LPIC-2 202-450 Deep Dive: Directory Services, Web Hosting, File Sharing, and Security
The LPIC-2 202-450 exam is the second of two exams required for the LPIC-2 certification. It covers DNS and web services, file sharing with NFS and Samba, email and directory services, system security, and operational troubleshooting.
This guide covers each objective with the commands, configuration files, and concepts tested on the exam.
Topic 207: DNS and DHCP (weight 10)
207.1 Configure DNS Server (BIND)
BIND configuration files:
| File | Purpose |
|---|---|
/etc/bind/named.conf | Main configuration (Debian) |
/etc/named.conf | Main configuration (RHEL) |
/var/named/ | Zone data files |
/etc/bind/db.root | Root hints |
/etc/bind/rndc.key | RNDC authentication key |
named.conf structure:
options {
directory "/var/named";
listen-on port 53 { any; };
allow-query { localhost; 192.168.1.0/24; };
recursion yes;
forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "example.com" IN {
type master;
file "db.example.com";
allow-transfer { 192.168.1.2; }; # Slave DNS
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "db.192.168.1";
};
zone "." IN {
type hint;
file "db.root";
};
Forward zone file (db.example.com):
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2026071301 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
@ IN MX 10 mail.example.com.
@ IN A 192.168.1.10
ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
mail IN A 192.168.1.20
www IN CNAME example.com.
ftp IN CNAME example.com.
Reverse zone file (db.192.168.1):
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2026071301 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
10 IN PTR ns1.example.com.
10 IN PTR example.com.
11 IN PTR ns2.example.com.
20 IN PTR mail.example.com.
BIND management:
# Check configuration
named-checkconf /etc/named.conf
named-checkzone example.com /var/named/db.example.com
# Control BIND
rndc status
rndc reload
rndc flush
rndc stop
rndc querylog
systemctl restart named
# DNSSEC
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-signzone -o example.com db.example.com
# Logging
channel default_log {
file "/var/log/named.log" versions 3 size 5m;
severity info;
print-time yes;
};
207.2 Configure DNS Client
# /etc/resolv.conf
search example.com
nameserver 192.168.1.10
nameserver 8.8.8.8
options timeout:2 attempts:3 rotate
# Testing DNS
dig example.com
dig @192.168.1.10 example.com
dig -x 192.168.1.10 # Reverse lookup
dig example.com MX # Mail exchange record
dig example.com NS # Name server records
dig example.com ANY # All records (deprecated)
host example.com
host -t MX example.com
host -l example.com # Zone transfer
nslookup
> server 192.168.1.10
> set type=MX
> example.com
# Zone transfer test
dig @192.168.1.10 example.com AXFR
# Check resolver
getent hosts example.com
getent services http
cat /etc/nsswitch.conf
207.3 Configure DHCP Server (ISC DHCP)
cat /etc/dhcp/dhcpd.conf
# DHCP configuration
option domain-name "example.com";
option domain-name-servers 192.168.1.10, 8.8.8.8;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option broadcast-address 192.168.1.255;
}
host webserver {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.10;
}
# DHCPv6
subnet6 2001:db8::/64 {
range6 2001:db8::100 2001:db8::200;
option dhcp6.name-servers 2001:db8::1;
}
# DHCP management
dhcpd -t # Test configuration
dhcpd -d -f # Debug mode (foreground)
cat /var/lib/dhcp/dhcpd.leases # Lease database
dhcp-lease-list # Show active leases
systemctl restart isc-dhcp-server
207.4 DHCP Client Configuration
# dhclient
dhclient eth0
dhclient -r eth0 # Release
dhclient -v eth0 # Verbose
# NetworkManager
nmcli connection down eth0
nmcli connection up eth0
# /etc/network/interfaces (Debian)
# auto eth0
# iface eth0 inet dhcp
# systemd-networkd
cat /etc/systemd/network/20-wired.network
# [Match]
# Name=eth0
# [Network]
# DHCP=yes
# Lease files
cat /var/lib/dhcp/dhclient.leases
cat /var/lib/dhcp/dhclient.eth0.leases
# DHCP troubleshooting
dhclient -v eth0 # See negotiation
tcpdump -i eth0 port 67 or port 68 # Watch DHCP traffic
Topic 208: Web Services (weight 8)
208.1 Configure Apache HTTPD
Apache configuration files:
| File | Purpose |
|---|---|
/etc/apache2/apache2.conf | Main config (Debian) |
/etc/httpd/conf/httpd.conf | Main config (RHEL) |
/etc/apache2/sites-available/ | Virtual hosts (Debian) |
/etc/apache2/sites-enabled/ | Enabled vhosts (Debian) |
/etc/httpd/conf.d/ | Additional config (RHEL) |
/var/log/apache2/access.log | Access log |
/var/log/apache2/error.log | Error log |
Virtual host configuration:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example
ErrorLog ${APACHE_LOG_DIR}/example-error.log
CustomLog ${APACHE_LOG_DIR}/example-access.log combined
<Directory /var/www/example>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/example
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
<Directory /var/www/example>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Apache management:
# Debian
a2ensite example.com
a2dissite example.com
a2enmod rewrite
a2enmod ssl
a2dismod autoindex
# RHEL
systemctl enable httpd
systemctl restart httpd
# Configuration test
apachectl configtest
apachectl -S # Show virtual hosts
apachectl -M # Show loaded modules
# Log analysis
tail -f /var/log/apache2/access.log
awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -10 # Top IPs
208.2 Apache Configuration for HTTPS
# Enable SSL
a2enmod ssl (Debian)
LoadModule ssl_module modules/mod_ssl.so (RHEL)
# Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/server.key \
-out /etc/ssl/certs/server.crt
# Let's Encrypt (certbot)
certbot --apache -d example.com -d www.example.com
certbot renew --dry-run
# SSL configuration directives
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProtocol all -TLSv1 -TLSv1.1
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000"
208.3 Configure Squid Proxy
# Squid configuration
cat /etc/squid/squid.conf
# Access control
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1
acl SSL_ports port 443
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777
http_access allow localnet
http_access deny all
# Cache
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 256 MB
maximum_object_size 4 MB
# Authentication
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# Transparent proxy
http_port 3128 transparent
# Management
squid -z # Initialize cache directories
squid -k parse # Test config
squid -k reconfigure # Reload
squid -k shutdown
systemctl restart squid
# Logs
cat /var/log/squid/access.log
cat /var/log/squid/cache.log
208.4 Configure Nginx
# Nginx configuration structure
cat /etc/nginx/nginx.conf
# Virtual host
server {
listen 80;
server_name example.com www.example.com;
root /var/www/example;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
location /images/ {
root /var/www;
expires 30d;
}
location /api/ {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# SSL
listen 443 ssl;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
ssl_protocols TLSv1.2 TLSv1.3;
}
# Management
nginx -t # Test config
nginx -s reload
nginx -s stop
systemctl restart nginx
# Logs
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
208.5 Configure Reverse Proxy
# Apache reverse proxy
a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests
<VirtualHost *:80>
ServerName app.example.com
ProxyPass /app1 http://backend1:8080/
ProxyPassReverse /app1 http://backend1:8080/
ProxyPass /app2 http://backend2:8080/
ProxyPassReverse /app2 http://backend2:8080/
<Proxy balancer://mycluster>
BalancerMember http://app1:8080
BalancerMember http://app2:8080
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass / balancer://mycluster/
</VirtualHost>
# Nginx reverse proxy
location / {
proxy_pass http://backend_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Nginx load balancing
upstream backend {
server backend1.example.com weight=3;
server backend2.example.com;
server backend3.example.com backup;
}
server {
location / {
proxy_pass http://backend;
}
}
Topic 209: File Sharing (weight 7)
209.1 Configure Samba
Samba configuration (/etc/samba/smb.conf):
[global]
workgroup = WORKGROUP
server string = %h Samba Server
netbios name = fileserver
security = user
map to guest = bad user
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
[shared]
path = /srv/samba/shared
browseable = yes
read only = no
guest ok = no
valid users = @staff
create mask = 0644
directory mask = 0755
[public]
path = /srv/samba/public
browseable = yes
read only = yes
guest ok = yes
[homes]
browseable = no
read only = no
valid users = %S
Samba management:
# Test configuration
testparm
# Add Samba users
smbpasswd -a alice
pdbedit -a -u alice
pdbedit -L # List users
# Mount Samba share
mount -t cifs //server/share /mnt/smb -o username=alice
mount -t cifs //server/share /mnt/smb -o credentials=/etc/smb.txt
# /etc/fstab
//server/share /mnt/smb cifs credentials=/etc/smb.txt,uid=1000,gid=1000 0 0
# Management
smbstatus # Active connections
smbcontrol smbd reload-config
systemctl restart smbd
systemctl restart nmbd # NetBIOS name resolution
# Logs
tail -f /var/log/samba/log.smbd
209.2 Configure NFS
NFS server configuration:
# /etc/exports
/nfs/shared 192.168.1.0/24(rw,sync,no_subtree_check)
/nfs/backups 192.168.1.10(rw,sync,no_root_squash)
/nfs/public *(ro,sync,no_subtree_check)
# Export options
# rw — read-write
# ro — read-only
# sync — write changes synchronously
# async — write asynchronously (faster, less safe)
# no_subtree_check — disable subtree checking
# root_squash — map root to nobody (default)
# no_root_squash — root retains privileges (dangerous)
# all_squash — map all users to nobody
# NFS management
exportfs -a # Export all
exportfs -r # Re-export after changes
exportfs -v # Show exports
exportfs -u 192.168.1.10:/nfs/shared # Unexport
showmount -e localhost # Show exports
showmount -a # Show connected clients
# NFS server services
systemctl restart nfs-kernel-server # Debian
systemctl restart nfs-server # RHEL
# NFS client
mount -t nfs4 server:/nfs/shared /mnt/nfs
mount -t nfs server:/nfs/shared /mnt/nfs -o nfsvers=4
# /etc/fstab
server:/nfs/shared /mnt/nfs nfs4 defaults,timeo=30,retrans=3 0 0
# NFS status
nfsstat
cat /proc/fs/nfsd/versions
cat /etc/default/nfs-kernel-server
# NFSv4 ID mapping
cat /etc/idmapd.conf
# [General]
# Domain = example.com
209.3 Transfer Files
# SCP
scp file.txt user@host:/path/
scp -r dir/ user@host:/path/
scp -P 2222 file.txt user@host:/path/ # Custom port
# SFTP
sftp user@host
> put local.txt
> get remote.txt
> ls
> cd
# rsync (over SSH)
rsync -avz /local/dir/ user@host:/remote/dir/
rsync -avz --progress user@host:/remote/dir/ /local/dir/
# FTP
# vsftpd configuration: /etc/vsftpd.conf
ftp ftp.example.com
> get file.txt
> put local.txt
> ls
> binary # Binary transfer mode
> ascii # Text transfer mode
# wget
wget https://example.com/file.tar.gz
wget -c https://example.com/large-file.iso # Resume
wget -r https://example.com/dir/ # Recursive
# curl
curl -O https://example.com/file.tar.gz
curl -o localname https://example.com/file
curl -L https://example.com/redirect # Follow redirects
Topic 210: Network Client Management (weight 6)
210.1 DHCP Configuration
Already covered in 207.3 and 207.4.
210.2 PAM Authentication
# PAM configuration files
cat /etc/pam.d/login
cat /etc/pam.d/sshd
cat /etc/pam.d/sudo
cat /etc/pam.d/common-auth # Debian
cat /etc/pam.d/system-auth # RHEL
# PAM module types
# auth — authentication (password, biometric)
# account — non-auth checks (account expired, time restrictions)
# password — password change operations
# session — setup session (mount home, log)
# Control flags
# required — must pass, continues even on failure
# requisite — must pass, stops on failure
# sufficient — if pass, skip remaining modules
# optional — not required
# Example: /etc/pam.d/sshd
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
# PAM modules
pam_unix.so # Standard Unix auth (/etc/passwd, /etc/shadow)
pam_ldap.so # LDAP authentication
pam_krb5.so # Kerberos authentication
pam_limits.so # /etc/security/limits.conf
pam_deny.so # Always deny (default)
pam_permit.so # Always permit
pam_wheel.so # Restrict to wheel group
pam_tally2.so # Lock after failed attempts
pam_cracklib.so # Password strength check
pam_listfile.so # Restrict based on file lists
# Manage PAM
pam_tally2 --user alice --reset # Reset failed login count
210.3 LDAP Client Configuration
# OpenLDAP client config
cat /etc/ldap/ldap.conf
# BASE dc=example,dc=com
# URI ldap://ldap.example.com
# TLS_CACERT /etc/ssl/certs/ca.crt
# LDAP search
ldapsearch -x -b "dc=example,dc=com" "(uid=alice)"
ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" "(&(uid=alice)(objectClass=posixAccount))"
# Bind as user
ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
# LDAP troubleshooting
ldapwhoami -x -D "cn=admin,dc=example,dc=com" -W
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f newuser.ldif
ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify.ldif
ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=bob,dc=example,dc=com"
# LDIF format
# dn: uid=alice,ou=people,dc=example,dc=com
# objectClass: inetOrgPerson
# objectClass: posixAccount
# cn: Alice Smith
# sn: Smith
# uid: alice
# uidNumber: 1001
# gidNumber: 100
# homeDirectory: /home/alice
# loginShell: /bin/bash
# userPassword: {SSHA}encryptedpassword
# nsswitch.conf with LDAP
cat /etc/nsswitch.conf
# passwd: files ldap
# group: files ldap
# shadow: files ldap
Topic 211: Email Services (weight 4)
211.1 Manage Mail Queues
# Postfix queue management
mailq # Show queue
postqueue -p # Same as mailq
postqueue -f # Flush queue
postsuper -d ALL # Delete all messages
postsuper -d queue_id # Delete specific message
postsuper -r queue_id # Requeue (re-attempt delivery)
postsuper -H queue_id # Hold message
postsuper -h queue_id # Unhold
postqueue -s # Schedule deferred delivery
# Mail queue locations
/var/spool/postfix/maildrop/ # Incoming
/var/spool/postfix/incoming/ # In queue
/var/spool/postfix/active/ # Being processed
/var/spool/postfix/deferred/ # Deferred (delivery failed)
/var/spool/postfix/defer/ # Deferral details
/var/spool/postfix/bounce/ # Bounce messages
/var/spool/postfix/hold/ # Held messages
211.2 Configure Mail Transfer Agent (Postfix)
# Main config
cat /etc/postfix/main.cf
# Basic configuration
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# Relay control
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Virtual domains
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
# Restrictions
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
# Access control
cat /etc/postfix/access
# spammer@example.com REJECT
# example.com OK
postmap /etc/postfix/access
# Management
postfix check # Check config
postfix reload
postfix stop
postfix start
systemctl restart postfix
211.3 Mail-Related Logging
# Postfix logs
tail -f /var/log/mail.log # Debian
tail -f /var/log/maillog # RHEL
# Log analysis
pflogsumm /var/log/mail.log # Postfix log summary
grep "status=sent" /var/log/mail.log | wc -l # Sent count
grep "status=bounced" /var/log/mail.log | wc -l # Bounce count
grep "reject" /var/log/mail.log | tail -20
# Postfix activity
postfix flush # Force delivery attempt
qshape deferred # Deferred queue patterns
mailq | grep -c "^[0-9A-F]" # Queue size
# Track specific email
grep "alice@example.com" /var/log/mail.log
Topic 212: System Security (weight 12)
212.1 Configure Router Security
# Kernel network parameters
sysctl net.ipv4.ip_forward
sysctl net.ipv4.conf.all.rp_filter=1 # Reverse path filtering
sysctl net.ipv4.conf.default.accept_source_route=0
sysctl net.ipv4.tcp_syncookies=1 # SYN flood protection
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv6.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.log_martians=1
# iptables rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# NAT/forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# Save and restore
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
212.2 Manage SSH Servers and Clients
cat /etc/ssh/sshd_config
# Security hardening
Port 2222 # Non-default port
PermitRootLogin no # Disable root login
PasswordAuthentication no # Key-only auth
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512
AllowUsers alice bob # Restrict users
AllowGroups ssh-users # Restrict groups
MaxAuthTries 3 # Max auth attempts
ClientAliveInterval 300 # Keepalive
ClientAliveCountMax 0
UseDNS no # Skip DNS reverse lookup (faster)
X11Forwarding no # Disable X11 forwarding
AllowTcpForwarding yes # For port forwarding
# SSH client config (~/.ssh/config)
Host *.example.com
User alice
Port 2222
IdentityFile ~/.ssh/ed25519
ForwardAgent yes
Host myserver
HostName 192.168.1.10
User alice
LocalForward 8080 localhost:80 # Local port forwarding
RemoteForward 9090 localhost:80 # Remote forwarding
# SSH tunneling
ssh -L 8080:localhost:80 user@host # Local tunnel
ssh -R 9090:localhost:80 user@host # Remote tunnel
ssh -D 1080 user@host # SOCKS proxy
# SSH agent forwarding
ssh -A user@host
# Forward your local SSH agent for chained logins
# SSH key management
ssh-keygen -t ed25519 -f ~/.ssh/server_key
ssh-copy-id -i ~/.ssh/server_key.pub user@host
ssh-add ~/.ssh/server_key
# Restrict key to specific commands
cat ~/.ssh/authorized_keys
# command="/usr/bin/rsync --server -vlogDtprze.iLsf . /backup" ssh-ed25519 AAAA...
212.3 Security Tasks
# Port scanning
nmap localhost
nmap -sV 192.168.1.0/24 # Service version detection
nmap -O 192.168.1.10 # OS detection
nmap -sS -p 1-65535 host # SYN scan all ports
# Intrusion detection
rkhunter --check # Rootkit hunter
chkrootkit # Alternative rootkit checker
tripwire --check # File integrity checker
aide --check # Advanced intrusion detection
# Open file security
lsof -i :22 # Who's connected on port 22
lsof +D /var/www # Open files in directory
fuser -v /var/www # Processes using directory
fuser 80/tcp # Process using port 80
# System audit
auditctl -l # List audit rules
auditctl -a exit,always -S execve # Audit all command execution
ausearch -c /usr/bin/ssh # Search audit log
aureport -x # Executable summary
# Logwatch
logwatch --detail High --mailto admin@example.com
# psacct / acct process accounting
accton /var/log/account/pacct
lastcomm # Show last commands executed
sa # Process accounting summary
212.4 Configure OpenVPN
# Server configuration
cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.10"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
# Generate keys
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
openvpn --genkey --secret ta.key # TLS auth key
# Client config
cat client.ovpn
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
# Management
systemctl start openvpn@server
systemctl enable openvpn@server
tail -f /var/log/openvpn.log
212.5 Security and System Policies
# AppArmor
aa-status # Show profiles
aa-enforce /path/to/binary # Enforce profile
aa-complain /path/to/binary # Log violations only
cat /etc/apparmor.d/bin.ping
# SELinux
getenforce # Show mode (Enforcing/Permissive/Disabled)
setenforce 0 # Set permissive
setenforce 1 # Set enforcing
sestatus # Full SELinux status
ls -Z /etc/shadow # Security context
chcon -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html
semanage port -a -t http_port_t -p tcp 8080
ausearch -m avc # SELinux denial audit
# chroot jail
chroot /newroot /bin/bash
# Classic chroot jail: copy binaries and libraries
mkdir -p /jail/{bin,lib64,etc}
cp /bin/bash /jail/bin/
ldd /bin/bash # Find required libraries
cp /lib64/lib* /jail/lib64/
chroot /jail /bin/bash
# systemd security
systemd-analyze security sshd.service # Security score
cat /etc/systemd/system/service.d/override.conf
# [Service]
# ProtectSystem=full
# ProtectHome=true
# PrivateTmp=true
# NoNewPrivileges=true
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Topic 213: Troubleshooting (weight 8)
213.1 Identify and Troubleshooting Boot Issues
# Boot failure debugging
# 1. Check kernel messages
dmesg | grep -i error
dmesg | grep -i fail
# 2. Check systemd journal
journalctl -xb # Boot log with explanations
journalctl -p err # Error priority
journalctl -k # Kernel messages for this boot
# 3. Check filesystem
fsck /dev/sda1
fsck -y /dev/sda1 # Auto repair
# 4. Hardware check
lshw
dmidecode # BIOS/DMI information
cat /proc/cpuinfo
cat /proc/meminfo
# Rescue media steps
# 1. Boot from live CD/USB
# 2. Mount root filesystem
# 3. Chroot
# 4. Fix issues (reinstall GRUB, fix fstab, repair packages)
# GRUB rescue
# At grub> prompt:
ls # List drives
set root=(hd0,msdos1)
linux /vmlinuz root=/dev/sda1
initrd /initrd.img
boot
213.2 Identify and Troubleshoot Resource Problems
# CPU
top -b -n 1 | head -20
htop
mpstat -P ALL 2 5
perf top # Live profiling
strace -p PID # System calls
ltrace -p PID # Library calls
# Memory
free -h
vmstat 2 10
cat /proc/meminfo
ps aux --sort=-%mem | head -10
smem -t -k # Per-process with shared memory
# Disk I/O
iostat -x 2 5
iotop
pidstat -d 2 5
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT,FSTYPE,MODEL
# Network
ss -tulpn
ss -tan state established
netstat -i # Interface statistics
ethtool eth0 # NIC diagnostics
mii-tool eth0 # Link status (legacy)
# Segfault analysis
dmesg | tail -20 # kernel: segfault at ...
coredumpctl list
coredumpctl info PID
gdb -c core /usr/bin/program
213.3 Troubleshoot System Configurations
# strace (system call trace)
strace ls /tmp
strace -e open,read ls
strace -p 1234 # Attach to running process
strace -f command # Follow forks
strace -c command # Summary only
# ltrace (library call trace)
ltrace ls
ltrace -e malloc+free command # Trace memory allocation
# lsof (list open files)
lsof
lsof /var/log/syslog
lsof -u alice
lsof -i :80
lsof -p 1234
# tcpdump
tcpdump -i eth0 port 80 or port 443
tcpdump -i eth0 -w /tmp/capture.pcap
tcpdump -r /tmp/capture.pcap | head -50
# System rescue
# Check dmesg for hardware errors
# Check /var/log/syslog for service failures
# Check disk space with df -h
# Check inode usage with df -i
# Check for zombie processes with ps aux | grep Z
Exam Tips
- BIND and Postfix are the most configuration-heavy topics — practice writing zone files and main.cf from scratch.
- Know iptables syntax thoroughly — chains, tables, targets, state matching, NAT rules.
- Samba and NFS come up in scenario-based questions — understand permissions mapping between Linux and Windows.
- PAM module stacking — know the order and control flags (required/requisite/sufficient/optional).
- Understand OpenVPN key generation — CA, server, client certificate chain.
- Log analysis is critical — know where Postfix, Apache, and Samba keep their logs.
Test Your Knowledge with Practice Exams
Ready to put this knowledge to the test? Our LPI practice portal includes 200+ realistic questions covering LPIC-1, LPIC-2, LPIC-3, and DevOps Tools Engineer certifications. Study mode, timed exams, domain breakdowns, and weak-area analysis included.
Related Articles
- LPIC-2 201-450 Deep Dive — System startup, kernel, storage, and advanced networking
- LPIC-2 Certification Guide — Overview of the full LPIC-2 certification path
- LPIC-1 101-500 Deep Dive — System architecture and package management fundamentals
- LPIC-1 102-500 Deep Dive — Shell scripting, networking, and security basics
- LPIC-1 & LPIC-2 Command Cheat Sheet — Quick reference for essential commands
- 50 Free LPIC-2 Practice Questions — Test your knowledge across all LPIC-2 topics
- Browse All LPI Resources — Full library of study guides, deep dives, and practice questions