202-450 LPIC-2 - Exam 202 (part 2 of 2), version 4.5 Free Practice Exam Questions (2025 Updated)

The rpc.idmapd service is a new component of NFSv4 that does not exist in NFSv3. It is responsible for mapping user and group IDs between the NFS client and server, using string names instead of numeric values. This allows for better security and compatibility across different systems. The rpc.idmapd service runs on both the NFS client and server and communicates with each other using the NFSv4 protocol. The other services, rpc.statd, nfsd, and rpc.mountd, are common to both NFSv3 and NFSv4, although they have some differences in functionality and behavior. References: 1, 2, 3

In Apache HTTPD configuration, only one ServerName directive is allowed per VirtualHost block. The ServerName provides the hostname and port that the server uses to identify itself. If there are additional domain names pointing to the same virtual host, they should be added using the ServerAlias directive. For example, the following configuration would create a virtual host that responds to both www.example.com and www2.example.com:

ServerName www.example.com ServerAlias www2.example.com ServerAdmin webmaster@example.com DocumentRoot /var/www/ Require all granted

The ServerName and ServerAlias directives are usually included in such configuration files. To enable or disable a virtual host, we can use the a2ensite and a2dissite commands to create and remove the symbolic links in the sites-enabled directory. For more information about the ServerName and ServerAlias directives, you can refer to the following resources:

1: A Microsoft Learn article that explains the syntax and usage of the ServerName and ServerAlias directives on Windows Server.

2: A Stack Overflow question that discusses the difference between ServerName and ServerAlias in Apache configuration.

3: A Stack Overflow question that shows how to redirect ServerAlias to ServerName in Apache configuration.

 TCP/IP stack fingerprinting is a technique that allows nmap to remotely detect the characteristics of a TCP/IP stack implementation on a target host. By sending a series of probes (such as TCP and UDP packets) and analyzing the responses, nmap can infer the operating system (OS) of the target host based on a database of known OS fingerprints. Each OS has a unique way of setting certain parameters and flags in the TCP/IP headers, such as the initial packet size, the initial TTL, the window size, the max segment size, the window scaling value, and the “don’t fragment”, “sackOK”, and “nop” flags. These values can be combined to form a signature or a fingerprint for the target host, which can then be compared to the nmap-os-db database that contains more than 2,600 OS fingerprints. If there is a match, nmap will print out the OS details, such as the name, the version, and the vendor. If there is no match, nmap will print out a message asking the user to submit the fingerprint to the nmap project for further analysis.

TCP/IP stack fingerprinting is useful for several purposes, such as network mapping, security auditing, vulnerability scanning, and penetration testing. By knowing the OS of the target host, nmap can tailor its scanning techniques and exploit the weaknesses of the specific OS. TCP/IP stack fingerprinting can also help identify rogue or unauthorized devices on a network, or detect OS spoofing attempts by the target host.

References:

OS Detection | Nmap Network Scanning

TCP/IP stack fingerprinting - Wikipedia

Cybersecurity | Nmap | OS Detection | Codecademy

 The Apache HTTPD directive that enables HTTPS protocol support is SSLEngine on. This directive activates the SSL/TLS protocol engine for the current virtual host. HTTPS is a secure version of HTTP that uses SSL/TLS to encrypt the communication between the client and the server. To enable HTTPS, the server must have a valid SSL certificate and a corresponding private key, and configure them using the SSLCertificateFile and SSLCertificateKeyFile directives123 References:

LPIC-2 Overview

LPIC-2 202-450

SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4

 The nmap command is a network exploration and security auditing tool that can scan hosts and networks for open ports, services, operating systems, vulnerabilities, and other information. The nmap parameters that can scan a target for open TCP ports are:

-sT: This parameter performs a TCP connect scan, which establishes a complete connection to the target host by completing a TCP three-way handshake. This is the default scan type when the user does not have root privileges. The advantage of this scan is that it works on any system that supports TCP, but the disadvantage is that it is easily detectable by firewalls and intrusion detection systems.

-sS: This parameter performs a TCP SYN scan, which sends a TCP SYN packet to the target port and waits for a response. If the response is a SYN/ACK packet, the port is open. If the response is a RST packet, the port is closed. This scan does not complete the TCP three-way handshake, so it is faster and stealthier than the TCP connect scan. However, this scan requires root privileges and may not work on some systems that do not follow the TCP standard.

The other parameters are not related to TCP port scanning:

-sO: This parameter performs an IP protocol scan, which sends IP packets with the specified protocol number set in the IP header. It can be used to determine which IP protocols are supported by the target host.

-sZ: This parameter is not a valid nmap parameter and will cause an error.

-sU: This parameter performs a UDP scan, which sends a UDP packet to the target port and waits for a response. If the response is an ICMP port unreachable message, the port is closed. If the response is a UDP packet, the port is open. This scan can be used to find open UDP ports, which are often used by DNS, SNMP, DHCP, and other services.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Nmap Tutorial: Common Commands, Nmap Scan Types

Cybersecurity | Nmap | TCP Connect Scan | Codecademy

The doveadm who sub-command shows information about the currently connected users and their sessions. The output includes the following columns:

user: The username of the connected user.

ip: The IP address of the client.

port: The port number of the client.

service: The name of the Dovecot service, such as imap, pop3, lmtp, etc.

protocol: The protocol version used by the client, such as IMAP4rev1, POP3, etc.

pid: The process ID of the Dovecot process that handles the connection.

type: The type of the connection, such as tcp, ssl, etc.

state: The state of the connection, such as running, idle, etc.

since: The time when the connection was established.

References:

doveadm-who - Dovecot Wiki

LPIC-2 exam 202 objectives, topic 211.3, “Managing Mailbox Access”

The newaliases command is a Postfix command that can be used to rebuild all of the alias database files with a single invocation and without the need for any command line arguments. The newaliases command is equivalent to running the postalias command on each file specified by the alias_database parameter in the Postfix main.cf configuration file. The newaliases command reads the text files that contain the alias definitions and creates the indexed files in dbm or db format that are used for fast lookup by the mail system. The newaliases command should be executed whenever the alias database is changed, in order to update the indexed files. For example:

newaliases

The other commands are not equivalent to the newaliases command. The makealiases command is not a valid Postfix command. The postalias command can be used to rebuild a single alias database file, but it requires the file name as an argument. The postmapbuild command is not a valid Postfix command.

References:

LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server

Postfix Basic Configuration, Postfix Documentation

Postfix manual - aliases(5), Postfix Documentation

Postfix manual - newaliases(1), Postfix Documentation

Postfix manual - postalias(1), Postfix Documentation

 The fastcgi_pass directive is used to proxy requests to a FastCGI application in Nginx. It specifies the address of the FastCGI server or the path of the Unix-domain socket that will accept FastCGI requests. For example:

location ~ \.php$ { include fastcgi_params; fastcgi_pass 127.0.0.1:9000; }

This configuration will pass any requests ending with .php to the FastCGI server listening on 127.0.0.1:9000.

The other options are not valid directives in Nginx. There is no fastcgi_proxy, proxy_fastcgi, proxy_fastcgi_pass, or fastcgi_forward directive. The proxy_pass directive is used to proxy requests to a HTTP server, not a FastCGI application.

References:

Module ngx_http_fastcgi_module - nginx

FastCGI Example | NGINX

Understanding and Implementing FastCGI Proxying in Nginx

 A glue record is a DNS record that provides the IP address of a nameserver that is a subdomain of the domain being queried. For example, if the domain example.com has nameservers ns1.example.com and ns2.example.com, then the .com nameservers will provide glue records for ns1.example.com and ns2.example.com, along with the NS records for example.com. This way, the resolver can find the IP address of the nameservers without having to query them first, which would create a circular dependency12

The format of a glue record is:

nameserver A IP address

where nameserver is the hostname of the nameserver, A is the record type for IPv4 address, and IP address is the IPv4 address of the nameserver3

Therefore, the only option that matches this format is A. ns1.lab A 198.51.100.53. The other options are either missing the record type, the IP address, or the dot after the nameserver name4 References:

DNS Tools - Glue Records

What Is Glue Record: Everything You Wanted To Know

Glue Records and Dedicated DNS - NS1, an IBM Company

DNS Record Types - DNSimple Help

Glue Records and Dedicated DNS - NS1, an IBM Company

Dovecot supports various authentication mechanisms that can be used to verify the identity of the users who connect to the mail server. Authentication mechanisms are protocols that define how the client and the server exchange the user credentials, such as the username and the password. Some authentication mechanisms are plaintext, which means that the user credentials are sent without any encryption. Others are non-plaintext, which means that the user credentials are protected from eavesdropping or tampering by using some form of encryption or hashing. Dovecot supports the following authentication mechanisms:

B. digest-md5: This is a non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The client and the server exchange a series of messages that include a nonce (a random number), a realm (a domain name), and a digest (a hashed combination of the username, password, nonce, and realm). This mechanism prevents replay attacks and supports mutual authentication, meaning that both the client and the server can verify each other’s identity. However, this mechanism is not widely supported by clients and has some security weaknesses12.

C. cram-md5: This is another non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The server sends a nonce to the client, and the client responds with the username and a digest of the password and the nonce. This mechanism protects the password from eavesdropping, but does not prevent replay attacks or support mutual authentication. It also requires the server to have access to the plaintext password or a special hashed version of it. This mechanism has somewhat good support in clients12.

D. plain: This is the simplest and most common plaintext mechanism. The client simply sends the username and the password to the server without any encryption. This mechanism is supported by all clients, but it is vulnerable to eavesdropping and tampering. Therefore, it should only be used with SSL/TLS encryption to secure the connection12.

The other options are not supported by Dovecot as authentication mechanisms. A. ldap is not an authentication mechanism, but a protocol for accessing directory services. E. krb5 is not an authentication mechanism, but a network authentication protocol based on Kerberos. Dovecot supports Kerberos authentication through the GSSAPI mechanism

The command that creates a SSH key pair is ssh-keygen. This command generates a public and a private key file that can be used for SSH authentication. The command can take various options to specify the algorithm, the file name, the passphrase, and other parameters for the key pair. For more information, see the web search results below or the man page of ssh-keygen.

How to Use ssh-keygen to Generate a New SSH Key?

The option in the sshd configuration file that instructs sshd to permit only specific user names to log in to a system is AllowUsers. This option can be followed by a list of user name patterns, separated by spaces, that are allowed to log in. For example:

AllowUsers alice bob

This will allow only alice and bob to log in via ssh. Any other user will be denied access. The AllowUsers option can also take the form USER@HOST to restrict logins to particular users from particular hosts. For example:

AllowUsers alice@192.168.1.* bob@example.com

This will allow alice to log in from any host in the 192.168.1.0/24 network, and bob to log in from the host example.com. The AllowUsers option can be used in conjunction with the DenyUsers option, which does the opposite. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

References:

sshd_config - OpenSSH SSH daemon configuration file

Allow Or Deny SSH Access To A Particular User Or Group In Linux - OSTechNix

The sshd configuration file is used to customize the behavior of the SSH server daemon. Some of the lines in the file can affect the security of the server and should be modified accordingly. The following are two examples of such lines:

Protocol 2, 1: This line specifies the SSH protocol versions that are supported by the server. The possible values are 1 and 2, where 1 is the older and less secure version and 2 is the newer and more secure version. The recommended value is 2, as it provides stronger encryption, authentication, and integrity mechanisms. Allowing protocol 1 can expose the server to various attacks, such as man-in-the-middle, replay, and insertion attacks. Therefore, this line should be changed to Protocol 2 or commented out (as protocol 2 is the default value).

PermitRootLogin yes: This line determines whether root login is allowed on the server. The possible values are yes, no, prohibit-password, and without-password. The value yes allows root login with any authentication method, including password. This can pose a serious security risk, as root is the most privileged user on the system and can perform any action. If an attacker manages to guess or obtain the root password, they can gain full control over the server. Therefore, this line should be changed to no or prohibit-password (which allows root login only with public key authentication) or commented out (as no is the default value).

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, The Best Ways to Secure Your SSH Server, Configure the /etc/ssh/sshd_config file

Linux SSH Server (sshd) Configuration and Security Options With ...1

The Best Ways to Secure Your SSH Server - How-To Geek

 The OpenLDAP attribute olcBackend is used to specify the backend type for a database entry in the cn=config DIT. The backend type determines how the data is stored and accessed by the OpenLDAP server. There are several backend types available, but not all of them can be used with the olcBackend attribute. The backend types that can be used with the olcBackend attribute are:

bdb: The Berkeley Database backend, which uses the Berkeley DB library to store the data in files on disk. This backend supports transactions, indexing, replication, and caching. It is the default backend for OpenLDAP and is recommended for most applications.

ldap: The LDAP backend, which uses another LDAP server as the data source. This backend allows the OpenLDAP server to act as a proxy or a gateway to another LDAP server. It can be used to merge data from multiple LDAP servers, to provide access control or schema mapping, or to implement load balancing or failover.

text: The text backend, which uses plain text files to store the data. This backend is mainly used for testing purposes or for simple applications that do not require advanced features. It does not support indexing, replication, or caching.

The backend types that cannot be used with the olcBackend attribute are:

xml: The XML backend, which uses XML files to store the data. This backend is experimental and not recommended for production use. It does not support indexing, replication, or caching.

passwd: The passwd backend, which uses the /etc/passwd and /etc/group files as the data source. This backend is deprecated and should not be used. It does not support indexing, replication, or caching.

References:

How To Configure OpenLDAP and Perform Administrative LDAP Tasks

OpenLDAP Online Configuration Reference - Tyler’s Guides