Before you start
Learn what these tutorials can teach you and how you can get the most from them.
The Linux Professional Institute (LPI) certifies Linux system administrators at two levels: junior level (also called "certification level 1") and intermediate level (also called "certification level 2"). To attain certification level 1, you must pass exams 101 and 102; to attain certification level 2, you must pass exams 201 and 202.
developerWorks offers tutorials to help you prepare for each of the four exams. Each exam covers several topics, and each topic has a corresponding self-study tutorial on developerWorks. For LPI exam 202, the seven topics and corresponding developerWorks tutorials are:
| LPI exam 202 topic | developerWorks tutorial | Tutorial summary |
|---|---|---|
| Topic 205 | LPI exam 202 prep (topic 205): | Learn how to configure a basic TCP/IP network, from the hardware layer (usually Ethernet, modem, ISDN, or 802.11) through the routing of network addresses. |
| Topic 206 | LPI exam 202 prep (topic 206): Mail and news | Learn how to use Linux as a mail server and as a news server. Learn about mail transport, local mail filtering, mailing list maintenance software, and server software for the NNTP protocol. |
| Topic 207 | LPI exam 202 prep (topic 207): | Learn how to use Linux as a DNS server, chiefly using BIND. Learn how to perform a basic BIND configuration, manage DNS zones, and secure a DNS server. |
| Topic 208 | LPI exam 202 prep (topic 208): | Learn how to install and configure the Apache Web server, and learn how to implement the Squid proxy server. |
| Topic 210 | LPI exam 202 prep (topic 210): Network client management | Learn how to configure a DHCP server, an NIS client and server, an LDAP server, and PAM authentication support. See detailed objectives below. |
| Topic 212 | LPI exam 202 prep (topic 212): | (This tutorial) Learn how to configure a router, secure FTP servers, configure SSH, and perform various other security administration tasks. See detailed objectives below. |
| Topic 214 | LPI exam 202 prep (topic 214): | |
To start preparing for certification level 1, see the developerWorks tutorials for LPI exam 101. To prepare for the other exam in certification level 2, see the developerWorks tutorials for LPI exam 201. Read more about the entire set of developerWorks LPI tutorials.
The Linux Professional Institute does not endorse any third-party exam preparation material or techniques in particular. For details, please contact firstname.lastname@example.org.
Welcome to "System security," the sixth of seven tutorials covering intermediate network administration on Linux. In this tutorial, you learn about a wide array of topics related to using Linux as a security-conscious network server. Such issues as routing, firewalls, and NAT translation (and the tools to manage them) are covered, as well as setting security policies for FTP and SSH. You also learn about general access control with tcpd, hosts.allow, and friends (revisiting the discussion in LPI exam 201 prep (topic 209): File and service sharing). Finally, you learn about some basic security monitoring tools, as well as where to find security resources.
As with the other tutorials in the developerWorks 201 and 202 series, this tutorial is intended to serve as a study guide and entry point for exam preparation, rather than complete documentation on the subject. Readers are encouraged to consult LPI's detailed objectives list and to supplement the information provided here with other material as needed.
This tutorial is organized according to the LPI objectives for this topic. Very roughly, expect more questions on the exam for objectives with higher weight.
| LPI exam objective | Objective weight | Objective summary |
|---|---|---|
| Configuring a router | Weight 2 | Configure a system to perform network address translation (NAT, IP masquerading), and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules, and averting attacks. |
| Securing FTP servers | Weight 2 | Configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access. |
| Secure shell (SSH) | Weight 2 | Configure an SSH daemon. This objective includes managing keys, configuring SSH for users, forwarding an application protocol over SSH, and managing the SSH login. |
| | Weight 1 | Configure tcpwrappers to allow connections to specified servers only from certain hosts or subnets. |
| | Weight 3 | Install and configure a secure authentication system; perform basic security auditing of source code; receive security alerts from various sources; audit servers for open e-mail relays and anonymous FTP servers; install, configure, and run intrusion detection systems; and apply security patches and bug fixes. |
To get the most from this tutorial, you should already have a basic knowledge of Linux and a working Linux system on which you can practice the commands covered in this tutorial.
As with most Linux tools, it is always useful to examine the manpages for any utilities discussed. Versions and switches might change between utility or kernel versions or between Linux distributions. For more in-depth information, the Linux Documentation Project has a variety of useful documents, especially its HOWTOs. Also, a variety of books on Linux system security have been published; I have found O'Reilly's TCP/IP Network Administration, by Craig Hunt, to be quite helpful. See the Resources section for links.