202-450 Practice Exam Questions with Answers LPIC-2 - Exam 202 (part 2 of 2), version 4.5 Certification

The http_port directive in squid.conf sets the port number or numbers that Squid will use to listen for client requests. You can specify multiple socket addresses with different port numbers and options. By default, Squid listens on port 3128 on all network interfaces. You can change the port number or bind the socket to a specific IP address if needed. For example, to set the port to 8080, you can write:

http_port 8080

To configure Squid to listen only on the 192.0.2.1 IP address on port 3128, you can write:

http_port 192.0.2.1:3128

References:

• Squid proxy configuration tutorial on Linux
• squid : http_port configuration directive
• Configuring the Squid Service to Listen on a Specific Port or IP Address

 The required control flag means that the PAM module is essential for the authentication process. If the module fails, the whole authentication fails. However, unlike the requisite control flag, the required control flag does not stop the execution of the remaining modules of the same type. This allows the user to receive feedback from all the modules, such as password expiration warnings or account lockout messages. References:

• Linux Professional Institute LPIC-2 Exam 202-450 Objectives, Topic 211: System Security, Objective 211.2: Configuring PAM, Weight: 5
• PAM Control Flags, System Administration Guide: Security Services, Oracle
• 10.2. About PAM Configuration Files, System-Level Authentication Guide, Red Hat Enterprise Linux 7, Red Hat Customer Portal
• 4. The Linux-PAM configuration file, SCO Group

The tool dig, which stands for domain information groper, is a command-line utility that provides the most information when performing DNS queries, without any options. Dig can query any type of DNS record and display the full response from the DNS server, including the header, question, answer, authority, and additional sections. Dig can also show the query time, server address, response code, flags, and statistics. Dig is a versatile and powerful tool that can be used for troubleshooting, testing, and debugging DNS issues123 References:

• dig(1) - Linux manual page
• How to Use the Dig Command on Linux
• How to use the dig command for DNS queries on Linux

 The pam_listfile module is a PAM module that allows the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them. The module can be used to deny or allow access to services based on the contents of the file. The file can contain items such as usernames, group names, terminal names, remote host names, remote user names, or shell names. The module can be configured to match the item against the file and take the appropriate action, such as allowing or denying access, or ignoring the request. The module can also be restricted to apply only to a specific user or group class. The file should be a plain text file with one item per line and not be world writable12.

References:

• pam_listfile(8) - Linux man page: A manual page for the pam_listfile module, which explains its syntax, options, and examples.
• pam_listfile(8) - Linux manual page - man7.org: Another manual page for the pam_listfile module, which provides similar information as the previous reference.

 The htpasswd command is used to create and update user files for basic authentication of HTTP users. The command has several options, but the most relevant ones for this question are:

• -c: This option creates a new file and overwrites it if it already exists. This is not suitable for changing the password of existing users, as it would erase the previous data.
• -n: This option displays the results on standard output rather than updating a file. This is useful for generating password records for other types of data stores, but not for modifying an existing file.
• -D: This option deletes the specified user from the file. This is not what the question asks for, as it wants to change the password, not remove the user.
• -b: This option uses batch mode, which means getting the password from the command line rather than prompting for it. This option is not mentioned in the question, and it is not recommended for security reasons.

Therefore, the correct option is B, which uses the default syntax of htpasswd to change the password of an existing user in the specified file. The command will prompt for the new password and update the file accordingly.

References:

• htpasswd - Manage user files for basic authentication
• How to Create and Use .htpasswd
• Unlocking htpasswd in Linux: Comprehensive Guide with Examples

The /etc/sysct1.conf file is used to configure kernel parameters at runtime. The net.ipv4.ip_forward parameter controls whether IP packet forwarding is enabled for IPv4. Setting it to 1 enables packet forwarding, while setting it to 0 disables it. This setting is applied at boot time and persists across system restarts. The other options are either incorrect or temporary solutions that do not survive a reboot. References: LPIC-2 201 exam objectives, LPIC-2 201-450 Exam Prep: Network Configuration

To allow X connections to be forwarded from or through an SSH server, the configuration keyword that must be set to yes in the sshd configuration file is XllForwarding. This keyword enables X11 forwarding, which is a mechanism that allows graphical applications to be run on a remote host and displayed on a local host. The sshd configuration file is usually located at /etc/ssh/sshd_config, and the XllForwarding keyword can be set globally or per host. For example:

XllForwarding yes

This will enable X11 forwarding for all hosts. To enable X11 forwarding for a specific host, use the Match directive, followed by the Host keyword and the host name or pattern. For example:

Match Host example.com XllForwarding yes

This will enable X11 forwarding only for the host example.com.

References:

• X11 Forwarding using SSH
• sshd_config - OpenSSH SSH daemon configuration file
• How To Configure X11 Forwarding Using SSH In Linux

 In the main Postfix configuration file, which is usually /etc/postfix/main.cf, service definitions are continued on the next line by starting the following line with white space indentation. This means that the line must begin with one or more spaces or tabs. This is useful when a service definition has many parameters or options that would make the line too long or hard to read. For example, a service definition for the smtpd daemon could look like this:

The first line defines the service name, type, private flag, unpriv flag, chroot flag, wakeup time, maxproc limit, and command. The following lines, indented with white space, define additional options for the smtpd command, such as the syslog name, the SASL authentication, and the recipient restrictions. Each option is prefixed with -o and separated by white space.

References: You can find more information about the main Postfix configuration file and the service definition syntax in the following resources:

• Postfix Basic Configuration
• Postfix Architecture Overview

 The host allow option in the smb.conf file specifies the hosts or networks that are allowed to access the Samba server. The hosts can be specified by name, IP address, or network address with a netmask. The host allow option can also include the special name localhost, which refers to the local machine. The host allow option can be overridden by the host deny option, which specifies the hosts or networks that are denied access to the Samba server. The host deny option has a higher priority than the host allow option.

In this question, the host allow option is set to 192.168.1.100 192.168.2.0/24 localhost, which means that only the host with the IP address 192.168.1.100, the hosts on the network 192.168.2.0/24 (from 192.168.2.1 to 192.168.2.254), and the local machine can access the Samba server. This explains why a wireless laptop with an IP address 192.168.2.93 can access the Samba server, but a workstation on the wired network with an IP address 192.168.1.177 cannot. Almost every machine on the wired network is unable to access the Samba server because they are not included in the host allow option.

To fix this problem, the host allow option should be changed to include the entire wired network, which is assumed to be 192.168.1.0/24 (from 192.168.1.1 to 192.168.1.254). This can be done by using the network address and the netmask, or by using a range of IP addresses. The host allow option should also keep the wireless network and the localhost in the list, so that the existing access is not denied. Therefore, the correct answer is E. host allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost. This will allow any host on either network, or the local machine, to access the Samba server, without denying access to anyone else.

The PAM module that sets and unsets environment variables is pam_env. This module allows the (un)setting of environment variables based on the rules specified in the configuration file /etc/security/pam_env.conf or an alternative file. The module can also read a file with simple KEY=VAL pairs on separate lines (/etc/environment by default) or a user-specific file ($HOME/.pam_environment by default). The pam_env module supports the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST. The pam_env module should be the last one on the stack, as setting PAM environment variables can have side effects on other modules. The pam_env module provides the auth and session module types. References:

• pam_env - PAM module to set/unset environment variables
• pam_env(8) - Linux manual page

 The sender_canonical_maps parameter on a Postfix server specifies an optional address mapping that applies when mail is delivered (sent) from the server. This mapping can be used to rewrite the sender address of outgoing messages to a different format or domain. For example, the following sender_canonical_maps entry will rewrite the sender address from user@localdomain to user@example.com:

user@localdomain user@example.com

The sender_canonical_maps parameter only affects the sender address and not the recipient address. The recipient address can be modified by other parameters such as recipient_canonical_maps or virtual_alias_maps.

References: You can learn more about sender_canonical_maps and other Postfix address rewriting parameters from the following sources:

• Postfix Address Rewriting
• Postfix Configuration Parameters
• Postfix Generic Mapping for Outgoing SMTP Mail

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that allows a client to indicate which hostname it is trying to connect to at the start of the handshaking process1. This enables the server to present the appropriate certificate for the requested hostname, and thus allows multiple SSL/TLS secured virtual HTTP hosts to coexist on the same IP address12. SNI does not support transparent failover of TLS sessions from one web server to another, as this would require session resumption or renegotiation mechanisms1. SNI does not enable HTTP servers to update the DNS of their virtual hosts’ names using the X 509 certificates of the virtual hosts, as this would require a different protocol such as Dynamic DNS1. SNI does not provide a list of available virtual hosts to the client during the TLS handshake, as this would expose the server’s configuration and potentially compromise its security1. SNI submits the host name of the requested URL during the TLS handshake, as this is the information that the client needs to communicate to the server in order to select the correct certificate12. References:

• Server Name Indication - IBM
• Server Name Indication - Wikipedia

In the context of LDAP, when alterations need to be specified to an entry, the “changetype: modify” keyword is used in the LDIF file. This keyword indicates that modifications are to be made to the existing LDAP entry. The modify operation can be used to add, replace, or delete attributes and their values. The syntax of the modify operation is as follows:

changetype: modify add: attribute attribute: valuereplace: attribute attribute: valuedelete: attribute attribute: value

Each modify operation is separated by a hyphen (-) and a blank line separates different entries. The attribute;binary subtype can be used to indicate that the attribute values are binary data. The LDIF syntax for reading a binary value from a file is:

attribute;binary:< file:///path/to/file

References:

• LPIC-2 Exam 202 Objectives, Objective 207.3: LDAP Operations
• How To Use LDIF Files to Make Changes to an OpenLDAP System, DigitalOcean
• Modifying Entries Using ldapmodify, Oracle
• ldap - ldapadd/ldapmodify: clarifications needed about these commands, Server Fault
• Modify Attribute type definition on LDAP server, Stack Overflow

The LDIF file format does not accept any type of file encoding. It requires the file to be encoded in UTF-8, which is a Unicode encoding that supports all characters and languages. If the file contains non-UTF-8 characters, it may cause errors or data loss when importing or exporting LDIF data. Therefore, it is important to ensure that the LDIF file is encoded in UTF-8 before using it with LDAP tools or servers. References:

• LDIF File (What It Is and How to Open One) - Lifewire
• RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification

Sieve is a language for filtering and sorting email messages on a mail server. Sieve core filters are the basic actions that can be applied to a message that matches a set of conditions. The following actions are available in Sieve core filters:

• discard: This action discards the message silently, without sending any notification to the sender or the recipient. This action is useful for deleting spam or unwanted messages.
• fileinto: This action delivers the message to a specified mailbox. The mailbox can be an existing one or a new one that is created by the action. This action is useful for organizing messages into different folders based on their content or headers.
• reject: This action rejects the message and sends a notification to the sender with a specified reason. The message is not delivered to the recipient. This action is useful for informing the sender that the message was not accepted due to some policy or error.

The other options are not valid actions in Sieve core filters. drop, relay, and fileinto are not recognized keywords by Sieve.

References:

• Sieve: An Email Filtering Language, section 2.10, “Actions”
• Sieve Tutorial, section 4, “Actions”

The samba-tool testparm command is a simple test program to check a Samba configuration file for internal correctness. It verifies that the file can be parsed and loaded by Samba without errors or warnings. If the command reports no problems, it means that the configuration file is valid and can be used by Samba. However, this does not guarantee that the services defined in the configuration file will operate as expected, or that the Samba services are running or enabled on the system. The command also does not check the firewall or netfilter rules on the Samba server, or the version of the configuration file used by the running Samba processes. Therefore, the only correct answer is A.

 The line A is valid in a configuration file in /etc/pam.d/ because it follows the correct syntax and semantics of a PAM configuration file. The syntax of a PAM configuration file is:

module_interface control_flag module_name module_arguments

The module_interface specifies the type of authentication action that the module can perform. There are four types of module interface: auth, account, password, and session. The control_flag specifies how important the success or failure of the module is to the overall authentication process. There are four types of control flag: required, requisite, sufficient, and optional. The module_name specifies the name of the library that contains the module. The module_arguments are optional parameters that can modify the behavior of the module.

The line A has the following components:

• module_interface: auth, which means the module is used for user authentication.
• control_flag: required, which means the module must succeed for authentication to continue. If the module fails, the failure is recorded and the rest of the modules are executed.
• module_name: pam_unix.so, which means the module is the standard Unix authentication module that verifies the user’s password against the /etc/passwd and /etc/shadow files.
• module_arguments: try_first_pass nullok, which means the module tries to use the password that was previously entered by the user (if any), and allows users with empty passwords to log in.

The line B is invalid because it has the wrong order of the fields. The control_flag should come before the module_name, not after. The line C is invalid because it uses parentheses and colons instead of spaces to separate the fields. The line D is invalid because it has the wrong syntax for the control_flag. The control_flag should be a single word, not a word in parentheses.

When using a web server certificate that is signed by an intermediate certification authority, the web server must also send the intermediate certificate to the client browser, so that the browser can verify the whole chain of trust. To do this, the web server must have both the web server certificate and the intermediate certificate in one file, which is specified in the SSLCertificateFile directive of Apache HTTPD. This way, the web server can send both certificates to the client in one response. The order of the certificates in the file is important: the web server certificate must come first, followed by the intermediate certificate. The file can be created by concatenating the two certificates with a text editor or the cat command. References:

• LPIC-2 202 exam objectives, topic 218.1: Implementing HTTPS
• Apache HTTPD documentation, section: SSLCertificateFile Directive
• How to install an Intermediate SSL Certificate on Apache

 The Apache HTTPD directive that enables HTTPS protocol support is SSLEngine on. This directive activates the SSL/TLS protocol engine for the current virtual host. HTTPS is a secure version of HTTP that uses SSL/TLS to encrypt the communication between the client and the server. To enable HTTPS, the server must have a valid SSL certificate and a corresponding private key, and configure them using the SSLCertificateFile and SSLCertificateKeyFile directives123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4

Sieve is a programming language used to filter emails by writing simple rules. To combine multiple conditions in a Sieve filter, you can use the allof or anyof keywords. The allof keyword means that all of the conditions must be true for the filter to apply, while the anyof keyword means that at least one of the conditions must be true. For example, the following Sieve filter will assign the label “Important” to any message that is from “boss@example.com” or has the subject “Urgent”:

if anyof (header :contains “From” “boss@example.com”, header :contains “Subject” “Urgent”) { fileinto “Important”; }

The following Sieve filter will assign the label “Spam” to any message that is not from “friend@example.com” and has the subject “Free offer”:

if allof (not header :contains “From” “friend@example.com”, header :contains “Subject” “Free offer”) { fileinto “Spam”; }

References: You can learn more about Sieve filters and logical combinations from the following sources:

• Sieve filter (advanced custom filters) | Proton
• RFC 5228 - Sieve: An Email Filtering Language

 OpenVAS is a network security scanner project that, at the core, is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications. It is an open-source tool that was forked from Nessus, a popular commercial scanner. OpenVAS can perform comprehensive scans of networks and hosts, as well as web application scanning and compliance testing. It also provides a graphical user interface (GUI) and a command-line interface (CLI) for managing scans and reports. References:

• Greenbone Vulnerability Management - Gentoo wiki
• The Best Network Vulnerability Scanners Tested in 2023 - Comparitech

The newaliases command is a Postfix command that can be used to rebuild all of the alias database files with a single invocation and without the need for any command line arguments. The newaliases command is equivalent to running the postalias command on each file specified by the alias_database parameter in the Postfix main.cf configuration file. The newaliases command reads the text files that contain the alias definitions and creates the indexed files in dbm or db format that are used for fast lookup by the mail system. The newaliases command should be executed whenever the alias database is changed, in order to update the indexed files. For example:

newaliases

The other commands are not equivalent to the newaliases command. The makealiases command is not a valid Postfix command. The postalias command can be used to rebuild a single alias database file, but it requires the file name as an argument. The postmapbuild command is not a valid Postfix command.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix manual - aliases(5), Postfix Documentation
• Postfix manual - newaliases(1), Postfix Documentation
• Postfix manual - postalias(1), Postfix Documentation

 The objectClass attribute of an LDAP object defines which other attributes can be set for the object. The objectClass attribute is a multi-valued attribute that specifies one or more object classes that the object belongs to. Each object class has a schema that defines the mandatory and optional attributes that the object can have. The objectClass attribute is required for every LDAP object and determines the nature and characteristics of the object. References:

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• LDAP Object Classes

The option in named.conf that specifies which hosts are permitted to ask for domain name information from the server is allow-query. The allow-query option is used to define an access control list (ACL) that matches the source IP address of the DNS query. The ACL can be a list of IP addresses, networks, keywords, or predefined ACL names. The default value of allow-query is any, which means that any host can query the server. However, this can pose a security risk, as the server may be exposed to unwanted or malicious queries. Therefore, it is recommended to restrict the allow-query option to only the hosts that need to access the server, such as the local network or trusted clients. For example, the following option allows only the hosts in the 192.168.1.0/24 network and the localhost to query the server:

allow-query { 192.168.1.0/24; localhost; };

The other options are not valid in named.conf. allowed-hosts, accept-query, permit-query, and query-group are not recognized keywords by BIND.

References:

• LPIC-2 exam 202 objectives, topic 208.1, “Implementing a web server”
• BIND 9 Administrator Reference Manual, chapter 6, “Access Control Lists and TSIG”
• How to Configure DNS Server with TSIG on CentOS 8

 A glue record is a DNS record that provides the IP address of a nameserver that is a subdomain of the domain being queried. For example, if the domain example.com has nameservers ns1.example.com and ns2.example.com, then the .com nameservers will provide glue records for ns1.example.com and ns2.example.com, along with the NS records for example.com. This way, the resolver can find the IP address of the nameservers without having to query them first, which would create a circular dependency12

The format of a glue record is:

nameserver A IP address

where nameserver is the hostname of the nameserver, A is the record type for IPv4 address, and IP address is the IPv4 address of the nameserver3

Therefore, the only option that matches this format is A. ns1.lab A 198.51.100.53. The other options are either missing the record type, the IP address, or the dot after the nameserver name4 References:

• DNS Tools - Glue Records
• What Is Glue Record: Everything You Wanted To Know
• Glue Records and Dedicated DNS - NS1, an IBM Company
• DNS Record Types - DNSimple Help

Glue Records and Dedicated DNS - NS1, an IBM Company

The Require directive in mod_authz_core selects which authenticated users can access a resource. The directive takes one or more arguments that specify the authorization provider and the criteria for granting access. Some of the built-in authorization providers are:

• all: This provider matches all users, regardless of the criteria. It can be used to grant or deny access to everyone. For example, Require all granted allows access to everyone, while Require all denied denies access to everyone.
• ip: This provider matches the client IP address against a list of IP addresses, network/netmask pairs, or CIDR specifications. It can be used to allow or deny access based on the client’s location. For example, Require ip 192.168.1.0/24 allows access only to clients from the 192.168.1.0/24 subnet.
• host: This provider matches the client hostname against a list of domain names. It can be used to allow or deny access based on the client’s DNS name. For example, Require host example.com allows access only to clients whose hostname ends with example.com.
• local: This provider matches the client IP address against the server IP address. It can be used to allow or deny access based on whether the client is local or remote. For example, Require local allows access only to clients that connect to the server via the loopback interface.
• user: This provider matches the authenticated username against a list of usernames. It can be used to allow or deny access based on the user identity. For example, Require user alice bob allows access only to users alice and bob.
• group: This provider matches the authenticated user’s group membership against a list of groups. It can be used to allow or deny access based on the user’s group affiliation. For example, Require group admins allows access only to users who belong to the admins group.
• valid-user: This provider matches any authenticated user, regardless of the username. It can be used to allow or deny access based on the user authentication status. For example, Require valid-user allows access to any user who can provide valid credentials.
• expr: This provider evaluates an expression and grants or denies access based on the result. It can be used to implement complex logic based on various variables and functions. For example, Require expr "%{REQUEST_METHOD} == 'GET' && %{TIME_HOUR} < 12" allows access only to GET requests made before noon.
• method: This provider matches the request method against a list of methods. It can be used to allow or deny access based on the type of request. For example, Require method GET POST allows access only to GET and POST requests.
• regex: This provider matches the request URI against a regular expression. It can be used to allow or deny access based on the pattern of the request. For example, Require regex ^/admin/.* allows access only to requests that start with /admin/.

Therefore, the correct strings that can be used as an argument to Require are B, C, and E. Statement A is false because method is not a valid argument to Require, but a separate authorization provider. Statement D is false because header is not a valid argument to Require, but a variable that can be used in an expression.

References:

• mod_authz_core - Apache HTTP Server Version 2.4
• Access Control - Apache HTTP Server Version 2.4

 The Alias and Redirect directives in Apache HTTPD’s configuration file have different purposes and effects. The Alias directive maps a URL path to a file system path, allowing the server to serve content that is not under the DocumentRoot. The Redirect directive instructs the client to make a new request with a different URL, which can be used to redirect requests to another server or location. The Redirect directive can use either a fixed URL or a regular expression to match and replace the original URL.

The difference between Alias and Redirect is that Alias is handled on the server side, meaning that the client does not see the file system path that the server uses to serve the content. The Redirect directive is handled on the client side, meaning that the client sees the new URL that the server sends back as a response. The client then makes a new request with the new URL, which may or may not be handled by the same server.

Therefore, the correct statements are C and D. Statement A is false because Alias can reference files outside of the DocumentRoot. Statement B is false because RedirectMatch is the directive that works with regular expressions, not Redirect. Statement E is false because Alias is a valid configuration directive.

References:

• mod_alias - Apache HTTP Server Version 2.4
• How to Redirect a Web Page with Apache - W3docs

 A Fail2Ban jail is a combination of a filter and one or several actions. A filter defines a regular expression that matches a pattern corresponding to a failed login attempt or another suspicious activity. Actions define commands that are executed when the filter catches an abusive IP address. A jail can have active or inactive status1 References: 1: Fail2Ban Jails Management | Plesk Obsidian documentation 

The verbose_proctitle parameter in the Dovecot configuration file controls whether Dovecot adds extra information to its process titles. When this parameter is set to yes, Dovecot will show the username, IP address of the peer, and the connection status for each process. This can help to associate the processes with users and peers, and to monitor the activity of the mail server. For example, the process titles may look like this:

dovecot/imap-login user@domain.com [192.168.0.1] dovecot/imap user@domain.com [192.168.0.1] IDLE

The verbose_proctitle parameter can be set in the /etc/dovecot/dovecot.conf file or in the /etc/dovecot/conf.d/10-master.conf file. The default value is no, which means that Dovecot will only show the process name and the command state. For example:

dovecot/imap-login dovecot/imap [idling]

The other options are not related to the process titles. The --with-linux-extprocnames option for ./configure when building Dovecot is not a valid option. The sys.ps.allow_descriptions and proc.all.show_status parameters in sysctl.conf or /proc are not valid parameters. The process_format parameter in the Dovecot configuration is used to specify the format of the process name, not the process title.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Process Titles — Dovecot documentation, Dovecot Documentation
• Dovecot Configuration Parameters: verbose_proctitle, Dovecot Documentation
• Dovecot Configuration Parameters: process_name, Dovecot Documentation
• How to monitor dovecot processes? - Server Fault, Forum

The client-to-client option in OpenVPN enables the VPN server to forward packets between VPN clients internally, without sending them to the IP layer of the host system. This means that the host networking stack does not see or process the client-to-client traffic at all. This option can improve the performance and efficiency of the VPN, as well as reduce the load on the host system. However, it also means that the VPN server cannot apply any firewall rules or routing policies to the client-to-client traffic, as it would if the traffic passed through the host IP layer. Therefore, this option should be used with caution and only when the VPN clients are trusted and isolated from other networks. References:

• OpenVPN 2.x HOWTO, section “Client-to-client”
• OpenVPN 2.4 man page, option “–client-to-client”