Chapter 18 Flashcards

Overseeing Linux Firewalls

1
Q

Summarize various firewall features. 

A

A firewall ACL identifies which network packets are allowed in or out. A stateless firewall views each packet’s control information and decides what to do with the packet based on the defined ACL rules. A stateful firewall tracks active network connections, such as TCP and UDP; keeps an eye on network status; and can determine if packets have been fragmented. Firewalls employ the /etc/services file, which documents the standard application service names and their corresponding port numbers, protocols, and aliases.

2
Q

Describe firewalld and its commands. 

A

For the firewalld service, network traffic is grouped into a zone, which is a predefined rule set. Each zone has a configuration file that defines this rule set; zones are also called trust levels. The firewalld zone configuration files are stored in the /usr/lib/firewalld/zones/ directory. Customized or user-created zone configuration files are stored in the /etc/firewalld/zones/ directory. For firewalld, a service is a predefined configuration set for a particular service, such as DNS. When you modify the firewalld configuration, by default you modify the runtime environment, which is the active configuration. The permanent environment is the firewall settings within the configuration files. The firewall-cmd utility allows you to view and interact with firewalld.

3
Q

Describe iptables and its commands. 

A

The iptables firewall service uses a series of processes called chains to handle network packets that enter the system. The chains determine the path each packet takes to the appropriate application as it enters the Linux system. Each chain has a policy value and contains tables that define rules for handling the packets. ACL rules in iptables have target values for identified packets, which determine the action taken on them. The iptables command allows you to view and interact with the various iptables configuration settings.

4
Q

Describe UFW and its commands. 

A

The Uncomplicated Firewall (UFW) is the default firewall service on Ubuntu distributions. It is configured with the ufw command-line utility or with Gufw for the GUI. Default UFW policies are stored in the /etc/default/ufw configuration file. When creating new UFW rules, you can use either simple or full syntax. User-added UFW rules are stored in the /etc/ufw/user.rules file. UFW uses profiles for common applications and daemons, and they are stored in the /etc/ufw/applications.d/ directory.

5
Q

Explain how to dynamically change packet filtering. 

A

The DenyHosts application is a Python script that helps protect against brute-force attacks coming through OpenSSH. It monitors sshd log messages and modifies the /etc/hosts.deny file to block an identified attack. The Fail2Ban service also monitors system logs, looking for repeated failures from the same host. If it detects a problem, Fail2Ban blocks the IP address of the offending host. An IPset is a named set of IP addresses, network interfaces, ports, MAC addresses, or subnets. By creating these sets, you can easily block the groupings through a firewall.

6
Q

Which of the following is true concerning firewalls on Linux that were covered in this chapter? (Choose all that apply.)

They use ACLs for allowing packets.
They detect malicious behavior.
They inspect network packet control information.
They use iptables embedded in the Linux kernel.
They employ configuration files for persistency.
A

A, C, E. The Linux firewall applications covered in this chapter use access control lists (ACLs) to identify which network packets are allowed in or out of the system. Therefore, option A is a correct answer. They identify the network packets by inspecting their control information along with other network data. Thus, option C is also a correct choice. In addition, the Linux firewall applications use configuration files to maintain persistency, which allows the firewall configuration to survive system reboots and/or the firewall application being started or reloaded. Therefore, option E is also a correct answer. These firewalls cannot detect malicious behavior; they only follow predefined rules. Therefore, option B is a wrong answer. In addition, they use netfilter embedded in the Linux kernel and not iptables (which is instead a firewall service), so option D is also an incorrect choice.

7
Q

Which of the following options best describes packet filtering?

Identifying network packets via their control information and allowing them into the system
Identifying network packets via their control information and determining what to do based on ACL rules
Identifying network packets via their payload and determining what to do based on ACL rules
Identifying network packets by their source address and determining what to do based on ACL rules
Identifying network packets by their payload and determining what to do based on their source address
A

B. Option B best describes packet filtering. Option A describes how packets are identified but only allows them into the system, and therefore is not the best answer. A packet’s payload refers to the data it is carrying. In packet filtering, packets are identified by their control information, such as their source IP address. Therefore, option C is not the correct answer either. Network packets can be identified by much more than just their source address, making option D a wrong answer. Option E is also a wrong answer because it focuses on the packet’s payload and not its control information.

8
Q

Which of the following are benefits of a stateful firewall over a stateless firewall? (Choose all that apply.)

It operates faster.
It is not as vulnerable to DDoS attacks.
It determines if packets are fragmented.
It operates faster for established connections.
It is vulnerable to DDoS attacks.
A

C, D. A stateful firewall uses a memory table to track an established connection’s packets, making it faster for those connections. In addition, it can tell if packets are fragmented and thus protects the system from attacks that spread among multiple packets. Therefore, options C and D are the correct answers. Stateless firewalls operate faster overall, and they are not as vulnerable to DDoS attacks. Thus, options A and B are wrong answers. While stateful firewalls are vulnerable to DDoS attacks, it is not a benefit. Therefore, option E is also an incorrect choice.

9
Q

The firewalld service uses _____ , which is a predefined rule set.

netfilter
firewall-cmd
Services
reject
Zones
A

E. With firewalld, network traffic is grouped into a zone, which is a predefined rule set, also called a trust level. Therefore, option E is the correct answer. While firewalld does employ netfilter and the firewall-cmd command, those items are not predefined rule sets, so options A and B are wrong answers. A service is a predefined configuration set for a particular service, such as DNS. Therefore, option C is an incorrect answer as well. Option D is an incorrect choice because the zone that rejects packets is called block.

10
Q

Peter, a Linux system administrator, has been testing a new firewalld configuration. The test was successful. What should Peter do next?

Using super user privileges, issue the reboot command.
Using super user privileges, issue the firewall-cmd --panic-on command.
Nothing. If the test was successful, the runtime environment is the permanent environment.
Issue the firewall-cmd --runtime-to-permanent command using super user privileges.
Issue another firewall-cmd command, but add the --permanent option to it.
A

D. The firewalld runtime environment is the active firewall, but if the configuration is not saved as the permanent environment, it is not persistent. Therefore, after his successful tests, he should issue the firewall-cmd --runtime-to-permanent command to save the runtime environment to the permanent environment. Thus, option D is the correct answer. Rebooting the system would lose the tested runtime environment, so option A is a wrong answer. The --panic-on option blocks all incoming traffic, so option B is also an incorrect answer. The runtime environment is different from the permanent environment in this situation, so option C is a wrong choice. While the --permanent option will allow you to modify the runtime and permanent environment at the same time, Peter did not do this, so option E is also an incorrect answer.

11
Q

Peter is a Linux system administrator of a system using the iptables service. He wants to add a rule to block only incoming ping packets and not send a rejection message to the source. What command should he employ?

sudo iptables -P INPUT DROP
sudo iptables -A INPUT -p icmp -j REJECT
sudo iptables -A INPUT -p icmp -j DROP
sudo iptables -D INPUT -p icmp -j DROP
sudo iptables -A OUTPUT -p icmp -j REJECT
A

C. To achieve the desired result, Peter will need to modify the iptables INPUT chain for the protocol ping uses, which is ICMP. Also, the target will need to be set to DROP, in order to not send any rejection message. Therefore, option C is the correct iptables command to use. The command in option A will set the policy to DROP for all incoming packets that do not have a rule in the INPUT chain, but that does not target ping packets. Therefore, option A is a wrong answer. The command in option B will send a rejection message, which is not desired, so it is also an incorrect answer. The command in option D is attempting to delete a rule, not add one. Therefore, option D is a wrong choice. The command in option E is modifying the OUTPUT chain instead of the INPUT chain, which will affect outbound network packets. Thus, option E is an incorrect choice.

12
Q

Which of the following commands will allow you to view the various rules in a UFW firewall with their associated numbers?

sudo ufw show numeric
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered
sudo ufw enable
A

D. The sudo ufw status numbered command will display the UFW firewall’s ACL rules with their associated numbers. Therefore, option D is the correct answer. Option A is made up and thus is a wrong answer. Both options B and C will show any rules, but they will not include their numbers, so those options are incorrect answers. The UFW command in option E enables the firewall but does not display ACL rules, so it is an incorrect choice as well.

13
Q

Which of the following is an example of UFW simple syntax for blocking all incoming and outgoing OpenSSH connections without providing a blocking message?

sudo ufw deny 22/tcp
sudo ufw drop 22/tcp
sudo ufw reject 22/tcp
sudo ufw accept 22/tcp
sudo ufw block 22/tcp
A

A. While all these options use simple syntax, the ufw command in option A will block all incoming and outgoing OpenSSH connections and not send a blocking (rejection) message. Thus, option A is the correct answer. There is no drop argument in the ufw command, so option B is a wrong answer. The command in option C would send a rejection message. Thus, it is a wrong choice. The command in option D will allow OpenSSH connections, and therefore it is an incorrect answer. There is no block argument in the ufw command, so option E is also an incorrect choice.

14
Q

Which of the following are true concerning both DenyHosts and Fail2Ban? (Choose all that apply.)

It is an intrusion detection system (IDS).
It modifies the /etc/hosts.deny file.
It only handles OpenSSH traffic.
Its configuration file is named jail.conf.
It can work with TCP Wrappers, iptables, and firewalld.
A

A, B. Options A and B are true statements concerning both DenyHosts and Fail2Ban. DenyHosts only works with OpenSSH traffic, while Fail2Ban can handle many different types of traffic. So option C is a wrong answer. Fail2Ban’s configuration file is named /etc/fail2ban/jail.conf, but the configuration file for DenyHosts is not. Therefore, option D is an incorrect answer as well. DenyHosts can only work with TCP Wrappers, whereas Fail2Ban can work with iptables, TCP Wrappers, firewalld, and so on. Thus, option E is an incorrect choice.

15
Q

Virginia is administering a Linux system with a firewall. She has already set up an IPset and named it BlockThem. A new attack has begun to occur from the 72.32.138.96 address. Along with super user privileges, what command should she issue to add this IPv4 address to the IPset?

ipset create BlockThem hash:net
ipset -n BlockThem hash:net
ipset save -f /etc/ipset.conf
ipset -A BlockThem 72.32.138.0/24
ipset add BlockThem 72.32.138.96
A

E. The command in option E will properly add the new IP address to the BlockThem IPset. Thus, it is the correct answer. The commands in options A and B create the IPset and do not add new addresses to it. Therefore, those options are wrong answers. The command in option C will save the current IPset configuration to the IPset configuration file. While this is something Virginia should do after the new address is added, it is not the currently needed command. Thus, option C is a wrong answer. The command in option D adds an entire subnet of addresses to the IPset and not a single IP address. Thus, it is an incorrect answer as well.
