LPIC-2: Linux Engineer Exam 202
Senior Vice President of Content
This course is designed to follow the Linux Professional Institute's Level 2 Exam 2 objectives. Upon completion of this course and with the associated downloadable materials, the student should be prepared to successfully complete the final exam in the LPIC-2 certification.
As of August 2018 this course has been updated to v4.5 of the LPIC Objectives.
About the Course
We will talk through all the exam objectives and what we are going to cover in this course.
About the Course Author
Let's talk about the course author, what you can expect from this course, and other key information!
Important Information about LPI Exam Discount Vouchers for 2019
Please view the following video for important information regarding LPI exam vouchers for 2019.
Introduction to LPIC-2 and the Exam
In this video, we will talk about the LPIC-2 Exam specifically and the best way to prepare.
How to Use the Linux Academy Cloud Playground for this Course
This video provides an initial walkthrough on how to access and use Linux Academy's new Cloud Playground. The new service has replaced our now deprecated "Cloud Servers" platform. It is important to note that some videos in this course may use/refer to the old "Cloud Servers" platform, so here are a few important notes to remember and use:
1) If you see the instructor using (and/or telling you to use) login credentials such as "user" or "linuxacademy" AND the password "123456" - they will no longer work. Use the specific credentials provided to you (for the server you are using) in the new Cloud Playground user interface.
2) You cannot log into the Cloud Playground servers as the root user. However, you can access the root shell by using the command sudo -i. NOTE: In this course, you may see the instructor running commands as the root user. In order to follow along with those commands, you must run the sudo -i command first. Otherwise, you will get a permissions error.
3) To access the server's GUI (if you provisioned a distribution that has one), you need to select "Actions" then "Graphical Shell" for your server in the Cloud Playground. NOTE: You cannot access the GUI via VNC Viewer as port 5901 is blocked.
Detailed documentation on the new Cloud Playground can be found here: https://support.linuxacademy.com/hc/en-us/articles/360019096651-Cloud-Playground-FAQ
Topic 207: Domain Name Server
207.1 - Basic DNS Server Configuration (DNS Client Configuration and Terms)
Description: Candidates should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to manage a running server and configure logging. Key Knowledge Areas: BIND 9.x configuration files, terms and utilities; defining the location of the BIND zone files in BIND configuration files; reloading modified configuration and zone files; awareness of dnsmasq, djbdns, and PowerDNS as alternate name servers.
207.1 - Basic DNS Server Configuration (BIND Installation - Caching Name Server)
Install the packages needed for our BIND caching name server, and a quick walkthrough of the major components and options in the primary configuration file, /etc/named.conf.
207.1 - Basic DNS Server Configuration (BIND Service Start and rndc Command)
We will be starting our named BIND service and learning about the rndc command. We will use that command to create a secure key, a secure configuration for controlling our server, and then use it to manage our caches and zones as needed. Finally, we will test our Caching DNS Server with the appropriate client utilities.
207.1 - Basic DNS Server Configuration (named-checkconf)
This is a quick video covering the utility named-checkconf.
207.2 - Create and Maintain DNS Zones (Configuring for Zones)
In this video, we will begin adding the necessary information on the domain (zones) that our DNS server will be responsible for. We will take a look at the master and slave configuration for both the forward and reverse lookup zones in the /etc/named.conf file.
207.2 - Create and Maintain DNS Zones (Zone Files and Record Types)
This presentation will go over all the most common DNS forward and reverse zone record types you need to be familiar with for the exam and for later creation of our zone files.
207.2 - Create and Maintain DNS Zones (Finalize /etc/named.conf for Master DNS Server)
We will quickly complete the service configuration (/etc/named.conf) for our instance by talking about several settings for querying and updates before we move on to creating our zone files.
207.2 - Create and Maintain DNS Zones (Create Forward and Reverse Zone Files and Testing the Configuration)
As a final step, we will create the forward and reverse zone files for our test domain, test our configuration using the appropriate tools, and then run typical DNS client commands to be sure the output for our domains is what we expect.
207.2 - Basic DNS Server Configuration (named-checkzone, named-compilezone, and the masterfile-format setting)
A video that covers named-checkzone, named-compilezone, and the masterfile-format setting.
207.3 - Securing a DNS Server (Split DNS Configuration for Security)
Conceptually, a split DNS configuration needs some discussion. We will walk through a multi-server split DNS configuration and discuss why you would use it as well as how it would be implemented.
207.3 - Securing a DNS Server (Running BIND in a Chroot Jail)
As part of a secure BIND implementation, you can configure a new "root directory" to isolate the named service from any other directory or configuration file that could potentially be a security risk. This is done through the use of 'chroot jails'. In this video, we will manually configure a jail for our service to run in securely.
207.3 - Securing a DNS Server (DNS Security Tools - Discussion, Keys and Signing a Zone File)
Transactions and updates between DNS servers are secured with the DNSSEC extensions. Using Transaction Signatures can help verify that an update or query comes from a trusted source. Further, using the DNSSEC tools, we can create public and private keys to use for those transactions and use them to sign zone files.
207.3 - Securing a DNS Server (DANE, TLSA records)
This video covers DANE and the anatomy of a TLSA record.
Exercise: Prepare Your System for a Secure DNS Server (chroot Jail Configuration)
Exercise: Create a DNS Server Forward Zone File
207 - Create a Caching-Only DNS Server
Topic 208: Web Services
208.1 - Implementing a Web Server (Apache - Configuration File and Basic Directives)
We will introduce the Apache web server and talk about some differences amongst distribution types and versions. Then we will install it and walk through the primary directives in the main configuration file that determine how the server behaves. Finally, we will enable and start the service and test that it is serving content.
208.1 - Implementing a Web Server (Enabling Modules - Perl)
In this video, we will talk about how to create a server-side CGI directory and enable Perl scripts to be called and their output displayed on the web client. We will install the mod_perl package, show that it is enabled, create the appropriate directives in the primary Apache configuration file, and then test that it works as intended.
208.1 - Implementing a Web Server (Enabling Modules - PHP)
In this video, we will talk about how to enable PHP files. We will install the php package, show that it is enabled, and then test that it works as intended.
208.1 - Implementing a Web Server (Using Authentication for Security - htpasswd and mod_auth)
In this video, we will use the mod_auth module to enable basic authentication to secure a site directory's content to valid users with a password.
208.1 - Implementing a Web Server (Using Authentication for Security - htaccess file)
This video will present an alternative method of securing site content by user authentication through the .htaccess file. We will discuss how to implement it and why you may choose this method vs. the prior.
208.1 - Implementing a Web Server (Name-Based Virtual Hosts)
In this video, we will demonstrate how to create name-based virtual hosts (where each host will resolve to the same IP address).
208.1 - Implementing a Web Server (IP-Based Virtual Hosts)
Contrasting against the prior virtual host configuration, we will demonstrate a virtual host that is based upon having multiple IPs or network interfaces, each one responding to a site name.
208.1 - Implementing a Web Server (mod_access_compat)
This is a quick video explaining what mod_access_compat is.
208.2 - Apache Configuration for HTTPS (Generating SSL Signing Requests and Self-Signed Certificates)
In this video, we will use openssl and openssl-perl to generate a private key and a certificate signing request for a certificate authority to provide a full certificate for our site. Additionally, we will generate a key and a CSR and then sign the certificate ourselves to demonstrate the creation of a self-signed certificate.
208.2 - Apache Configuration for HTTPS (Configuring Apache for SSL Certificates)
Now that we have generated our certificates, we will configure our Apache instance to use them and then test that SSL is serving our content.
208.2 - Apache Configuration for HTTPS (SSL and SNI)
This is a quick video explaining what SNI is and when to use it.
208.3 - Implementing a Proxy Server (Squid - Forward Proxy Configuration)
We will introduce various types of proxy servers briefly and then begin an installation and walkthrough of a forward proxy server called Squid.
208.3 - Implementing a Proxy Server (Squid - Testing the Service)
Here we will test our Squid proxy configuration by configuring a separate client instance to use lynx through it. We will disable Squid as well as restrict the client network so you can see the different behaviors and then add JUST the client IP back in as an allowable client connection address.
208.4 - Implementing Nginx as a Web Server and a Reverse Proxy (Nginx - Installation and Configuration as Web Server)
Nginx can be used for various things, and in this video, we will be demonstrating the basic installation and configuration necessary for Nginx to run web services on a custom site we create and then test.
208.4 - Implementing Nginx as a Web Server and a Reverse Proxy (Nginx - Basic Reverse Proxy Configuration)
Wrapping up our Web Services section of the course, we will install and configure Nginx as a basic reverse proxy server. We will create a simple Apache server with custom content on a second server and configure our Nginx server to proxy that content when connected to over port 80.
Exercise: Implement an Nginx Web Server
Exercise: Create an Nginx Reverse Proxy Configuration
Exercise: Generate Self-Signed SSL Certificates
208 - Implement an Apache Web Server with Perl CGI
208 - Implement an Apache Web Server with PHP Enabled
208 - Deploy and Test a Squid Forward Proxy Server
Topic 209: File Sharing
209.1 - SAMBA Server Configuration (Server Installation and Share Configuration)
Candidates should be able to set up a SAMBA server for various clients. This objective includes setting up Samba for login clients, setting up the workgroup in which a server participates, and defining shared directories and printers. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested. Key Knowledge Areas: Samba 3 documentation, Samba configuration files, Samba tools and utilities, mounting Samba shares on Linux, Samba daemons, mapping Windows usernames to Linux usernames, user-level and share-level security
209.1 - SAMBA Server Configuration (Security and Account Management)
Now that we have installed and configured both our server and intended share, we need to create the user account(s) that can access it. Once we create accounts and a usermap file, we will then use various client utilities on the server to be sure that our share(s) are available.
209.1 - SAMBA Server Configuration (Client Configuration and Testing)
Finally, we have our server ready for connections, so we need to set up a client that can access, mount, and provide persistent connectivity on boot.
209.2 - NFS Server Configuration (NFSv3 Server Installation, Configuration and Testing)
Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS. Key Knowledge Areas: NFS version 3 configuration files, NFS tools and utilities, access restrictions to certain hosts and/or subnets, mount options on server and client, TCP wrappers, awareness of NFSv4
209.2 - NFS Server Configuration (NFSv3 Client Configuration and Share Mounting)
Now that our client is configured and secured as we need, we will configure a client to mount the share (both manually and automatically on boot), explain the various mount options, and show how the UID/GID mapping done previously carries permissions and ownership forward on all clients to the server.
209.2 - NFS Server Configuration (Differences between NFSv3 and NFSv4)
Candidates should be able to export filesystems using NFS. This objective will explain some of the differences between NFSv3 and NFSv4.
Exercise: Create a Samba Share
Exercise: Create an NFS Export File with Permissions
209 - Deploy a Samba Server
209 - Deploy an NFS Server
Topic 210: Network Client Management
210.1 - DHCP Configuration (Overview and Configuration)
In this video, we will talk about key terms and definitions around DHCP configuration as well as talk through how a DHCP client and server communicate. After, we will walk through an example configuration that defines a DHCP server that will provide IP addresses to the defined network it is responsible for.
210.2 - PAM Authentication (Overview)
This video will serve as a basic overview of what PAM is and the advantages it offers on your system.
210.2 - PAM Authentication (Modules - pam_unix, pam_cracklib, pam_limits and pam_listfile)
Although there are a large number of modules to explore, we are going to key in with examples on the four we need to know for the exam.
210.2 - PAM Authentication (Authentication Order - /etc/nsswitch.conf)
Since the /etc/nsswitch.conf file can affect the order that services respond authoritatively or authenticate on your system, we will walk through the common configuration values and how they can affect PAM on our system.
210.2 - PAM Authentication (SSSD)
This lesson includes an overview of SSSD. We go over what it is, how to configure it, and how it works.
210.3 - Configuring an OpenLDAP Server (Overview)
This video will provide an overview of what OpenLDAP is and define the key terms we will be using throughout this section.
210.3 - Configuring an OpenLDAP Server (Installation and Initial Configuration)
We will walk through the client and server packages to be installed to support an OpenLDAP server. Additionally, we will make modifications to the appropriate /etc/slapd.conf sections as an example DN for our use.
210.3 - Configuring an OpenLDAP Server (LDIF Creation for Adding Objects)
Now that we have created our initial DN on our directory server, we need to learn how to create and import LDIF files containing attributes that will build OUs and allow us to associate records (people) with each.
210.4 - LDAP Client Usage (Client Utilities for Searching, Adding, and Deleting Records)
We wrap up our OpenLDAP coverage by going over the client utilities that can be used to access, search, update passwords, modify records, and delete objects in our directory.
Exercise: Secure User Access to VSFTPD Service with PAM Module
210 - Deploy an OpenLDAP Client and Server
Topic 211: Email Services
211.1 - Using Email Servers (Overview)
This video will introduce the student to a list of terms and technologies that will be referred to throughout our exploration and configuration of email services during the rest of this course section.
211.1 - Using Email Servers (Postfix Key Configuration Items and Input Files)
In this video, we will install (if needed) and configure postfix to handle SMTP delivery of email for our localhost/domain. We will walk through the key configuration items for our setup and then test that email works as expected. We will then create aliases for non-user accounts that will deliver to local accounts and talk about how to convert the aliases file to a binary format for our use. Finally, we will talk about the mail directory structure and logging available to monitor the delivery of email and the mail system in general.
211.2 - Managing Local Email Delivery (Rules-Based Message Management)
A brief discussion around applying rules and filters to your Mail Transfer Agents so that (sometimes) complex rules can be used to filter, back up, and sort email before it is picked up by clients.
211.3 - Managing Remote Email Delivery (Dovecot - POP3 and IMAP with TLS Configuration)
This video will see us install the dovecot email server used to provide POP3 and IMAP service (including TLS/SSL if desired). We will walk through the key configuration components, including the external configuration directives and their order of precedence. We will then start and test the POP3/IMAP and TLS versions of each service to be sure the referenced security certificates are valid and capable of being passed down to our hosts.
211.2 - Managing Email Delivery (Sieve and Dovecot)
A brief discussion around applying rules and filters to your Mail Transfer Agents so that (sometimes) complex rules can be used to filter, back up, and sort email before it is picked up by clients.
Exercise: Deploy and Configure a Postfix Email Server
Exercise: Deploy and Configure a Courier IMAP and POP Server
211 - Creating a Local Email Delivery Server
Topic 212: System Security
212.1 - Configuring a Router (Configuring Linux for Routing and Using IPTables)
Setting up Linux as a router is a straightforward affair requiring only minimal configuration of a few kernel parameters. After we walk through that, we will spend the rest of this video talking about iptables. We will talk about key terms and definitions and provide examples of creating rules in a chain and then discuss the best way to practice.
212.2 - Securing FTP Servers (Server - vsftpd)
In this video, we will take a look at the most popular replacement FTP service called VSFTPD. Although not encrypted, this server is considered safer than standard FTP. We will walk through the installation and configuration of various directives that can help secure it in your environment.
212.2 - Securing FTP Servers (Server - pure-ftpd, proftpd, and Active/Passive Connections)
This video shows us installing the pure-ftpd service and then running it with several command line parameters (as well as reviewing the man page for where to find other options). We will then enable and disable anonymous access and show the behavior. We will wrap up by discussing proftpd as an option for FTP we need to be aware of for the exam and then discuss the difference between active and passive connections.
212.3 - Secure Shell (SSH Configuration Options)
We all know what SSH is, but you may not have a firm grasp of a number of common security-related configuration options available in the /etc/ssh/sshd_config and /etc/ssh/ssh_config files for both the OpenSSH-server and ssh client utilities. In this video, we will walk through those we need for the LPIC-2 exam and demonstrate how they affect user access and messages that we can display pre- and post-authentication.
212.3 - Secure Shell (SSH Client Tools)
Now that our server is configured, we will walk through the SSH client utilities SSH, SCP, and SFTP. We will demonstrate how to connect to a system and transfer files or run commands and finally explain how these systems are tracked in our known_hosts file.
212.3 - Secure Shell (Advanced SSH - Using SSH Keys for Authentication)
We can create and exchange a public key with remote systems so that we can use our private key thereafter to authenticate without a password if we choose. We will generate our keys and show two methods of exchanging them with the remote system. After, we can talk about two-factor authentication with a key passphrase to secure our keys and still have the convenience through using a special utility called the ssh-agent.
212.4 - Security Tasks (Review of Tools, Monitoring, and Organizations)
Security is an important part of being a system administrator. Here we will be discussing the tools, utilities, and organizations that we can rely on to help identify, report on, and mitigate vulnerabilities.
212.5 - IPTables Firewall (Discussion)
IPTables is the precursor to the "firewalld" firewall process we see in modern distributions. Let's walk through what it is and how it works while defining key concepts and terms. NOTE: Even though this video shows as 212.1, it is still relevant. The video covers iptables which covers the requirements for 212.5.
212.5 - OpenVPN Server Configuration
Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections. This video will go over how to configure OpenVPN on the server side.
212.5 - OpenVPN Client Configuration
Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections. This video will go over how to configure OpenVPN on the client side.
Exercise: Generate Public and Private SSH Keys
Exercise: Use Netcat to Set Up a Basic Network Listener to Test System Access
212 - Secure Shell and SSH Key Exchange
212 - Deploy and Test VSFTPD Server
Summary and Next Steps
Now that we have completed our content, let's talk about where you can go next – both inside Linux Academy and otherwise!