The root directive in Nginx defines the file system path from which the content of the server is retrieved. It can be placed in the http, server, or location contexts. The root directive specifies the root directory that will be used to search for a file. To obtain the path of a requested file, Nginx appends the request URI to the path specified by the root directive. For example, if the root directive is set to /var/www/html and the request URI is /index.php, Nginx will look for the file /var/www/html/index.php. References: Serving Static Content | NGINX DocumentationUnderstanding and Implementing FastCGI Proxying in Nginx

The option in named.conf that specifies which hosts are permitted to ask for domain name information from the server is allow-query. The allow-query option is used to define an access control list (ACL) that matches the source IP address of the DNS query. The ACL can be a list of IP addresses, networks, keywords, or predefined ACL names. The default value of allow-query is any, which means that any host can query the server. However, this can pose a security risk, as the server may be exposed to unwanted or malicious queries. Therefore, it is recommended to restrict the allow-query option to only the hosts that need to access the server, such as the local network or trusted clients. For example, the following option allows only the hosts in the 192.168.1.0/24 network and the localhost to query the server:

allow-query { 192.168.1.0/24; localhost; };

The other options are not valid in named.conf. allowed-hosts, accept-query, permit-query, and query-group are not recognized keywords by BIND.

References:

• LPIC-2 exam 202 objectives, topic 208.1, “Implementing a web server”
• BIND 9 Administrator Reference Manual, chapter 6, “Access Control Lists and TSIG”
• How to Configure DNS Server with TSIG on CentOS 8

An open relay is a mail server that allows anyone to send e-mail through it without authentication or authorization. This can expose the mail server to spam, abuse, and blacklisting. To prevent the mail server from being used as an open relay, while maintaining the possibility to receive company mails, the following actions would help:

• Restrict Postfix to only accept e-mail for domains hosted on this server. This can be done by setting the mydestination parameter in the /etc/postfix/main.cf file to include the company domains, and the smtpd_recipient_restrictions parameter to reject_unauth_destination. This will ensure that Postfix will only accept mail for the domains that it is responsible for, and reject mail for other domains unless the sender is authenticated or authorized. For example:

mydestination = example.com, example.net, localhost smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

• Restrict Postfix to only relay outbound SMTP from the internal network. This can be done by setting the mynetworks parameter in the /etc/postfix/main.cf file to include the IP addresses or networks of the internal hosts that are allowed to relay mail through Postfix, and the smtpd_relay_restrictions parameter to permit_mynetworks. This will ensure that Postfix will only relay mail from the trusted internal hosts, and reject mail from external hosts unless the sender is authenticated or authorized. For example:

mynetworks = 192.168.0.0/24, 127.0.0.0/8 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

The other actions would not help prevent the mail server from being used as an open relay, or they would affect the functionality of the mail server. Configuring Dovecot to support IMAP connectivity would not affect the SMTP relay, but it would allow users to access their mailboxes remotely. Configuring netfilter to not permit port 25 traffic on the public network would prevent the mail server from receiving any mail from the outside world, which would defeat the purpose of having a mail server. Upgrading the mailbox format from mbox to maildir would not affect the SMTP relay, but it would change the way the mail messages are stored on the disk.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix SMTP relay and access control, Postfix Documentation
• How to disable open relay on Postfix? - Howtoforge, Forum
• Postfix SMTP relay without authentication | Guide - Bobcares, Blog

The two commands shown in the image are used to drop packets with source or destination addresses from fe80::/64 in the FORWARD chain. The first command drops packets with source addresses from fe80::/64, while the second command drops packets with destination addresses from fe80::/64. Both commands will complete without an error message or warning because the affected network is not already part of another rule. The other statements are incorrect for the following reasons:

• B. The rules disable packet forwarding because network nodes always use addresses from fe80::/64 to identify routers in their routing tables. This is false because network nodes do not use link-local addresses to identify routers in their routing tables. Instead, they use global or unique local addresses that are advertised by routers through router advertisements or DHCPv6.
• C. ip6tables returns an error for the second command because the affected network is already part of another rule. This is false because there is no indication that the affected network is already part of another rule. Even if it was, ip6tables would not return an error, but rather append the new rule to the existing ones, unless the -I option was used to insert the new rule at a specific position.
• E. The rules suppress any automatic configuration through router advertisements or DHCPv6. This is false because the rules only affect the FORWARD chain, which is used to process packets that are routed through the router. The rules do not affect the INPUT or OUTPUT chains, which are used to process packets that are destined for or originated from the router. Therefore, the rules do not interfere with the router’s ability to send or receive router advertisements or DHCPv6 messages.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, IPv6 Firewalling with ip6tables, IPv6 Addressing and Basic Connectivity

The TransferLog and CustomLog directives are both used to specify the location and format of the access log file in Apache HTTPD. The access log file records information about each request received by the server, such as the client IP address, the request method, the requested URL, the response status code, and the bytes sent.

The TransferLog directive is a simple way to enable access logging, without any customization. It takes one argument, which is the name of the log file or a pipe to a program that will handle the log data. For example:

TransferLog logs/access_log

The CustomLog directive is a more flexible way to enable access logging, with the ability to customize the log format and conditionally log requests based on environment variables. It takes two or three arguments, which are the name of the log file or a pipe to a program, the log format string or a nickname defined by the LogFormat directive, and optionally an expression that evaluates to true or false for each request. For example:

CustomLog logs/access_log common CustomLog “|/usr/bin/rotatelogs logs/access_log.%Y-%m-%d 86400” combined CustomLog logs/ssl_access_log “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b” env=HTTPS

The ErrorLog directive is another logging directive in Apache HTTPD, but it is used to specify the location and format of the error log file, which records any errors or warnings encountered by the server. For example:

ErrorLog logs/error_log

The ServerLog and VHostLog directives are not valid logging directives in Apache HTTPD. They may be confused with the ServerSignature and VirtualHost directives, which are used for other purposes.

References:

• Log Files - Apache HTTP Server Version 2.4
• Directive Index - Apache HTTP Server Version 2.4
• Apache Logging Basics - The Ultimate Guide To Logging

The security option in the smb.conf file determines how Samba authenticates users who try to access its shares. The value of security = share means that Samba does not require a valid username and password for each connection, but only for each share. This allows users to access shares anonymously, without providing any credentials. This is useful for setting up a guest printer service, where anyone can print to a shared printer without logging in. However, this option is deprecated and not recommended for security reasons. The other options are either invalid or irrelevant for this question.

The Samba service that handles the membership of a file server in an Active Directory domain is winbindd. Winbindd is a daemon that provides a number of services to the Name Service Switch (NSS) capability of the system, such as resolving user and group information from a Windows NT server and authentication. Winbindd can also be used to join a Samba file server to an Active Directory domain and authenticate domain users to access the file shares12 References:

• Chapter 4. Using Samba for Active Directory Integration Red Hat Enterprise Linux 7 - Red Hat Customer Portal
• Winbind: Use of Domain Accounts - SambaWiki

 The option within the ISC DHCPD configuration file that defines the IPv4 DNS server address(es) to be sent to the DHCP clients is domain-name-servers. This option takes one or more IPv4 addresses as arguments and specifies the DNS servers that the client should use for name resolution. The domain-name-servers option is part of the standard DHCP options defined in RFC 2132 and is supported by the ISC DHCP server. The domain-name-servers option can be specified globally, per subnet, per shared network, per group, or per host in the dhcpd.conf file. For example, the following line in the dhcpd.conf file will assign the DNS servers 192.168.1.1 and 192.168.1.2 to all DHCP clients:

option domain-name-servers 192.168.1.1, 192.168.1.2;

References:

• ISC DHCP 4.4 Manual Pages - dhcp-options
• [RFC 2132 - DHCP Options and BOOTP Vendor Extensions]
• isc-dhcp-server - Community Help Wiki - Official Ubuntu Documentation

In Apache HTTPD configuration, only one ServerName directive is allowed per VirtualHost block. The ServerName provides the hostname and port that the server uses to identify itself. If there are additional domain names pointing to the same virtual host, they should be added using the ServerAlias directive. For example, the following configuration would create a virtual host that responds to both www.example.com and www2.example.com:

ServerName www.example.com ServerAlias www2.example.com ServerAdmin webmaster@example.com DocumentRoot /var/www/ Require all granted

The ServerName and ServerAlias directives are usually included in such configuration files. To enable or disable a virtual host, we can use the a2ensite and a2dissite commands to create and remove the symbolic links in the sites-enabled directory. For more information about the ServerName and ServerAlias directives, you can refer to the following resources:

• 1: A Microsoft Learn article that explains the syntax and usage of the ServerName and ServerAlias directives on Windows Server.
• 2: A Stack Overflow question that discusses the difference between ServerName and ServerAlias in Apache configuration.
• 3: A Stack Overflow question that shows how to redirect ServerAlias to ServerName in Apache configuration.

The command in the question is using the ldapsearch tool to query an LDAP directory. The filter expression is (|(cn=marie)(!(telephoneNumber=9*))), which means to match entries that satisfy either one of the two conditions inside the parentheses. The first condition is (cn=marie), which means the common name attribute (cn) of the entry is equal to marie. The second condition is (!(telephoneNumber=9*)), which means the telephone number attribute (telephoneNumber) of the entry is not equal to 9 followed by any number of characters. The ! operator means logical negation, and the * operator means wildcard matching. Therefore, the command will return entries that have a cn of marie or don’t have a telephoneNumber beginning with 9. References: LPIC-2 202 exam objectives, LDAP Search Filters

The http_access directive for Squid allows or denies access to the web resources based on defined access control lists (ACLs). The syntax of the http_access directive is:

http_access allow|deny [!]aclname …

The directive takes one or more ACL names as arguments, separated by spaces. The first argument is either allow or deny, indicating the action to be taken if the ACLs match. The optional ! character before an ACL name negates the result of that ACL.

To allow users in the ACL named sales_net to only access the Internet at times specified in the time_acl named sales_time, the correct http_access directive is:

http_access allow sales_net sales_time

This directive means that if the client IP address matches the sales_net ACL and the request time matches the sales_time ACL, then the access is allowed. Otherwise, the access is denied or the next http_access directive is evaluated.

 The ldappasswd command is an OpenLDAP client tool that can be used to change the password for an LDAP entry. It can be used to change the password of the user who is binding to the LDAP server, or the password of another user if the bind user has sufficient privileges. The ldappasswd command requires the user to specify the LDAP server location, the bind DN and password, the old password, and the new password. The old and new passwords can be given on the command line, through prompts, or from files. The ldappasswd command can also use SASL authentication mechanisms instead of simple authentication. The ldappasswd command follows the general syntax of:

ldappasswd [options] [user]

where user is the DN of the entry whose password is to be changed. If omitted, the bind DN is used.

References:

• LPIC-2 Exam 202 Objectives, Objective 207.3: LDAP Operations
• How To Change Account Passwords on an OpenLDAP Server, DigitalOcean
• ldappasswd: change the password of an LDAP entry, openldap-clients Manual Page
• How To Change an OpenLDAP Password, Tyler’s Guides

 The line A is valid in a configuration file in /etc/pam.d/ because it follows the correct syntax and semantics of a PAM configuration file. The syntax of a PAM configuration file is:

module_interface control_flag module_name module_arguments

The module_interface specifies the type of authentication action that the module can perform. There are four types of module interface: auth, account, password, and session. The control_flag specifies how important the success or failure of the module is to the overall authentication process. There are four types of control flag: required, requisite, sufficient, and optional. The module_name specifies the name of the library that contains the module. The module_arguments are optional parameters that can modify the behavior of the module.

The line A has the following components:

• module_interface: auth, which means the module is used for user authentication.
• control_flag: required, which means the module must succeed for authentication to continue. If the module fails, the failure is recorded and the rest of the modules are executed.
• module_name: pam_unix.so, which means the module is the standard Unix authentication module that verifies the user’s password against the /etc/passwd and /etc/shadow files.
• module_arguments: try_first_pass nullok, which means the module tries to use the password that was previously entered by the user (if any), and allows users with empty passwords to log in.

The line B is invalid because it has the wrong order of the fields. The control_flag should come before the module_name, not after. The line C is invalid because it uses parentheses and colons instead of spaces to separate the fields. The line D is invalid because it has the wrong syntax for the control_flag. The control_flag should be a single word, not a word in parentheses.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that allows a client to indicate which hostname it is trying to connect to at the start of the handshaking process1. This enables the server to present the appropriate certificate for the requested hostname, and thus allows multiple SSL/TLS secured virtual HTTP hosts to coexist on the same IP address12. SNI does not support transparent failover of TLS sessions from one web server to another, as this would require session resumption or renegotiation mechanisms1. SNI does not enable HTTP servers to update the DNS of their virtual hosts’ names using the X 509 certificates of the virtual hosts, as this would require a different protocol such as Dynamic DNS1. SNI does not provide a list of available virtual hosts to the client during the TLS handshake, as this would expose the server’s configuration and potentially compromise its security1. SNI submits the host name of the requested URL during the TLS handshake, as this is the information that the client needs to communicate to the server in order to select the correct certificate12. References:

• Server Name Indication - IBM
• Server Name Indication - Wikipedia

The standard port used by OpenVPN is 1194. OpenVPN is a VPN daemon that supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport, and other features. OpenVPN can be configured to listen on any port, but the default port is 1194, which is registered with the IANA for OpenVPN. The port number can be specified in the OpenVPN configuration file using the port directive. For example:

port 1194

This will instruct OpenVPN to listen on port 1194. The port number must match on both the server and the client sides of the connection. The port number can also be specified as an argument to the openvpn command. For example:

openvpn --port 1194

This will run OpenVPN with port 1194 as the default port.

References:

• Reference Manual For OpenVPN 2.6 | OpenVPN
• Reference Manual For OpenVPN 2.0 | OpenVPN
• Which ports to open for VPN PPTP, L2TP, IPsec, OpenVPN and … - ITIGIC

The client-to-client option in OpenVPN enables the VPN server to forward packets between VPN clients internally, without sending them to the IP layer of the host system. This means that the host networking stack does not see or process the client-to-client traffic at all. This option can improve the performance and efficiency of the VPN, as well as reduce the load on the host system. However, it also means that the VPN server cannot apply any firewall rules or routing policies to the client-to-client traffic, as it would if the traffic passed through the host IP layer. Therefore, this option should be used with caution and only when the VPN clients are trusted and isolated from other networks. References:

• OpenVPN 2.x HOWTO, section “Client-to-client”
• OpenVPN 2.4 man page, option “–client-to-client”

Sieve filters are usually applied to an email when the email is delivered to a mailbox by a mail delivery agent (MDA) or a local delivery agent (LDA). Sieve filters are scripts that can perform various actions on incoming emails, such as sorting them into folders, assigning labels, forwarding, rejecting, or discarding them. Sieve filters are executed on the server side, and they are independent of the mail user agent (MUA) or the mail access protocol. This means that the email filtering is consistent across different email clients and devices. Sieve filters are not applied when the email is relayed by an SMTP server, received by an SMTP smarthost, sent to the first server by an MUA, or retrieved by an MUA. These are different stages of the email delivery process, but they do not involve the final delivery of the email to a mailbox.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Sieve filter (advanced custom filters) | Proton
• start - Sieve.Info
• What is Sieve Filtering? - Knowledge Base - Pair Networks

 The BIND option that should be used to limit the IP addresses from which slave name servers may connect is allow-transfer. This option specifies a list of IP addresses or networks that are allowed to request zone transfers from the master name server. Zone transfers are the mechanism by which slave name servers obtain a copy of the zone data from the master name server. By limiting the IP addresses that can request zone transfers, the master name server can prevent unauthorized access to the zone data and reduce the network load123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• BIND 9 Administrator Reference Manual

 In the ISC DHCPD server configuration, to always assign the IP address 192.168.1.2 to a host with the MAC address 08:00:2b:4c:59:23, you need to create a host declaration within your dhcpd.conf file. Option A provides the correct syntax for this configuration:

This configuration ensures that whenever a DHCP request is received from the MAC address specified, the ISC DHCPD server will always assign it the IP address 192.168.1.2.

References:

• ISC DHCP 4.1 Manual Pages - dhcpd.conf: The official documentation of ISC DHCPD on how to configure the dhcpd.conf file, which includes the host declaration syntax and examples.
• isc-dhcp-server: Using option dhcp-client-identifier in host declaration to identify a client: A question and answer from Server Fault on how to use the option dhcp-client-identifier in a host declaration, which also shows the use of the hardware-ethernet and fixed-address parameters.

The pam_nologin module is used to prevent users from logging into the system when the /etc/nologin file exists. The file can contain a message that is displayed to the user before the login is denied. The only exception is the root user, who can always log in regardless of the existence of the /etc/nologin file. This method is useful for system maintenance or emergency situations when normal users should not access the system. References: LPIC-2 exam 201 topics, pam_nologin man page

 The sender_canonical_maps parameter on a Postfix server specifies an optional address mapping that applies when mail is delivered (sent) from the server. This mapping can be used to rewrite the sender address of outgoing messages to a different format or domain. For example, the following sender_canonical_maps entry will rewrite the sender address from user@localdomain to user@example.com:

user@localdomain user@example.com

The sender_canonical_maps parameter only affects the sender address and not the recipient address. The recipient address can be modified by other parameters such as recipient_canonical_maps or virtual_alias_maps.

References: You can learn more about sender_canonical_maps and other Postfix address rewriting parameters from the following sources:

• Postfix Address Rewriting
• Postfix Configuration Parameters
• Postfix Generic Mapping for Outgoing SMTP Mail

 To log into a remote SSH server using SSH keys, the client needs to generate a public and private key pair using the ssh-keygen utility. The private key (~/.ssh/id_rsa) should be kept secret and protected by a passphrase, while the public key (~/.ssh/id_rsa.pub) should be copied to the remote server’s authorized_keys file (~/.ssh/authorized_keys) using the ssh-copy-id utility or manually. The authorized_keys file contains the public keys of the clients that are allowed to log into the server using SSH keys. The client can then use the ssh command with the -i option to specify the private key file to authenticate to the server without entering a password. References:

• LPIC-2 Exam 202 Objectives, Topic 212: System Security, 212.3 Secure shell (SSH) (weight: 4)
• How To Configure SSH Key-Based Authentication on a Linux Server

How To Configure SSH Key-Based Authentication on a Linux Server

 The host allow option in the smb.conf file specifies the hosts or networks that are allowed to access the Samba server. The hosts can be specified by name, IP address, or network address with a netmask. The host allow option can also include the special name localhost, which refers to the local machine. The host allow option can be overridden by the host deny option, which specifies the hosts or networks that are denied access to the Samba server. The host deny option has a higher priority than the host allow option.

In this question, the host allow option is set to 192.168.1.100 192.168.2.0/24 localhost, which means that only the host with the IP address 192.168.1.100, the hosts on the network 192.168.2.0/24 (from 192.168.2.1 to 192.168.2.254), and the local machine can access the Samba server. This explains why a wireless laptop with an IP address 192.168.2.93 can access the Samba server, but a workstation on the wired network with an IP address 192.168.1.177 cannot. Almost every machine on the wired network is unable to access the Samba server because they are not included in the host allow option.

To fix this problem, the host allow option should be changed to include the entire wired network, which is assumed to be 192.168.1.0/24 (from 192.168.1.1 to 192.168.1.254). This can be done by using the network address and the netmask, or by using a range of IP addresses. The host allow option should also keep the wireless network and the localhost in the list, so that the existing access is not denied. Therefore, the correct answer is E. host allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost. This will allow any host on either network, or the local machine, to access the Samba server, without denying access to anyone else.

Dovecot supports various authentication mechanisms that can be used to verify the identity of the users who connect to the mail server. Authentication mechanisms are protocols that define how the client and the server exchange the user credentials, such as the username and the password. Some authentication mechanisms are plaintext, which means that the user credentials are sent without any encryption. Others are non-plaintext, which means that the user credentials are protected from eavesdropping or tampering by using some form of encryption or hashing. Dovecot supports the following authentication mechanisms:

• B. digest-md5: This is a non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The client and the server exchange a series of messages that include a nonce (a random number), a realm (a domain name), and a digest (a hashed combination of the username, password, nonce, and realm). This mechanism prevents replay attacks and supports mutual authentication, meaning that both the client and the server can verify each other’s identity. However, this mechanism is not widely supported by clients and has some security weaknesses12.
• C. cram-md5: This is another non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The server sends a nonce to the client, and the client responds with the username and a digest of the password and the nonce. This mechanism protects the password from eavesdropping, but does not prevent replay attacks or support mutual authentication. It also requires the server to have access to the plaintext password or a special hashed version of it. This mechanism has somewhat good support in clients12.
• D. plain: This is the simplest and most common plaintext mechanism. The client simply sends the username and the password to the server without any encryption. This mechanism is supported by all clients, but it is vulnerable to eavesdropping and tampering. Therefore, it should only be used with SSL/TLS encryption to secure the connection12.

The other options are not supported by Dovecot as authentication mechanisms. A. ldap is not an authentication mechanism, but a protocol for accessing directory services. E. krb5 is not an authentication mechanism, but a network authentication protocol based on Kerberos. Dovecot supports Kerberos authentication through the GSSAPI mechanism

 The Apache HTTPD directive that enables HTTPS protocol support is SSLEngine on. This directive activates the SSL/TLS protocol engine for the current virtual host. HTTPS is a secure version of HTTP that uses SSL/TLS to encrypt the communication between the client and the server. To enable HTTPS, the server must have a valid SSL certificate and a corresponding private key, and configure them using the SSLCertificateFile and SSLCertificateKeyFile directives123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4

The command that displays NFS kernel statistics is nfsstat. This command can be used to show information about the number and type of NFS and RPC calls made by the NFS client or server. It can also be used to reset the statistics to zero, or to display information about mounted NFS file systems. The nfsstat command is part of the nfs-utils package and can be installed on most Linux distributions. For more information about the nfsstat command, you can refer to the following resources:

• 1: A Microsoft Learn article that explains the syntax and usage of the nfsstat command on Windows Server.
• 2: A Bing search result page that shows various links and snippets related to the nfsstat command.
• 3: A Red Hat article that demonstrates how to use the nfsstat and nfsiostat commands to troubleshoot NFS performance issues on Linux.

 The fastcgi_pass directive is used to proxy requests to a FastCGI application in Nginx. It specifies the address of the FastCGI server or the path of the Unix-domain socket that will accept FastCGI requests. For example:

location ~ \.php$ { include fastcgi_params; fastcgi_pass 127.0.0.1:9000; }

This configuration will pass any requests ending with .php to the FastCGI server listening on 127.0.0.1:9000.

The other options are not valid directives in Nginx. There is no fastcgi_proxy, proxy_fastcgi, proxy_fastcgi_pass, or fastcgi_forward directive. The proxy_pass directive is used to proxy requests to a HTTP server, not a FastCGI application.

References:

• Module ngx_http_fastcgi_module - nginx
• FastCGI Example | NGINX
• Understanding and Implementing FastCGI Proxying in Nginx

The print$ share is the default location for storing printer drivers on a Samba server. This share allows Windows clients to automatically download and install the drivers when they connect to a printer on the Samba server. This feature is called Point’n’Print driver deployment. The print$ share must be configured in the smb.conf file and the drivers must be uploaded using a Windows client or the rpcclient utility123 References:

• Setting up Automatic Printer Driver Downloads for Windows Clients - Samba
• Uploading Printer Drivers to a Samba Server — Engineering Computer Network
• How do I load Windows printer drivers on a Samba 4 print server?

Setting up Automatic Printer Driver Downloads for Windows Clients - Samba1

Setting up Automatic Printer Driver Downloads for Windows Clients - Samba

 The required control flag means that the PAM module is essential for the authentication process. If the module fails, the whole authentication fails. However, unlike the requisite control flag, the required control flag does not stop the execution of the remaining modules of the same type. This allows the user to receive feedback from all the modules, such as password expiration warnings or account lockout messages. References:

• Linux Professional Institute LPIC-2 Exam 202-450 Objectives, Topic 211: System Security, Objective 211.2: Configuring PAM, Weight: 5
• PAM Control Flags, System Administration Guide: Security Services, Oracle
• 10.2. About PAM Configuration Files, System-Level Authentication Guide, Red Hat Enterprise Linux 7, Red Hat Customer Portal
• 4. The Linux-PAM configuration file, SCO Group

 The Linux user that is used by vsftpd to perform file system operations for anonymous FTP users is the one specified in the configuration option ftp_username. This option defines the local user that vsftpd will run as when handling anonymous FTP requests. By default, this option is set to ‘ftp’, which is a predefined user account that has limited privileges and access to the FTP server. The other options are incorrect for the following reasons:

• A. The Linux user which runs the vsftpd process. This is false because vsftpd does not use the same user that runs the daemon to handle anonymous FTP requests. Instead, it switches to the user specified by ftp_username, which is usually a different and less privileged user than the one that starts the vsftpd process.
• B. The Linux user that owns the root FTP directory served by vsftpd. This is false because vsftpd does not use the owner of the root FTP directory to perform file system operations for anonymous FTP users. The owner of the root FTP directory may or may not be the same as the user specified by ftp_username, but it does not affect the behavior of vsftpd for anonymous FTP requests.
• C. The Linux user with the same user name that was used to anonymously log into the FTP server. This is false because vsftpd does not use the user name that was used to anonymously log into the FTP server to perform file system operations. The user name that is used for anonymous FTP login is usually ‘anonymous’ or ‘ftp’, but it does not correspond to any actual Linux user account on the system. Instead, vsftpd maps these user names to the user specified by ftp_username, which is the one that actually performs the file system operations.
• D. The Linux user root, but vsftpd grants access to anonymous users only to globally read-/writeable files. This is false because vsftpd does not use the root user to perform file system operations for anonymous FTP users. The root user is the most powerful and privileged user on the system, and using it for anonymous FTP requests would pose a serious security risk. Instead, vsftpd uses the user specified by ftp_username, which is usually a low-privileged user that has limited access to the FTP server. The option anon_world_readable_only controls whether vsftpd only allows anonymous users to access files that have global read permissions, regardless of the permissions of the user specified by ftp_username.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Reference Manual For OpenVPN 2.4, linux - What is the anonymous user in vsftp? - Super User

How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04

 The Apache HTTPD configuration directive that specifies the RSA private key that was used in the generation of the SSL certificate for the server is SSLCertificateKeyFile1. This directive sets the file path and name of the file containing the server private key2. The private key is used to decrypt the data that is encrypted with the public key contained in the certificate1. The private key must match the certificate, otherwise an error will occur when starting the server2. The other options are not valid directives for Apache HTTPD. References:

• mod_ssl - Apache HTTP Server Version 2.4
• Why is SSLCertificateKeyFile needed for Apache? - Stack Overflow

 PAM modules are organized and stored as shared object files within the /lib/ directory hierarchy. A shared object file is a file that contains executable code and data that can be loaded into memory and used by one or more programs. This allows PAM modules to be dynamically loaded and unloaded by the PAM library as needed, without requiring recompilation or relinking of the programs that use them. The /lib/ directory hierarchy contains subdirectories for different architectures and operating systems, such as /lib/x86_64-linux-gnu/ or /lib64/. The PAM modules are usually located in a subdirectory named security, such as /lib/x86_64-linux-gnu/security/ or /lib64/security/. The PAM modules have names that start with pam_ and end with .so, such as pam_unix.so or pam_cracklib.so12.

References:

• PAM Modules: A section from the Linux-PAM System Administrators’ Guide that explains what PAM modules are, how they are named, and where they are located.
• An introduction to Pluggable Authentication Modules (PAM) in Linux: An article from Red Hat that introduces the concept and usage of PAM in Linux, which includes a description of PAM modules and their location.