nerdexam
CompTIA

XK0-004 · Question #440

An administrator is reviewing web application logs and discovers several external addresses are trying to perform port scans, SQL injections, or URL oVectory traversal attacks. The administrator is ab

The correct answer is D. firewall-csid --permanent --ipset=badip --add-entries-from-files=opt/webapp/sec.log. This question tests the administrator's ability to use firewall-cmd to block a list of malicious IP addresses loaded from a log file using an ipset.

Security

Question

An administrator is reviewing web application logs and discovers several external addresses are trying to perform port scans, SQL injections, or URL oVectory traversal attacks. The administrator is able to create an automated security log for malicious traffic IP addresses and requests. The secunty administrator then uses the following information to protect the server:

Which of the following actions should the security administrator recommend to protect the server?

Exhibit

XK0-004 question #440 exhibit

Options

  • Aipaat create badip /opt'webapp/sec.log && ipaat add badip huh lip
  • Bipaat create hash badip:ip I firewall-cmd reload
  • Cfirewall-cmd --permanent --zone"public ipset create badip hash:ip
  • Dfirewall-csid --permanent --ipset=badip --add-entries-from-files=opt/webapp/sec.log

How the community answered

(38 responses)
  • A
    21% (8)
  • B
    5% (2)
  • C
    13% (5)
  • D
    61% (23)

Why each option

This question tests the administrator's ability to use firewall-cmd to block a list of malicious IP addresses loaded from a log file using an ipset.

Aipaat create badip /opt'webapp/sec.log && ipaat add badip huh lip

'ipaat' is not a valid Linux command, and the syntax shown does not correspond to any real ipset or firewalld operation.

Bipaat create hash badip:ip I firewall-cmd reload

'ipaat' is not a valid command, and piping to 'firewall-cmd reload' does not correctly create or populate an ipset with entries from a log file.

Cfirewall-cmd --permanent --zone"public ipset create badip hash:ip

This command only creates an empty ipset of type hash:ip in the public zone but does not populate it with the malicious IP addresses from the log file.

Dfirewall-csid --permanent --ipset=badip --add-entries-from-files=opt/webapp/sec.logCorrect

The firewall-cmd --permanent --ipset=badip --add-entries-from-file option reads IP addresses directly from a specified file and adds them to an existing ipset named 'badip', making the blocks persistent across reboots. This is the correct firewalld mechanism for bulk-loading IP block lists from an automated security log. The --permanent flag ensures the rules survive a firewall service restart.

Concept tested: firewalld ipset bulk IP blocking from file

Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-and-configuring-firewalld_securing-networks#blocking-ip-addresses-using-an-ipset_using-and-configuring-firewalld

Topics

#firewall-cmd#ipset#IP blocking#intrusion prevention

Community Discussion

No community discussion yet for this question.

Full XK0-004 Practice