Unit 4 - Server & Linux - cyops Flashcards

1
Q

What are servers?

A

Servers are computers with software installed that enables them to provide services to clients across the network.

There are many types of services. Some provide external resources such as files, email messages, or web pages to clients upon request. Other services run maintenance tasks such as log management, memory management, disk scanning, and more. Each service requires separate server software. For example, the server in the figure uses file server software to provide clients with the ability to retrieve and submit files.

2
Q

Which protocols use the following ports?

Port 20/21
Port 22
Port 23

A

20/21

File Transfer Protocol (FTP)

22

Secure Shell (SSH)

23

Telnet remote login service

3
Q

Which protocols use the following ports?

25
53
67/68

A

25

Simple Mail Transfer Protocol (SMTP)

53

Domain Name System (DNS)

67/68

Dynamic Host Configuration Protocol (DHCP)

4
Q

Which protocols use the following ports?

69
80
110

A

69

Trivial File Transfer Protocol (TFTP)

80

Hypertext Transfer Protocol (HTTP)

110

Post Office Protocol version 3 (POP3)

5
Q

Which protocols use the following ports?

123
143
161/162
443

A

123

Network Time Protocol (NTP)

143

Internet Message Access Protocol (IMAP)

161/162

Simple Network Management Protocol (SNMP)

443

HTTP Secure (HTTPS)

6
Q

In order that a computer can be the server for multiple services, _____ are used.

A

In order that a computer can be the server for multiple services, ports are used. A server is said to be “listening” on a port when it has associated itself to that port.

While the administrator can decide which port to use with any given service, many clients are configured to use a specific port by default. It is common practice to leave the service running on its default port. The table lists a few commonly used ports and their services. These are also called “well-known ports”.

7
Q

What is a port said to be?

A

A port is a reserved network resource used by a service.

8
Q

What are clients?

A

Clients are programs or applications designed to communicate with a specific type of server.

A client is a hardware/software combination that people use directly.

Also known as client applications, clients use a well-defined protocol to communicate with the server. Web browsers are web clients that are used to communicate with web servers through the Hyper Text Transfer Protocol (HTTP) on port 80. The File Transfer Protocol (FTP) client is software used to communicate with an FTP server. The figure shows a client uploading files to a server.

9
Q

How are services managed in Linux?

A

In Linux, services are managed using configuration files.

Common options in configuration files are port number, location of the hosted resources, and client authorization details. When the service starts, it looks for its configuration files, loads them into memory, and adjusts itself according to the settings in the files. Configuration file modifications often require restarting the service before the changes take effect.

10
Q

List some basic best practices for hardening.

A

The following are basic best practices for device hardening.

Ensure physical security
Minimize installed packages
Disable unused services
Use SSH and disable the root account login over SSH
Keep the system updated
Disable USB auto-detection
Enforce strong passwords
Force periodic password changes
Keep users from re-using old passwords
11
Q

Name three kinds of events that are recorded in log files.

A

Kernel, services, and application events are all recorded in log files. It is very important for an administrator to periodically review the logs of a computer to keep it healthy. By monitoring Linux log files, an administrator gains a clear picture of the computer’s performance, security status, and any underlying issues. Log file analysis allows an administrator to guard against upcoming issues before they occur.

12
Q

In Linux, log files can be categorized as?

A

In Linux, log files can be categorized as:

Application logs
Event logs
Service logs
System logs

13
Q

What is a daemon?

A

A daemon is a background process that runs without the need for user interaction. For example, the System Security Services Daemon (SSSD) manages remote access and authentication for single sign-on capabilities.

14
Q

/var/log/messages

A

/var/log/messages

This directory contains generic computer activity logs.
It is mainly used to store informational and non-critical system messages.
In Debian-based computers, /var/log/syslog directory serves the same purpose.

15
Q

/var/log/boot.log

A

/var/log/boot.log

This file stores boot-related information and messages logged during the computer startup process.

16
Q

What is the Swap File System?

A

Swap File System

The swap file system is used by Linux when it runs out of RAM.
Technically, it is a swap partition that does not have a specific file system, but it is relevant to the file system discussion.
When this happens, the kernel moves inactive RAM content to the swap partition on the disk.
While swap partitions (also known as swap space) can be useful to Linux computers with a limited amount of memory, they should not be considered as a primary solution.
A swap partition is stored on disk, which has much lower access speeds than RAM.

17
Q

What is HFS+?

A

HFS Plus or HFS+ (Hierarchical File System Plus)

A file system used by Apple in its Macintosh computers.
The Linux kernel includes a module for mounting HFS+ for read-write operations.
18
Q

What is APFS?

A

APFS (Apple File System)

An updated file system that is used by Apple devices. It provides strong encryption and is optimized for flash and solid-state drives.

19
Q

Where is the MBR located?

A

Master Boot Record (MBR)

Located in the first sector of a partitioned computer, the MBR stores all the information about the way in which the file system is organized.
The MBR quickly hands over control to a loading function, which loads the OS.

20
Q

What is mounting?

A

Mounting is the term used for the process of assigning a directory to a partition. After a successful mount operation, the file system contained on the partition is accessible through the specified directory. In this context, the directory is called the mounting point for that file system. Windows users may be familiar with a similar concept; the drive letter.

The command output shows the output of the mount command issued in the Cisco CyberOPS VM.

21
Q

Explain the output from ls -l command for the document space.txt

Output:
(-rwxrw-r--)

A

The file space.txt has the following permissions:

The dash (-) means that this is a file. For directories, the first dash would be a “d”.
The first set of characters is for user permission (rwx). The user, analyst, who owns the file can Read, Write and eXecute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the file can Read and Write to the file.
The third set of characters is for any other user or group permissions (r--). Any other user or group on the computer can only Read the file.
22
Q

Explain the output from “1” to the end.

[analyst@secOps ~]$ ls -l space.txt
-rwxrw-r-- 1 analyst staff 253 May 20 12:49 space.txt

A

The second field defines the number of hard links to the file (the number 1 after the permissions). A hard link creates another file with a different name linked to the same place in the file system (called an inode). This is in contrast to a symbolic link, which is discussed on the next page.

The third and fourth fields display the user (analyst) and group (staff) who own the file, respectively.

The fifth field displays the file size in bytes. The space.txt file has 253 bytes.

The sixth field displays the date and time of the last modification.

The seventh field displays the file name.

23
Q

The only user that can override file permission on a Linux computer is the ____ ____.

A

File permissions are a fundamental part of Linux and cannot be broken. A user has only the rights to a file that the file permissions allow. The only user that can override file permission on a Linux computer is the root user. Because the root user has the power to override file permissions, the root user can write to any file. Because everything is treated as a file, the root user has full control over a Linux computer. Root access is often required before performing maintenance and administrative tasks. Because of the power of the root user, root credentials should use strong passwords and not be shared with anyone other than system administrators and other high-level users.

24
Q

What are the benefits of soft links over hard links?

A

Although symbolic links have a single point of failure (the underlying file), symbolic links have several benefits over hard links:

Locating hard links is more difficult. Symbolic links show the location of the original file in the ls -l command, as shown in the last line of output in the previous command output (mytest.txt -> test.txt).

Hard links are limited to the file system in which they are created. Symbolic links can link to a file in another file system.

Hard links cannot link to a directory because the system itself uses hard links to define the hierarchy of the directory structure. However, symbolic links can link to directories.

25
Q

What does Ubuntu use as its default GUI?

A

Ubuntu Linux uses Gnome 3 as its default GUI. The goal of Gnome 3 is to make Ubuntu even more user-friendly. The table lists the main UI components of Unity.

The figure shows the location of some of the features of the Ubuntu Gnome 3 Desktop.

26
Q

What do the following commands do?
apt-get update
apt-get upgrade

A

The apt-get update command is used to get the package list from the package repository and update the local package database. The apt-get upgrade command is used to update all currently installed packages to their latest versions.

27
Q

Arch Linux and Debian / Ubuntu Linux distributions use different commands to perform basic package system operations. What does each of the following execute/perform?

pacman -S (Arch)
apt install (Debian / Ubuntu)
A

Install a package by name

28
Q

Arch Linux and Debian / Ubuntu Linux distributions use different commands to perform basic package system operations. What does each of the following execute/perform?

pacman -Rs (Arch)
apt remove (Debian / Ubuntu)
A

Remove a package by name.

29
Q

Arch Linux and Debian / Ubuntu Linux distributions use different commands to perform basic package system operations. What does each of the following execute/perform?

pacman -Syy (Arch)
apt-get update (Debian / Ubuntu)

A

Update a local package.

30
Q

Arch Linux and Debian / Ubuntu Linux distributions use different commands to perform basic package system operations. What does each of the following execute/perform?

pacman -Syu (Arch)
apt-get upgrade (Debian / Ubuntu)

A

Upgrade all currently installed packages

31
Q

How do you manually check and install updates via the GUI?

A

A Linux GUI can also be used to manually check and install updates. In Ubuntu for example, to install updates you would click Dash Search Box, type software updater, and then click the Software Updater icon, as shown in the figure.

32
Q

What is a process?

A

A process is a running instance of a computer program. Multitasking operating systems can execute many processes at the same time.

33
Q

What is forking?

A

Forking is a method that the kernel uses to allow a process to create a copy of itself. Processes need a way to create new processes in multitasking operating systems. The fork operation is the only way of doing so in Linux.

34
Q

Why is forking important?

A

Forking is important for many reasons. One of them relates to process scalability. Apache, a popular web server, is a good example. By forking itself, Apache is able to serve a large number of requests with fewer system resources than a single-process-based server.

When a process calls a fork, the caller process becomes the parent process, with the newly created process referred to as its child. After the fork, the processes are, to some extent, independent processes; they have different process IDs but run the same program code.

35
Q

What does the ps command accomplish?

A

ps

Used to list the processes running on the computer at the time it is invoked.
It can be instructed to display running processes that belong to the current user or other users.
While listing processes does not require root privileges, killing or modifying other users’ processes does.

36
Q

What does the top command accomplish?

A

top

Used to list running processes, but unlike ps, top keeps displaying running processes dynamically.
Press q to exit top.

37
Q

What does the kill command accomplish?

A

kill

Used to modify the behavior of a specific process.
Depending on the parameters, kill will remove, restart, or pause a process.
In many cases, the user will run ps or top before running kill.
This is done so the user can learn the PID of a process before running kill.

38
Q

What is a rootkit?

A

A rootkit is a type of malware that is designed to increase an unauthorized user’s privileges or grant access to portions of the software that should not normally be allowed. Rootkits are also often used to secure a backdoor to a compromised computer.

The installation of a rootkit can be automated (done as part of an infection) or an attacker can manually install it after compromising a computer. A rootkit is destructive because it changes kernel code and its modules, changing the most fundamental operations of the OS itself.

With such a deep level of compromise, rootkits can hide the intrusion, remove any installation tracks, and even tamper with troubleshooting and diagnostic tools so that their output now hides the presence of the rootkit. While a few Linux vulnerabilities through history have allowed rootkit installation via regular user accounts, the vast majority of rootkit compromises require root or administrator access.

39
Q

How can you detect and remove rootkits?

A

Because the very nature of the computer is compromised, rootkit detection can be very difficult. Typical detection methods often include booting the computer from trusted media such as a diagnostics operating system live CD. The compromised drive is mounted and, from the trusted system toolset, trusted diagnostic tools can be launched to inspect the compromised file system. Inspection methods include behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.

Rootkit removal can be complicated and often impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system is usually the only real solution to the problem. Firmware rootkits usually require hardware replacement.

40
Q

What is a popular Linux-based program designed to check the computer for known rootkits?

A

chkrootkit is a popular Linux-based program designed to check the computer for known rootkits. It is a shell script that uses common Linux tools such as strings and grep to compare the signatures of core programs. It also looks for discrepancies as it traverses the /proc file system comparing the signatures found there with the output of ps.

While helpful, keep in mind that programs to check for rootkits are not 100% reliable.

The command output shows the output of chkrootkit on an Ubuntu Linux.

41
Q

What are piping commands?

A

Although command line tools are usually designed to perform a specific, well-defined task, many commands can be combined to perform more complex tasks by a technique known as piping. Named after its defining character, the pipe (|), piping consists of chaining commands together, feeding the output of one command into the input of another.

For example, the ls command is used to display all the files and directories of a given directory. The grep command searches through a file or text looking for the specified string. If found, grep displays the entire contents of the folder where the string was found.

The two commands, ls and grep, can be piped together to filter out the output of ls. This is shown in the output of the ls -l | grep host command and the ls -l | grep file command.

42
Q

What is the customized version of Linux that contains software and tools designed for use in network security monitoring by cybersecurity analysts?

A

A customized version of Linux that is called Security Onion contains software and tools that are designed for use in network security monitoring by cybersecurity analysts.

43
Q

How are file systems mounted in Linux?

A

File systems are mounted on partitions and accessed through mounting points, or directories. Windows drive letters are examples of mounting points. The mount command can be used to display details of the file systems that are currently mounted on a Linux computer. The root file system is represented by the “/” symbol. It contains all of the files in the computer by default.