CCNA System Security Questions

75 of 80 questions · Page 1/2 · System Security topic · Answers revealed

1
MCQ · medium

Which user can execute any command as any user without any password restriction?

A.alice
B.charlie
C.root
D.bob
Answer: C

root's entry is (ALL) ALL, and sudo does not prompt for a password when the invoking user is already root, so root is effectively unrestricted by this file.

Why this answer

Option C is correct because root's entry (ALL) ALL lets root run any command as any user, and sudo does not authenticate an invoking user who is already root, so the entry is effectively unrestricted. Option A is wrong because alice can only run specific commands as root and must enter her password. Option D is wrong because bob's line, '(root) PASSWD: /bin/systemctl, (ALL) ALL', contains two command specifications: systemctl as root with a password, then (ALL) ALL, which inherits the PASSWD tag set earlier on the same line (a tag applies to every following command in the list until a different tag appears, and PASSWD is the default anyway).

So bob can run any command as any user, but only after authenticating. Option B is wrong because charlie can only run tail, without a password.

2
MCQ · medium

A DevOps team manages a Kubernetes cluster on premises. The security team requires that all communication between pods be encrypted. The team decides to use mutual TLS (mTLS). They are using a Linux-based control plane with etcd and kube-apiserver. The current setup uses self-signed certificates for the API server, but the team wants to implement a proper PKI with automated certificate renewal. They have a small budget and prefer open-source tools. Which solution should they implement?

A.Generate certificates using OpenSSL on the control plane and distribute them via Kubernetes secrets manually.
B.Install cert-manager in the cluster and configure an Issuer to sign certificates with automatic renewal.
C.Use Cloudflare's cfssl tool to set up a custom CA and push certificates to nodes via Ansible.
D.Deploy Hashicorp Vault with PKI backend and use the Vault agent sidecar.
Answer: B

cert-manager is designed for Kubernetes and provides automated certificate lifecycle management.

Why this answer

Option B is correct. cert-manager is a Kubernetes-native controller: an Issuer or ClusterIssuer (backed by an internal CA, Let's Encrypt via ACME, or Vault) signs Certificate resources and renews them before expiry, writing the results into Secrets that workloads mount. Option A (OpenSSL plus hand-made Secrets) has no renewal and does not scale. Option D (Vault with the PKI backend and the agent sidecar) is a valid design, and cert-manager can use Vault as its issuer, but on its own it is more infrastructure than a small team on a budget needs.

Option C (cfssl plus Ansible) builds a CA but pushes files to nodes out of band, with no in-cluster renewal. Two caveats: cert-manager issues workload and ingress certificates, while the kube-apiserver and etcd certificates of a kubeadm cluster are renewed with `kubeadm certs renew` (or during upgrades); and pod-to-pod mTLS in practice comes from a service mesh, for which cert-manager can act as the CA.

3
Multi-Select · easy

A system administrator wants to enforce key-based SSH authentication for all users on a server, disabling password authentication. Which two commands must be executed to achieve this? (Choose TWO.)

Select 2 answers
A.sshd -T
B.visudo
C.ssh-keygen -t rsa -b 4096
D.chmod 600 ~/.ssh/authorized_keys
E.ssh-copy-id user@server
Answers: C, E

ssh-keygen generates the key pair; ssh-copy-id installs the public key in ~/.ssh/authorized_keys on the server.

Why this answer

The correct options are C and E. ssh-keygen generates the key pair on the client, and ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the server (using password authentication one last time). Option D (chmod 600) is a permissions fix that ssh-copy-id already takes care of, A (sshd -T) only prints the effective sshd configuration, and B (visudo) edits sudoers. Note that neither chosen command disables password logins; that step is `PasswordAuthentication no` (plus `KbdInteractiveAuthentication no`, spelled `ChallengeResponseAuthentication no` on older releases) in /etc/ssh/sshd_config followed by a reload, which the question leaves out. Keep an existing session open while testing the change so a mistake does not lock you out.

4
MCQ · hard

A Linux server in a DMZ hosts a custom web application that listens on TCP port 8080. The server is also configured with SSH on port 22 for remote administration. Recently, the security team noticed an increase in brute-force attacks against SSH from various external IPs. The server runs Fedora with firewalld as the firewall service. The current firewalld default zone is 'public', and the SSH service is allowed in the 'public' zone. The administrator wants to mitigate the brute-force attacks without blocking legitimate users. Additionally, the administrator wants to ensure that only specific administrative IP addresses can initiate SSH connections, and that SSH connections are rate-limited to prevent flooding. The administrator also needs to keep the web application accessible from any external IP. Which course of action best meets these requirements?

A.Move SSH to a non-standard port (e.g., 2222) and update the firewalld service definition accordingly.
B.Use iptables to create a whitelist for SSH, and install fail2ban to rate-limit after 3 failures.
C.Change the default zone to 'drop', then add a rich rule to allow SSH only from the administrative network.
D.Add a firewalld rich rule to allow SSH only from specific source IPs, and add a rich rule to limit connection rate for SSH. Keep the web application in the same zone with the appropriate service.
Answer: D

Rich rules provide granular control: a source-restricted accept rule for the ssh service plus a limit rule, all within the existing zone.

Why this answer

Option D is correct because firewalld rich rules can express both constraints inside the public zone: a rule accepting the ssh service only from the administrative sources, and a rule with `limit value=` that caps the rate of new SSH connections, while the ssh service is removed from the zone's general allow list and the web port stays open (with `--add-port=8080/tcp`, or a custom service definition, since no stock service covers 8080). Option C is wrong because switching the default zone to drop also drops port 8080 unless the web application is re-added, and it changes behaviour for every interface bound to that zone.

Option B is wrong because raw iptables rules bypass firewalld and are discarded when firewalld reloads; fail2ban is a useful complement, but it reacts after failures rather than enforcing a source whitelist. Option A is wrong because moving the port only hides SSH from the laziest scanners; it neither restricts sources nor limits the rate.

5
MCQ · medium

An organization requires that all email traffic from their mail server must be encrypted in transit. Which of the following is the most appropriate solution?

A.Implement IPsec to encrypt all traffic between mail servers.
B.Use SMTPS (SMTP over SSL) on port 465.
C.Configure the mail server to use SSH tunneling for all SMTP connections.
D.Enable STARTTLS on the SMTP server to encrypt connections.
Answer: D

STARTTLS upgrades plain SMTP to encrypted using TLS.

Why this answer

STARTTLS (RFC 3207) upgrades a plaintext SMTP session to TLS on the same port, so it works on port 25, the only port other mail servers use to deliver to yours, as well as on the submission port 587. That is why it is the answer for "all email traffic from the mail server": server-to-server delivery has no implicit-TLS port, so STARTTLS is the only way to encrypt it. It is widely supported and interoperable, and a peer that cannot negotiate TLS still receives the mail rather than a hard failure.

Exam trap

The trap is that candidates pick SMTPS on port 465 as "more secure" because the TLS handshake happens first. Port 465 is used only for message submission by mail clients (RFC 8314 re-registered it for that purpose); MTAs delivering mail to each other use port 25 with STARTTLS, so 465 cannot cover the server's outbound traffic. STARTTLS is also opportunistic: an active attacker on the path can strip the STARTTLS offer and force plaintext, so to really enforce encryption in transit pair it with MTA-STS (RFC 8461) or DANE on the receiving side and a sending policy such as Postfix's `smtp_tls_security_level = encrypt` for known peers.

How to eliminate wrong answers

Option A is wrong because IPsec encrypts at the network layer between specific hosts; it would need a tunnel to every correspondent mail server, which is unworkable, and it is not how SMTP encryption is deployed. Option B is wrong not because port 465 is insecure (it was registered for SMTPS, briefly reassigned, and then re-registered by RFC 8314 for submission over implicit TLS) but because it is a client-submission port: other MTAs will not connect to it, so it leaves server-to-server traffic unencrypted. Option C is wrong because SSH tunnelling would require SSH accounts and per-connection setup with every peer; it is impractical for a production MTA and provides no SMTP-level negotiation.

6
MCQ · easy

An administrator wants to restrict SSH access to a server so that only users from the domain 'example.com' can connect. Which file and syntax should be used with TCP Wrappers?

A.Add to /etc/hosts.deny: sshd: ALL
B.Add to /etc/hosts.allow: ALL: .example.com
C.Add to /etc/hosts.allow: sshd: .example.com
D.Add to /etc/hosts.allow: sshd: ALLOW .example.com
Answer: C

Allows SSH connections from example.com domain.

Why this answer

Option C is correct. TCP Wrappers (libwrap) reads /etc/hosts.allow and then /etc/hosts.deny; each line is `daemon_list : client_list`, and a leading dot in a client pattern matches every host whose reverse-DNS name ends in that domain, so `sshd: .example.com` in hosts.allow permits SSH from example.com hosts. Option D is wrong because ALLOW is not part of the syntax; the file name carries that meaning. Option B is wrong because `ALL:` applies the rule to every wrapped daemon, not just sshd. Option A on its own only denies.

Note that hosts.allow alone does not make access exclusive: when nothing matches in hosts.allow and nothing matches in hosts.deny, access is granted, so "only example.com" really needs both `sshd: .example.com` in hosts.allow and `sshd: ALL` in hosts.deny. Two practical caveats: domain patterns depend on reverse DNS, and upstream OpenSSH dropped libwrap support in 6.7, so check `ldd $(command -v sshd) | grep libwrap` before relying on this on a current distribution; otherwise use sshd's `Match Address` block or `AllowUsers user@host`, or the host firewall.
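The allow/deny evaluation described above, as an added example that is not part of the question bank: a small Python model of how libwrap consults /etc/hosts.allow and /etc/hosts.deny. The file contents, host names and addresses are constructed; patterns beyond ALL, domain suffixes, address prefixes, CIDR and EXCEPT (netgroups, KNOWN/UNKNOWN/PARANOID, shell commands and the extended ': allow'/': deny' option syntax) are not modelled.

```python
import ipaddress


def _host_matches(pattern, host, addr):
    """One client pattern from hosts.allow/hosts.deny against a connecting client.
    `host` is the reverse-DNS name (None if the lookup failed), `addr` the textual IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix; needs a resolvable PTR record
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):              # dotted address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # n.n.n.n/m
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == host or pattern == addr


def _list_matches(spec, match):
    """'a b EXCEPT c d' matches when some item before EXCEPT matches and nothing after it does."""
    head, _, tail = spec.partition("EXCEPT")
    if not any(match(p) for p in head.split()):
        return False
    return not (tail.strip() and _list_matches(tail, match))


def _file_matches(text, daemon, host, addr):
    """First line whose daemon list and client list both match wins."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if _list_matches(daemons, lambda p: p in ("ALL", daemon)) and \
                _list_matches(clients, lambda p: _host_matches(p, host, addr)):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, host, addr):
    """libwrap's decision: hosts.allow first (match => allow), then hosts.deny
    (match => deny), and allow when neither file matches."""
    if _file_matches(hosts_allow, daemon, host, addr):
        return True
    if _file_matches(hosts_deny, daemon, host, addr):
        return False
    return True                            # the default that surprises people


# Constructed access-control files for question 6; `daemon` is the process name
# libwrap sees (argv[0]), so "sshd" for OpenSSH.
HOSTS_ALLOW = "sshd: .example.com EXCEPT guest.example.com\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for host, addr in [("bastion.example.com", "198.51.100.10"),
                       ("guest.example.com", "198.51.100.11"),
                       ("scanner.attacker.test", "203.0.113.9"),
                       (None, "198.51.100.10")]:
        print(host, addr, "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", host, addr) else "denied")
    # Same hosts.allow with an empty hosts.deny: everything is let through.
    print("empty hosts.deny:", access_allowed(HOSTS_ALLOW, "", "sshd", "scanner.attacker.test", "203.0.113.9"))
```

The fourth case is the reverse-DNS trap: a client with no PTR record can never match a domain pattern, so it is refused by the `sshd: ALL` deny line even if it sits inside example.com. The last line shows why hosts.deny must carry a catch-all entry.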

7
MCQ · hard

An administrator is configuring nftables to log and drop packets from a specific IP. The rule must be added to the input hook. Which command accomplishes this?

A.nft add rule inet filter input ip saddr 10.0.0.5 log accept
B.nft add rule inet filter input ip saddr 10.0.0.5 log drop
C.nft add rule inet filter input ip saddr 10.0.0.5 log prefix "DROP" drop
D.nft add rule ip filter input ip saddr 10.0.0.5 drop
Answer: C

This is the correct syntax: log with a prefix and then drop.

Why this answer

Option C adds a rule to the input chain of the inet filter table that logs matching packets with the prefix "DROP" (so the entries are easy to find in the kernel log) and then drops them; `log` is a non-terminating statement, so the `drop` after it is reached. Option A logs and then accepts. Option D drops without logging and targets an `ip` family table rather than `inet`. Option B, `log drop`, is also valid nft syntax and would log and drop; the key prefers C because the prefix makes the log lines identifiable, which matters when the rule exists to produce evidence. All four assume the `filter` table and its `input` chain already exist, created with `nft add table inet filter` and `nft add chain inet filter input '{ type filter hook input priority 0; }'`.

8
Multi-Select · hard

Which TWO iptables commands are necessary to allow incoming SSH connections (port 22) from the subnet 192.168.1.0/24 while dropping all other incoming traffic? Assume the INPUT chain has a default policy of DROP. (Choose two.)

Select 2 answers
A.iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j DROP
B.iptables -A INPUT -j DROP
C.iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -j ACCEPT
E.iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Answers: B, C

This drops all remaining incoming traffic not matched by earlier rules.

Why this answer

Options B and C are correct. Option C accepts TCP to port 22 only from 192.168.1.0/24; option B drops everything that reaches it, which is redundant with a DROP policy but makes the intent explicit and still holds if the policy is later changed. Because -A appends, C must be issued before B or the DROP will shadow it.

Option E is wrong because it accepts every protocol and port from the subnet, not just SSH. Option A is wrong because it drops SSH from the very subnet that should be allowed. Option D is wrong because it accepts all incoming traffic from everywhere.

9
MCQ · hard

A financial institution uses a Linux server with a custom application that runs as the 'appuser' and writes logs to /var/log/app/. The security team recently detected that the application is vulnerable to a local privilege escalation via log injection. To mitigate, they decide to implement mandatory access control (MAC) using SELinux. The system is CentOS 7 with SELinux in enforcing mode. The current context of /var/log/app is 'unconfined_u:object_r:var_log_t:s0'. The application should only be allowed to write to logs in that directory, and no other processes should modify them. Which SELinux policy change should be made?

A.Use 'semanage permissive -a app_t' to put the application domain in permissive mode.
B.Create a custom SELinux policy module that defines a new type for the log directory and transitions for the application domain.
C.Run 'chcon -t var_log_t /var/log/app' to set the correct context.
D.Use 'audit2allow' to create a local policy module based on current denials.
Answer: B

A targeted policy ensures least privilege and persistent enforcement.

Why this answer

Option B is correct. A custom policy module defines a dedicated type for /var/log/app (say app_log_t, a name chosen here only for illustration) and allows just the application's domain to create and append to files of that type, with a file transition so new logs get that label; every other domain is denied by default. Option C (chcon) only changes the label, and to a type shared with all of /var/log; it is lost on relabel and confines nothing.

Option A (semanage permissive) puts the application domain into permissive mode, which logs denials instead of enforcing them: the opposite of the goal. Option D (audit2allow) generates allow rules from whatever denials happen to be in the audit log, which tends to grant more than the application needs; a hand-written targeted policy is the least-privilege route.

10
MCQ · hard

Based on the sshd configuration, user 'charlie' attempts to log in using public key authentication. What will happen?

A.Login is denied because the DenyUsers directive explicitly blocks charlie.
B.Login is allowed because PasswordAuthentication is disabled, but public key authentication is enabled.
C.Login is allowed because AllowUsers includes other users but does not deny charlie.
D.Login is denied because charlie's IP address is not in the allowed list.
Answer: A

DenyUsers blocks charlie regardless of authentication.

Why this answer

The DenyUsers directive in sshd_config explicitly blocks the user 'charlie' from logging in, regardless of the authentication method. Since DenyUsers takes precedence over AllowUsers and other authentication settings, public key authentication will still be denied for charlie. The correct answer is A because the directive explicitly denies charlie, overriding any other configuration.

Exam trap

The trap here is that candidates often assume that enabling public key authentication automatically allows login, ignoring the explicit DenyUsers directive that takes precedence over authentication methods.

How to eliminate wrong answers

Option B is wrong because, although PasswordAuthentication is disabled and public key authentication is enabled, the DenyUsers directive refuses charlie before any authentication method is tried. Option C is wrong because AllowUsers is a whitelist: a user absent from it is refused even without a DenyUsers line, and DenyUsers is evaluated first in any case. Option D is wrong because there is no IP-based restriction in the question; the denial is due to the DenyUsers directive, not an address list.

11
Matching · medium

Match each systemd unit type to its function.

service: manages a daemon or process

socket: manages an IPC or network socket

timer: triggers activation based on time events

mount: controls a filesystem mount point

target: groups units to define system states

Why these pairings

systemd manages each kind of resource through a unit file whose suffix names the type (foo.service, foo.socket, foo.timer, foo.mount, foo.target), and the type determines what starting and stopping the unit means.

12
MCQ · hard

A security analyst notices that an /etc/pam.d/common-auth file contains the line 'auth required pam_tally2.so deny=5'. What is the effect?

A.Log failed attempts only
B.Password expiration after 5 days
C.Maximum 5 concurrent sessions
D.Account lockout after 5 failed login attempts
Answer: D

pam_tally2.so with deny=5 locks the account after 5 failed login attempts.

Why this answer

pam_tally2.so counts failed login attempts per account. The deny=5 parameter locks the account once the count reaches 5 consecutive failures (until an administrator resets it with `pam_tally2 --reset`, or after unlock_time if that option is set). The other options misread the parameter. Note that pam_tally2 was removed in Linux-PAM 1.5.0; current distributions use pam_faillock for the same purpose, configured in /etc/security/faillock.conf with `deny = 5` and `unlock_time`.

13
MCQ · easy

To protect against SSH brute-force attacks, a system administrator installs fail2ban. Which configuration file should be modified to enable the SSH jail with default settings?

A./etc/fail2ban/fail2ban.conf
B./etc/ssh/sshd_config
C./etc/fail2ban/jail.local
D./etc/fail2ban/jail.conf
Answer: C

This file overrides settings in jail.conf; enabling the SSH jail here is the proper method.

Why this answer

Option C is correct because /etc/fail2ban/jail.local is read after jail.conf and overrides it, so an `[sshd]` section with `enabled = true` belongs there (or in a file under /etc/fail2ban/jail.d/). Option D is wrong because jail.conf is the packaged default and is overwritten on upgrade. Option A is wrong because fail2ban.conf configures the daemon itself (log level, socket, database), not jails.

Option B is wrong because sshd_config configures the SSH server, not fail2ban.

14
MCQ · easy

A system administrator wants to verify the integrity of a downloaded package using a GPG signature. Which command should be used after importing the distributor's public key?

A.gpg --encrypt package.tar.gz
B.gpg --verify package.tar.gz.asc package.tar.gz
C.gpg --decrypt package.tar.gz.asc
D.gpg --sign package.tar.gz
Answer: B

This verifies the detached signature against the file.

Why this answer

Option B is correct: `gpg --verify package.tar.gz.asc package.tar.gz` checks the detached signature against the file using the imported public key. Option C is wrong because --decrypt decrypts a message (it verifies an inline signature as a side effect, but a detached .asc carries no data). Option D is wrong because --sign creates a signature.

Option A is wrong because --encrypt encrypts the data. A "Good signature" line is not sufficient on its own: confirm that the key's fingerprint matches the one the distributor publishes out of band, since any imported key will verify as "good".

15
Multi-Select · easy

An administrator wants to enhance the security of a web server running Apache. Which TWO of the following actions are recommended best practices?

Select 2 answers
A.Enable the mod_info module to monitor server configuration.
B.Disable directory listing in the Apache configuration using Options -Indexes.
C.Enable .htaccess files to allow per-directory configuration changes.
D.Run the Apache worker processes as a non-root user such as www-data.
E.Enable the HTTP TRACE method for debugging purposes.
Answers: B, D

Disabling directory listing prevents attackers from browsing directory contents.

Why this answer

Option B is correct because disabling directory listing with `Options -Indexes` prevents Apache from generating a list of files in directories that lack an index file (e.g., index.html). This is a basic hardening step that reduces information disclosure about the server's file layout, which an attacker would use to find backups, configuration files or upload directories. Option D is correct because Apache's parent process binds the privileged port as root and then hands requests to worker processes running as the unprivileged account named by the User and Group directives (www-data on Debian-derived systems, apache on Red Hat-derived ones); a compromise of a worker then yields only that account's rights. Options A and E expose configuration details (mod_info) and enable cross-site tracing (TRACE), so both should stay off.

Exam trap

The trap here is that candidates take enabling `.htaccess` files (Option C) for a security best practice, when the hardening recommendation is the opposite, `AllowOverride None`: per-directory overrides let anyone who can write into the document root change server behaviour, and Apache must check for .htaccess files on every request, so centralising configuration improves both control and performance.

16
MCQ · easy

To ensure that OpenVPN clients authenticate the server, which configuration directive should be present on the client side?

A.tls-verify
B.tls-auth
C.ca
D.cert
Answer: C

ca points to the CA certificate file that verifies the server's certificate.

Why this answer

The 'ca' directive specifies the CA certificate used to verify the server's certificate. 'cert' and 'key' are for client authentication. 'tls-auth' is for additional HMAC signing.

17
Multi-Select · hard

Which two commands correctly configure SSH to disable root login? (Select two.)

Select 2 answers
A.usermod -L root
B.echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
C.echo "DenyUsers root" >> /etc/ssh/sshd_config
D.echo "PermitRootLogin yes" >> /etc/ssh/ssh_config
E.echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Answers: C, E

This explicitly denies root user from SSH login.

Why this answer

Setting PermitRootLogin no in sshd_config and adding DenyUsers root both prevent root from logging in over SSH. PermitRootLogin without-password (now spelled prohibit-password; the old name is still accepted) blocks only password logins and still admits root with a key. usermod -L locks the password hash, so key-based logins keep working. Editing ssh_config changes the client, not the server. One caveat with the `echo ... >>` form: sshd uses the first value it reads for a keyword, so an appended PermitRootLogin no is ignored if an earlier PermitRootLogin line exists, whereas DenyUsers lines accumulate. Check the effective value with `sshd -T | grep -i permitrootlogin` and reload sshd afterwards.
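As an added example (not code from the question bank) for questions 10 and 17, here is a Python model of the part of sshd's decision these questions test: the Deny/Allow lists in the order sshd_config(5) gives, PermitRootLogin for root, and whether the chosen method is enabled. The configurations and user names are constructed; Match blocks are assumed absent, and fnmatch stands in for sshd's own `*`/`?` pattern matcher.

```python
from fnmatch import fnmatchcase

LIST_KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")
SCALAR_KEYWORDS = ("permitrootlogin", "passwordauthentication", "pubkeyauthentication")


def parse_sshd_config(text):
    """Collect the access-control keywords from an sshd_config.

    Two sshd rules matter here: for scalar keywords the first value read wins,
    so a line appended at the end of the file is ignored when the keyword already
    appeared earlier; the Allow/Deny lists, by contrast, accumulate across lines.
    Keywords are case-insensitive. Match blocks are not modelled (assumed absent).
    """
    cfg = {k: [] for k in LIST_KEYWORDS}
    cfg.update({k: None for k in SCALAR_KEYWORDS})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key in LIST_KEYWORDS:
            cfg[key].extend(value.split())
        elif key in SCALAR_KEYWORDS and cfg[key] is None:
            cfg[key] = value.lower()
    return cfg


def _any_match(patterns, names):
    return any(fnmatchcase(n, p) for n in names for p in patterns)


def login_permitted(cfg, user, groups, method):
    """Return (allowed, reason) for `user` (member of `groups`) authenticating
    with `method`, 'publickey' or 'password'. Order follows sshd_config(5):
    DenyUsers, AllowUsers, DenyGroups, AllowGroups; then PermitRootLogin for
    root; then whether the method itself is enabled."""
    if _any_match(cfg["denyusers"], [user]):
        return False, "DenyUsers"
    if cfg["allowusers"] and not _any_match(cfg["allowusers"], [user]):
        return False, "not in AllowUsers"
    if _any_match(cfg["denygroups"], groups):
        return False, "DenyGroups"
    if cfg["allowgroups"] and not _any_match(cfg["allowgroups"], groups):
        return False, "not in AllowGroups"
    if user == "root":
        prl = cfg["permitrootlogin"] or "prohibit-password"   # OpenSSH default since 7.0
        if prl == "no":
            return False, "PermitRootLogin no"
        if prl in ("prohibit-password", "without-password") and method != "publickey":
            return False, f"PermitRootLogin {prl}"
    if method == "password" and (cfg["passwordauthentication"] or "yes") == "no":
        return False, "PasswordAuthentication no"
    if method == "publickey" and (cfg["pubkeyauthentication"] or "yes") == "no":
        return False, "PubkeyAuthentication no"
    return True, "ok"


# Constructed sshd_config matching question 10's description.
Q10_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob deploy
DenyUsers charlie
"""

# Question 17: what the two `echo ... >> sshd_config` answers do when the file
# already says PermitRootLogin yes higher up.
BASE = "PermitRootLogin yes\nPasswordAuthentication yes\n"
APPENDED_PERMIT_NO = BASE + "PermitRootLogin no\n"      # ignored: not the first value read
APPENDED_DENY_ROOT = BASE + "DenyUsers root\n"          # effective: the lists accumulate

if __name__ == "__main__":
    cfg = parse_sshd_config(Q10_CONFIG)
    for user, method in [("charlie", "publickey"), ("alice", "publickey"), ("alice", "password")]:
        print(user, method, login_permitted(cfg, user, ["users"], method))
    print("appended PermitRootLogin no:", login_permitted(parse_sshd_config(APPENDED_PERMIT_NO), "root", ["root"], "password"))
    print("appended DenyUsers root:", login_permitted(parse_sshd_config(APPENDED_DENY_ROOT), "root", ["root"], "publickey"))
```

The two appended-line cases are the practical lesson: a `>>` of PermitRootLogin no silently loses to an earlier PermitRootLogin yes, while a `>>` of DenyUsers root always takes effect.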

18
MCQ · hard

Refer to the exhibit. An administrator has applied these iptables rules. Users can still SSH into the server from any IP address, which is unexpected because the administrator intended to restrict SSH to only a specific subnet. What is the most likely reason the restriction is not working?

A.The SSH rule does not specify a source IP, so it accepts connections from any IP.
B.The default policy is ACCEPT, so the DROP rule is ignored.
C.The conntrack module is not loaded, so the state matching fails.
D.The rules are in the wrong order; the DROP rule should be before the SSH rule.
Answer: A

Without a -s option, the rule matches all source IPs, leading to unrestricted SSH access.

Why this answer

Option A is correct. The accept rule for port 22 has no -s match, so it matches SSH from every source and is hit before the final DROP; the chain is doing exactly what it was told. Option B is wrong because the rules are evaluated in order regardless of the policy, and the explicit DROP would still apply to anything that reached it; the policy is not why SSH is open.

Option C is wrong because a rule without a state match does not involve conntrack at all. Option D is wrong because putting the DROP before the SSH rule would block SSH for everyone, including the intended subnet. The fix is to add the source restriction to the accept rule (for example `-s 192.168.1.0/24`, whatever the administrative subnet actually is), remembering that `-A` appends at the end of the chain: insert the corrected rule above the DROP with `-I INPUT <n>` or rebuild the chain in order, and verify with `iptables -L INPUT -v -n --line-numbers`.

19
MCQ · hard

Refer to the exhibit. A user cannot log in via SSH even though the password is correct. What is the most likely issue?

A.The password module is not configured correctly.
B.pam_unix.so nullok allows blank passwords, causing authentication to fail.
C.The /etc/nologin file exists, preventing non-root logins.
D.pam_securetty.so restricts root login via SSH, but the user is not root.
Answer: C

pam_nologin.so denies login if /etc/nologin exists, affecting all users except root.

Why this answer

pam_nologin.so checks for the existence of /etc/nologin. If that file exists, login is denied for all non-root users. pam_securetty.so restricts root to secure TTYs, but this affects root only. pam_unix.so nullok allows blank passwords; that would not prevent login.

20
MCQ · easy

A web server running Apache is receiving many failed login attempts. Which tool should be used to dynamically block IPs after a configurable number of failures?

A.fail2ban
B.TCP Wrappers
C./etc/hosts.deny
D.iptables
Answer: A

Monitors logs and dynamically bans IPs via firewall rules.

Why this answer

Option A is correct because fail2ban tails log files, counts failures per source address, and inserts firewall rules to ban the source for a configurable time. Option B is wrong because TCP Wrappers provides static host-based access control and has no failure counter. Option D is wrong because iptables alone cannot count application-level login failures (it can rate-limit connections, but not failed logins).

Option C is wrong because hosts.deny is a static list, not a dynamic ban mechanism.

21
MCQ · hard

Given the exhibit, what is the most likely reason for the GPG error, and what is the correct way to fix it permanently?

A.The repository is not signed; use '--allow-unauthenticated' permanently in /etc/apt/apt.conf.d/
B.The repository URL is incorrect; change 'http://deb.example.com' to 'https://deb.example.com'
C.The InRelease file is corrupted; remove it and run 'apt-get update' again
D.The public key is missing; obtain and add it with 'apt-key add' or 'wget -O- | apt-key add -'
Answer: D

Adding the correct public key resolves the error.

Why this answer

The GPG error indicates that the repository's Release file is signed but the system lacks the corresponding public key to verify the signature, a common situation when adding a third-party repository. The key's fix is to obtain the missing public key and add it to the APT keyring with 'apt-key add' (or by piping it, 'wget -O- ... | apt-key add -'), after which APT can authenticate the repository's metadata. Two caveats for current systems: apt-key is deprecated (Debian 11 and Ubuntu 22.04 warn on every use and it is slated for removal), and the current practice is to store the key under /etc/apt/keyrings/ and reference it with `signed-by=` in the repository's sources entry, which scopes the key to that one repository instead of trusting it for every source. Also verify the key's fingerprint against a value published out of band before installing it; piping an unverified key from a web server into the keyring turns a signature check into a check of whatever that server chose to serve.

Exam trap

The trap here is that candidates often confuse a missing GPG key with a corrupted file or an incorrect repository URL, but the GPG error message explicitly mentions 'NO_PUBKEY', which directly points to a missing public key.

How to eliminate wrong answers

Option A is wrong because '--allow-unauthenticated' bypasses signature verification entirely, which is insecure and not a permanent fix; it also violates APT's security model. Option B is wrong because changing the URL from HTTP to HTTPS does not resolve a missing GPG key; it addresses transport security, not authentication of the repository's content. Option C is wrong because removing the InRelease file and re-running 'apt-get update' will not fix a missing public key; the error will persist as APT cannot verify the signature without the key.

22
MCQ · hard

An administrator configures iptables on a Linux firewall with the following rules: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; -A INPUT -p tcp --dport 22 -j ACCEPT; -A INPUT -j DROP. Users report that SSH connections are being dropped. What is the most likely cause?

A.The default INPUT policy is DROP, so the last rule is redundant but harmless.
B.The rule for SSH uses --dport 22, but the source port is randomized; it should use --sport 22.
C.The SSH rule should have -m state --state NEW to allow new connections.
D.The established/related rule should come after the SSH rule.
Answer: C

Without the NEW state, the rule only accepts packets from existing connections, which is not sufficient for initiating new SSH sessions.

Why this answer

Option C is the keyed answer. In the conventional stateful layout the first rule accepts packets belonging to connections already tracked (ESTABLISHED,RELATED), and a separate per-service rule must accept the NEW packets that open each permitted connection; `-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT` is that rule for SSH. Option A describes a redundancy, not a cause: with a DROP policy the trailing `-j DROP` changes nothing. Option B is wrong because the client's source port is ephemeral; the server-side rule must match destination port 22. Option D is wrong because the order shown is the usual one: ESTABLISHED,RELATED first, then the per-service rule, then the catch-all drop.

Caveat for practitioners: a rule with no `-m state` match, like the SSH rule as quoted in the stem, matches packets in every state, NEW included, so the three rules exactly as written would in fact let SSH through. Before accepting the textbook answer on a real host, read the chain with `iptables -L INPUT -v -n --line-numbers` and check whether the SSH rule is actually limited to `state ESTABLISHED`, sits on the wrong chain, or is preceded by a broader DROP; and confirm that loopback (`-i lo`) is accepted when a catch-all drop closes the chain.

23
MCQ · medium

A system with SELinux in enforcing mode is running a custom application that needs to write to a file in /data. The application's context type is 'myapp_t', and the target file context is 'default_t'. The file's current context is 'var_t'. Which command changes the file's context to allow access?

A.fixfiles -F relabel /data
B.chcon -t default_t /data/file
C.semanage fcontext -a -t default_t /data/file
D.restorecon /data/file
Answer: B

Directly changes the file's type to default_t.

Why this answer

Option B is correct because chcon rewrites the label on the file immediately, which is what the question asks for. It is not persistent: a relabel (restorecon, fixfiles, or a relabel at boot) resets the file to whatever the policy's file-context rules say. Option D (restorecon) applies those policy rules, so it would put the old label back rather than set default_t. Option A (fixfiles relabel) does the same for the whole tree. Option C (semanage fcontext) records a persistent rule in the policy but does not touch the file until restorecon is run. In practice use semanage fcontext followed by restorecon so the label survives relabeling, and confirm the application's domain is actually allowed to write the new type with `sesearch -A -s myapp_t -t default_t -c file`.

24
MCQ · medium

Refer to the exhibit. The user 'user' reports that they are able to run 'sudo apt-get update' without a password, but 'sudo apt-get upgrade' prompts for a password. What is the most likely cause?

A.The second rule does not include the NOPASSWD tag, so password is required.
B.The 'Defaults:user !requiretty' setting affects password prompting.
C.The command 'apt-get upgrade' is being run as the user, not as root.
D.The rules are in the wrong order, causing the second to be overridden.
Answer: A

Only the first rule has NOPASSWD; the second rule defaults to password authentication.

Why this answer

Option A is correct. The first rule carries the NOPASSWD tag, so apt-get update runs without a password; the second rule has no tag, and sudo's default is PASSWD, so apt-get upgrade prompts.

Option B is wrong because requiretty (or its negation) controls whether sudo insists on a terminal, not whether it asks for a password. Option C is wrong because both commands run as root under these rules. Option D is wrong because the order of the two rules does not matter here: each matches a different command, so neither overrides the other.

25
MCQ · hard

Based on the ACL output, which user(s) can write to the file /var/www/html/index.html?

A.Only the user www-data.
B.No one, because the mask is r--.
C.Only root.
D.Any user in the www-data group.
Answer: C

Root has rw- and is not limited by mask.

Why this answer

The correct answer is C because the ACL output shows a mask of r--, which caps the effective permissions of the named-user, named-group and owning-group entries at read-only regardless of what those entries grant (getfacl prints the capped value as `#effective:r--` beside each affected entry). Root is not subject to that check: CAP_DAC_OVERRIDE bypasses discretionary access control for reading and writing, so root is the only user who can write to the file.

Exam trap

The trap here is that candidates apply the mask to everything. The mask caps named users, named groups and the owning group; it does not touch the owner or other entries, and root, through CAP_DAC_OVERRIDE, bypasses the permission check entirely, so reading the mask as "blocks all write access" is wrong in both directions.

How to eliminate wrong answers

Option A is wrong because the ACL entry for user www-data grants rw-, but the mask r-- removes the write bit, so www-data cannot write. Option B is wrong because the mask does not apply to root, who bypasses ACL and mode-bit checks. Option D is wrong because the group www-data entry is r--, and even if it were rw- the mask r-- would block write access for any member of the group.
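The mask arithmetic above, as an added example that is not from the question bank: Python that parses getfacl output and computes effective permissions the way the POSIX ACL algorithm (and getfacl's #effective column) do. The getfacl text is constructed to match the question's description; the owner, group and path are assumptions, and default (directory inheritance) entries are not modelled.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_bits(s):
    """'rw-' -> 6, 'r--' -> 4."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def parse_getfacl(text):
    """Parse getfacl(1) output into owner/group names and permission bits per entry."""
    acl = {"owner": None, "owning_group": None, "user": 0, "group": 0,
           "other": 0, "mask": None, "named_users": {}, "named_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            parts = line.split("#", 1)[0].strip().split(":")   # drop any '#effective:' note
            if len(parts) != 3:
                continue                                        # default: entries are skipped
            tag, qualifier, perms = parts
            bits = perm_bits(perms)
            if tag == "user":
                (acl["named_users"].__setitem__(qualifier, bits) if qualifier
                 else acl.__setitem__("user", bits))
            elif tag == "group":
                (acl["named_groups"].__setitem__(qualifier, bits) if qualifier
                 else acl.__setitem__("group", bits))
            elif tag in ("mask", "other"):
                acl[tag] = bits
    return acl


def effective_perms(acl, user, groups):
    """POSIX ACL access check order: owner; named user; the union of the owning-group
    and named-group entries the process belongs to; other. The mask caps every class
    except the owner and other."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return acl["user"]
    if user in acl["named_users"]:
        return acl["named_users"][user] & mask
    bits, member = 0, False
    if acl["owning_group"] in groups:
        bits, member = bits | acl["group"], True
    for g in groups:
        if g in acl["named_groups"]:
            bits, member = bits | acl["named_groups"][g], True
    return bits & mask if member else acl["other"]


def can_write(acl, user, groups):
    """Write access as the kernel decides it: CAP_DAC_OVERRIDE (root) bypasses the
    DAC check entirely; everyone else needs the w bit in their effective permissions."""
    if user == "root":
        return True
    return bool(effective_perms(acl, user, groups) & PERM_BITS["w"])


# Constructed getfacl output matching question 25's description: www-data has a
# named-user entry granting rw-, but the mask is r--.
Q25_GETFACL = """\
# file: var/www/html/index.html
# owner: root
# group: root
user::rw-
user:www-data:rw-                #effective:r--
group::r--
group:www-data:r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(Q25_GETFACL)
    for user, groups in [("www-data", ["www-data"]), ("root", ["root"]), ("alice", ["www-data"])]:
        print(user, "effective bits:", effective_perms(acl, user, groups), "write:", can_write(acl, user, groups))
```

Re-running the same check with the mask changed to rw- is the way to confirm the mask, not the entry, is what blocks www-data: the named-user entry then yields 6, while a group member still gets only the r-- of the group entry.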

26
MCQ · medium

An administrator wants to block all incoming traffic from the IP address 203.0.113.55 except for SSH (port 22) using iptables. The current default policy for the INPUT chain is ACCEPT. Which set of commands achieves this?

A.iptables -A INPUT -p tcp --dport 22 -s 203.0.113.55 -j ACCEPT -m; iptables -A INPUT -s 203.0.113.55 -j DROP
B.iptables -A INPUT -s 203.0.113.55 -j DROP; iptables -A INPUT -s 203.0.113.55 -p tcp -j ACCEPT
C.iptables -A INPUT -s 203.0.113.55 -j DROP; iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -s 203.0.113.55 -j DROP
Answer: D

First accepts SSH, then drops all other traffic from the IP.

Why this answer

Option D is correct because the accept rule for port 22 is appended before the drop rule, and iptables takes the first matching rule, so SSH from 203.0.113.55 is accepted and everything else from that address falls through to the DROP. Options B and C append the DROP first, so it matches every packet from the address and the later ACCEPT is never reached. Option A ends with a dangling `-m` that names no match extension, which iptables rejects.
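Rule ordering for questions 8, 18, 22 and 26, as an added example that is not part of the question bank: a Python first-match evaluator for a simplified INPUT chain. It understands only the options those questions use (-A INPUT, -s, -p, --dport, -m state --state, -j); the rule sets and packets are constructed. It also makes the question 22 caveat concrete: a rule without a state match accepts NEW packets too, so the rules as quoted pass SSH, while a rule limited to ESTABLISHED does not.

```python
import ipaddress
import shlex


def parse_rule(line):
    """Turn one `iptables -A INPUT ...` command into a match/target dict.

    Supported: -A INPUT, -s ADDR[/LEN], -p PROTO, --dport PORT, -m MODULE,
    --state LIST, -j TARGET. Anything else, including a dangling -m with no
    module name as in one of question 26's options, raises ValueError, which
    is roughly what iptables itself does.
    """
    argv = shlex.split(line)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    rule = {"src": None, "proto": None, "dport": None, "states": None, "target": None}

    def arg(i):
        if i >= len(argv):
            raise ValueError(f"option {argv[i - 1]!r} requires an argument")
        return argv[i]

    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt == "-A":
            if arg(i + 1) != "INPUT":
                raise ValueError("only the INPUT chain is modelled")
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg(i + 1), strict=False)
        elif opt == "-p":
            rule["proto"] = arg(i + 1)
        elif opt == "--dport":
            rule["dport"] = int(arg(i + 1))
        elif opt == "-m":
            arg(i + 1)                       # module name; its own options follow
        elif opt == "--state":
            rule["states"] = set(arg(i + 1).split(","))
        elif opt == "-j":
            rule["target"] = arg(i + 1)
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    if rule["target"] is None:
        raise ValueError("rule has no -j target")
    return rule


def matches(rule, packet):
    """Does `packet` satisfy every criterion the rule specifies? Unset criteria match anything."""
    if rule["src"] is not None and ipaddress.ip_address(packet["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != packet["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != packet["dport"]:
        return False
    if rule["states"] is not None and packet["state"] not in rule["states"]:
        return False
    return True


def verdict(lines, packet, policy="DROP"):
    """First matching rule decides; the chain policy applies when none matches.
    `lines` are in the order the -A commands were issued, which is chain order."""
    for rule in (parse_rule(line) for line in lines):
        if matches(rule, packet):
            return rule["target"]
    return policy


def pkt(src, dport, state="NEW", proto="tcp"):
    """A constructed inbound packet, reduced to the fields the rules inspect."""
    return {"src": src, "proto": proto, "dport": dport, "state": state}


# Question 26, option D: accept SSH from the address first, then drop the rest of it.
Q26_D = ["iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT",
         "iptables -A INPUT -s 203.0.113.55 -j DROP"]
Q26_C = list(reversed(Q26_D))              # drop first: the ACCEPT is never reached
# Question 8: subnet-limited SSH plus an explicit catch-all drop.
Q8 = ["iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT",
      "iptables -A INPUT -j DROP"]
# Question 18: the accept rule with no -s, so SSH is open to every source.
Q18 = ["iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
       "iptables -A INPUT -j DROP"]
# Question 22 as quoted: the SSH rule carries no state match at all.
Q22 = ["iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
       "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
       "iptables -A INPUT -j DROP"]
# The misconfiguration question 22 is really about: SSH accepted only for packets
# of an already-tracked connection, so the opening SYN is dropped.
Q22_BROKEN = ["iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
              "iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT",
              "iptables -A INPUT -j DROP"]

if __name__ == "__main__":
    print("Q26 D, SSH from 203.0.113.55:", verdict(Q26_D, pkt("203.0.113.55", 22), "ACCEPT"))
    print("Q26 C, SSH from 203.0.113.55:", verdict(Q26_C, pkt("203.0.113.55", 22), "ACCEPT"))
    print("Q8,  SSH from 10.0.0.5:", verdict(Q8, pkt("10.0.0.5", 22)))
    print("Q18, SSH from 10.0.0.5:", verdict(Q18, pkt("10.0.0.5", 22)))
    print("Q22 as quoted, new SSH:", verdict(Q22, pkt("198.51.100.7", 22)))
    print("Q22 broken,    new SSH:", verdict(Q22_BROKEN, pkt("198.51.100.7", 22)))
```

Because `-A` appends, the list order here is exactly the order the commands were typed; feeding the same rules in a different order is the whole difference between options C and D of question 26.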

27
Multi-Select · easy

Which TWO files are commonly used to configure PAM authentication for the 'login' service on a Linux system? (Choose two.)

Select 2 answers
A./etc/default/login
B./etc/login.defs
C./etc/pam.conf
D./etc/pam.d/login
E./etc/security/access.conf
Answers: D, E

PAM configuration for the login service.

Why this answer

Options D and E are correct. /etc/pam.d/login is the per-service PAM stack for login, and /etc/security/access.conf is read by pam_access, which that stack commonly includes to restrict logins by user, group and origin. Option C is wrong because /etc/pam.conf is the older single-file format and is ignored when /etc/pam.d/ exists.

Option B is wrong because /etc/login.defs holds shadow-suite settings (password aging, UID ranges), not PAM configuration. Option A is wrong because /etc/default/login is not a standard PAM file on Linux.

28
MCQ · hard

An administrator is reviewing the audit rules on a Linux server. The current rules are shown in the exhibit. The administrator needs to ensure that any failed attempts to open files are logged, while also monitoring for successful outbound connections. Which of the following describes the effect of the current rules?

A.The first rule logs only failed openat calls, and the second rule logs all connect calls.
B.The first rule logs only successful openat calls, and the second rule logs only failed connect calls.
C.The first rule logs all openat calls, and the second rule logs all connect calls.
D.The first rule logs only failed openat calls, and the second rule logs only failed connect calls.
AnswerA

The first rule filters openat on a failing return value (exit=-EACCES); the second rule has no exit or success filter, so every connect is logged.

Why this answer

The first rule uses the `-F exit=-EACCES` filter, which matches only `openat` calls that returned EACCES (permission denied); successful calls, and failures with any other errno, do not match. The second rule uses `-S connect` with no exit or success filter, so it records every `connect` syscall whether it succeeded or failed. Option A therefore describes the effect correctly. A practitioner caveat: `exit=-EACCES` is narrower than "any failed open". Hardening baselines such as the CIS benchmarks pair it with a second rule using `exit=-EPERM`, or use `-F success=0` to catch every failure regardless of errno.

Exam trap

The trap here is that candidates often assume `-S connect` without an exit filter only logs failed connections, but it actually logs all connect syscalls, and they may also overlook that `-F exit=-EACCES` explicitly targets failures, not successes.

How to eliminate wrong answers

Option B is wrong because the first rule logs only failed openat calls, not successful ones; the second rule logs all connect calls, not just failed ones. Option C is wrong because the first rule does not log all openat calls—it specifically filters for failures (exit=-EACCES). Option D is wrong because the second rule logs all connect calls, not only failed ones.
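As an added example that is not part of the question set, the following Python models the two rules discussed above plus a third, broader failure filter, and applies them to constructed syscall events to show which ones each rule would log. It understands only the -S, -F and -k options of auditctl's exit-filter syntax; the rule lines and events are assumptions made up for the illustration, not output from a real audit subsystem.

```python
"""Added example: apply simplified auditctl syscall rules to constructed syscall records
to see which ones would be logged. Not part of the original question set."""
import errno
import shlex
from dataclasses import dataclass, field


@dataclass
class AuditRule:
    syscalls: set
    filters: dict = field(default_factory=dict)   # field name -> (operator, raw value)
    key: str = ""


_OPERATORS = ("!=", ">=", "<=", "=", ">", "<")   # two-character operators first


def parse_rule(line):
    """Parse the subset used here: -a action,list, -S syscall[,syscall], -F field=value, -k key."""
    tokens = shlex.split(line)
    rule = AuditRule(syscalls=set())
    i = 0
    while i + 1 < len(tokens):
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-S":
            rule.syscalls.update(value.split(","))
        elif flag == "-F":
            for op in _OPERATORS:
                if op in value:
                    name, raw = value.split(op, 1)
                    rule.filters[name] = (op, raw)
                    break
        elif flag == "-k":
            rule.key = value
        # "-a always,exit" (or -A) is assumed for every rule and skipped
        i += 2
    return rule


def _resolve(name, raw):
    """Make an auditctl value comparable: -EACCES -> -13, "0" -> 0, "b64" stays a string."""
    if name == "exit" and raw.lstrip("-").startswith("E"):
        num = getattr(errno, raw.lstrip("-"))
        return -num if raw.startswith("-") else num
    try:
        return int(raw)
    except ValueError:
        return raw


_COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
            ">": lambda a, b: a > b, "<": lambda a, b: a < b,
            ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def rule_matches(rule, record):
    """record: constructed event with 'syscall', 'arch' and a numeric 'exit' (negative errno on failure)."""
    if rule.syscalls and record["syscall"] not in rule.syscalls:
        return False
    for name, (op, raw) in rule.filters.items():
        if name == "success":                     # auditd derives success from the exit value
            actual = 1 if record["exit"] >= 0 else 0
        else:
            actual = record.get(name)
        if actual is None or not _COMPARE[op](actual, _resolve(name, raw)):
            return False
    return True


def logged_keys(rules, record):
    """Keys of every rule that would log this record."""
    return [r.key for r in rules if rule_matches(r, record)]


# Constructed rule set: the two rules the question describes, plus the broader CIS-style failure filter.
RULES = [parse_rule(line) for line in (
    "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -k access",
    "-a always,exit -F arch=b64 -S connect -k net",
    "-a always,exit -F arch=b64 -S openat -F success=0 -k any_open_failure",
)]

# Constructed events, not captured from a real system.
EVENTS = {
    "open_denied":  {"syscall": "openat", "arch": "b64", "exit": -errno.EACCES},
    "open_eperm":   {"syscall": "openat", "arch": "b64", "exit": -errno.EPERM},
    "open_ok":      {"syscall": "openat", "arch": "b64", "exit": 3},
    "connect_ok":   {"syscall": "connect", "arch": "b64", "exit": 0},
    "connect_fail": {"syscall": "connect", "arch": "b64", "exit": -errno.ECONNREFUSED},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:13} -> {logged_keys(RULES, event)}")
```

The open_eperm event is the point of the third rule: an open refused with EPERM (for example by a capability check) slips past exit=-EACCES but is caught by success=0.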

29
MCQmedium

A user needs to run a specific command as root without being prompted for a password. The command is /usr/bin/systemctl restart apache2. Which sudoers rule accomplishes this securely?

A.user ALL=(root) /usr/bin/systemctl restart apache2
B.user ALL=(root) NOPASSWD: ALL
C.user ALL=(root) NOPASSWD:: /usr/bin/systemctl restart apache2
D.user ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
AnswerD

The NOPASSWD tag allows running the specific command without a password.

Why this answer

Option D is correct: the NOPASSWD tag applies to the single command that follows it, so the user can run exactly /usr/bin/systemctl restart apache2 as root with no password prompt, and nothing else. Option A is wrong because without a tag sudo's default is PASSWD, so the user is prompted. Option B is wrong because NOPASSWD: ALL grants every command as root without a password, which is an unrestricted root shell.

Option C is wrong because a tag takes exactly one colon; NOPASSWD:: is a parse error and visudo will refuse to save the file. Two points a practitioner checks in such a rule: sudo matches the argument string exactly, so restart apache2 is permitted but status apache2 (which pipes through a pager that can spawn a shell) or restart sshd is not, and if the command were listed without arguments, any arguments would be accepted.

30
Multi-Selecthard

Which THREE conditions must be met for an SSH key-based login to succeed using the default settings on an OpenSSH server? (Choose three.)

Select 3 answers
A.The ~/.ssh directory on the remote server has permissions 0700
B.The remote server has the public key appended to ~/.ssh/authorized_keys
C.The remote server has the host key /etc/ssh/ssh_host_rsa_key
D.The client has the server's public host key stored in ~/.ssh/known_hosts
E.The client has the private key in ~/.ssh/id_rsa
AnswersA, B, E

sshd's StrictModes check requires safe permissions on the remote ~/.ssh directory.

Why this answer

Options A, B, and E are correct. Public-key authentication needs the private key on the client (ssh tries ~/.ssh/id_rsa, id_ecdsa and id_ed25519 by default, or the file named by -i or IdentityFile), the matching public key in the remote user's ~/.ssh/authorized_keys, and, because StrictModes is on by default, a remote home directory, ~/.ssh and authorized_keys that are owned by the user (or root) and not writable by group or others; 0700 on ~/.ssh satisfies that check. If any of these fail, sshd silently moves on to the next authentication method, which is why a misconfigured key usually shows up as an unexpected password prompt.

Option C is wrong because /etc/ssh/ssh_host_rsa_key is a host key that identifies the server, not a user credential; sshd needs at least one host key of some type, not specifically RSA. Option D is wrong because the client does not need the host key in advance: with the default StrictHostKeyChecking=ask the key is presented on first connection and written to known_hosts once the user accepts it, so a pre-existing entry is not a precondition for the login to succeed.

31
MCQmedium

A system administrator needs to ensure that all users must change their passwords every 90 days and that passwords must be at least 12 characters long. The administrator modifies /etc/login.defs and /etc/pam.d/common-password. Which additional step is required to enforce these settings for existing users?

A.Run 'chage -M 90' for each existing user
B.Run 'passwd -x 90' for each existing user
C.Run 'pwconv' to synchronize password aging
D.Run 'pwunconv' then 'pwconv' to update shadow file
AnswerA

chage modifies password aging for existing users.

Why this answer

Modifying /etc/login.defs sets default password aging parameters for new users, and /etc/pam.d/common-password enforces password length via pam_pwquality. However, these changes do not retroactively apply to existing users. The chage command modifies the /etc/shadow file directly, and running 'chage -M 90' for each existing user sets their maximum password age to 90 days, enforcing the policy.

Exam trap

The trap here is that candidates assume modifying /etc/login.defs applies retroactively to existing users, but PASS_MAX_DAYS is only copied into /etc/shadow when an account is created, so a per-user command like chage is required to enforce the policy on current accounts.

How to eliminate wrong answers

Option B is the weakest distractor: on shadow-utils systems 'passwd -x 90' writes the same maximum-age field in /etc/shadow that 'chage -M 90' does, so it is not functionally wrong; the question treats chage as the purpose-built aging tool (it also exposes the other fields via -m, -W, -I and -E and shows them with -l), and that is the expected answer. Option C is wrong because 'pwconv' only moves password hashes from /etc/passwd into /etc/shadow and creates missing shadow entries using the login.defs defaults; it does not change aging values for entries that already exist. Option D is wrong because 'pwunconv' followed by 'pwconv' round-trips the hashes through the world-readable /etc/passwd and, as pwunconv's manual page warns, loses the aging information, while still not applying the 90-day maximum. Note also that chage -M 90 alone does not force an immediate change: a password already older than 90 days is expired at the next login, and 'chage -d 0 user' forces a change regardless of age.
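An added example, not from the original page: a Python audit of constructed /etc/shadow lines that reports which usable accounts still carry the old maximum age and which passwords are already past policy, then produces the per-user chage commands the explanation above calls for. The sample entries, the 90-day policy and the fixed "today" (an epoch day number, used so the result is reproducible) are all assumptions.

```python
"""Added example: audit /etc/shadow password-aging fields against a maximum-age policy and
emit the per-user chage commands needed to enforce it. Not part of the original question set."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample in /etc/shadow layout, not taken from a real system:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved   (dates are days since 1970-01-01)
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19500:0:99999:7:::
alice:$6$saltsalt$hashhash:19750:0:99999:7:::
bob:$6$saltsalt$hashhash:19650:0:90:7:::
svc_backup:*:19000:0:99999:7:::
carol:!$6$saltsalt$hashhash:19600:0:99999:7:::
"""


def parse_shadow(text):
    """Return one dict per account with the fields aging decisions depend on."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        entries.append({
            "name": f[0],
            "hash": f[1],
            "lastchg": int(f[2]) if f[2] else None,   # empty = must change at next login
            "max": int(f[4]) if f[4] else None,        # empty or 99999 = effectively never expires
        })
    return entries


def has_usable_password(entry):
    """Locked ('!') and no-login ('*') accounts cannot authenticate with a password; aging is moot."""
    h = entry["hash"]
    return bool(h) and not h.startswith(("!", "*"))


def aging_findings(entries, max_days=90, today=None):
    """Return (noncompliant, overdue).
    noncompliant: usable accounts whose max age is unset or above policy (login.defs never fixes these).
    overdue: usable accounts whose current password is already older than max_days."""
    today = today or date.today()
    today_days = (today - EPOCH).days
    noncompliant, overdue = [], []
    for e in entries:
        if not has_usable_password(e):
            continue
        if e["max"] is None or e["max"] > max_days:
            noncompliant.append(e["name"])
        if e["lastchg"] is not None and today_days - e["lastchg"] > max_days:
            overdue.append(e["name"])
    return noncompliant, overdue


def remediation_commands(noncompliant, overdue, max_days=90):
    """chage -M sets the maximum age; chage -d 0 forces a change at next login for passwords already too old."""
    cmds = [f"chage -M {max_days} {user}" for user in noncompliant]
    cmds += [f"chage -d 0 {user}" for user in overdue]
    return cmds


def audit(text=SAMPLE_SHADOW, max_days=90, today_days=None):
    """Parse, evaluate (at a fixed epoch day when given, for reproducibility) and return
    (noncompliant, overdue, commands)."""
    today = EPOCH + timedelta(days=today_days) if today_days is not None else None
    noncompliant, overdue = aging_findings(parse_shadow(text), max_days, today)
    return noncompliant, overdue, remediation_commands(noncompliant, overdue, max_days)


if __name__ == "__main__":
    _, _, commands = audit(today_days=19800)
    print("\n".join(commands))
```

Run it against a copy of the real file with root privileges (the file is mode 0640, root:shadow) and review the command list before executing it; bob shows how an account can already comply with the maximum yet still be overdue, which is why both checks are needed.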

32
Multi-Selectmedium

Which TWO commands can be used to display the current iptables rules for the filter table?

Select 2 answers
A.iptables -L
B.iptables -S
C.iptables -t filter -L
D.iptables -t nat -L
E.iptables -t mangle -L
AnswersA, C

Lists rules in the filter table by default.

Why this answer

Option A is correct because `iptables -L` lists the current rules in the default filter table without needing to specify the table explicitly. Option C is correct because `iptables -t filter -L` explicitly selects the filter table and lists its rules, which is functionally equivalent to the default behavior of `iptables -L`.

Exam trap

The trap here is that candidates may confuse `-S` (which prints the rules as iptables command lines, the format iptables-save uses) with `-L` (which prints a formatted table), or forget that `-t filter` is the default and assume only `-t filter -L` works. Note that `iptables -S` does list the filter table's rules as well, just in a different format, so it is a valid listing command in practice; the question keys on the two `-L` forms. Add `-n` to skip reverse DNS lookups and `-v` to see packet counters and interfaces.

33
Multi-Selecteasy

Which TWO commands can be used to list all currently listening TCP ports and the associated processes?

Select 2 answers
A.lsof -i TCP -s TCP:LISTEN
B.ss -tlnp
C.netstat -tlnp
D.fuser -v 80/tcp
E.nmap -sT localhost
AnswersB, C

ss -tlnp shows listening TCP ports with process info.

Why this answer

Option B (ss -tlnp) is correct because the ss command with -t (TCP), -l (listening), -n (numeric), and -p (process) shows all listening TCP ports and their associated processes. Option C (netstat -tlnp) is correct because netstat with the same flags provides equivalent output, though ss is the modern replacement on many distributions.

Exam trap

The trap here is the lsof option: `lsof -i TCP -s TCP: LISTEN` is in fact a valid way to list listening TCP sockets with their owning processes (`-s TCP:LISTEN` is precisely the state filter), and like `ss -p` and `netstat -p` it needs root to see other users' processes. The question keys on ss and netstat as the standard tools, so B and C are the expected answers. `fuser -v 80/tcp` reports only the process on one named port, and nmap is an active scanner that probes ports from outside and cannot tell you which process owns them.

34
Multi-Selectmedium

Which TWO commands can be used to list currently loaded iptables rules in the filter table? (Choose two.)

Select 2 answers
A.iptables -L -t nat
B.iptables -nL
C.iptables -L -t filter
D.iptables -Z
E.iptables -F
AnswersB, C

Lists rules numerically (default filter table).

Why this answer

Options B and C are correct. 'iptables -nL' lists the filter table (the default when -t is omitted) with numeric addresses and ports instead of reverse-DNS names and service names; 'iptables -L -t filter' names the table explicitly and produces the same listing. Option A is wrong because '-t nat' lists the nat table, not filter.

Options D and E are not listing commands at all and are destructive: '-Z' zeroes the packet and byte counters, and '-F' flushes (deletes) every rule in the chain or table, which on a host with a DROP default policy cuts off all traffic. 'iptables -S' also lists the filter table's rules, in iptables-save format, and is equally valid in practice.

35
Multi-Selecthard

Which three PAM modules can be used to enforce password complexity? (Select three.)

Select 3 answers
A.pam_securetty.so
B.pam_passwdqc.so
C.pam_unix.so
D.pam_pwquality.so
E.pam_cracklib.so
AnswersB, D, E

These modules enforce password quality and complexity.

Why this answer

pam_cracklib.so, pam_pwquality.so, and pam_passwdqc.so are all modules designed to enforce password complexity policies; pam_pwquality is the maintained successor to pam_cracklib and is what current distributions ship, and pam_passwdqc is an alternative with its own policy syntax. pam_unix.so performs the actual password check and update against /etc/shadow (its remember= option handles reuse, not complexity). pam_securetty.so restricts root login to the terminals listed in /etc/securetty.

36
MCQmedium

A system administrator notices that the SSH service on a Linux server is failing to start. The log shows: 'sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key'. What is the most likely cause and solution?

A.The sshd_config file has a syntax error. Run 'sshd -t' to check it.
B.The SSH service is managed by xinetd and the configuration is missing. Edit /etc/xinetd.d/ssh.
C.The /etc/ssh/sshd_config file has incorrect permissions. Change them to 600.
D.The host key file is missing or corrupt. Run 'ssh-keygen -A' to regenerate all missing host keys.
AnswerD

This regenerates default host keys.

Why this answer

The error message indicates that the SSH daemon cannot load the RSA host key file. Host keys are generated during package installation or manually via ssh-keygen. Option D is correct because running 'ssh-keygen -A' automatically generates all missing host key types (RSA, ECDSA, Ed25519) that are configured for use, resolving the missing or corrupt key issue without manual intervention.

Exam trap

The trap here is that candidates may confuse host key issues with configuration file errors or permissions, but the specific error message directly points to the host key file, not sshd_config, and the correct solution is to regenerate the missing keys rather than editing configuration or checking syntax.

How to eliminate wrong answers

Option A is wrong because a syntax error in sshd_config produces a message naming the file and line ('/etc/ssh/sshd_config line N: Bad configuration option: ...'), and 'sshd -t' tests configuration syntax, not the presence of host keys; it is still worth running after any configuration change. Option B is wrong because OpenSSH runs as a standalone daemon under systemd or an init script; xinetd is used for services such as TFTP, and running sshd from xinetd is rare and not a default anywhere. Option C is wrong because the error names the host key file, not sshd_config. A caveat: the same 'Could not load host key' message appears when the key file exists but is unreadable or corrupt, so check that it is owned by root with mode 0600 before regenerating. 'ssh-keygen -A' only creates key types that do not already exist, so a damaged file must be removed first, and users must be told the new fingerprint because their known_hosts entries will no longer match.

37
MCQhard

A security audit reveals that the /var/log directory contains world-readable log files that may contain sensitive information. The administrator wants to ensure new files created in /var/log are not readable by others, without affecting existing file permissions. Which umask value should be set system-wide?

A.umask 027
B.umask 022
C.umask 077
D.umask 026
AnswerD

Results in default file permissions 640 (rw-r-----).

Why this answer

Option D (umask 026) is the keyed answer: a umask clears the listed bits from the 666 base that newly created regular files start from, so 666 & ~026 = 640 (rw-r-----), which removes read access for others while leaving it for the group. The umask is a bitmask, not a subtraction, and it only affects files created after it takes effect, which is exactly what the question asks for; existing files keep their modes. For log files the umask that matters is the one the writing daemon runs with (rsyslog's $FileCreateMode and $umask, journald's own handling, or a systemd unit's UMask= setting), not the interactive shell's /etc/profile value.

Exam trap

The trap here is the arithmetic: candidates assume 027 removes group read. It does not. 027 clears group write and all 'other' bits, so for regular files 027 and 026 both yield 640; they differ only for directories (750 versus 751), where 026 leaves the others-execute (search) bit set. 027 is the value most hardening guides recommend because it also denies others the ability to traverse new directories; the key here treats 026 as the minimal change that meets the stated requirement.

How to eliminate wrong answers

Option A (umask 027) produces the same file mode as 026 (640), so it also satisfies the file requirement; it differs by clearing the others-execute bit on new directories (750 instead of 751). The claim sometimes made that 027 removes group read is wrong: the 2 in the group position clears only the write bit. Option B (umask 022) gives 644 (rw-r--r--), leaving new files world-readable and failing the audit.

Option C (umask 077) gives 600 (rw-------), removing group access as well, which can break services or administrators that read logs through group membership (for example the adm group on Debian-based systems).
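An added example that is not part of the original page: rather than computing the modes, this Python creates a file and a directory under each candidate umask in a temporary directory and reports what the kernel actually produced, so the 026-versus-027 difference is observed directly. It assumes a POSIX system with no default ACL on the temporary directory.

```python
"""Added example: create a file and a directory under each candidate umask and report the resulting
modes, so the 026-versus-027 difference is seen rather than computed. Not part of the original question set.
Runs on any POSIX system; results assume no default ACL on the temporary directory."""
import os
import stat
import tempfile


def modes_under_umask(umask_value):
    """Return (file_mode, dir_mode) for a new file (666 base) and directory (777 base) created under umask_value."""
    previous = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            file_path = os.path.join(tmp, "app.log")
            dir_path = os.path.join(tmp, "archive")
            fd = os.open(file_path, os.O_CREAT | os.O_WRONLY, 0o666)   # the mode a daemon's open(2) typically requests
            os.close(fd)
            os.mkdir(dir_path, 0o777)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)                                              # umask is process-wide: always restore it


def compare_umasks(candidates=(0o022, 0o026, 0o027, 0o077)):
    """Map each candidate umask (as a three-digit octal string) to its (file_mode, dir_mode)."""
    return {f"{u:03o}": modes_under_umask(u) for u in candidates}


def world_readable(mode):
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for name, (file_mode, dir_mode) in compare_umasks().items():
        print(f"umask {name}: file {file_mode:04o}  dir {dir_mode:04o}  "
              f"world-readable file: {world_readable(file_mode)}")
```

The file column is identical for 026 and 027; only the directory column separates them, which is the distinction the explanation above rests on.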

38
MCQeasy

An administrator uses logwatch to send daily summaries to root. Which configuration file controls the default logwatch behavior?

A./etc/logwatch.conf
B./etc/logwatch/conf/logwatch.conf
C./usr/share/logwatch/default.conf
D./etc/logwatch/logwatch.conf
AnswerB

This is the main configuration file for logwatch.

Why this answer

The main logwatch configuration file is /etc/logwatch/conf/logwatch.conf; settings there override the packaged defaults under /usr/share/logwatch/default.conf/, which should not be edited because package upgrades replace them. Options A and D are not paths logwatch reads, and option C names the defaults directory rather than a configuration file.

39
MCQhard

A PAM configuration file for password authentication includes the line 'password requisite pam_cracklib.so retry=3 minlen=8'. A user tries to change their password but is rejected even though the new password meets the stated criteria. The administrator suspects a conflict with another PAM module. Which of the following is the most likely cause?

A.Another PAM module such as pam_pwhistory.so might be configured to prevent reuse of old passwords, causing rejection even though pam_cracklib passes.
B.The 'retry=3' option limits attempts, but the password is only tried once.
C.The 'requisite' control flag causes immediate failure if pam_cracklib fails, but another module might be overriding.
D.The 'minlen=8' option requires exactly 8 characters, not at least 8.
AnswerA

pam_pwhistory checks the password against a history file; if the new password matches an old one, it fails.

Why this answer

Option A is correct: the password stack is evaluated as a whole, so a module that runs after pam_cracklib can still reject the change. pam_pwhistory.so (or pam_unix.so with remember=N) compares the new password against the hashes kept in /etc/security/opasswd and fails if it was used before, even though pam_cracklib has already accepted it. Option B is wrong because retry=3 only sets how many times the user is re-prompted after a rejection; it says nothing about why a password is rejected.

Option C is wrong because 'requisite' makes a failure of pam_cracklib terminate the stack immediately; it cannot turn a pass into a failure, and a later module is not 'overriding' it but casting its own vote. Option D is wrong because minlen is a minimum, not an exact length (with pam_cracklib's credit system the effective minimum can even be lower than the number given).
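The following Python is an added example, not code from the page: it simulates how Linux-PAM's four simple control keywords (required, requisite, sufficient, optional) combine per-module results into the stack's verdict, using a constructed password stack modelled on a Debian-style common-password file. Module outcomes are supplied as inputs rather than computed, and the option strings in the stack are comments only.

```python
"""Added example: simulate how Linux-PAM control flags combine individual module results into the
stack's final verdict. Not part of the original question set; module outcomes are supplied, not computed."""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    FAIL = "fail"


# Constructed password stack modelled on a Debian-style /etc/pam.d/common-password.
# The option strings are documentation only; this simulator does not interpret them.
PASSWORD_STACK = [
    ("requisite",  "pam_cracklib.so"),   # retry=3 minlen=8: complexity check
    ("required",   "pam_pwhistory.so"),  # remember=5: reject reuse via /etc/security/opasswd
    ("sufficient", "pam_unix.so"),       # writes /etc/shadow; ends the stack unless a required module failed
    ("required",   "pam_deny.so"),       # reached only when pam_unix did not end the stack
]


def run_stack(stack, outcomes):
    """Apply the four simple control keywords. outcomes maps module -> Result; pam_deny always fails.
    Returns (verdict, modules_consulted)."""
    required_failure = False
    consulted = []
    for control, module in stack:
        result = Result.FAIL if module == "pam_deny.so" else outcomes.get(module, Result.SUCCESS)
        consulted.append(module)
        if control == "required":
            if result is Result.FAIL:
                required_failure = True          # remembered; later modules still run
        elif control == "requisite":
            if result is Result.FAIL:
                return Result.FAIL, consulted    # terminate the stack immediately
        elif control == "sufficient":
            if result is Result.SUCCESS and not required_failure:
                return Result.SUCCESS, consulted  # short-circuit success
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass                                 # only decisive when it is the sole module in the stack
        else:
            raise ValueError(f"unsupported control keyword: {control}")
    return (Result.FAIL if required_failure else Result.SUCCESS), consulted


def change_password(**module_results):
    """Run PASSWORD_STACK with the given outcomes, e.g. change_password(**{"pam_pwhistory.so": Result.FAIL})."""
    return run_stack(PASSWORD_STACK, module_results)


if __name__ == "__main__":
    print("all modules pass:        ", change_password())
    print("complexity fails:        ", change_password(**{"pam_cracklib.so": Result.FAIL}))
    print("reused password (Q39):   ", change_password(**{"pam_pwhistory.so": Result.FAIL}))
```

The third scenario is the question's situation: pam_cracklib passes, the required pam_pwhistory fails, and although pam_unix would succeed, the remembered required failure prevents the sufficient short-circuit and the stack ends in pam_deny. Real password stacks run a preliminary-check pass before the update pass, so the reuse is detected before anything is written to /etc/shadow.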

40
MCQhard

A company runs a web application on a Linux server that uses Apache, MySQL, and PHP. The application stores sensitive user data in a MySQL database. The security team has detected that the MySQL service is listening on port 3306 on all interfaces (0.0.0.0). The application and database are on the same server, so there is no need for remote database access. The administrator must secure the MySQL service without breaking the application. Which of the following is the most appropriate course of action?

A.Edit the MySQL configuration file (my.cnf) and set bind-address = 127.0.0.1, then restart the MySQL service.
B.Change the MySQL default port to a non-standard port to avoid automated scans.
C.Disable the MySQL network entirely by commenting out the 'skip-networking' directive in my.cnf.
D.Use iptables to add a rule dropping incoming packets to port 3306 from all IPs except 127.0.0.1.
AnswerA

This restricts MySQL to listen only on localhost, preventing remote connections.

Why this answer

Setting bind-address = 127.0.0.1 in the MySQL configuration file (my.cnf) instructs the MySQL server to listen only on the loopback interface, which prevents remote connections while still allowing local applications (Apache/PHP) to connect via the local socket or TCP to 127.0.0.1. This directly addresses the security concern of exposing the database on all interfaces without breaking the application, as the application and database reside on the same server.

Exam trap

The trap here is that candidates may confuse 'skip-networking' with disabling networking (option C) or think that changing the port (option B) is sufficient security, when in fact the core issue is the binding to all interfaces, which is directly solved by the bind-address directive.

How to eliminate wrong answers

Option B is wrong because moving the service to another port changes nothing about which interfaces it listens on; the database is still reachable from the network, and scanners enumerate all ports anyway. Option C is wrong because skip-networking disables the TCP listener entirely, and commenting it out re-enables networking, the opposite of the intent. With skip-networking in effect only the Unix socket works: in libmysqlclient-based drivers (PHP's mysqli and PDO among them) the host name 'localhost' means the Unix socket, while '127.0.0.1' forces TCP, so an application configured with 127.0.0.1 would break. Option D is wrong because it treats the symptom: the daemon still binds to every interface, the rule only protects while iptables is loaded and correctly ordered, and a misconfiguration or a new interface (for example a container bridge) can re-expose the port. Changing bind-address is a one-line, persistent fix; a firewall rule is a reasonable second layer on top of it, not a substitute. After the restart, verify with 'ss -tlnp' that 3306 is bound to 127.0.0.1 only, and review mysql.user for accounts whose Host column is '%'.
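An added example, not from the original page, that connects this question with the ss -tlnp listing covered in question 33: Python that parses ss output and flags services which should be loopback-only but are bound to a wildcard or external address. The ss output below is constructed, and the process names and the set of ports treated as local-only are assumptions.

```python
"""Added example: parse `ss -tlnp` output and flag services that should be loopback-only but listen
on a wildcard or external address. Not part of the original question set; the output below is constructed."""
import re

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=812,fd=21))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=640,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=501,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=901,fd=4),("apache2",pid=900,fd=4))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=640,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=501,fd=4))
"""

WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text):
    """One dict per LISTEN line: address, port, (process, pid) pairs, and whether the bind is a wildcard."""
    listeners = []
    for line in text.splitlines()[1:]:                 # first line is the column header
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)           # rsplit keeps bracketed IPv6 addresses intact
        procs = PROC_RE.findall(parts[5]) if len(parts) == 6 else []   # empty unless ss ran as root
        listeners.append({"addr": addr, "port": int(port),
                          "procs": [(name, int(pid)) for name, pid in procs],
                          "wildcard": addr in WILDCARD})
    return listeners


def exposed_local_only(listeners, local_only_ports=(3306, 6379)):
    """Findings (port, addr, process) for local-only services bound anywhere except loopback."""
    findings = []
    for entry in listeners:
        if entry["port"] in local_only_ports and entry["addr"] not in LOOPBACK:
            names = ",".join(sorted({name for name, _ in entry["procs"]})) or "?"
            findings.append((entry["port"], entry["addr"], names))
    return findings


def audit(text=SS_OUTPUT):
    return exposed_local_only(parse_listeners(text))


if __name__ == "__main__":
    for port, addr, proc in audit():
        print(f"{proc} listens on {addr}:{port}; bind it to 127.0.0.1 or add a firewall rule")
```

Feed it real output with `ss -tlnp | python3 this_script.py` after adapting the main block to read stdin; the redis entries show what a correctly confined service looks like on both IPv4 and IPv6 loopback.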

41
MCQeasy

An administrator wants to encrypt a file so that only a specific recipient can decrypt it. Which GPG command should be used?

A.gpg --encrypt --recipient key-id file
B.gpg --symmetric file
C.gpg --clearsign file
D.gpg --sign file
AnswerA

This encrypts the file for the specified recipient's public key.

Why this answer

To encrypt for a specific recipient, use gpg --encrypt --recipient key-id file; the data is encrypted to that key's public key and only the holder of the matching private key can decrypt it. --symmetric encrypts with a passphrase rather than a key, so anyone who learns the passphrase can decrypt. --sign produces a signature with the data wrapped inside, and --clearsign produces a readable signed message; neither encrypts anything. In practice combine --encrypt --sign so the recipient can also verify who sent the file, and add --armor for ASCII output that survives email.

42
Multi-Selecthard

Which TWO of the following are valid methods to restrict access to the su command on a Linux system? (Choose two.)

Select 2 answers
A.Set the SU_WHEEL_ONLY variable in /etc/login.defs.
B.Modify /etc/shells to include only approved shells.
C.Configure sudoers to allow only specific users to run su.
D.Edit the /etc/suauth file to specify allowed users.
E.Add the user to the 'wheel' group and configure pam_wheel.so in /etc/pam.d/su.
AnswersD, E

Legacy method, still works on some systems.

Why this answer

Option D is correct because /etc/suauth is read by the su command from the shadow-utils suite and lists which users or groups may su to which accounts, and whether a password is required; it is a legacy mechanism, and the su shipped by util-linux on most current distributions ignores it, so check which su your system has before relying on it. Option E is correct because 'auth required pam_wheel.so use_uid' in /etc/pam.d/su limits su to members of the wheel group, the standard PAM-based control and the one that works wherever PAM is in use. Option A is not a reliable method: SU_WHEEL_ONLY does exist in login.defs for shadow-utils, but it is honored only by a non-PAM build of su and is ignored on PAM systems. Option B is wrong because /etc/shells validates login shells (for chsh and FTP daemons), not who may switch users. Option C is wrong because sudoers governs sudo, not the setuid su binary; a user denied 'sudo su' can still run /bin/su directly.

Exam trap

LPI often tests the misconception that /etc/shells, or login.defs on a PAM-based system, can restrict su; those files serve other purposes (shell validation and shadow-utils defaults), and the working controls are pam_wheel and, on a legacy shadow-utils su, /etc/suauth.

43
MCQmedium

A system administrator wants to allow the user 'jdoe' to run the '/usr/bin/systemctl restart httpd' command on a specific server without a password prompt. Which sudoers entry achieves this?

A.jdoe ALL=(ALL) /usr/bin/systemctl restart httpd
B.jdoe ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
C.user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
D.jdoe ALL=(ALL) ALL
AnswerB

Grants passwordless execution of the specific command.

Why this answer

Option B is correct: jdoe is the user, ALL the host list, (ALL) the run-as list, NOPASSWD: the tag, and the exact command with its arguments. Option A is wrong because it omits the tag, so sudo's default PASSWD applies and jdoe is prompted.

Option C is wrong because it grants the rule to an account literally named 'user', not to jdoe. Option D is wrong because ALL grants every command as root (and still prompts for a password), far more than the policy calls for.

44
MCQhard

A company runs an Apache web server (port 80) and an SSH server (port 22) for remote administration. The system administrator notices that the server has become sluggish and network traffic has increased significantly. Checking /var/log/auth.log reveals hundreds of failed SSH authentication attempts per minute from diverse IP addresses targeting the 'admin' user. The administrator wants to mitigate this brute-force attack with minimal impact on legitimate users. Which course of action is most effective?

A.Change the SSH port to a non-standard port number.
B.Disable password authentication for SSH and use key-based authentication only.
C.Add the offending IP addresses to /etc/hosts.deny manually.
D.Install and configure fail2ban to block IP addresses after 5 failed SSH attempts within 10 minutes.
AnswerD

fail2ban dynamically blocks offending IPs, reducing attack surface while allowing legitimate users who might mistype credentials.

Why this answer

Install fail2ban with an sshd jail (maxretry=5, findtime=10m, bantime as policy dictates) so that source addresses are banned automatically after repeated failures while a legitimate user who mistypes a password a couple of times is unaffected. Option A only slows untargeted scanners. Option C does not scale against hundreds of rotating addresses and, since OpenSSH dropped libwrap support in 6.7, /etc/hosts.deny no longer affects sshd on current systems anyway. Option B is a strong hardening step that ends password guessing altogether and is what many teams do next; the question prefers D because disabling passwords changes how every user logs in, whereas fail2ban is transparent to them. Against a distributed attack from many addresses, per-IP banning cuts the noise but does not make a guessable password safe.

45
MCQeasy

A user's SSH public key has been added to '~/.ssh/authorized_keys' on a remote server, but the user is still prompted for a password. Which file permission is most likely causing the issue?

A.0660
B.0644
C.0444
D.0600
AnswerA

Group writable; SSH rejects group-writable authorized_keys.

Why this answer

Option A is correct. With StrictModes enabled (the default) sshd refuses to use authorized_keys if the file, ~/.ssh, or the home directory is writable by group or others, logging 'Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys' and falling back to password authentication. 0660 grants group write, so the key is ignored. Options B (0644), C (0444) and D (0600) have no group or world write bit and pass the check; 0600 is the recommended mode for the file and 0700 for ~/.ssh. Ownership matters too: each path component must belong to the user or to root.
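An added example that is not part of the original page, covering this question and the permission condition in question 30: Python that reproduces the rule sshd's StrictModes applies to each component it walks (home directory, ~/.ssh, authorized_keys) and reports why key authentication would be refused. The stat results are constructed stand-ins, not real filesystem data, and the user, paths and uid are assumptions.

```python
"""Added example: reproduce the ownership and mode checks that sshd applies (StrictModes yes, the default)
to the home directory, ~/.ssh and authorized_keys before it will honour a public key.
Not part of the original question set; the stat results are constructed stand-ins."""
import stat
from dataclasses import dataclass


@dataclass
class PathStat:
    path: str
    mode: int            # permission bits only, e.g. 0o660
    uid: int


def strict_modes_problems(chain, login_uid):
    """chain: PathStat for the home directory, ~/.ssh and authorized_keys (the components sshd walks).
    Returns the reasons sshd would log 'Authentication refused: bad ownership or modes'; empty means accepted.
    The rule for each component: owned by the login user or root, and not writable by group or others."""
    problems = []
    for p in chain:
        if p.uid not in (login_uid, 0):
            problems.append(f"{p.path}: owner uid {p.uid} is neither the user nor root")
        if p.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p.path}: mode {p.mode:04o} is writable by group or others")
    return problems


def key_auth_accepted(chain, login_uid):
    return not strict_modes_problems(chain, login_uid)


def user_chain(home="/home/alice", uid=1000, home_mode=0o755, ssh_mode=0o700,
               keys_mode=0o600, keys_uid=None):
    """Build a constructed ~/.ssh layout for one user; keys_uid overrides the owner of authorized_keys."""
    return [PathStat(home, home_mode, uid),
            PathStat(f"{home}/.ssh", ssh_mode, uid),
            PathStat(f"{home}/.ssh/authorized_keys", keys_mode, uid if keys_uid is None else keys_uid)]


if __name__ == "__main__":
    for label, chain in (("recommended 700/600", user_chain()),
                         ("group-writable keys 660", user_chain(keys_mode=0o660)),
                         ("world-readable keys 644", user_chain(keys_mode=0o644)),
                         ("group-writable home 775", user_chain(home_mode=0o775))):
        print(f"{label:26} -> {strict_modes_problems(chain, 1000) or 'accepted'}")
```

The 644 case is the one candidates get wrong: a readable authorized_keys is tolerated (it holds public keys), a writable one is not, because anyone with write access could add their own key.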

46
MCQmedium

An application running under AppArmor is failing to write to its log directory. The AppArmor profile for the application includes the line '/var/log/myapp/ r,' but not '/var/log/myapp/** rw,'. What is the most likely issue?

A.The directory itself is not created, and AppArmor prevents creation.
B.The 'r' permission only allows read, but write is required.
C.The AppArmor service is not running, so the profile is not enforced.
D.The profile needs 'ix' instead of 'r' for execute rights.
AnswerB

The profile grants read access to the directory, but write access to files requires rw permissions on the directory contents.

Why this answer

Option B is correct. AppArmor matches a rule's path literally or by glob, and '/var/log/myapp/ r,' names only the directory entry itself (the trailing slash means the directory), so it grants nothing for the files inside and grants only read even for the directory. Writing log files requires a rule that covers the contents with write permission, such as '/var/log/myapp/** rw,' or, more tightly, 'owner /var/log/myapp/*.log w,'. Option A is wrong because the scenario is about writing into an existing log directory, not creating it, and creating it would equally need a matching rule with write permission. Option C is wrong because if AppArmor were not enforcing, nothing would be denied in the first place; aa-status shows which profiles are loaded and in which mode.

Option D is wrong because 'ix' is an execute permission (run the program under the current profile), irrelevant to a log directory. The denied access appears in the kernel log as apparmor="DENIED" with the operation, path and requested_mask, and aa-logprof will propose the missing rule from those entries.
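An added example, not code from the page: a Python matcher for AppArmor file rules that implements the globbing semantics ('*' stops at '/', '**' crosses it, '?' is one character, '{a,b}' alternatives) and shows which accesses the profile fragment above grants before and after the fix. The profile text is constructed; deny and audit rules, variables and abstractions are outside the subset handled.

```python
"""Added example: match paths against AppArmor file rules to see which accesses a profile actually grants.
Not part of the original question set; handles plain path rules with r/w/a/k/m/l/x permissions and the
'owner' qualifier, not deny/audit rules, variables or abstractions."""
import re


def glob_to_regex(pattern):
    """AppArmor globbing: '**' spans any characters including '/', '*' any run of non-'/' characters,
    '?' one non-'/' character, '{a,b}' alternatives; everything else is literal."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            close = pattern.index("}", i)
            out += "(?:" + "|".join(re.escape(a) for a in pattern[i + 1:close].split(",")) + ")"
            i = close
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


RULE_RE = re.compile(r"^(?:owner\s+)?(?P<path>/\S*)\s+(?P<perms>[rwakmlixpuc]+)\s*,$")


def parse_rules(profile_text):
    """Return (pattern, compiled_regex, permission_set) for each file rule; other lines are ignored."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if m:
            perms = set(m["perms"])
            if "w" in perms:
                perms.add("a")          # write implies append
            rules.append((m["path"], glob_to_regex(m["path"]), perms))
    return rules


def granted(rules, path):
    """Union of permissions from every rule whose glob matches the path (AppArmor accumulates matches)."""
    perms = set()
    for _, rx, rule_perms in rules:
        if rx.match(path):
            perms |= rule_perms
    return perms


def allowed(rules, path, perm):
    return perm in granted(rules, path)


# Constructed profile fragments: the question's original rule, then the fix covering the directory's contents.
PROFILE_BEFORE = """
  /var/log/myapp/ r,
  /etc/myapp/*.conf r,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  owner /var/log/myapp/** rw,\n"

if __name__ == "__main__":
    for label, text in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        rules = parse_rules(text)
        print(label, "app.log write:", allowed(rules, "/var/log/myapp/app.log", "w"),
              "nested write:", allowed(rules, "/var/log/myapp/2024/app.log", "w"))
```

The /etc/myapp/*.conf rule is included to contrast the two wildcards: it reaches main.conf but not sub/main.conf, whereas the '**' in the fix reaches rotated logs in subdirectories as well.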

47
MCQeasy

A small business has a single Linux server that serves as both a file server (Samba) and a web server (Apache). The server is directly connected to the internet. Recently, there have been numerous brute-force SSH login attempts. The administrator wants to implement a simple solution to block IP addresses that have more than 5 failed SSH attempts in 10 minutes. The server runs Ubuntu 20.04. Which tool should the administrator use to achieve this with minimal configuration?

A.Enable UFW and set default deny incoming, allow SSH from specific IPs.
B.Install and configure Fail2ban to monitor /var/log/auth.log.
C.Set up TCP wrappers with /etc/hosts.deny for SSH.
D.Use port knocking to hide SSH port until a specific sequence is sent.
AnswerB

Fail2ban can ban IPs after a configurable number of failed attempts.

Why this answer

Option B is correct: Fail2ban tails /var/log/auth.log, counts failed sshd logins per source address within findtime and inserts a firewall ban once maxretry is exceeded, which is exactly the stated requirement and needs little beyond enabling the sshd jail. Option A (UFW) is a static front end to iptables/nftables; default-deny with an allow list from known IPs is good practice but has no notion of failed attempts and would lock out legitimate users on dynamic addresses.

Option C (TCP wrappers) is static as well, and OpenSSH has not linked against libwrap since 6.7, so /etc/hosts.deny does not affect sshd on Ubuntu 20.04. Option D (port knocking, e.g. knockd) hides the port rather than reacting to failures and adds friction to every legitimate login.

48
MCQmedium

A company's security policy requires that all members of the 'developers' group be able to run the command 'systemctl restart httpd' as root using sudo, without being prompted for a password. Which sudoers entry achieves this?

A.%developers ALL=(root) /usr/bin/systemctl restart httpd
B.%developers ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
C.developers ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
D.%developers ALL=(root) NOPASSWD: {/usr/bin/systemctl restart httpd}
E.%developers ALL=(0) NOPASSWD: /usr/bin/systemctl restart httpd
AnswerB

Correct syntax: group, hosts, runas, NOPASSWD, command.

Why this answer

Option B is correct. The syntax '%group ALL=(root) NOPASSWD: command' grants every member of the developers group passwordless execution of that exact command as root. Option A omits the NOPASSWD tag, so members are prompted for their password. Option C omits the leading '%', so sudo reads 'developers' as a user name rather than a group. Option D is a syntax error because braces are not sudoers syntax (visudo -c rejects it). Option E uses (0) for the run-as list, but a numeric ID in sudoers must be written with a hash, as (#0); without it sudo looks for a user literally named '0' and the rule grants nothing useful.

49
Multi-Selecteasy

Which two of the following are valid methods to authenticate with OpenVPN? (Select two.)

Select 2 answers
A.LDAP
B.RADIUS
C.NIS
D.Static key
E.TLS/SSL certificates
AnswersD, E

Static key authentication uses a pre-shared key between client and server.

Why this answer

OpenVPN has two native peer-authentication modes: a pre-shared static key (--secret, point-to-point only, one client per server, no forward secrecy, and marked deprecated in recent releases) and TLS with X.509 certificates, the recommended mode. LDAP and RADIUS can be added through plugins or auth-user-pass-verify scripts to check user names and passwords on top of TLS, but they are not native OpenVPN authentication methods. NIS is not supported.

50
MCQhard

An AppArmor profile for a database server is too restrictive and denies legitimate queries. The administrator wants to learn the required accesses by running the application in complain mode. Which command puts the profile into complain mode?

A.aa-complain /etc/apparmor.d/usr.sbin.mysqld
B.aa-disable /etc/apparmor.d/usr.sbin.mysqld
C.aa-enforce /etc/apparmor.d/usr.sbin.mysqld
D.aa-log /etc/apparmor.d/usr.sbin.mysqld
AnswerA

Puts the profile in complain mode, logging violations without blocking.

Why this answer

Option A is correct because 'aa-complain <profile-or-program>' switches the profile to complain mode: every access the profile would have denied is permitted and logged instead (apparmor="ALLOWED" in the kernel log), which is the data aa-logprof uses to propose new rules. Option B is wrong because 'aa-disable' unloads the profile entirely, leaving the database unconfined with no record of what it touched. Option C is wrong because 'aa-enforce' is the opposite direction, back to blocking.

Option D is wrong because 'aa-log' is not an AppArmor command; the log-driven tools are aa-logprof, aa-genprof and aa-notify. Return the profile to enforce mode once it is complete; a profile left in complain mode protects nothing.

51
MCQmedium

Based on the iptables output, what is the expected behavior for incoming SSH connections on eth0?

A.SSH connections are only allowed if they are part of an established connection.
B.SSH connections from any source to port 22 on eth0 are allowed if they are new.
C.SSH connections are dropped because the default policy is DROP.
D.SSH connections are only allowed from the loopback interface.
AnswerB

The rule matches new SSH connections on eth0.

Why this answer

The iptables output shows a rule on the INPUT chain for eth0 that accepts TCP packets destined for port 22 (SSH) with the state NEW. This means that any incoming SSH connection attempt (SYN packet) that is not part of an existing connection is explicitly allowed. The default policy for the INPUT chain is ACCEPT (not shown as DROP), so even without this rule, SSH would be allowed, but the rule ensures it is explicitly permitted for new connections.

Exam trap

The trap here is that candidates may assume the default policy is DROP (a common security practice) and overlook the explicit ACCEPT rule for NEW SSH connections, or they may confuse the NEW state with ESTABLISHED, thinking that only existing connections are allowed.

How to eliminate wrong answers

Option A is wrong because the rule specifically matches the NEW state, not ESTABLISHED; established connections are handled by a separate rule (not shown) or the default policy. Option C is wrong because the default policy is ACCEPT (as indicated by the chain policy being ACCEPT in the output), not DROP, so SSH connections are not dropped by default. Option D is wrong because the rule applies to eth0, not the loopback interface (lo); there is no restriction to loopback, and SSH on eth0 is explicitly allowed.

52
MCQmedium

An administrator wants to allow user 'john' to execute any command as root without a password. Which sudoers entry is correct?

A.john ALL=(ALL) NOPASSWD:ALL
B.john ALL=(ALL) NOPASSWD:/bin/ls
C.john ALL=(ALL) ALL
D.john ALL=(ALL) PASSWD:ALL
AnswerA

This allows john to run any command as any user without a password.

Why this answer

Option A is correct: 'john ALL=(ALL) NOPASSWD:ALL' lets john run any command, as any user, on any host, with no password. Option B limits him to /bin/ls. Option C grants all commands but, with no tag, uses sudo's default of PASSWD, so john is prompted.

Option D spells that default out explicitly (PASSWD:ALL) and likewise prompts. A rule like A is equivalent to an unprotected root account and belongs only on break-glass or automation accounts whose access is controlled some other way.
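An added example covering the sudoers questions in this set (29, 43, 48 and 52) rather than code from the page: a Python linter for single user-specification lines that parses user, host, run-as, tags and commands, rejects the malformed variants used as distractors (NOPASSWD::, braces, (0) instead of (#0)) and warns about risky grants. It is a teaching aid, not a replacement for visudo -c: aliases, Defaults lines, include directives and argument wildcards are outside the subset it handles, and the TAGS list and name pattern are assumptions matching that subset of sudoers(5).

```python
"""Added example: parse a single sudoers user specification and flag syntax errors and risky grants.
Not part of the original question set, and not a replacement for `visudo -c`; aliases, Defaults lines,
include directives and argument wildcards are outside this subset."""
import re

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT", "NOLOG_INPUT",
        "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
LINE_RE = re.compile(r"^\s*(?P<users>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?P<spec>.+?)\s*$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):(?P<rest>.*)$")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*\$?")


class SudoersError(ValueError):
    pass


def classify_member(token):
    """Return (kind, name) for one User_List or Runas_List member."""
    token = token.strip()
    if token == "ALL":
        return ("all", "ALL")
    if token.startswith("%#"):
        return ("gid", token[2:])
    if token.startswith("%"):
        return ("group", token[1:])
    if token.startswith("#"):
        if not token[1:].isdigit():
            raise SudoersError(f"bad numeric id {token!r}")
        return ("uid", token[1:])
    if token.isdigit():
        # sudo would look up a *user named* '0'; a numeric UID has to be written #0
        raise SudoersError(f"numeric id {token!r} must be written with a leading '#'")
    if not NAME_RE.fullmatch(token):
        raise SudoersError(f"invalid name {token!r}")
    return ("user", token)


def parse_user_spec(line):
    m = LINE_RE.match(line)
    if not m:
        raise SudoersError("expected: <users> <hosts> = [(runas)] [TAG:]... <commands>")
    users = [classify_member(t) for t in m["users"].split(",")]
    hosts = m["hosts"].split(",")
    spec = m["spec"]
    runas = [("user", "root")]                     # sudo's default when no (runas) list is given
    rm = RUNAS_RE.match(spec)
    if rm:
        user_part = rm["runas"].split(":", 1)[0]   # "(user : group)": only the user list is modelled
        runas = [classify_member(t) for t in user_part.split(",") if t.strip()] or runas
        spec = rm["rest"]
    tags = []
    while True:
        tm = TAG_RE.match(spec)
        if not tm or tm["tag"] not in TAGS:
            break
        tags.append(tm["tag"])
        spec = tm["rest"]
        if spec.startswith(":"):
            raise SudoersError(f"doubled colon after {tm['tag']}; a tag takes exactly one ':'")
        spec = spec.lstrip()
    if "{" in spec or "}" in spec:
        raise SudoersError("braces are not sudoers syntax; separate commands with commas")
    commands = [c.strip() for c in spec.split(",") if c.strip()]
    if not commands:
        raise SudoersError("missing command list")
    for c in commands:
        if c != "ALL" and not c.startswith("/"):
            raise SudoersError(f"command must be ALL or an absolute path: {c!r}")
    return {"users": users, "hosts": hosts, "runas": runas, "tags": tags,
            "commands": commands, "warnings": assess(tags, commands)}


def assess(tags, commands):
    """Security warnings a reviewer would raise even for syntactically valid lines."""
    warnings = []
    if "ALL" in commands:
        warnings.append("ALL grants every command" + (" without a password" if "NOPASSWD" in tags else ""))
    for c in commands:
        if c != "ALL" and len(c.split()) == 1:
            warnings.append(f"{c} lists no arguments, so sudo permits it with any arguments")
    return warnings


def lint(line):
    """Return ('ok', parsed) or ('error', message) without raising."""
    try:
        return ("ok", parse_user_spec(line))
    except SudoersError as e:
        return ("error", str(e))


if __name__ == "__main__":
    for candidate in ("jdoe ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd",
                      "user ALL=(root) NOPASSWD:: /usr/bin/systemctl restart apache2",
                      "%developers ALL=(0) NOPASSWD: /usr/bin/systemctl restart httpd",
                      "john ALL=(ALL) NOPASSWD:ALL"):
        print(candidate, "->", lint(candidate))
```

The parser cannot know that 'user' or 'developers' without '%' is the wrong principal, only that the line is syntactically a grant to a user of that name; the kind it reports ("user" versus "group") is what you check against the policy's intent.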

53
MCQmedium

Refer to the exhibit. A security audit reveals that the server is not blocking SSH connections from unauthorized networks. What is the most likely cause?

A.The FORWARD chain is DROP, blocking all forwarded traffic.
B.The SSH rule uses --dport 22 but missing source IP restriction, allowing all sources.
C.The default policy for INPUT is DROP, which should block all, but SSH works due to the ESTABLISHED,RELATED rule.
D.The SSH rule does not restrict source IP, so it allows all incoming SSH connections.
AnswerD

Without a source IP limitation, the rule permits SSH from any IP address.

Why this answer

The SSH rule (-A INPUT -p tcp --dport 22 -j ACCEPT) matches on destination port only, with no -s source restriction, so new SSH connections from any address are accepted before the default DROP policy is ever reached. Option A is irrelevant: the FORWARD chain applies to routed traffic, not to connections to the host itself. Option C describes how the ESTABLISHED,RELATED rule lets replies flow but does not explain why a new connection from an unauthorized network gets in. Option B states the same condition as D; the key lists D. The fix is to qualify the rule with the permitted networks (e.g. -s 10.0.0.0/8) or, where that is impractical, to put SSH behind a VPN or bastion host.
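An added example, not from the original page, serving this question together with the ordering question (26) and the NEW-state question (51): a first-match evaluator for a subset of iptables INPUT-chain commands, so rule order can be tested on constructed packets before touching a live host. It models -A, -I (insert at the top), -P, and the -s, -p, -i, --dport and conntrack/state matches only; the rule sets and packets below are assumptions written to mirror the questions.

```python
"""Added example: a first-match evaluator for a subset of iptables INPUT-chain commands, used to test
rule order before touching a live host. Not part of the original question set; it models -A, -I (at the top),
-P, and the -s, -p, -i, --dport and conntrack/state matches only."""
import ipaddress
import shlex

NEEDS_ARG = {"-s", "-p", "-i", "--dport", "--ctstate", "--state", "-j", "-m"}


class InputChain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []                       # ordered (match, target) pairs; the first match wins

    def apply(self, command):
        """Load one iptables command line, validating it the way the real binary would for this subset."""
        toks = shlex.split(command)
        if toks and toks[0] == "iptables":
            toks = toks[1:]
        if len(toks) < 2 or toks[1] != "INPUT":
            raise ValueError("only the INPUT chain is modelled")
        if toks[0] == "-P":
            self.policy = toks[2]
            return self
        match, target, i = {}, None, 2
        while i < len(toks):
            t = toks[i]
            if t in NEEDS_ARG and i + 1 >= len(toks):
                raise ValueError(f'option "{t}" requires an argument')   # e.g. a dangling trailing -m
            if t == "-j":
                target = toks[i + 1]
            elif t == "-m":
                pass                          # extension name (conntrack/state/tcp); its options are parsed as matches
            elif t in NEEDS_ARG:
                match[t] = toks[i + 1]
            else:
                raise ValueError(f"unsupported option {t!r}")
            i += 2
        if target is None:
            raise ValueError("rule has no -j target")
        if toks[0] == "-A":
            self.rules.append((match, target))
        elif toks[0] == "-I":
            self.rules.insert(0, (match, target))
        else:
            raise ValueError(f"unsupported operation {toks[0]!r}")
        return self

    @staticmethod
    def _matches(match, pkt):
        if "-s" in match and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(match["-s"], strict=False):
            return False
        if "-i" in match and match["-i"] != pkt.get("iface"):
            return False
        if "-p" in match and match["-p"] != pkt["proto"]:
            return False
        if "--dport" in match and int(match["--dport"]) != pkt.get("dport"):
            return False
        states = match.get("--ctstate") or match.get("--state")
        if states and pkt.get("state", "NEW") not in states.split(","):
            return False
        return True

    def verdict(self, pkt):
        """(target, index of the deciding rule), or (policy, None) when nothing matched."""
        for idx, (match, target) in enumerate(self.rules):
            if self._matches(match, pkt):
                return target, idx
        return self.policy, None


def build(commands, policy="ACCEPT"):
    chain = InputChain(policy)
    for c in commands:
        chain.apply(c)
    return chain


def rejected(command):
    """True when the command is malformed for this subset (iptables would refuse it too)."""
    try:
        InputChain().apply(command)
        return False
    except ValueError:
        return True


# Constructed rule sets and packets mirroring questions 26, 51 and 53.
OPTION_C = ["iptables -A INPUT -s 203.0.113.55 -j DROP",
            "iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT"]
OPTION_D = ["iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT",
            "iptables -A INPUT -s 203.0.113.55 -j DROP"]
OPEN_SSH = ["iptables -P INPUT DROP",
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"]          # no -s: SSH from anywhere
SSH_FROM_BLOCKED = {"src": "203.0.113.55", "proto": "tcp", "dport": 22, "iface": "eth0"}
HTTP_FROM_BLOCKED = {"src": "203.0.113.55", "proto": "tcp", "dport": 80, "iface": "eth0"}
SSH_FROM_ELSEWHERE = {"src": "198.51.100.7", "proto": "tcp", "dport": 22, "iface": "eth0"}

if __name__ == "__main__":
    print("option C, SSH from blocked host:", build(OPTION_C).verdict(SSH_FROM_BLOCKED))
    print("option D, SSH from blocked host:", build(OPTION_D).verdict(SSH_FROM_BLOCKED))
    print("option D, HTTP from blocked host:", build(OPTION_D).verdict(HTTP_FROM_BLOCKED))
    print("unrestricted SSH rule, new SSH from anywhere:", build(OPEN_SSH).verdict(SSH_FROM_ELSEWHERE))
```

Swap the last OPEN_SSH rule for one carrying -s 10.0.0.0/8 and the same packet falls through to the DROP policy, which is the fix this question calls for; the evaluator is deliberately strict about unknown options so a typo fails loudly rather than silently matching nothing.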

54
MCQmedium

A company requires two-factor authentication for SSH logins. Which PAM module can be used to implement this if the system uses a time-based one-time password (TOTP)?

A.pam_radius.so
B.pam_ldap.so
C.pam_krb5.so
D.pam_google_authenticator.so
AnswerD

This module provides TOTP-based two-factor authentication.

Why this answer

pam_google_authenticator.so (from the google-authenticator-libpam package) verifies a TOTP code against the secret stored in the user's ~/.google_authenticator and is stacked with pam_unix so that both the password and the code are required. For sshd to reach that PAM stack, sshd_config needs UsePAM yes and keyboard-interactive authentication enabled (KbdInteractiveAuthentication, formerly ChallengeResponseAuthentication), and AuthenticationMethods can additionally demand a key plus the code. pam_radius.so defers to a RADIUS server, which might itself do TOTP, but the module is not a TOTP implementation. pam_ldap.so and pam_krb5.so authenticate against directory and Kerberos services and provide no second factor.

55
Multi-Selecteasy

Which TWO of the following actions are recommended to improve SSH server security?

Select 2 answers
A.PermitEmptyPasswords no
B.PasswordAuthentication no
C.AllowUsers *.example.com
D.PermitRootLogin yes
E.UsePAM yes
AnswersA, B

Preventing empty passwords eliminates a major vulnerability where an account could have no password set.

Why this answer

Disabling password authentication (option B) removes password guessing as an attack class, leaving only key-based login, and PermitEmptyPasswords no (option A) closes the case of an account with a blank password. Option C is malformed: AllowUsers takes user or user@host patterns, so '*.example.com' as a user pattern matches no one useful and would lock users out. Option D is the opposite of hardening; PermitRootLogin should be no or prohibit-password. Option E, UsePAM yes, is the default on most distributions and is needed for PAM-based controls, but by itself it does not reduce the attack surface.

56
MCQhard

A security audit reveals that a server with PAM authentication allows users to log in even when the '/etc/nologin' file exists, contrary to policy. Which PAM module is most likely misconfigured or missing?

A.pam_nologin.so
B.pam_securetty.so
C.pam_access.so
D.pam_lastlog.so
AnswerA

Denies login if /etc/nologin exists.

Why this answer

Option A is correct because pam_nologin.so denies login to every non-root user while /etc/nologin exists (and prints the file's contents); if that module is missing from the auth stack of the relevant services, typically 'auth requisite pam_nologin.so' in /etc/pam.d/login and /etc/pam.d/sshd, the file has no effect. Note that it never blocks root, by design. Option B is wrong because pam_securetty.so only restricts root to the terminals listed in /etc/securetty. Option C is wrong because pam_access.so enforces the user and origin rules in /etc/security/access.conf, which is independent of /etc/nologin.

Option D is wrong because pam_lastlog.so merely records and displays the last login.

57
MCQmedium

You are the security administrator for a company that runs a web application on a Linux server. The application runs under the user 'www-data' and listens on TCP port 8080. The server also runs an SSH service on port 22. Recently, an external penetration test revealed that an attacker could exploit a vulnerability in the web application to execute commands as the 'www-data' user, and from there, the attacker could escalate privileges to root due to a misconfigured sudo rule. You need to implement a defense-in-depth approach to limit the impact of such an attack. Which single action would be the most effective in preventing privilege escalation from the 'www-data' user to root, while still allowing the application to function normally?

A.Review and remove any sudo privileges granted to the 'www-data' user in /etc/sudoers, and ensure the application does not require sudo.
B.Change the SSH port to a non-standard port to reduce the attack surface.
C.Run the web application in a chroot jail to isolate it from the rest of the filesystem.
D.Implement mandatory access control with AppArmor profiles for the web application.
AnswerA

Directly eliminates the escalation path.

Why this answer

Option A is correct because the core issue is a misconfigured sudo rule that allows the 'www-data' user to execute commands as root. By reviewing and removing any sudo privileges for 'www-data' in /etc/sudoers (and in /etc/sudoers.d/), you directly eliminate the privilege escalation path without affecting the web application's normal operation, as the application itself does not require sudo to function on its designated port 8080. Check the effective rules with 'sudo -l -U www-data', which also reveals grants inherited through group entries such as %www-data, and validate the edited file with 'visudo -c' before relying on it. Confinement (Options C and D) is still worth adding afterwards as defense in depth; it just does not fix the stated root cause.

Exam trap

The trap here is that candidates often choose AppArmor or chroot as a general security measure, overlooking that the specific vulnerability is a misconfigured sudo rule, which must be fixed directly to prevent privilege escalation.

How to eliminate wrong answers

Option B is wrong because changing the SSH port to a non-standard port only obscures the service from casual scans but does not prevent privilege escalation from the compromised 'www-data' user; the attacker can still connect via SSH if credentials are compromised or use other lateral movement techniques. Option C is wrong because running the web application in a chroot jail can limit filesystem access but does not prevent the 'www-data' user from using sudo if a misconfigured sudo rule exists, as chroot does not restrict process capabilities or sudo execution. Option D is wrong because implementing AppArmor profiles can confine the web application's behavior and system calls, but it does not directly address the misconfigured sudo rule; an attacker could still execute 'sudo' commands if the rule is present, as AppArmor typically does not restrict sudo execution unless specifically profiled.

58
Multi-Selectmedium

Which TWO of the following are recommended best practices for securing a Linux server that is publicly accessible?

Select 2 answers
A.Run all services with root privileges.
B.Set all user passwords to simple, memorable ones.
C.Use a firewall to restrict access to only necessary ports.
D.Enable NFS exports for file sharing.
E.Disable direct root login via SSH.
AnswersC, E

Reduces the attack surface by limiting exposed services.

Why this answer

Options C and E are correct. Using a firewall to allow only the ports a service actually needs, and disabling direct root login over SSH (so an attacker must first compromise a named account and every privileged action goes through sudo, where it is attributable), are standard security practices. Option A is incorrect because running services as root turns any compromise of a service into a compromise of the whole host.

Option D is incorrect because NFS offers no meaningful authentication over an untrusted network and should never be exposed to the internet. Option B is incorrect because passwords should be long and unique, not simple.

59
MCQmedium

A company runs a critical database server on a Linux system. The server is subject to a strict compliance policy that requires all commands executed by the database administrator (user 'dbadmin') to be logged. Additionally, any attempt to change the system time must be logged regardless of the user. The administrator has configured auditd and added the following rules: -w /usr/bin -p x -k binary_exec, -a always,exit -F arch=b64 -S adjtimex -F key=time_change. However, during a compliance audit, it is discovered that not all commands executed by dbadmin are being logged. Which of the following is the most likely cause?

A.The auditd logs are being overwritten because the audit log file size is too small.
B.The auditd service is not running because the kernel was not compiled with audit support.
C.The adjtimex syscall rule is incorrect and prevents other rules from being processed.
D.The rule -w /usr/bin -p x only monitors executables in /usr/bin, not commands in other directories or built-in shell commands.
AnswerD

The rule only watches /usr/bin; dbadmin may run commands from elsewhere.

Why this answer

Option D is correct because the rule `-w /usr/bin -p x` only monitors execution of binaries located under `/usr/bin`. Commands executed from other directories (e.g., `/usr/local/bin`, `/opt`, or built-in shell commands like `cd` or `alias`) are not captured. Additionally, the rule does not log scripts executed by interpreters or commands run via absolute paths outside `/usr/bin`, leaving gaps in the audit trail for dbadmin's activities. The robust form is a syscall rule on `execve` keyed to the administrator's login uid (`-F auid=<uid>`), for both the b64 and b32 ABIs, which records every program start regardless of path and still attributes commands run under sudo or su to dbadmin; shell builtins never reach `execve` at all, so covering those requires session recording or an auditing shell rather than auditd.

Exam trap

The trap here is that candidates assume `-w /usr/bin -p x` logs all command executions, but a watch only records execute access to files under that one path; commands from other locations and shell internals are never seen by it.

How to eliminate wrong answers

Option A is wrong because log file size or overwriting would cause missing older logs, not a failure to log specific commands; auditd continues to log new events regardless of rotation. Option B is wrong because if the kernel lacked audit support, auditd would fail to start entirely and no rules would be processed, but the question states that some logging (e.g., time changes) is occurring, proving audit is functional. Option C is wrong because the adjtimex syscall rule is syntactically valid and does not prevent other rules from being processed; auditd rules are independent and do not block each other. That rule is incomplete rather than incorrect: `settimeofday` and `clock_settime` (and `stime` on 32-bit) also change the clock and need their own entries, as does a watch on `/etc/localtime`.
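The corrected rule set described above, generated by a small script, as an added example that is not part of the question bank. It prints execve rules for one administrator (both ABIs, keyed by login uid) together with complete time-change rules, in auditctl syntax. The user name dbadmin and uid 1001 used in the demonstration are constructed, and the rules directory /etc/audit/rules.d used by the install helper is an assumption about the target distribution.

```shell
#!/bin/sh
# Added example (not from the question bank): generate execve-based audit rules
# for one administrator plus complete time-change rules, replacing the
# -w /usr/bin -p x watch from the question. auditctl syntax; loading needs root.

# $1 = login name, $2 = uid. Rules for both syscall ABIs are emitted because a
# 32-bit binary on a 64-bit host is not matched by an arch=b64 rule. auid is the
# login uid, so commands run via sudo or su from this session are still
# attributed to the administrator. Shell builtins never call execve.
exec_audit_rules() {
  cat <<EOF
## every program started by $1 (auid=$2), both ABIs
-a always,exit -F arch=b64 -S execve -F auid=$2 -k ${1}_cmds
-a always,exit -F arch=b32 -S execve -F auid=$2 -k ${1}_cmds
## any clock change, by any user (adjtimex alone misses the other interfaces)
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time_change
-w /etc/localtime -p wa -k time_change
EOF
}

# Resolve the uid, write the rules file and load it (root only).
# Usage: install_exec_audit_rules dbadmin
install_exec_audit_rules() {
  uid=$(id -u "$1") || return 1
  exec_audit_rules "$1" "$uid" > "/etc/audit/rules.d/50-$1.rules" &&
  augenrules --load
}

# Demonstration with a constructed user and uid; prints the rules only.
exec_audit_rules dbadmin 1001
```

After loading, 'auditctl -l' shows the active rules and 'ausearch -k dbadmin_cmds -i' lists every recorded execution with its timestamp, auid and full argument vector, which is the evidence the compliance audit in the question was missing.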

60
MCQmedium

Your company runs a web application on a Linux server that uses Apache HTTPD with mod_ssl for HTTPS. Recently, after a security audit, it was discovered that the server is vulnerable to the POODLE attack on SSLv3. The server is running RHEL 8 with Apache 2.4. The SSL configuration file /etc/httpd/conf.d/ssl.conf currently has the line 'SSLProtocol all -SSLv2'. You need to disable SSLv3 and also disable all versions of TLS below 1.2, while still allowing TLS 1.2 and 1.3. The server must remain available immediately. Which action should you take?

A.Change 'SSLProtocol all -SSLv2' to 'SSLProtocol all -SSLv2 -SSLv3'
B.Add 'SSLProtocol -SSLv3' after the existing line
C.Change 'SSLProtocol all -SSLv2' to 'SSLProtocol TLSv1.2 TLSv1.3'
D.Change the line to 'SSLProtocol TLSv1.2 TLSv1.3 -SSLv2 -SSLv3'
AnswerC

This explicitly enables only TLS 1.2 and 1.3, disabling all older protocols.

Why this answer

Option C is correct. Replacing the line with 'SSLProtocol TLSv1.2 TLSv1.3' is an explicit allow-list: SSLv3, TLS 1.0 and TLS 1.1 are not named, so they are disabled, and nothing else changes. Apache 2.4.37 with OpenSSL 1.1.1, as shipped on RHEL 8, understands the TLSv1.3 keyword. Validate with 'apachectl configtest' and apply with 'systemctl reload httpd' so the service stays available, then confirm the result with 'openssl s_client -connect host:443 -tls1_1' (the handshake must fail) and '-tls1_2' (it must succeed).

Option A keeps 'all', which on this release still includes TLS 1.0 and 1.1, so only the POODLE finding would be fixed. Option B adds a second SSLProtocol line; the directive is not cumulative, a later line replaces the earlier one, and a line consisting only of a negation does not enable TLS 1.2 and 1.3, so it does not meet the requirement. Option D lists only TLS 1.2 and 1.3 and then subtracts protocols that were never included; the negations are redundant (Apache 2.4 no longer supports SSLv2 at all), which is why the clean explicit list in C is the intended answer.

61
MCQhard

An administrator wants to chroot SSH users in the 'jailed' group to their home directories. Which configuration in /etc/ssh/sshd_config achieves this?

A.Subsystem sftp internal-sftp Match Group jailed ChrootDirectory %h
B.Match User jailed ChrootDirectory %h
C.ChrootGroup jailed ChrootDirectory %h
D.Match Group jailed ChrootJail %h
E.Match Group jailed ChrootDirectory %h
AnswerE

Matches the group and sets chroot to the home directory.

Why this answer

Option E is correct. ChrootDirectory applies to a subset of users only inside a Match block, 'Match Group jailed' selects members of that group, and %h expands to the user's home directory. Option B matches a user named jailed, not the group. Option C uses ChrootGroup, which is not an sshd directive. Option D uses ChrootJail, which does not exist either. Option A bundles a Subsystem line with the Match block; 'Subsystem sftp internal-sftp' is what you would pair with the chroot (together with 'ForceCommand internal-sftp' inside the Match block) to give jailed users SFTP without a shell, but it is not the directive that performs the chroot. Two caveats before deploying this: the chroot target and every directory above it must be owned by root and not writable by group or others, or sshd refuses the login with 'bad ownership or modes for chroot directory', so users get a root-owned home with a writable subdirectory beneath it; and a shell login inside the jail needs its own copies of the shell, libraries and device nodes, which is why SFTP-only jails are the common deployment. Keep Match blocks at the end of sshd_config, since every line after a Match belongs to it until the next Match.

62
MCQhard

An administrator needs to encrypt a large file using GPG with a symmetric cipher and then decrypt it on another system. Which command encrypts the file using AES256 and prompts for a passphrase?

A.gpg --clearsign --cipher-algo AES256 file.txt
B.gpg --encrypt --cipher-algo AES256 file.txt
C.gpg --sign --cipher-algo AES256 file.txt
D.gpg --symmetric --cipher-algo AES256 file.txt
AnswerD

Symmetric encryption prompts for passphrase; uses AES256.

Why this answer

Option D is correct because --symmetric (-c) encrypts with a key derived from a passphrase, using the cipher given by --cipher-algo; the receiving system needs only GnuPG and the passphrase, and decrypts with 'gpg --output file.txt --decrypt file.txt.gpg'. Option B is wrong because --encrypt is public-key encryption and requires a recipient key (-r). Option C is wrong because --sign only produces a signature.

Option A is wrong because --clearsign wraps the plaintext in a readable signed message; nothing is encrypted. Pinning AES256 avoids depending on a particular GnuPG version's default, and the passphrase must travel out of band, never alongside the file.

63
MCQeasy

Refer to the exhibit. What type of attack is indicated by the log entries?

A.Privilege escalation attempt
B.Man-in-the-middle attack
C.Distributed denial-of-service (DDoS) attack
D.Brute-force attack on SSH
AnswerD

Repeated failed login attempts for the root user from the same IP address in quick succession signal a brute-force attempt.

Why this answer

Option D is correct because multiple failed password attempts for root from the same IP in quick succession indicate a brute-force attack. Option C is wrong because a DDoS would involve many different source addresses and would show up as resource exhaustion, not as authentication failures. Option B is wrong because a man-in-the-middle attack would not show in auth logs.

Option A is wrong because privilege escalation happens after a successful login, from inside the system. When triaging such entries, look for an 'Accepted password' line from the same source after the failures; that is the sign the guessing succeeded and the incident has changed category.

64
MCQmedium

Refer to the exhibit. An administrator runs aide --check and receives a warning that /var/log/syslog has changed. Why is this expected?

A.The SHA512 hash for /var/log is incorrect.
B.The /var/log entry monitors the directory itself, not its contents; changes inside the directory are not tracked.
C.The /var/log entry includes permissions but not content hashes, so changes in file content are not monitored.
D.The +c flag checks for changes in the file's ctime, so syslog changes are detected.
AnswerB

Only the directory entry's attributes and hash are checked, not the files within it.

Why this answer

The rule for /var/log uses 'p+sha512', which monitors the directory's permissions and the SHA512 hash of the directory entry itself; the files inside /var/log are not individually checked, so a changing syslog is consistent with the configuration rather than a sign of intrusion. Two details matter when you write such a rule yourself: AIDE selection lines are recursive by default, and the '=' prefix ('=/var/log p+sha512') is what limits a rule to the directory itself; and a directory's hash changes whenever entries are added or removed (log rotation does exactly that), so the quiet pattern for log directories is a negative rule such as '!/var/log/.*', or attributes without a content hash, rather than sha512. Option A misreads the warning: the reported hash difference is the finding, not a wrong stored hash. Option C is wrong because sha512 is a content hash, so content is monitored for whatever the rule covers. Option D is wrong because no ctime attribute (c) appears in the rule.

65
MCQmedium

A web server is running in enforcing mode under SELinux. The administrator wants to allow Apache to connect to a remote database server. Which SELinux boolean needs to be set to allow httpd to make network connections?

A.httpd_enable_homedirs
B.httpd_can_network_connect_db
C.httpd_can_network_connect
D.httpd_unified
AnswerC

Setting this boolean to on allows httpd to initiate outbound network connections, including to databases.

Why this answer

Option C is correct. httpd_can_network_connect lets processes in the httpd_t domain open outbound TCP connections to any port, which covers a database on a remote host whatever port it listens on. Option B, httpd_can_network_connect_db, is the narrower boolean: it permits connections only to ports labelled as database ports (for example mysqld_port_t and postgresql_port_t), so it is the least-privilege choice when the remote database listens on a standard port and is worth trying first in practice; the question, however, asks for the boolean that allows httpd to make network connections in general, which is C.

Set it persistently with 'setsebool -P httpd_can_network_connect on' and confirm with 'getsebool httpd_can_network_connect'; if connections are still denied, 'ausearch -m avc -ts recent' shows which port type was blocked. Option A is wrong because httpd_enable_homedirs only allows access to user home directories.

Option D is wrong because httpd_unified relaxes the separation between the httpd content types; it has nothing to do with networking.

66
MCQhard

A government agency runs a classified application on a Linux server with strict auditing requirements. The application writes sensitive data to a MySQL database. The auditor requires that all SQL queries executed by the application be logged with timestamps, user, and the full query text. Additionally, the audit logs must be immutable (cannot be altered by the application or any user except a designated auditor account). The database runs on the same server. Which combination of tools and configurations should the administrator deploy?

A.Enable auditd to monitor the MySQL process and log all system calls.
B.Enable MySQL's general query log, direct it to a file on a separate filesystem mounted with the 'noexec' and 'append' options, and set the file immutable with chattr +a.
C.Enable the MySQL audit log plugin and configure rsyslog to forward logs to a remote log server.
D.Use tcpdump to capture all network traffic to port 3306 and save to a file with packet captures.
AnswerB

The general query log records every statement in plaintext; chattr +a makes the file append-only, so existing entries cannot be altered or truncated.

Why this answer

Option B is correct. MySQL's general query log captures every statement with its timestamp, connection id and user, and writing it to a dedicated filesystem keeps it from filling the root volume. Immutability comes from 'chattr +a', which is set by root and can only be cleared by a process holding CAP_LINUX_IMMUTABLE, so the mysqld account cannot remove it; note that 'append' is not a mount option, the append-only property is the chattr attribute, and log rotation must therefore be done by a privileged process that clears and re-sets it. Option A (auditd) records system calls such as open and write, not SQL text.

Option C is a sound design on its own: an audit plugin writes structured events to a file or to syslog, and forwarding to a remote collector gives tamper evidence, but it does not satisfy the requirement for a locally immutable file readable only by the auditor. Option D (tcpdump) misses connections over the local Unix socket and sees only ciphertext when TLS is in use. Be aware that the general log is expensive under load and records statement text verbatim, including any secrets embedded in queries.

67
Multi-Selectmedium

Which TWO of the following are effective methods to secure SSH access on a Linux server? (Choose two.)

Select 2 answers
A.Disable root login over SSH.
B.Use FTP over SSH (SFTP) for file transfers.
C.Disable password authentication and use only key-based authentication.
D.Require users to change their passwords every 30 days.
E.Change the default SSH port from 22 to a non-standard port.
AnswersC, E

Key-based authentication is much stronger against brute-force and phishing.

Why this answer

Options C and E are correct. Option C: key-based authentication removes the password as something that can be guessed or phished, and 'PasswordAuthentication no' (with keyboard-interactive disabled as well) turns automated guessing away outright. Option E: moving sshd off port 22 cuts the volume of opportunistic scans and brute-force noise; it is obscurity rather than a control, so it counts only as a supporting measure.

Option B is wrong because SFTP is a file-transfer subsystem, not an access-control measure. Option D is wrong because forced 30-day rotation does nothing against a weak or reused password and tends to produce predictable sequences; key-only access addresses the problem directly. Option A, disabling root login, is also a standard hardening step (other items on this page key it as correct); this item treats it as an account restriction rather than a method of securing the SSH service itself, so it is not among the two expected answers.

68
MCQeasy

Which file is used to configure which users and groups are allowed to use the 'cron' daemon?

A./var/spool/cron/
B./etc/cron.d/
C./etc/crontab
D./etc/cron.allow
AnswerD

Lists users allowed to use cron.

Why this answer

The /etc/cron.allow file lists, one user name per line, the users permitted to use crontab. If it exists, only those users can schedule jobs and /etc/cron.deny is ignored; if only cron.deny exists, everyone not listed in it may use cron. What happens when neither file exists depends on the cron implementation and site configuration, so hardened systems create cron.allow explicitly. Groups are not supported in either file, despite the question's wording. This provides a whitelist-based access control mechanism for the cron daemon.

Exam trap

The trap here is that candidates confuse the access control files (/etc/cron.allow and /etc/cron.deny) with the directories or system crontab files that store or schedule jobs, such as /var/spool/cron/ or /etc/crontab.

How to eliminate wrong answers

Option A is wrong because /var/spool/cron/ is a directory containing individual user crontab files (e.g., /var/spool/cron/crontabs/), not a configuration file for access control. Option B is wrong because /etc/cron.d/ is a directory for system cron job fragments (e.g., hourly, daily tasks), not for user authorization. Option C is wrong because /etc/crontab is the system-wide crontab file used to define periodic system jobs, not to control which users can submit cron jobs.

69
Multi-Selecthard

Which THREE of the following tools can be used to implement file integrity checking on a Linux system?

Select 3 answers
A.AIDE
B.Logwatch
C.Nmap
D.Tripwire
E.sha256sum
AnswersA, D, E

Advanced Intrusion Detection Environment checks file integrity.

Why this answer

Options A, D, and E are correct. AIDE and Tripwire are classic file integrity checkers that keep a baseline database of hashes and attributes and report deviations from it; sha256sum can do the same job manually, recording hashes with 'sha256sum file > baseline' and verifying later with 'sha256sum -c baseline', provided the baseline is stored where an attacker on the host cannot rewrite it. Option B (Logwatch) summarises log files; it hashes nothing.

Option C (Nmap) is a network scanner.

70
MCQhard

An administrator configures AIDE to monitor /etc. After initializing the database, what command updates the database with current file hashes without removing old entries?

A.aide --update
B.aide --init
C.aide --compare
D.aide --check
AnswerA

This updates the database with current file hashes while preserving unchanged entries.

Why this answer

aide --update performs the same comparison as --check and additionally writes a new database (database_out, typically aide.db.new.gz) reflecting the current state; the existing database is left untouched, so you review the report and then move the new file over the old one yourself. --check only compares and writes nothing. --init scans the filesystem and creates a fresh database from scratch, discarding any record of what was previously accepted. --compare (-E) is a real option but does not scan the filesystem at all; it compares two existing databases (database and database_new) against each other.

71
MCQeasy

A system administrator wants to ensure that only key-based authentication is allowed for SSH and password authentication is disabled. Which configuration change is required in /etc/ssh/sshd_config?

A.PasswordAuthentication yes and PubkeyAuthentication yes
B.PasswordAuthentication no and PubkeyAuthentication no
C.PasswordAuthentication no and PubkeyAuthentication yes
D.PasswordAuthentication no
AnswerC

This disables password logins and enables key-based authentication, meeting the requirement.

Why this answer

Option C is correct because 'PasswordAuthentication no' together with 'PubkeyAuthentication yes' disables password logins and explicitly keeps key-based authentication enabled, which is exactly what the requirement states. Option D, 'PasswordAuthentication no' on its own, is what you would change in practice, since PubkeyAuthentication defaults to yes, but it does not state the second half of the requirement; in either case also set 'KbdInteractiveAuthentication no' ('ChallengeResponseAuthentication no' on older releases), because PAM keyboard-interactive can still accept a password when password authentication is off. Option A is wrong because it leaves password logins enabled.

Option B is wrong because it disables both methods and locks everyone out. Verify the effective settings with 'sshd -T | grep -i authentication', check syntax with 'sshd -t', and keep an existing session open while you reload in case a key is missing from authorized_keys.

72
MCQhard

A new client with IP 10.0.1.15 tries to connect to HTTPS on the server. Based on the exhibit, what happens?

A.The connection is dropped by rule 5.
B.The connection is rejected with an ICMP error.
C.The connection is accepted only if state RELATED.
D.The connection is accepted because 10.0.1.15 is in 10.0.0.0/8.
AnswerD

Matches rule 4, accepting HTTPS.

Why this answer

Option D is correct because 10.0.1.15 falls within 10.0.0.0/8, so the packet matches rule 4 (ACCEPT for https) before reaching the final drop. Option A is wrong because rule 5 is reached only when no earlier rule matched. Option B is wrong because the match on rule 4 happens first; an ICMP error is produced only by a REJECT target, and the packet never reaches any later rule.

Option C is wrong because a new client connection has state NEW; RELATED applies to associated flows such as ICMP errors or FTP data channels, not to a fresh TCP handshake.

73
MCQeasy

A security policy requires that all users must change their passwords every 90 days. Which command enforces maximum password age for an existing user 'jdoe'?

A.chage -M 90 jdoe
B.passwd -f jdoe
C.usermod -e 90 jdoe
D.chage -E 90 jdoe
AnswerA

Sets maximum number of days a password is valid.

Why this answer

The `chage -M 90 jdoe` command sets the maximum number of days a password is valid for user 'jdoe' to 90 days, enforcing the security policy. The `-M` option directly controls the password aging parameter that defines when the password must be changed, stored in the fifth field of `/etc/shadow`. Confirm with `chage -l jdoe`; and because chage edits one existing account, set `PASS_MAX_DAYS 90` in `/etc/login.defs` as well so that newly created accounts inherit the policy.

Exam trap

The trap here is confusing the `-M` (maximum password age) option with the `-E` (account expiration) option, as both use a numeric argument but control entirely different aspects of user account lifecycle.

How to eliminate wrong answers

Option B is wrong because `passwd -f jdoe` forces a password change at the next login but does not set a maximum age limit; it only sets the 'force change' flag. Option C is wrong because `usermod -e 90 jdoe` sets the account expiration date to 90 days from the epoch (January 1, 1970), which would immediately expire the account, not enforce a 90-day password rotation. Option D is wrong because `chage -E 90 jdoe` sets the account expiration date to 90 days from the epoch, not the maximum password age; `-E` controls account expiry, not password aging.
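Verifying the 90-day rule across every account rather than trusting a single chage run, as an added example that is not part of the question bank. The script reads the fifth field of a shadow file, the value chage -M sets, and reports accounts that exceed the policy, have no maximum at all, or have an empty password field. The shadow lines in the demonstration are constructed; on a real host run it as root against /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the question bank): list accounts whose /etc/shadow
# maximum password age violates policy. The shadow content below is constructed.
# Real use (as root): shadow_max_age_violations /etc/shadow 90

# $1 = shadow file, $2 = policy maximum in days. Field 5 is what chage -M sets;
# an empty field means no maximum. Accounts whose password field starts with
# ! or * are locked or have no password to rotate and are skipped, while an
# empty password field is reported on its own since it is a worse finding.
shadow_max_age_violations() {
  awk -F: -v max="$2" '
    $2 ~ /^[!*]/ { next }
    $2 == ""     { print $1 ":(empty password)"; next }
    $5 == ""     { print $1 ":(unset)"; next }
    $5 + 0 > max { print $1 ":" $5 }
  ' "$1"
}

# Constructed sample: root never expires, jdoe is compliant, bob has no maximum,
# svc is locked, guest has no password at all.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$hashhash:19700:0:99999:7:::
jdoe:$6$saltsalt$hashhash:19700:1:90:7:::
bob:$6$saltsalt$hashhash:19700:0::7:::
svc:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
EOF
shadow_max_age_violations "$SAMPLE" 90
rm -f "$SAMPLE"
```

Each reported account is fixed with 'chage -M 90 user' (and the empty-password case with 'passwd -l user' or a real password); re-running the script afterwards should print nothing.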

74
Multi-Selecteasy

Which THREE of the following actions are recommended as initial security hardening steps after installing a new Linux server? (Choose three.)

Select 3 answers
A.Update all packages using the package manager.
B.Disable root login via SSH.
C.Install a graphical desktop environment for easier administration.
D.Enable and configure a firewall (e.g., iptables or firewalld).
E.Set up a web server to monitor system status.
AnswersA, B, D

Ensures the latest security patches are applied.

Why this answer

Options A, B, and D are correct. Updating packages applies the security fixes published since the installation media was built. Disabling root SSH login removes the one account every attacker knows exists and forces privileged work through sudo, where it is attributable.

Enabling a firewall limits network exposure to the ports that are actually needed. Option C is wrong because a graphical desktop adds packages, services and attack surface a server does not need. Option E is wrong because a web server is an additional exposed service, not a hardening step; monitoring belongs on an authenticated, internal channel.

75
MCQmedium

A firewall rule set is implemented using iptables. The administrator wants to allow incoming SSH connections only from the 192.168.1.0/24 subnet, while all other incoming traffic is dropped. Which set of rules achieves this?

A.iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -j DROP
B.iptables -A INPUT -p tcp --sport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -j DROP
C.iptables -A INPUT -p tcp --dport 22 -j DROP iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j DROP
E.iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -j DROP
AnswerA

Allows SSH from subnet, then drops all other input.

Why this answer

Option A is correct. Rules are evaluated in order, so the first rule accepts SSH connections from 192.168.1.0/24 and the second drops everything else that reaches INPUT. On its own this pair is incomplete in practice: insert 'iptables -A INPUT -i lo -j ACCEPT' and 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' ahead of the drop so loopback traffic and replies to the host's own connections survive, and apply the rules from a console or with a timed rollback so a mistake does not lock you out.

Option B matches '--sport 22', the source port, which describes replies from an SSH server rather than clients connecting to this host. Option C drops all SSH before the accept rule, so the accept is never reached. Option D accepts SSH from everywhere first, so the later subnet-specific DROP is never reached. Option E likewise accepts SSH from any source before dropping the rest; the subnet restriction is simply absent.
