LPI 202-450 - LPIC-2 - Exam 202 (part 2 of 2), version 4.5

The option in named.conf that specifies which hosts are permitted to ask for domain name information from the server is allow-query. The allow-query option is used to define an access control list (ACL) that matches the source IP address of the DNS query. The ACL can be a list of IP addresses, networks, keywords, or predefined ACL names. The default value of allow-query is any, which means that any host can query the server. However, this can pose a security risk, as the server may be exposed to unwanted or malicious queries. Therefore, it is recommended to restrict the allow-query option to only the hosts that need to access the server, such as the local network or trusted clients. For example, the following option allows only the hosts in the 192.168.1.0/24 network and the localhost to query the server:

allow-query { 192.168.1.0/24; localhost; };

The other options are not valid in named.conf. allowed-hosts, accept-query, permit-query, and query-group are not recognized keywords by BIND.

References:

LPIC-2 exam 202 objectives, topic 208.1, “Implementing a web server”

BIND 9 Administrator Reference Manual, chapter 6, “Access Control Lists and TSIG”

How to Configure DNS Server with TSIG on CentOS 8

 The htpasswd command is used to create and update user files for basic authentication of HTTP users. The command has several options, but the most relevant ones for this question are:

-c: This option creates a new file and overwrites it if it already exists. This is not suitable for changing the password of existing users, as it would erase the previous data.

-n: This option displays the results on standard output rather than updating a file. This is useful for generating password records for other types of data stores, but not for modifying an existing file.

-D: This option deletes the specified user from the file. This is not what the question asks for, as it wants to change the password, not remove the user.

-b: This option uses batch mode, which means getting the password from the command line rather than prompting for it. This option is not mentioned in the question, and it is not recommended for security reasons.

Therefore, the correct option is B, which uses the default syntax of htpasswd to change the password of an existing user in the specified file. The command will prompt for the new password and update the file accordingly.

References:

htpasswd - Manage user files for basic authentication

How to Create and Use .htpasswd

Unlocking htpasswd in Linux: Comprehensive Guide with Examples

The netfilter table that contains built-in chains called INPUT, OUTPUT and FORWARD is the filter table. The filter table is the default table for netfilter and iptables, and it is used to filter packets based on their source, destination, protocol, port, state, etc. The filter table has three built-in chains, which correspond to the netfilter hooks that trigger them:

INPUT: This chain is used to process incoming packets that are destined for the local system. The packets must have passed through the PREROUTING chain and the routing decision before reaching this chain.

OUTPUT: This chain is used to process outgoing packets that are originated from the local system. The packets must have passed through the routing decision before reaching this chain.

FORWARD: This chain is used to process packets that are neither originated from nor destined for the local system, but are routed through the system. The packets must have passed through the PREROUTING and POSTROUTING chains and the routing decision before reaching this chain.

The filter table can have user-defined chains as well, which can be created with the -N option of the iptables command. User-defined chains can be used to organize rules and simplify the management of the firewall. Rules can be added to any chain in the filter table with the -A option of the iptables command, and they can specify the target action to take if the packet matches the rule. The target can be one of the following:

ACCEPT: This target allows the packet to pass through the chain and continue to the next netfilter hook.

DROP: This target drops the packet and stops its processing.

REJECT: This target drops the packet and sends back an error message to the sender.

LOG: This target logs the packet information to the kernel log and continues to the next rule in the chain.

RETURN: This target returns from the current chain to the calling chain, or to the default policy if there is no calling chain.

A user-defined chain name: This target jumps to the user-defined chain and executes its rules until a terminal target (ACCEPT, DROP, REJECT, or RETURN) is reached or the end of the chain is reached.

References:

A Deep Dive into Iptables and Netfilter Architecture

Iptables Tutorial 1.2.2

How To List and Delete Iptables Firewall Rules

 TSIG stands for Transaction SIGnature, which is a mechanism for authenticating DNS messages using a shared secret key and a cryptographic hash algorithm. TSIG can be used to secure DNS updates, zone transfers, and queries between DNS servers and clients. To configure a BIND server to use TSIG, the following parameters should be added to the named.conf file:

A key statement that defines the name, algorithm, and secret of the TSIG key. The name can be any arbitrary string, the algorithm can be one of the supported algorithms such as hmac-md5, hmac-sha1, hmac-sha256, etc., and the secret can be a base64-encoded string that represents the shared secret key. For example:

key “server.example.com” { algorithm hmac-md5; secret “skrKc4DoTzi/takIlPi7JZA==”; };

A server statement that specifies the IP address or hostname of the remote server that will use the TSIG key, and the name of the key that should be used for communication. For example:

server 192.168.1.10 { keys { “server.example.com”; }; };

A zone statement that indicates the zone name, type, and file of the zone that will use TSIG, and the name of the key that should be used for updates or transfers. For example:

zone “example.com” { type master; file “example.com.zone”; allow-update { key “server.example.com”; }; allow-transfer { key “server.example.com”; }; };

Option E shows the correct configuration parameters that should be added if the server should use the algorithm hmac-md5 and the key skrKc4DoTzi/takIlPi7JZA==. The other options are incorrect because they either use the wrong syntax, the wrong algorithm, the wrong key name, or the wrong secret.

References:

LPIC-2 exam 202 objectives, topic 208.2, “Securing a DNS server”

BIND 9 Administrator Reference Manual, chapter 6, “Access Control Lists and TSIG”

How to Configure DNS Server with TSIG on CentOS 8

To fully disable password based logins for SSH, you need to set both Challenge Response Authentication and Password Authentication to no in the sshd configuration file. These options control whether the server will accept password-based authentication methods such as keyboard-interactive or PAM. Setting them to no will only allow public key authentication or other methods that do not involve passwords. References:

LPIC-2 Exam 202 Objectives1

LPIC-2 Exam 202 Study Guide2

LPIC-2 Exam 202 Topic 208: SSH Configuration3

 In the context of configuring Nginx for reverse proxy, the proxy_pass directive is used to specify the protocol and address of a proxied server and an optional URI to which a location should be mapped. So, in the provided configuration sample, “proxy_pass” is the missing keyword that should precede “http://proxiedserver:8080;”.

References:

[NGINX Docs | NGINX Reverse Proxy]: The official documentation of Nginx on how to set up a reverse proxy with Nginx.

[How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 20.04 Server | DigitalOcean]: A tutorial from DigitalOcean on how to configure Nginx as a web server and reverse proxy for Apache on Ubuntu 20.04, which includes the use of the proxy_pass directive.

 The mydestination parameter in the Postfix main.cf configuration file specifies the list of domains that are delivered via the $local_transport mail delivery transport. This means that Postfix will accept mail for those domains and deliver it to local mailboxes. To accept mail for both the old and new domain names, the mydestination parameter should include both domains, separated by commas. For example:

mydestination = olddomain.com, newdomain.com, localhost

This will allow Postfix to accept mail for user@olddomain.com and user@newdomain.com and deliver it to the same local user mailbox.

References:

LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server

Postfix Basic Configuration, Postfix Documentation

Postfix Configuration Parameters: mydestination, Postfix Documentation

How to configure Postfix to receive mail for multiple domains, Server Fault

Sieve is a programming language used to filter emails by writing simple rules. To combine multiple conditions in a Sieve filter, you can use the allof or anyof keywords. The allof keyword means that all of the conditions must be true for the filter to apply, while the anyof keyword means that at least one of the conditions must be true. For example, the following Sieve filter will assign the label “Important” to any message that is from “boss@example.com” or has the subject “Urgent”:

if anyof (header :contains “From” “boss@example.com”, header :contains “Subject” “Urgent”) { fileinto “Important”; }

The following Sieve filter will assign the label “Spam” to any message that is not from “friend@example.com” and has the subject “Free offer”:

if allof (not header :contains “From” “friend@example.com”, header :contains “Subject” “Free offer”) { fileinto “Spam”; }

References: You can learn more about Sieve filters and logical combinations from the following sources:

Sieve filter (advanced custom filters) | Proton

RFC 5228 - Sieve: An Email Filtering Language

The command that is used to administer IPv6 netfilter rules is ip6tables. ip6tables is a command-line tool that allows the user to configure the tables, chains, and rules of the IPv6 packet filter in the Linux kernel. Netfilter is a framework that provides packet filtering, network address translation, and other functions for the Linux kernel. ip6tables can be used to create firewall rules, port forwarding rules, network address translation rules, and other types of rules that affect the flow of IPv6 packets. ip6tables has a similar syntax and functionality to iptables, which is the tool for IPv4 netfilter rules. However, ip6tables and iptables are independent of each other and have separate tables, chains, and rules. ip6tables can also be used in conjunction with ip6tables-restore and ip6tables-save, which are tools to save and restore the ip6tables rules to and from a file.

The other options are not correct. iptables is the tool for IPv4 netfilter rules, not IPv6. iptablesv6, iptables6, and ipv6tables are not valid commands in Linux.

References:

ip6tables - Linux manual page

Netfilter - Wikipedia

How to Configure IPTables for IPv6 on Linux

 The unknown-clients statement in the ISC DHCPD configuration is used to specify whether or not an address pool can be used by nodes which have a corresponding host section in the configuration. A host section is a declaration that defines a static IP address for a specific client based on its MAC address or other identifier. An unknown client is a client that does not have a host section. The unknown-clients statement can be either allow, deny, or ignore, and it can be applied to a pool, a subnet, or a shared-network. For example, the following configuration allows unknown clients to use the pool of addresses from 192.168.1.100 to 192.168.1.200, but denies them from using the pool of addresses from 192.168.1.201 to 192.168.1.254:

subnet 192.168.1.0 netmask 255.255.255.0 { pool { range 192.168.1.100 192.168.1.200; allow unknown-clients; } pool { range 192.168.1.201 192.168.1.254; deny unknown-clients; } }

References:

ISC DHCP 4.4 Manual Pages - dhcpd.conf: The official documentation of ISC DHCPD on how to configure the dhcpd.conf file, which includes the description of the unknown-clients statement and examples.

How To Configure a DHCP Server on Ubuntu 20.04 | DigitalOcean: A tutorial from DigitalOcean on how to configure a DHCP server on Ubuntu 20.04, which includes the use of the unknown-clients statement and host sections.