Unit 4 - Server & Linux

Question 1

What are servers?

Answer 1

Servers are computers with software installed that enables them to provide services to clients across the network.

There are many types of services. Some provide external resources such as files, email messages, or web pages to clients upon request. Other services run maintenance tasks such as log management, memory management, disk scanning, and more. Each service requires separate server software. For example, the server in the figure uses file server software to provide clients with the ability to retrieve and submit files.

Question 2

What protocol use the following ports?

Port 20/21
Port 22
Port 23

Answer 2

20/21

File Transfer Protocol (FTP)

22

Secure Shell (SSH)

23

Telnet remote login service

Question 3

What protocol use the following ports?

25
53
67/68

Answer 3

25

Simple Mail Transfer Protocol (SMTP)

53

Domain Name System (DNS)

67/68

Dynamic Host Configuration Protocol (DHCP)

Question 4

What protocol use the following ports?

69
80
110

Answer 4

69

Trivial File Transfer Protocol (TFTP)

80

Hypertext Transfer Protocol (HTTP)

110

Post Office Protocol version 3 (POP3)

Question 5

What protocol use the following ports?

123
143
161/162
443

Answer 5

123

Network Time Protocol (NTP)

143

Internet Message Access Protocol (IMAP)

161/162

Simple Network Management Protocol (SNMP)

443

HTTP Secure (HTTPS)

Question 6

In order that a computer can be the server for multiple services, _____ are used.

Answer 6

In order that a computer can be the server for multiple services, ports are used. A server is said to be “listening” on a port when it has associated itself to that port.

While the administrator can decide which port to use with any given service, many clients are configured to use a specific port by default. It is common practice to leave the service running in its default port. The table lists a few commonly used ports and their services. These are also called “well-known ports”.

Question 7

What is a port said to be?

Answer 7

A port is a reserved network resource used by a service.

Question 8

What are clients?

Answer 8

Clients are programs or applications designed to communicate with a specific type of server.

Client is a hardware/software combination that people use directly.

Also known as client applications, clients use a well-defined protocol to communicate with the server. Web browsers are web clients that are used to communicate with web servers through the Hyper Text Transfer Protocol (HTTP) on port 80. The File Transfer Protocol (FTP) client is software used to communicate with an FTP server. The figure shows a client uploading files to a server.

Question 9

How are services managed in Linux?

Answer 9

In Linux, services are managed using configuration files.

Common options in configuration files are port number, location of the hosted resources, and client authorization details. When the service starts, it looks for its configuration files, loads them into memory, and adjusts itself according to the settings in the files. Configuration file modifications often require restarting the service before the changes take effect.

Question 10

List some basic best practices for hardening.

Answer 10

The following are basic best practices for device hardening.

Ensure physical security
Minimize installed packages
Disable unused services
Use SSH and disable the root account login over SSH
Keep the system updated
Disable USB auto-detection
Enforce strong passwords
Force periodic password changes
Keep users from re-using old passwords

Question 11

Name three events that are recorded in log files?

Answer 11

Kernel, services, and application events are all recorded in log files. It is very important for an administrator to periodically review the logs of a computer to keep it healthy. By monitoring Linux log files, an administrator gains a clear picture of the computer’s performance, security status, and any underlying issues. Log file analysis allows an administrator to guard against upcoming issues before they occur.

Question 12

In Linux, log files can be categorized as?

Answer 12

In Linux, log files can be categorized as:

Application logs
Event logs
Service logs
System logs

Question 13

What is a daemon?

Answer 13

A daemon is a background process that runs without the need for user interaction. For example, the System Security Services Daemon (SSSD) manages remote access and authentication for single sign-on capabilities.

Question 14

/var/log/messages

Answer 14

/var/log/messages

This directory contains generic computer activity logs.
It is mainly used to store informational and non-critical system messages.
In Debian-based computers, /var/log/syslog directory serves the same purpose.

Question 15

/var/log/boot.log

Answer 15

/var/log/boot.log

This file stores boot-related information and messages logged during the computer startup process.

Question 16

What is the Swap File System?

Answer 16

Swap File System

The swap file system is used by Linux when it runs out of RAM.
Technically, it is a swap partition that does not have a specific file system, but it is relevant to the file system discussion.
When this happens, the kernel moves inactive RAM content to the swap partition on the disk.
While swap partitions (also known as swap space) can be useful to Linux computers with a limited amount of memory, they should not be considered as a primary solution.
Swap partition is stored on disk which has much lower access speeds than RAM.

Question 17

What is HFS+

Answer 17

HFS Plus or HFS+ (Hierarchical File System Plus)

A file system used by Apple in its Macintosh computers.
The Linux kernel includes a module for mounting HFS+ for read-write operations.

Question 18

What is APFS?

Answer 18

APFS (Apple File System)

An updated file system that is used by Apple devices. It provides strong encryption and is optimized for flash and solid-state drives.

Question 19

Where is the MBR located?

Answer 19

Master Boot Record (MBR)

Located in the first sector of a partitioned computer, the MBR stores all the information about the way in which the file system is organized.
The MBR quickly hands over control to a loading function, which loads the OS.

Question 20

What is mounting?

Answer 20

Mounting is the term used for the process of assigning a directory to a partition. After a successful mount operation, the file system contained on the partition is accessible through the specified directory. In this context, the directory is called the mounting point for that file system. Windows users may be familiar with a similar concept; the drive letter.

The command output shows the output of the mount command issued in the Cisco CyberOPS VM.

Question 21

Explain the output from ls -l command for the document space.txt

Output:
(-rwxrw-r–)

Answer 21

The file space.txt in has the following permissions:

The dash (-) means that this is a file. For directories, the first dash would be a “d”.
The first set of characters is for user permission (rwx). The user, analyst, who owns the file can Read, Write and eXecute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the file can Read and Write to the file.
The third set of characters is for any other user or group permissions (r--). Any other user or group on the computer can only Read the file.

Question 22

Explain the output from “1” to the end.

[analyst@secOps ~]$ ls -l space.txt
-rwxrw-r– 1 analyst staff 253 May 20 12:49 space.txt

Answer 22

The second field defines the number of hard links to the file (the number 1 after the permissions). A hard link creates another file with a different name linked to the same place in the file system (called an inode). This is in contrast to a symbolic link, which is discussed on the next page.

The third and fourth field display the user (analyst) and group (staff) who own the file, respectively.

The fifth field displays the file size in bytes. The space.txt file has 253 bytes.

The sixth field displays the date and time of the last modification.

The seventh field displays the file name.

Question 23

The only user that can override file permission on a Linux computer is the ____ ____.

Answer 23

File permissions are a fundamental part of Linux and cannot be broken. A user has only the rights to a file that the file permissions allow. The only user that can override file permission on a Linux computer is the root user. Because the root user has the power to override file permissions, the root user can write to any file. Because everything is treated as a file, the root user has full control over a Linux computer. Root access is often required before performing maintenance and administrative tasks. Because of the power of the root user, root credentials should use strong passwords and not be shared with anyone other than system administrators and other high-level users.

Question 24

What are the benefits of soft links over hard links?

Answer 24

Although symbolic links have a single point of failure (the underlying file), symbolic links have several benefits over hard links:

Locating hard links is more difficult. Symbolic links show the location of the original file in the ls -l command, as shown in the last line of output in the previous command output (mytest.txt -> test.txt).

Hard links are limited to the file system in which they are created. Symbolic links can link to a file in another file system.

Hard links cannot link to a directory because the system itself uses hard links to define the hierarchy of the directory structure. However, symbolic links can link to directories.

Question 25

What does Ubuntu use as its default GUI.

Answer 25

Ubuntu Linux uses Gnome 3 as its default GUI. The goal of Gnome 3 is to make Ubuntu even more user-friendly. The table lists the main UI components of Unity.

The figure shows the location of some of the features of the Ubuntu Gnome 3 Desktop.

Question 26

What do the following commands do?
apt-get update
apt-get upgrade

Answer 26

The apt-get update command is used to get the package list from the package repository and update the local package database. The apt-get upgrade command is used to update all currently installed packages to their latest versions.

Question 27

Arch Linux and Debian / Ubuntu Linux distribution commands to perform package system basic operations. What does each below execute/perform.

pacman -S          (Arch)
apt install            (Debian / Ubuntu)

Answer 27

Install a package by name

Question 28

Arch Linux and Debian / Ubuntu Linux distribution commands to perform package system basic operations. What does each below execute/perform.

pacman -Rs         (Arch)
apt remove          (Debian / Ubuntu)

Answer 28

Remove a package by name.

Question 29

Arch Linux and Debian / Ubuntu Linux distribution commands to perform package system basic operations. What does each below execute/perform.

pacman -Syy (Arch)
apt-get update (Debian / Ubuntu)

Answer 29

Update a local package.

Question 30

Arch Linux and Debian / Ubuntu Linux distribution commands to perform package system basic operations. What does each below execute/perform.

pacman -Syu (Arch)
apt-get upgrade (Debian / Ubuntu)

Answer 30

Upgrade all currently installed packages

Question 31

How do you manually check and install updates via the GUI?

Answer 31

A Linux GUI can also be used to manually check and install updates. In Ubuntu for example, to install updates you would click Dash Search Box, type software updater, and then click the Software Updater icon, as shown in the figure.

Question 32

What is a process?

Answer 32

A process is a running instance of a computer program. Multitasking operating systems can execute many processes at the same time.

Question 33

What is forking?

Answer 33

Forking is a method that the kernel uses to allow a process to create a copy of itself. Processes need a way to create new processes in multitasking operating systems. The fork operation is the only way of doing so in Linux.

Question 34

Why is forking important?

Answer 34

Forking is important for many reasons. One of them relates to process scalability. Apache, a popular web server, is a good example. By forking itself, Apache is able to serve a large number of requests with fewer system resources than a single-process-based server.

When a process calls a fork, the caller process becomes the parent process, with the newly created process referred to as its child. After the fork, the processes are, to some extent, independent processes; they have different process IDs but run the same program code.

Question 35

What does the ps command accomplish?

Answer 35

ps

Used to list the processes running on the computer at the time it is invoked.
It can be instructed to display running processes that belong to the current user or other users.
While listing processes does not require root privileges, killing or modifying other user’s processes does.

Question 36

What does the top command accomplish?

Answer 36

top

Used to list running processes, but unlike ps, top keeps displaying running processes dynamically.
Press q to exit top.

Question 37

What does the kill command accomplish?

Answer 37

kill

Used to modify the behavior of a specific process.
Depending on the parameters, kill will remove, restart, or pause a process.
In many cases, the user will run ps or top before running kill.
This is done so the user can learn the PID of a process before running kill.

Question 38

What is a rootkit?

Answer 38

A rootkit is a type of malware that is designed to increase an unauthorized user’s privileges or grant access to portions of the software that should not normally be allowed. Rootkits are also often used to secure a backdoor to a compromised computer.

The installation of a rootkit can be automated (done as part of an infection) or an attacker can manually install it after compromising a computer. A rootkit is destructive because it changes kernel code and its modules, changing the most fundamental operations of the OS itself.

With such a deep level of compromise, rootkits can hide the intrusion, remove any installation tracks, and even tamper with troubleshooting and diagnostic tools so that their output now hides the presence of the rootkit. While a few Linux vulnerabilities through history have allowed rootkit installation via regular user accounts, the vast majority of rootkit compromises require root or administrator access.

Question 39

How can you detect and remove rootkits?

Answer 39

Because the very nature of the computer is compromised, rootkit detection can be very difficult. Typical detection methods often include booting the computer from trusted media such as a diagnostics operating system live CD. The compromised drive is mounted and, from the trusted system toolset, trusted diagnostic tools can be launched to inspect the compromised file system. Inspection methods include behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.

Rootkit removal can be complicated and often impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system is usually the only real solution to the problem. Firmware rootkits usually require hardware replacement.

Question 40

What is a popular Linux-based program designed to check the computer for known rootkits.

Answer 40

chkrootkit is a popular Linux-based program designed to check the computer for known rootkits. It is a shell script that uses common Linux tools such as strings and grep to compare the signatures of core programs. It also looks for discrepancies as it traverses the /proc file system comparing the signatures found there with the output of ps.

While helpful, keep in mind that programs to check for rootkits are not 100% reliable.

The command output shows the output of chkrootkit on an Ubuntu Linux.

Question 41

What are piping commands?

Answer 41

Although command line tools are usually designed to perform a specific, well-defined task, many commands can be combined to perform more complex tasks by a technique known as piping. Named after its defining character, the pipe (|), piping consists of chaining commands together, feeding the output of one command into the input of another.

For example, the ls command is used to display all the files and directories of a given directory. The grep command compares searches through a file or text looking for the specified string. If found, grep displays the entire contents of the folder where the string was found.

The two commands, ls and grep, can be piped together to filter out the output of ls. This is shown in the output of the ls -l | grep host command and the ls -l | grep file command.

Question 42

A customized version of Linux that contains software and tools that are designed for use in network security monitoring by cybersecurity analysts?

Answer 42

A customized version of Linux that is called Security Onion contains software and tools that are designed for use in network security monitoring by cybersecurity analysts.

Question 43

How are file systems mounted in Linux?

Answer 43

File systems are mounted on partitions and accessed through mounting points, or directories. Windows drive letters are examples of mounting points. The mount command can be used to display details of the file systems that are currently mounted on a Linux computer. The root file system is represented by the “/” symbol. It contains all of the files in the computer by default.