Exam Topics

2.205 objective 1: basic networking configuration


 auto lo
 iface lo inet loopback

 auto eth0 
 iface eth0 inet static
   # if resolvconf package is installed try the following
   dns-search domain

For DHCP it has to be

 iface eth0 inet dhcp

The line starting with auto says that this interface should go up at boot time.


 ifconfig [interface] [option] [address]

virtual interfaces

are interface aliases such as eth0:0 and eth0:1, which give one physical interface additional addresses

 ifconfig eth0:1 netmask

set MAC address

 ifconfig eth0 192.168.40.40 netmask broadcast hw ether 01:02:03:04:05:06

route command

 route add default gw

is equivalent to

 route add -net netmask gw

understand the kernel routing table

Flag U means the route is up (usable) while G means the address represents a gateway.

The -C option causes route to display the complete routing cache stored on the local system.

To add an explicit host routing entry for a host which will be reached through a different gateway than the default one, enter:

 route add -host gw

To add a network to the routing table routing traffic to it through the gateway found at address enter:

 route add -net netmask gw

To delete the default route enter

 route del default gw
 route del -net netmask gw

Similar outputs as route gives can be obtained by

 netstat -r
 netstat -rn

but netstat can only display the routing table, it cannot change it.

ARP and related commands

ARP entries are cached on the hosts in the network for a period of time, which is defined by the /proc/sys/net/ipv4/neigh/eth0/gc_stale_time file. By default it is 60 seconds.

The arp command shows ARP cache.

Add an ARP entry that stays in the cache until reboot (not only for 60 seconds) to a host's ARP cache:

 arp -s 00:02:03:F6:7C:48

Add an ARP entry which will fall out of the cache after a while:

 arp -s 00:02:03:04:05:06 temp

to delete that entry enter:

 arp -d


 -f file 
specifies which file to use for storing the ip/mac mappings
 -i interface
specifies the interface
 -m emailaddress
sets the email address to which arpwatch should report changes
 -n network/netmask
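Two checks a practitioner runs over the ARP cache described above, as an added example that is not part of these notes: one finds hardware addresses claimed by several IPs (the kind of change arpwatch reports), the other lists the entries pinned with arp -s. The cache sample is constructed in the layout of /proc/net/arp; on a real host use that file as the input.

```shell
# Constructed sample in the /proc/net/arp layout (addresses are made up).
ARP_SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:02:03:04:05:06     *        eth0
192.168.1.20     0x1         0x2         00:02:03:f6:7c:48     *        eth0
192.168.1.21     0x1         0x2         00:02:03:04:05:06     *        eth0
192.168.1.50     0x1         0x6         00:0c:29:aa:bb:cc     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0'

# Hardware addresses claimed by more than one IP. Normal for a router doing
# proxy ARP; otherwise it is what arpwatch would mail you about: some host
# answering ARP for an address that is not its own.
arp_duplicate_macs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 != "00:00:00:00:00:00" {
        ips[$4] = ips[$4] " " $1; n[$4]++
    } END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# Entries pinned with "arp -s" (ATF_PERM = 0x4 in the Flags column). They
# never age out after gc_stale_time, so a stale one keeps sending traffic
# to the wrong box until it is removed with "arp -d".
arp_static_entries() {
    printf '%s\n' "$1" | while read -r ip hwtype flags mac mask dev; do
        [ "$ip" = "IP" ] && continue                 # header line
        [ $(( flags & 4 )) -ne 0 ] && printf '%s %s %s\n' "$ip" "$mac" "$dev"
    done
    return 0
}
```

The 0x0 entry (all-zero MAC) is an unresolved request and is ignored by both checks.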

dial-up connections

Each side runs a daemon called pppd. When connecting to an ISP through a modem or an ISDN adapter, you need to configure some of the files in /etc/ppp.

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

An intelligent tool is wvdial, configured through wvdialconf.

 pon providername
 poff providername
 -a stop all ppp connections
 -c cause pppd to renegotiate compression
 -r cause the connection to be redialed after it is dropped.


After getting the isdn card into the kernel with something like this:

 modprobe hisax type=3 protocol=2 io=0x180 irq=9

start the daemon with


Afterwards you can use

 isdnctrl action device
 isdnctrl addif ippp0
 isdnctrl addphone ippp0 out 21405060
 ipppd user foo defaultroute noipdefault -detach mru 1524 -bsdcomp /dev/ippp0 &
 isdnctrl hangup ippp0

IP routing configuration

 echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

(a plain sudo echo "1" > /proc/sys/net/ipv4/ip_forward does not work, because the redirection is done by your unprivileged shell, not by sudo)

or edit the /etc/network/options file, changing

 ip_forward=no to yes

To forward IP packets to the internet you also need Network Address Translation, since routers on the internet drop packets carrying private addresses such as 192.168.x.x.

objective 2: advanced network configuration and troubleshooting

simple connectivity test

 telnet localhost 80


 netcat localhost 80
 nc localhost 80

 tcpdump -i eth1 -v -vv -vvv -s0 not port ssh and host
 tcpdump -i eth0 -w /tmp/web -s0 dst and dst port 80
 tcpdump -t -n -q host and host and port 110

ethereal, nowadays called wireshark. tethereal is the text-based ethereal:

 tethereal -V -r /tmp/ping

 lsof -i tcp
 lsof -i udp
 lsof -i
 lsof -n 
do not resolve hostnames
 lsof -P
do not resolve port names
 netstat -apne --inet
list only open IP-based network connections and show the PID as well as the program and user name that opened the file
 netstat -le --inet
list all ports that are listening

Mail and News

Topic 2.206

objective 2: using sendmail

building and editing configuration files: the m4 utility

If you learn the basics of the Unix m4 macro language for which the macros are written and adapt the macros to your needs in a plain text file, you can use the m4 utility to convert your macro file into a valid sendmail.cf file.

Some distributions ship with many sample .mc files, each designed to suit a different purpose. All you have to do is customize these .mc files to meet your own needs.

You need to edit the macro files otherwise every change to the sendmail.cf will be overwritten during the next run of the macros.

Additional configuration files

The sendmail.cf file is not the only file that is used to configure Sendmail.

used to allow or deny access to systems and users
 makemap hash access < access

allows you to inform sendmail about the hostname of the computer
used to map incoming email to a local account. This is for routing specific addresses to groups of recipients or to define catchall rules for misspelled addresses.
 makemap hash /etc/mail/virtusertable < sourcefile

used for outbound mail
tells your system which addresses are considered local and which are considered remote
can route email from remote systems
used to redirect mail for local recipients

restart sendmail with one of the following:

 kill -HUP `cat /var/run/sendmail.pid`
 killall -HUP sendmail
 /etc/init.d/sendmail restart

objective 3: managing mail traffic

using procmail

The syntax for creating a recipe is comprised of three parts:

  1. The beginning is a special character sequence, usually :0 on a line by itself, that informs Procmail that a recipe begins immediately.
  2. The condition specifies text matches or other conditions that the mail message must meet before it is processed. There can be multiple conditions in this section.
  3. The final action section contains processing directives that specify what actions to take (e.g. forwarding or deleting the mail) once the conditions have been met.
 #
starts a comment
 :0
informs procmail that a recipe is beginning. Specifying :0c makes a copy of the matching message, meaning that the message will go on to appear in your inbox as well as be processed by the recipe.
 *
Specifies a new condition. Placed at the front of a line in a recipe.
 .*
Specifies the everything wildcard. This is never used at the start of a line and therefore can be distinguished from the previous item. For example Subject:.*Kenya.* in a condition matches any message with Kenya in the Subject field.
 ^
instructs Procmail to look for the character or parameter that follows at the beginning of a line
 !
in an action, forwards the message to the address you specify. For example, the following line:
  ! asdf@domain.com
sends the message to the user you specify
 Whc: filename
specifies a lock file for the particular message. Useful to avoid race conditions, where another Procmail process might be running the same recipe.
 * ^From: knownspammer@domainofbadspammers.com
 * ^From: .*@badspammer.com
 * ^Subject:.*viagra.*
 * ^From: info@domain.com
 ! pooremployee@domain.com
 :0 Whc: autoresponder.lock
 * $^To:.*\<$\LOGNAME\>
 * !^X-Loop: username@udel.edu
 | formail -rD 8192 out.cache
   :0 ehc
 | (formail -rA"Precedence: junk" -A"X-Loop: your@own.mail.address"; \
    echo "I am currently out of the office."; \
    echo "I will return Thursday, September 13th."; \
    echo "-- "; cat $HOME/.signature_line.txt \
   ) | $SENDMAIL -oi -t

The formail command in this first part creates a file called out.cache that contains all mails sent. The -r option to formail strips unnecessary headers from the mail message, while the -D option limits the length of the message, to save on system resources and network bandwidth.

The second part begins at line with :0 ehc. This line directs the recipe to reply to messages even if they are not found in the out.cache file. The directive portion of the message contains the actual autoresponder message, complete with an email signature file. The backslashes are necessary for line continuation. The -oi option to Sendmail causes Sendmail not to send a message created from standard input, even if a single period is at the end. The -t option removes all recipients from the message headers.

For more information visit http://www.procmail.org.

Domain Name Service (DNS) 2.207

objective 1: basic dns server configuration (weight: 2)

Description: Candidates should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to convert older BIND configuration files to newer format, managing a running server and configuring logging.


 options {
    directory "/var/named";
 };

 zone "." {
    type hint;
    file "named.ca";
 };

 zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.1.168.192.in-addr.arpa";
 };

 zone "example.com" {
    type master;
    file "db.example.com";
 };

 zone "example.net" {
    type slave;
    file "db.example.net";
    masters {; };
 };

Primary DNS

 zone "asdf.com" {
   type master;
   file "db.asdf.com";
 };

Content of db.asdf.com:

 @ IN SOA ns.asdf.com.   root.asdf.com. (
       2008111101; serial
       10800 ; refresh (3 hours)
       3600  ; retry (1 hour)
       604800 ; expire (7 days)
       86400 ) ; minimum (1 day)
       IN NS ns1.asdf.com.
       IN NS ns2.asdf.com.
       IN A
 www   IN A
 ftp   IN CNAME www
 node2 IN A
 router IN A
 ns1    IN A

The first section is the SOA (start of zone authority) entry. The SOA entry contains the domain of the originating host, the domain address of the maintainer, the file serial number, and various time parameters such as refresh, retry, expire and minimum time to live.

Furthermore it is defined that the primary for this zone is ns.asdf.com. and that the administrator can be reached at the e-mail address root@asdf.com (the "@" has to be replaced by a "."; if a "." occurs before the "@", e.g. vorname.nachname@example.com, it is escaped with a "\", i.e. vorname\.nachname.example.com). The default Time To Live for resource records of this zone is set to 800.

The reverse zone file:

 @ IN SOA ns.asdf.com.   root.asdf.com. (
       2008111101; serial
       10800 ; refresh (3 hours)
       3600  ; retry (1 hour)
       604800 ; expire (7 days)
       86400 ) ; minimum (1 day)
       IN NS ns1.asdf.com.
 2     IN    PTR   node2.asdf.com.
 10    IN    PTR   ns1.asdf.com.
 254   IN    PTR   router.asdf.com.

Make sure that you have no character before the content of the A and PTR lines. I first formatted them nicely but afterwards encountered problems that bind does not read them or spits errors such as "unknown RR type in ..".
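A check that belongs next to the two zone files above, as an added example that is not part of these notes: every PTR in the reverse zone should point to a name whose A record carries that address, and every address with an A record should have a PTR. Both zones below are constructed (the notes elide the addresses; 192.168.1.x is assumed to match 1.168.192.in-addr.arpa); on a real server feed it the db.* files.

```shell
# Constructed forward zone in the notes' layout (addresses are made up).
FWD_ZONE='$ORIGIN asdf.com.
@      IN A     192.168.1.10
www    IN A     192.168.1.10
ftp    IN CNAME www
node2  IN A     192.168.1.2
router IN A     192.168.1.254
ns1    IN A     192.168.1.10'

# Constructed reverse zone; the PTR for 3 has no forward record on purpose.
REV_ZONE='2    IN PTR node2.asdf.com.
3    IN PTR node3.asdf.com.
10   IN PTR ns1.asdf.com.
254  IN PTR router.asdf.com.'

# check_reverse FWD_ZONE REV_ZONE ORIGIN PREFIX
# ORIGIN is the forward zone name with trailing dot, PREFIX the first three
# octets of the /24 the reverse zone covers. Prints one line per PTR and one
# NOPTR line per forward address that has no reverse entry.
check_reverse() {
    {
        # A records, owner names qualified to the origin ("@" is the zone itself).
        printf '%s\n' "$1" | awk -v o="$3" '$2 == "IN" && $3 == "A" {
            n = ($1 == "@") ? o : $1 "." o; print "A", n, $4 }'
        # PTR records, expanded from the last octet to the full address.
        printf '%s\n' "$2" | awk -v p="$4" '$2 == "IN" && $3 == "PTR" {
            print "PTR", $4, p "." $1 }'
    } | awk '
        $1 == "A"   { a[$2 " " $3] = 1; has_a[$3] = 1 }
        $1 == "PTR" { has_ptr[$3] = 1
                      if (($2 " " $3) in a) print "ok       " $3 " <-> " $2
                      else print "MISMATCH " $3 " PTR " $2 " has no matching A record" }
        END { for (ip in has_a) if (!(ip in has_ptr)) print "NOPTR    " ip }' | sort
}
```

Several names sharing one address (here @, www and ns1 on .10) are fine as long as the single PTR names one of them.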

When a domain is registered, it must be registered with not only a primary DNS server, but also a secondary DNS server.

Secondary DNS

 zone "asdf.com" {
   type slave;
   file "db.asdf.com";
   masters {; };
 };

objective 2: create and maintain dns zones (weight: 3)

forward DNS zones

 options {
    directory "/var/named";
    forwarders {,;};
 };

forward only

 options {
    directory "/var/named";
    forwarders {,;};
    forward only;
 };

zone specific forwarding

 zone "asdf.com" IN {
    type forward;
    forwarders {,;};
 };

objective 3: securing a dns server (weight: 3)

Web Services (Apache and Squid) 2.208

objective 1: implementing a web server (weight: 2)

Description: Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources.

 <VirtualHost *:80>
    DocumentRoot /var/www/asdf
    DirectoryIndex index.mytype index.php index.html
 </VirtualHost>

secure access

 htpasswd -c /etc/apache2/htpasswd hans
 <Directory /var/www/securedir>
   AuthName "text for the upcoming window in which you should enter user data"
   AuthType Basic
   AuthUserFile /etc/apache2/htpasswd
   require valid-user
   # or if only for hans: require user hans
 </Directory>

install third-party modules


 aptitude install libapache2-mod-php5

Test it with a site index.php:

 <?php   phpinfo();  ?>


 aptitude install libapache2-mod-perl2

Test through creating cgi file under /usr/lib/cgi-bin/test.pl:

 #!/usr/bin/perl
 print << "EOM";
 Content-Type: text/html; charset=utf-8

 <html><body><h1>perl is running well</h1></body></html>
 EOM


 aptitude install openssl
 # the 1024-bit key and -sha1 below are what these notes used; current browsers
 # reject both, so use at least 2048 bits and -sha256 today
 openssl genrsa -des3 -out server.key 1024
 cp server.key server.key.passphrase
 openssl rsa -in server.key.passphrase -out server.key
 openssl req -new -key server.key -out server.csr
 # self-signed certificate for testing, instead of sending server.csr to a CA
 openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt

 Listen 443
 SSLPassPhraseDialog builtin
 SSLSessionCache dbm:/var/logs/ssl_scache
 SSLSessionCacheTimeout 300
 SSLMutex file:/var/logs/ssl_mutex
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 <VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/server.crt
   SSLCertificateKeyFile /etc/apache2/ssl/server.key
 </VirtualHost>

objective 2: maintaining a web server (weight: 2)

Description: Candidates should be able to configure a web server to use virtual hosts, Secure Sockets Layer (SSL) and customize file access.

redirecting request

 RewriteEngine On
 RewriteRule ^(.+)$ http://www.asdf2.com [R]

Rewrite using an environment variable (see also http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html):

 RewriteCond %{QUERY_STRING} ^page.+
 RewriteRule ^(.+) /%{QUERY_STRING}.html

In words: if the request carries a query string such as "?page123", i.e. one starting with the word page, then the RewriteRule is executed.

tuning the server

objective 3: implementing a proxy server (weight: 2)

Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.

You should know:

 aptitude install squid

Options you should know:

 cache_dir ufs /var/spool/squid 1024 L1 L2
sets up a ufs cache directory with 1 GB of space. L1 (default 16) is the number of top-level directories created and L2 (default 256) the number of second-level subdirectories.

The most important option is

 acl intranet src
 http_access allow intranet
 http_access deny all

By default the squid.conf file is configured with ACL lines that will deny access to everything except the localhost.

 acl blocked_sites dstdomain .web.de .google.de .google.com
 acl jupiter src
 acl saturn  src

 http_access allow localhost
 http_access deny blocked_sites
 http_access allow jupiter
 http_access deny saturn
 http_access deny all

With this configuration jupiter is not allowed to access google or the web.de site, because squid takes the first rule which matches.
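The first-match rule just stated, worked through in code as an added example that is not part of these notes: a small evaluator for http_access lines over a copy of the ACL set above. The client addresses for jupiter, saturn and localhost are assumptions (the notes elide them).

```shell
# Constructed copy of the ACL set from the notes, with assumed addresses.
SQUID_RULES='acl localhost src 127.0.0.1
acl blocked_sites dstdomain .web.de .google.de .google.com
acl jupiter src 192.168.1.10
acl saturn src 192.168.1.11
http_access allow localhost
http_access deny blocked_sites
http_access allow jupiter
http_access deny saturn
http_access deny all'

# squid_decide CLIENT_IP DEST_HOST -> prints "allow" or "deny"
# Handles src (exact address) and dstdomain (".example.com" matches the
# domain and every subdomain); "all" always matches. As in Squid, the first
# http_access line whose ACLs all match wins; if no line matches, the
# opposite of the last line is applied.
squid_decide() {
    printf '%s\n' "$SQUID_RULES" | awk -v ip="$1" -v host="$2" '
    function acl_hit(name,    n, v, j, pat) {
        if (name == "all") return 1
        n = split(vals[name], v, " ")
        for (j = 1; j <= n; j++) {
            pat = v[j]
            if (atype[name] == "src" && pat == ip) return 1
            if (atype[name] == "dstdomain" &&
                (host == substr(pat, 2) ||
                 substr(host, length(host) - length(pat) + 1) == pat))
                return 1
        }
        return 0
    }
    $1 == "acl" { atype[$2] = $3; for (i = 4; i <= NF; i++) vals[$2] = vals[$2] " " $i }
    $1 == "http_access" {
        hit = 1
        for (i = 3; i <= NF; i++) if (!acl_hit($i)) { hit = 0; break }
        if (hit) { verdict = $2; exit }      # first matching line wins (exit runs END)
        last = $2
    }
    END {
        if (verdict == "") verdict = (last == "allow") ? "deny" : "allow"
        print verdict
    }'
}
```

Moving the "allow jupiter" line above "deny blocked_sites" is exactly what would let jupiter reach google, which is why rule order matters more than rule content here.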

If you want to use authentication for access to the proxy server you get more information in the logfiles. Actually you can track back every access to the web to a specific user.

 htpasswd -c /etc/squid/htpasswd hans
 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
 acl passwd proxy_auth REQUIRED
 http_access allow intranet passwd

to increase speed of a webserver

You can use squid to increase speed of access to a webserver.

 http_port 80
 acl acceleratedHost dst
 httpd_accel_port 80
 acl acceleratedPort port 80
 httpd_accel_with_proxy on
 acl all src
 acl intranet src
 http_access allow acceleratedHost acceleratedPort
 http_access allow intranet
 http_access deny all

Network Client Management 2.210

objective 1: DHCP configuration (weight 2)

Description: Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

DHCP can dynamically assign IP addresses from preassigned IP ranges in /etc/dhcpd.conf and set up static IP addresses based on the network interface card's Media Access Control (MAC) address. DHCP can even restrict access by accepting requests only from specified MAC addresses.

Setting Up a DHCP Server

 aptitude install dhcp

options you should know

 default-lease-time 21600;
how long a client can hold an IP without reconfirming with the server; 21600 seconds means 6 hours
 max-lease-time 43200;
if it has not been in touch within 43200 seconds (12 hours) it should consider itself to be out of a lease
 option subnet-mask;
 option broadcast-address;
 option routers;
 option domain-name-servers,;
 option domain-name "example.com";
 option ntp-servers;

random pool for ip numbers

 subnet netmask {

The server hands out addresses at random from the class C network, within the ranges 10-100 and 150-200.

Fixed addresses in dhcpd

One way to achieve that is to set the lease time very high, so a client would have to be off the network for a long time before it stops getting the same address as before.

The better way is with a one-to-one relation between IP and MAC address.

 host asdf {
    hardware ethernet 00:60:1D:1F:1E:EF;

The address has to be outside the dynamic ranges.


That is the file where the server saves its leases which it had given to clients. The full path is


Using DHCP Clients


 aptitude install pump

 domainsearch "asdf.com"
 script /sbin/pump.script
 device eth0 { nodns }

The first line overrides the domain list that pump would use to update /etc/resolv.conf. The nodns keyword for eth0 stops pump from changing the resolv.conf for requests coming through eth0.

To get a DHCP lease for eth0, give

 pump -i eth0

To check your DHCP lease enter:

 pump --status

To release lease:

 pump -r 

To renew:

 pump -R




 auto eth0 
 iface eth0 inet dhcp

DHCP Relay

To relay all requests seen on eth0 to the DHCP server ath, relaying can be started as follows. It will then catch all requests and relay them to the server, the server will answer back to the relay agent, and the relay agent will send the answer back to the requester.

objective 2: NIS configuration (weight 1)

Description: Candidates should be able to configure an NIS server. This objective includes configuring a system as an NIS client.

You must run the RPC portmapper (/usr/sbin/portmap) to run NIS. The RPC portmapper converts RPC program numbers to TCP/IP or UDP/IP protocol port numbers.

Most Linux distributions ship with NIS Version 2. NIS Version 3 is known as NIS+ and is not in widespread use.

 ypserv start
 yppasswdd start
 ypxfrd start
 ypbind start

initialize the master server:

 /usr/lib/yp/ypinit -m

NIS client-side tools

Keeping maps up to date: on client:

 yppoll -h localhost passwd.byname
 yppoll -h asdf passwd.byname

and watch the differences.

on the master server:

 yppush -h asdf passwd.byname

RPC calls

The utility rpcinfo can be used to detect and debug a variety of failures. Just type rpcinfo -p hostname to check how the things are going in your NIS server.

 rpcinfo -p localhost

The output shows RPC program and version numbers, the protocols supported, the IP port used by the RPC server and the name of the service. If rpcinfo times out while attempting to reach the remote machine and reports an error, check whether the portmapper service is alive.

 /etc/init.d/portmap status

objective 3: LDAP configuration (weight 2)

Description: Candidates should be able to configure an LDAP server. This objective includes working with directory hierarchy, groups, hosts, services and adding other data to the hierarchy. Also included is importing and adding items, as well as adding and managing users.

objective 4: PAM Authentication (weight 2)

Description: The candidate should be able to configure PAM to support authentication using various available methods.

PAM is the Pluggable Authentication Modules system.

PAM Configuration

files located in /etc/pam.d

common entries that can be found under /etc/pam.d include chfn, chsh, halt, linuxconf, login, passwd, ppp, reboot, rexec, rlogin, rsh, shutdown, su, xdm, and xscreensaver.

Looking at these files you will see four columns of information:

 module-type control-flag module-path arguments

module-type: auth, account, session, password
control-flag: optional, required, requisite, sufficient

System Security Topic 2.212

objective 2: configuring a router

ip packet forwarding

 echo 1 > /proc/sys/net/ipv4/ip_forward


 -p --protocol
 -s --source
 -d --destination
 -j --jump
specifies what to do next if the packet matches the rule: ACCEPT, DROP, DENY, MASQUERADE, DNAT
 -i --in-interface
only valid in the INPUT, FORWARD and PREROUTING chains (e.g. together with -A)
 -o --out-interface
 --dport, --destination-port
 -m state --state state

An additional target used for port forwarding is DNAT. A rule that uses DNAT takes an additional option that specifies the address to redirect to and optionally the port, if that too is to be changed. An example use of DNAT is:

 iptables -t nat -A PREROUTING ... --jump DNAT --to address[:port]

For a bigger example see Book LPI Linux Certification in a nutshell page 830.

If connection tracking for FTP was enabled both passive and active connections would be allowed in as RELATED. The same goes for the other protocol agents available in Linux 2.6.
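The DNAT rule on its own only rewrites the destination; the packet still has to pass the FORWARD chain, and ip_forward has to be on. As an added example that is not part of these notes, here is the complete rule set for forwarding one public port to an internal host, with the FORWARD chain limited by connection state. Interface names and addresses are assumptions, and IPT defaults to echo so the function only prints the commands it would run.

```shell
# IPT=iptables (as root) applies the rules; the default only prints them.
IPT="${IPT:-echo}"

# port_forward_rules WAN_IF LAN_IF INTERNAL_HOST PORT
# ip_forward must already be enabled (echo 1 > /proc/sys/net/ipv4/ip_forward),
# otherwise the rewritten packets are never forwarded at all.
port_forward_rules() {
    wan=$1 lan=$2 host=$3 port=$4
    # Replies and related traffic of accepted connections come first; with the
    # FTP conntrack helper loaded this is also what lets data connections in.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of packets arriving on the WAN side for the port.
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" -j DNAT --to "$host:$port"
    # Only NEW connections to exactly that host and port may cross from WAN to LAN.
    $IPT -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
    # Everything else that would be forwarded is dropped.
    $IPT -P FORWARD DROP
}
```

Without the last two FORWARD rules a rewritten packet would be forwarded by whatever the chain's default policy is, which on a fresh system is ACCEPT for every port, not just the one you meant to expose.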

Saving and reloading rulesets

 iptables-save > firewall-rules

Now we can reboot the system and afterwards regain the rules with

 iptables-restore < firewall-rules

ssh tricks

sshd, like the linux login program, denies logins when the file /etc/nologin exists.

tricks in hosts.allow and hosts.deny

all hosts are allowed except two
all services are allowed for access except vsftpd

add second ip address to an ethernet interface

 ifconfig eth1:1 netmask


capture the whole packet, not only the header

 tcpdump -vvv -s 1518 -i eth0 -w cap1.cap

 tcpdump host host1 and \( host2 or host3 \)
 tcpdump -i eth1 not arp and not '(port ssh)' and not '(port http)'

 not   (alternatively !)
 and   (alternatively &&)
 or    (alternatively ||)


 ping -a # audible ping
 ping -f # flood pings
 ping -c # stop after the given number of ping packets

enable ip forwarding

 echo 1 > /proc/sys/net/ipv4/ip_forward 


 vim /etc/sysctl.conf

and add the line

 net.ipv4.ip_forward = 1

then run the command

 sysctl -p /etc/sysctl.conf

netcat (nc)

Could be used as telnet replacement with

 nc localhost 80
 HEAD / HTTP/1.0

 nc remotehost.org 25
 HELO remotehost.org
 mail from:<me@here.org>
 rcpt to:<you@remotehost.org>


easy file transfer with netcat alone

Netcat can also be used to establish a simple connection between two hosts. For example, we want to transfer files between host A and host B and have no other means such as ssh or ftp. We then open a port on host A which receives a tar stream. To use a port lower than 1000 you have to be root, so we use 1234.

 nc -l -p 1234 | tar xvfp -

Now host A is listening on port 1234 and you can send a file from host B using netcat:

 tar cfp - /path2files | nc -w 3 hostA 1234

You can also use other applications than tar. Next we want to save a complete partition over the network.

 nc -l -p 1234 | dd of=backup_hda1
opens a listening port on host A and writes whatever arrives to the file backup_hda1
 dd if=/dev/hda1 | nc -w 3 hostA 1234
writes data to port 1234 on host A.

ssh port forwarding

 ssh -L 2525:mail.example.com:25 login.example.com
log in to login.example.com, then forward connections to localhost port 2525 to port 25 on mail.example.com. The reason for binding to port 2525 is that one needs to be root to bind port 25. Normal user can only bind ports above port 1024.

TCP wrappers

 ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd
  1. do the service and origin have a match in /etc/hosts.allow? if so,allow the connection to continue at once.
  2. do they have a match in /etc/hosts.deny? If so, the connection is closed without reading any input.
  3. Otherwise, the connection is allowed to continue.

Specifying services in hosts.*:

 vsftpd: 10.0.0/


 service rsync
 {
   disable = no
   socket_type = stream
   wait = no
   user = root
   server = /usr/bin/rsync
   server_args = --daemon --server
   log_on_failure += USERID
   no_access =
   only_from =,
 }





config file
finger print database
used for files that can be used across several hosts.
policy files which are created with twadmin.
 tripwire --init
 tripwire --check
 tripwire --update
 tripwire --update-policy
 tripwire --test --email alert@example.com