use of the pam_console module along with the /etc/security/console.perms configuration

file

5. The use of the pam_nologin module along with the /etc/nologin configuration file

Correct Answer: E

QUESTION 52

Please enter the complete command to create a new password file for HTTP basic authentication

(/home/http/data/web _passwd) for user john.

Correct Answer: /usr/sbin/htpasswd -c /home/http/data/web_passwd john

QUESTION 54

With which parameter in the smb.conf file can a share be hidden?

Correct Answer: browseable

QUESTION 5

What 2 Apache directives are used to specify log files location?

Correct Answer: ErrorLog + CustomLog

QUESTION 6

What is the PAM module used to provide FTP users authentication against the password file?

Correct Answer: pam_unix

QUESTION 7

ldap command to add/modifiy users? Correct Answer: ldapmodify

QUESTION 10

Apache command to create CSR? Correct Answer: openssl

QUESTION 19

Which of the following lines in the Apache configuration file would allow only clients with a valid certificate to access the website?

1. SSLCA conf/ca.crt

2. AuthType ssl

3. IfModule libexec/ssl.c

4. SSLRequire

5. SSLVerifyClient require

Correct Answer: E

QUESTION 23

The new file server is a member server of the Windows domain foo. Which TWO of the following configuration sections will allow members of the domain group all to read, write and execute files in /srv/smb/data?

1. [data]

comment = data share

path = /srv/smb/data

write list = @foo+all

force group = @foo+all

create mask = 0550

directory mask = 0770

2. [data]

comment = data share

path = /srv/smb/data

write list = @foo+all

force group = @foo+all

create mask = 0770

directory mask = 0770

3. [data]

path = /srv/smb/data

write list = @foo+all

force group = @foo+all

create mask = 0770

directory mask = 0770

4. [data]

comment = data share

path = /srv/smb/data

write list = @foo+all

force group = @foo+all

directory mask = 0770

5. [data]

comment = data share

path = /srv/smb/data

write list = @foo+all

force group = all

create mask = 0550

directory mask = 0770

Correct Answer: BC

QUESTION 37

Which is a valid Squid option to define a listening port?

1. squid_port 3128

QUESTION 7

What postfix configuration setting defines the domains for which Postfix will deliver mail locally?

(Please provide only the configuration setting name with no other information)

Correct Answer: mydomain

QUESTION 10

A malicious user has sent a 35MB video clip, as an attachment, to hundreds of recipients. Looking in the outbound queue reveals that this is the only mail there. This mail can be removed with the

command rm _______________ * . Complete the path below.

Correct Answer: /var/spool/mqueue/

QUESTION 17

Which TWO of the following statements about xinetd and inetd are correct?

1. xinetd supports access control by time.

2. xinetd only supports TCP connections.

3. xinetd is faster than xinetd and should be preferred for this reason.

4. xinetd includes support for X connections.

E. xinetd and inetd are used to reduce the number of listening daemons.

Correct Answer: AE

QUESTION 22

On a newly-installed mail server with the IP address 10.10.10.1, ONLY local networks should be able to send email. How can the configuration be tested, using telnet, from outside the local network?

1. telnet 10.10.10.1 25

MAIL FROM<admin@example.com>

RECEIPT TO:<someone@example.org>

2. telnet 10.10.10.1 25

RCPT FROM:admin@example.com

MAIL TO:<someone@example.org>

3. telnet 10.10.10.1 25

HELLO bogus.example.com

MAIL FROM:<anyone@example.org>

RCPT TO:<someone@example.net>

4. telnet 10.10.10.1 25

HELO bogus.example.com

MAIL FROM:<anyone@example.org>

RCPT TO:<someone@example.net>

5. telnet 10.10.10.1 25

HELO: bogus.example.com

RCPT FROM:<anyone@example.org>

MAIL TO:<someone@example.net>