# SA Final Exam Past Papers

## 2018

(Thanks to 朱蝶 QQ; should be thanking 祈安 <3)

![](https://i.imgur.com/y1aAeWG.jpg)
![](https://i.imgur.com/Bl4wqDU.jpg)
![](https://i.imgur.com/2BqdMIb.jpg)

### Multiple Choice

#### 1. C?
#### 2. C
#### 3. D
#### 4. B
#### 5. D
8 kinds: HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT
#### 6. A
- forward proxy: provides caching for users
- reverse proxy: used by the server admin for load balancing (distributing work across different servers)
#### 7. D
#### 8. A
#### 9. C
#### 10. B
- handshake -> Asymmetric
- data -> Symmetric

### Short Answer

#### 1.
- A: Netmask -> 255.255.255.192
- B: Network ID -> 140.113.55.64
- C: Broadcast Address -> 140.113.55.127
- D: ...65 ~ ...126, 62 in total

#### 2.
- A:
    - Full: Every file is written to the backup. If nothing changed between two backup points, all the backup data is identical. The system does not check whether a file has been modified since the last backup.
    - Incremental: Before backing up, the system checks whether a file's last-modified time is later than the time of the last backup. If not, the file has not been modified since the last backup, so it does not need to be backed up this time.
- B: 1
  > 3
  > I think it is 1->3
- C: 1
  > 3 > 5
  > I think it is 1->3->5

![](https://i.imgur.com/LbmvQ9A.png)

#### 3.
- A: `yppasswdd`
  > I think it is yppasswdd
  > yppasswd does not seem to be a daemon
  > yppasswd -- server for updating NIS passwords
  > The rpc.yppasswdd utility allows users to change their NIS passwords and certain other information using the yppasswd(1) and ypchpass(1) commands.
  > Then yppasswdd it is
- B: `ypbind -S sa2018,server1,server2 -m`
- C: `/var/yp/ypservers`
- D: ![](https://i.imgur.com/jI3kfPF.png)
- E:
    - i: `ypcat -x` (not sure)
    - ii: `ypcat passwd`

#### 4.
- A:
    - ro: read only
    - alldirs: allow any subdirectory to be mounted
    - maproot=nobody: maps root to the specified user (nobody).
    - cs_sa_stu: net group
      > cs_sa_stu: should be a net group (host name / net group / Internet subnetwork are the only three kinds)
- B: `nosuid`

#### 5.
- A:
  > /etc/services
- B: `/etc/host.conf` (not sure)
  > Feels like /etc/nsswitch.conf is also possible?
  > During the demo the TA seemed to say nsswitch.conf is the one to change
  > /etc/nsswitch.conf works

#### 6.
- A: Host
  ![](https://i.imgur.com/28tTNPu.png)
- B:
    - i: A self-signed certificate is not issued by a Certificate Authority
    - ii:
        1. Add your own CA to the trusted CAs (should probably say add the self-signed certificate to the trusted certificates; CA is short for Certificate Authority)
        2. Replace the self-signed certificate with one issued by a Certificate Authority
        3. import the root certificate into the trust store for the browser
- C: No
  https://cwiki.apache.org/confluence/display/httpd/NameBasedSSLVHosts
  > As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

    * I think the answer is YES; the second paragraph says the first-listed virtual host will be used to set up the encryption layer
    * From what I read online it seems it cannot, but SNI can be used to support this https://stackoverflow.com/questions/517336/apache-name-virtual-host-with-ssl
- D:

  | Name-Based Virtual Host | IP-Based Virtual Host |
  | - | - |
  | Single IP, several hostnames | Several IPs(or ports) |

- E: Name-Based, reduces the number of IP addresses used (not sure)

#### 7.
- A: There are several identical NFS and we would like to mount any one of them
  > Reduce the load on a single server
- B:
    - Read-only
    - These replicated filesystems should be truly identical

#### 8.
- A: On Ethernet, knowing only a host's IP address is not enough to send a packet to it right away; the host's physical address (Physical address / MAC address) must be looked up first before the packet can actually be sent. The purpose of the ARP protocol is to ==translate an IP address into a physical address, i.e. look up the target device's MAC address==
- B:
- C:
  https://support.huawei.com/enterprise/en/doc/EDOC1000178170/4f5e0763/what-does-incomplete-mean-in-an-arp-entry
  https://networkengineering.stackexchange.com/questions/50843/what-are-the-reasons-for-seeing-an-incomplete-arp

#### 9.
- A: No, the second line
  > I think it can. /etc/hosts.allow has first-match behaviour: once the first matching rule is found, none of the later rules are consulted. The first line should already match?
- B:
  > rpcbind: 192.168.123.: allow
  > (log?)
  > rpcbind: 192.168.123.: spawn (echo Deny access from %h >> /var/log/rpcconn.log): allow

#### 10.
- A: ![](https://i.imgur.com/UzMVIxH.png)
- B:
  > If you use `kldload`, modules such as `pf` and `ipfw` that have been added to `rc.conf` will autoload on reboot; the rest have to be added to `loader.conf` to do so.
- C: `sudo sysctl kern.maxprocperuid=1000`
- D: Add `kern.maxprocperuid=1000` to `/etc/sysctl.conf`

#### 11.
- A: `Ctrl + Alt + F1`
  https://www.ostechnix.com/how-to-switch-between-ttys-without-using-function-keys-in-linux/
  > The above seems to be for Linux
  > https://www.freebsd.org/doc/handbook/consoles.html
  > Alt + F1-F8
- B:
  > edit /etc/ttys
  > https://www.freebsd.org/doc/handbook/consoles.html

## 2017

![](https://i.imgur.com/276mHzd.jpg)
![](https://i.imgur.com/7PoEiN8.jpg)
![](https://i.imgur.com/gG9AINJ.jpg)

### Multiple Choice

#### 1. B
#### 2. D
#### 3. D
https://reurl.cc/4gzoOX
#### 4. C
* yppasswd - change password on the NIS Server
* ypset - tell ypbind which YP server process to use
* yppasswdd - Server daemon for yppasswd, ypchsh, ypchfn
* ypchsh - Change login shell on NIS Server
* ypchfn - Change GECOS information on NIS Server
#### 5. C?
#### 6. C
#### 7. C
* nfsd - runs on a server to service NFS requests from client
* mountd - server for NFS mount requests from other client
* nfsiod - utility controls the maximum number of nfsiod kernel processes which run on an NFS client to service asynchronous I/O requests to its server.
* nmbd - NetBIOS name server to provide NetBIOS over IP naming services to clients
#### 8. D
* iostat - report I/O statistics
* top - display and update information about the top cpu processes
* vmstat - report virtual memory statistics
* kldstat - display status of dynamic kernel linker
#### 9. A
CSMA/CD is used on wired networks, while CSMA/CA is used on wireless networks
https://reurl.cc/QpqZpO
#### 10. B
![](https://i.imgur.com/7MTccbl.png)

### Short Answer

#### 1.
140.113.66.168/28 = 140.113.66.1010 1000/28
* A: 255.255.255.240 = 255.255.255.1111 0000
* B: 140.113.66.160 = 140.113.66.1010 0000
* C: 140.113.66.175 = 140.113.66.1010 1111
* D: 175-160+1-2=14 = 140.113.66.161~140.113.66.174

#### 2.
* A: Provide services for more than one domain-name(or IP) in one web server.
* B:

  | Name-Based Virtual Host | IP-Based Virtual Host |
  | -------- | -------- |
  | Single IP, several hostnames | Several IPs(or ports) |

* C: When an HTTP request arrives, the server will find the best (most specific) matching **VirtualHost** argument based on the IP address and port used by the request. If there is more than one virtual host containing this best-match address and port combination, the HTTP server will further compare the ServerName and ServerAlias directives to the server name present in the HTTP request.

  **HTTP Request Header**
  ![](https://i.imgur.com/NilR2SE.png)
  (https://en.wikipedia.org/wiki/List_of_HTTP_header_fields)

#### 3.
* A:
    * Forward proxy
        * forward proxy proxies on behalf of clients
        * forward proxy hides the identities of clients
    * Reverse proxy
        * reverse proxy proxies on behalf of servers
        * reverse proxy hides the identities of servers
* B: Reverse proxy

#### 4.
* A: A computer can have multiple simultaneous connections, all receiving data for different processes (mail, web, database, etc) on that computer. When the computer receives data, the port information allows it to give the data to the correct process. (The IP address identifies the computer host, and the port number specifies the particular process running on that host.)
* B: /etc/services
  https://www.freebsd.org/cgi/man.cgi?services(5)

#### 5.
Assume the network interface is named em0 and the two IPs are 192.168.1.2 and 192.168.1.3

/etc/rc.conf:
```
hostname="sa.nctu.me"
# default vsnl router interface
defaultrouter="192.168.1.5"
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.1.3 netmask 255.255.255.0"
```

#### 6.
* A: Add your own CA to the trusted CAs
* B: No
  https://cwiki.apache.org/confluence/display/httpd/NameBasedSSLVHosts
  > Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer.

#### 7.
| | microkernel | monolithic kernel |
|-|-|-|
| Degree of modular design | High | Low |
| Degree of optimization | Low (not sure) | High (not sure) |
| Kernel size | Small | Large |

Note on optimization: for a monolithic kernel, the kernel can call every function directly since everything is placed in the kernel.

#### 8.
* A:
    * -alldirs: allow any subdirectory to be mounted
    * -maproot: maps root to the specified user.
* B: nosuid

#### 9.
* A:
* B:
* C:
    * pull: `ypxfr`
    * push: `yppush`
* D: /var/yp/ypservers

#### 10.
* A:
    * Workaround: when the problem still cannot be solved, find a way to sidestep it so that it does not affect what you are trying to achieve with the program
      > The Workaround field indicates if a workaround is available to system administrators who cannot immediately patch the system
    * Solution: when a program has a problem, find where the problem is and fix it directly
      > The Solution field provides the instructions for patching the affected system. This is a step by step tested and verified method for getting a system patched and working securely.
* B: They have found the problem, but it has not yet been compiled into a pkg. It can usually be fixed by updating through ports.

#### 11.
(NIS P.7)(Security P.18)
* A: Because login is possible without a password
    * /.rhosts or /etc/hosts.equiv permit root access
    * Allow user to login (via rlogin) and copy files (rcp) between machines without passwords
* B:
    * Usable when on localhost?

#### 12.
* A: No, because the second line `sshd:140.113.55.66:deny` does not allow 140.113.55.66 to use sshd
  (Why do I think it can... /etc/hosts.allow is scanned in ascending order for a matching rule. When a match is found, the rule is applied and the search process will stop) -> Security (P.25)
* B:
```
identd:140.113.55.66:twist /bin/echo Hello, Randy
identd:140.113.:allow
```
(https://www.freebsd.org/cgi/man.cgi?query=hosts.allow&sektion=5&n=1)

#### 13.
* A: `sudo sysctl security.bsd.unprivileged_read_msgbuf=0`
* B: add `security.bsd.unprivileged_read_msgbuf=0` to `/etc/sysctl.conf`
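
The first-match scan of `/etc/hosts.allow` quoted in 2018 Q9 and 2017 Q12 can be checked with a small model. This is an added example, not part of the original notes and not libwrap's code: `parse_rules`, `evaluate` and `shadowed` are hypothetical helper names, the sshd rule sets are constructed, and only the identd rules come from the 2017 Q12 B answer.

```python
# Added example: simplified model of hosts.allow first-match evaluation.
# Assumptions: only daemon names, ALL, exact IPv4 addresses and trailing-dot
# prefixes such as "140.113." are handled; spawn/twist commands never run.

def parse_rules(text):
    """Return [(line_no, daemons, clients, options)], skipping comments."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0]:
            daemons = fields[0].replace(",", " ").split()
            clients = fields[1].replace(",", " ").split()
            rules.append((line_no, daemons, clients, fields[2:]))
    return rules

def rule_matches(daemons, clients, daemon, addr):
    """True when both the daemon list and the client list match."""
    def client_ok(pat):
        if pat.endswith("."):            # "140.113." matches by address prefix
            return addr.startswith(pat)
        return pat in ("ALL", addr)
    return any(d in ("ALL", daemon) for d in daemons) and any(map(client_ok, clients))

def evaluate(text, daemon, addr):
    """Return (line_no, action) of the first matching rule; the scan stops there."""
    for line_no, daemons, clients, options in parse_rules(text):
        if rule_matches(daemons, clients, daemon, addr):
            if "deny" in options:
                return line_no, "deny"
            if any(o.startswith("twist") for o in options):
                return line_no, "twist"
            return line_no, "allow"
    return None, "allow"                 # nothing matched: access is granted

def shadowed(text, daemon, addr):
    """Lines that match this client but sit behind an earlier match."""
    hits = [n for n, ds, cs, _ in parse_rules(text) if rule_matches(ds, cs, daemon, addr)]
    return hits[1:]

# Constructed rule sets (the exam's own first rule is not reproduced on the page).
BROAD_FIRST = "sshd : 140.113. : allow\nsshd : 140.113.55.66 : deny\nsshd : ALL : deny\n"
SPECIFIC_FIRST = "sshd : 140.113.55.66 : deny\nsshd : 140.113. : allow\nsshd : ALL : deny\n"
# The two identd rules given as the 2017 Q12 B answer.
IDENTD = "identd:140.113.55.66:twist /bin/echo Hello, Randy\nidentd:140.113.:allow\n"

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(rules, "sshd", "140.113.55.66"),
              "shadowed:", shadowed(rules, "sshd", "140.113.55.66"))
```

When reviewing a real rule file, a non-empty `shadowed` result for a host that has its own deny line means that line sits behind a broader match and should be moved above it.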