202-450 LPIC-2 - Exam 202 (part 2 of 2), version 4.5 Question and Answers

The Samba configuration parameter writeable is a synonym for the parameter read only. It has the opposite meaning, so setting writeable=no is equivalent to setting read only=yes. This parameter controls whether a user has the ability to create or modify files within a share12 References:

• LPIC-2 Overview
• LPIC-2 202-450
• smb.conf - Samba
• Samba share permissions simplified - nixCraft

 The NFSv4 pseudo file system is a virtual file system that provides a single root directory for all the exports on the NFS server. It allows the clients to see all the exports as a single file system, regardless of their physical locations on the server. The pseudo file system usually contains bind mounts of the directory trees to be exported, which are created using the mount --bind command. Bind mounts create a second mount point for an existing directory, without changing its attributes or permissions. This way, the pseudo file system can include directories from different file systems or partitions on the server123 References:

• NFSv4Howto - Community Help Wiki
• NFSv4: Enhancements and Best Practices Guide - NetApp
• File-System Namespace in NFS Version 4 - Oracle

 The command exportfs is used to configure which file systems a NFS server makes available to clients. The exportfs command maintains a table of exported file systems in the /etc/exports file, which specifies the directories to be shared and the options for each host or network. The exportfs command can also be used to add, remove, or refresh the exported file systems without restarting the NFS service123 References:

• 8.6. Configuring the NFS Server - Red Hat Customer Portal
• How to configure NFS on Linux - Learn Linux Configuration
• How to configure Network File System on Linux | Enable Sysadmin

The security option in the smb.conf file determines how Samba authenticates users who try to access its shares. The value of security = share means that Samba does not require a valid username and password for each connection, but only for each share. This allows users to access shares anonymously, without providing any credentials. This is useful for setting up a guest printer service, where anyone can print to a shared printer without logging in. However, this option is deprecated and not recommended for security reasons. The other options are either invalid or irrelevant for this question.

The cache_dir directive in the Squid configuration file specifies the type, location, size, and structure of the cache directory. The ufs type indicates that Squid uses the UNIX file system to store the cache files. The /var/spool/squid3/ is the path to the cache directory. The 1024 is the size of the cache in megabytes. The 16 and 256 are the number of first-level and second-level subdirectories that Squid creates under the cache directory.

Squid uses hexadecimal numbers to name the subdirectories, from 00 to FF. Therefore, there will be 16 first-level subdirectories, named 00, 01, 02, …, 0E, 0F. Under each first-level subdirectory, there will be 256 second-level subdirectories, named 00, 01, 02, …, FE, FF. For example, the subdirectory /var/spool/squid3/0F/FF will contain the cache files whose hash values end with 0FFF.

Therefore, the correct answer is A. 0F and E. 00, as they are the names of the first-level subdirectories that will exist directly within the directory /var/spool/squid3/. The other options are either invalid or second-level subdirectories that will not exist directly within the directory /var/spool/squid3/.

The rpc.idmapd service is a new component of NFSv4 that does not exist in NFSv3. It is responsible for mapping user and group IDs between the NFS client and server, using string names instead of numeric values. This allows for better security and compatibility across different systems. The rpc.idmapd service runs on both the NFS client and server and communicates with each other using the NFSv4 protocol. The other services, rpc.statd, nfsd, and rpc.mountd, are common to both NFSv3 and NFSv4, although they have some differences in functionality and behavior. References: 1, 2, 3

 The FTP names that are recognized as anonymous users in vsftpd when the option anonymous_enable is set to yes in the configuration file are anonymous and ftp. These are the default names that vsftpd accepts as valid anonymous users, and they can be used interchangeably. The anonymous user does not need to enter a password, but can optionally enter an email address as a password. The anonymous user has limited permissions and can only access the directory specified by the anon_root directive, which is usually /var/ftp or /srv/ftp. The anonymous user can download files from the server, but cannot upload or modify files, unless the anon_upload_enable and anon_mkdir_write_enable directives are also set to yes.

The other options are not recognized as anonymous users in vsftpd. Option C is incorrect, because vsftpd will reject any username that does not belong to an existing user or an anonymous user. Option D is incorrect, because nobody is a system user that has no permissions and is not related to FTP. Option E is incorrect, because guest is not a valid FTP name, unless the guest_enable directive is set to yes, which will make all non-anonymous users log in as the guest_username, which is usually ftp.

References:

• vsftpd.conf - config file for vsftpd
• How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04
• How to Configure vsftpd FTP Server on CentOS 8

DANE stands for DNS-based Authentication of Named Entities. It is a protocol that provides a way to verify the association of X 509 certificates to DNS host names. X 509 certificates are digital documents that contain the public key and identity information of an entity, such as a web server or an email server. They are used to establish secure connections and authenticate the identity of the entity. However, the traditional way of obtaining and validating X 509 certificates relies on a hierarchical system of trusted third parties, called certificate authorities (CAs), which can be vulnerable to attacks or compromise. DANE aims to enhance the security and trust of X 509 certificates by using DNSSEC, which is a set of extensions to DNS that provide cryptographic signatures and validation for DNS records. DANE allows the owner of a domain name to publish the X 509 certificate or its fingerprint in a DNS record, called a TLSA record, which can be verified by the DNSSEC chain of trust. This way, the client can check the authenticity of the certificate directly from the DNS, without relying on external CAs. DANE can also be used to specify which CAs are authorized to issue certificates for a domain name, or to indicate that no CA is needed at all. DANE can be applied to various protocols that use X 509 certificates, such as HTTPS, SMTP, IMAP, POP3, etc.

References:

• DANE - Wikipedia
• DNS-Based Authentication of Named Entities (DANE) - Internet Society
• DANE: Taking TLS Authentication to the Next Level Using DNSSEC

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that allows a client to indicate which hostname it is trying to connect to at the start of the handshaking process1. This enables the server to present the appropriate certificate for the requested hostname, and thus allows multiple SSL/TLS secured virtual HTTP hosts to coexist on the same IP address12. SNI does not support transparent failover of TLS sessions from one web server to another, as this would require session resumption or renegotiation mechanisms1. SNI does not enable HTTP servers to update the DNS of their virtual hosts’ names using the X 509 certificates of the virtual hosts, as this would require a different protocol such as Dynamic DNS1. SNI does not provide a list of available virtual hosts to the client during the TLS handshake, as this would expose the server’s configuration and potentially compromise its security1. SNI submits the host name of the requested URL during the TLS handshake, as this is the information that the client needs to communicate to the server in order to select the correct certificate12. References:

• Server Name Indication - IBM
• Server Name Indication - Wikipedia

 OpenVAS is a network security scanner project that, at the core, is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications. It is an open-source tool that was forked from Nessus, a popular commercial scanner. OpenVAS can perform comprehensive scans of networks and hosts, as well as web application scanning and compliance testing. It also provides a graphical user interface (GUI) and a command-line interface (CLI) for managing scans and reports. References:

• Greenbone Vulnerability Management - Gentoo wiki
• The Best Network Vulnerability Scanners Tested in 2023 - Comparitech

 The objectClass attribute of an LDAP object defines which other attributes can be set for the object. The objectClass attribute is a multi-valued attribute that specifies one or more object classes that the object belongs to. Each object class has a schema that defines the mandatory and optional attributes that the object can have. The objectClass attribute is required for every LDAP object and determines the nature and characteristics of the object. References:

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• LDAP Object Classes

 The OpenLDAP attribute olcBackend is used to specify the backend type for a database entry in the cn=config DIT. The backend type determines how the data is stored and accessed by the OpenLDAP server. There are several backend types available, but not all of them can be used with the olcBackend attribute. The backend types that can be used with the olcBackend attribute are:

• bdb: The Berkeley Database backend, which uses the Berkeley DB library to store the data in files on disk. This backend supports transactions, indexing, replication, and caching. It is the default backend for OpenLDAP and is recommended for most applications.
• ldap: The LDAP backend, which uses another LDAP server as the data source. This backend allows the OpenLDAP server to act as a proxy or a gateway to another LDAP server. It can be used to merge data from multiple LDAP servers, to provide access control or schema mapping, or to implement load balancing or failover.
• text: The text backend, which uses plain text files to store the data. This backend is mainly used for testing purposes or for simple applications that do not require advanced features. It does not support indexing, replication, or caching.

The backend types that cannot be used with the olcBackend attribute are:

• xml: The XML backend, which uses XML files to store the data. This backend is experimental and not recommended for production use. It does not support indexing, replication, or caching.
• passwd: The passwd backend, which uses the /etc/passwd and /etc/group files as the data source. This backend is deprecated and should not be used. It does not support indexing, replication, or caching.

References:

• How To Configure OpenLDAP and Perform Administrative LDAP Tasks
• OpenLDAP Online Configuration Reference - Tyler’s Guides

The root element of the LDAP tree holding the configuration of an OpenLDAP server that is using directory based configuration is called cn=config. This is a special entry that is not part of the regular data DITs, but rather a separate DIT that can be used to configure the OpenLDAP server online. The cn=config entry contains various subentries that define the global and database-specific settings for the server. The cn=config entry can be accessed and modified using standard LDAP tools and methods, such as ldapsearch and ldapmodify12.

References:

• OpenLDAP Software 2.6 Administrator’s Guide: Configuring slapd: The official documentation of OpenLDAP on how to configure the slapd daemon, which includes the description of the cn=config entry and its subentries.
• How To Configure OpenLDAP and Perform Administrative LDAP Tasks | DigitalOcean: A tutorial from DigitalOcean on how to configure OpenLDAP and perform administrative LDAP tasks, which includes the use of the cn=config entry and the ldapsearch and ldapmodify tools.

The sshd configuration file is used to customize the behavior of the SSH server daemon. Some of the lines in the file can affect the security of the server and should be modified accordingly. The following are two examples of such lines:

• Protocol 2, 1: This line specifies the SSH protocol versions that are supported by the server. The possible values are 1 and 2, where 1 is the older and less secure version and 2 is the newer and more secure version. The recommended value is 2, as it provides stronger encryption, authentication, and integrity mechanisms. Allowing protocol 1 can expose the server to various attacks, such as man-in-the-middle, replay, and insertion attacks. Therefore, this line should be changed to Protocol 2 or commented out (as protocol 2 is the default value).
• PermitRootLogin yes: This line determines whether root login is allowed on the server. The possible values are yes, no, prohibit-password, and without-password. The value yes allows root login with any authentication method, including password. This can pose a serious security risk, as root is the most privileged user on the system and can perform any action. If an attacker manages to guess or obtain the root password, they can gain full control over the server. Therefore, this line should be changed to no or prohibit-password (which allows root login only with public key authentication) or commented out (as no is the default value).

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, The Best Ways to Secure Your SSH Server, Configure the /etc/ssh/sshd_config file

Linux SSH Server (sshd) Configuration and Security Options With ...1

The Best Ways to Secure Your SSH Server - How-To Geek

 A Fail2Ban jail is a combination of a filter and one or several actions. A filter defines a regular expression that matches a pattern corresponding to a failed login attempt or another suspicious activity. Actions define commands that are executed when the filter catches an abusive IP address. A jail can have active or inactive status1 References: 1: Fail2Ban Jails Management | Plesk Obsidian documentation 

The redirect action in a Sieve filter forwards a message to another email address without changing the message. The redirect action takes a single argument, which is the email address to forward the message to. The syntax of the redirect action is as follows:

redirect "email_address";

The redirect action does not affect the delivery of the message to the original recipient, unless the stop or keep actions are used. The redirect action can be combined with other actions or tests to create more complex filters. For example, the following Sieve filter will forward any messages from Alice to Bob, and then stop processing the rest of the script:

require "fileinto"; if address :is "from" "alice@example.com" { redirect "bob@example.com"; stop; }

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Sieve filter (advanced custom filters) | Proton, Proton Mail Support
• Sieve: An Email Filtering Language, RFC 5228
• Sieve Email Filtering | Tiger Technologies Support, Tiger Technologies Support
• [Sieve: A Mail Filtering Language], Sieve.Info

According to the configuration, the postmaster address is set to postmaster@domain.com. This means that any system-generated messages or notifications sent to the administrator of this domain will use this address as the sender. The postmaster address is also used to receive messages from external senders who need to contact the administrator for any reason, such as reporting spam or abuse. The postmaster address is a mandatory requirement for any mail server, as specified by the RFC 5321 standard. References:

• LPIC-2 exam 202 objectives, topic 207.3, Manage the postfix mail system
• RFC 5321, section 4.5.1, Postmaster Role

The LDIF file format does not accept any type of file encoding. It requires the file to be encoded in UTF-8, which is a Unicode encoding that supports all characters and languages. If the file contains non-UTF-8 characters, it may cause errors or data loss when importing or exporting LDIF data. Therefore, it is important to ensure that the LDIF file is encoded in UTF-8 before using it with LDAP tools or servers. References:

• LDIF File (What It Is and How to Open One) - Lifewire
• RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification

The commands nc and telnet can be used to connect and interact with remote TCP network services. nc stands for netcat, a utility that can read and write data across network connections using TCP or UDP protocols. telnet is a client-server protocol that allows a user to communicate with a remote host using a virtual terminal. Both commands can be used to test the connectivity and functionality of network services such as web servers, mail servers, FTP servers, etc. by specifying the host name or IP address and the port number of the service. References:

• LPIC-2 exam 201 topics, section 205.1, “Use and configure network monitoring tools”.
• LPIC-2 exam 202 topics, section 208.1, “Implementing a web server”.
• Linux Essentials 010 exam objectives, section 4.3, “Basic network configuration and troubleshooting”.

 The command that displays an overview of the Postfix queue content to help identify remote sites that are causing excessive mail traffic is qshape. This command shows the number of messages in the active, deferred, and hold queues, grouped by the next-hop domain name. It also shows the age distribution of the messages in each queue, which can help to identify domains that are slow or unreachable. The output of qshape looks like this:

The first column shows the next-hop domain name, or TOTAL for the sum of all domains. The second column shows the total number of messages in the queue for that domain. The remaining columns show the number of messages in different age ranges, in minutes. For example, the T column shows the number of messages that are less than 5 minutes old, the 5 column shows the number of messages that are between 5 and 10 minutes old, and so on. The last column shows the number of messages that are older than 1280 minutes (about 21 hours).

The qshape command can be used with different options to specify the queue name, the domain name pattern, the bucket size, the bucket count, the sort order, and the output format. For more information, see the qshape man page1.

References: You can find more information about the qshape command and its usage in the following resources:

• qshape - Postfix queue analysis tool
• Postfix Queue Management

The standard port used by OpenVPN is 1194. OpenVPN is a VPN daemon that supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport, and other features. OpenVPN can be configured to listen on any port, but the default port is 1194, which is registered with the IANA for OpenVPN. The port number can be specified in the OpenVPN configuration file using the port directive. For example:

port 1194

This will instruct OpenVPN to listen on port 1194. The port number must match on both the server and the client sides of the connection. The port number can also be specified as an argument to the openvpn command. For example:

openvpn --port 1194

This will run OpenVPN with port 1194 as the default port.

References:

• Reference Manual For OpenVPN 2.6 | OpenVPN
• Reference Manual For OpenVPN 2.0 | OpenVPN
• Which ports to open for VPN PPTP, L2TP, IPsec, OpenVPN and … - ITIGIC

Sieve is a language for filtering and sorting email messages on a mail server. Sieve core filters are the basic actions that can be applied to a message that matches a set of conditions. The following actions are available in Sieve core filters:

• discard: This action discards the message silently, without sending any notification to the sender or the recipient. This action is useful for deleting spam or unwanted messages.
• fileinto: This action delivers the message to a specified mailbox. The mailbox can be an existing one or a new one that is created by the action. This action is useful for organizing messages into different folders based on their content or headers.
• reject: This action rejects the message and sends a notification to the sender with a specified reason. The message is not delivered to the recipient. This action is useful for informing the sender that the message was not accepted due to some policy or error.

The other options are not valid actions in Sieve core filters. drop, relay, and fileinto are not recognized keywords by Sieve.

References:

• Sieve: An Email Filtering Language, section 2.10, “Actions”
• Sieve Tutorial, section 4, “Actions”

According to the OpenLDAP Software 2.6 Administrator’s Guide1, the default access control policy is allow read by all clients. This means that if there is no access directive, any client can read any entry or attribute in the directory, but cannot modify or delete them. Therefore, option C is the correct answer, as it represents this policy. Option A is incorrect, as it grants write access to all clients, which is not the default. Option B is incorrect, as it denies access to all clients, which is also not the default. Option D is incorrect, as it grants read and write access only to the rootdn, which is the superuser of the directory, and denies access to all other clients.

References:

• OpenLDAP Software 2.6 Administrator’s Guide: Access Control: The official documentation of OpenLDAP on how to configure access control for the directory server.

 A glue record is a DNS record that provides the IP address of a nameserver that is a subdomain of the domain being queried. For example, if the domain example.com has nameservers ns1.example.com and ns2.example.com, then the .com nameservers will provide glue records for ns1.example.com and ns2.example.com, along with the NS records for example.com. This way, the resolver can find the IP address of the nameservers without having to query them first, which would create a circular dependency12

The format of a glue record is:

nameserver A IP address

where nameserver is the hostname of the nameserver, A is the record type for IPv4 address, and IP address is the IPv4 address of the nameserver3

Therefore, the only option that matches this format is A. ns1.lab A 198.51.100.53. The other options are either missing the record type, the IP address, or the dot after the nameserver name4 References:

• DNS Tools - Glue Records
• What Is Glue Record: Everything You Wanted To Know
• Glue Records and Dedicated DNS - NS1, an IBM Company
• DNS Record Types - DNSimple Help

Glue Records and Dedicated DNS - NS1, an IBM Company

 The Dovecot configuration variable that specifies the location of user mail is mail_location. This variable defines the format and path of the mailboxes, and it can be overridden by userdb or namespace settings. The format of the mail_location specification is:

:[:=[:=...]]

where  is one of the supported mailbox formats, such as mbox, maildir, or dbox;  is the absolute path to the mail directory; and = are optional parameters that modify the behavior of the mailbox format.

For example, a mail_location setting for maildir format could look like this:

mail_location = maildir:~/Maildir

This means that the user’s mail is stored in the Maildir subdirectory of their home directory.

References: You can find more information about the mail_location variable and its parameters in the following resources:

• Mail Location Settings — Dovecot documentation
• Config Variables — Dovecot documentation

Sieve is a programming language used to filter emails by writing simple rules. To combine multiple conditions in a Sieve filter, you can use the allof or anyof keywords. The allof keyword means that all of the conditions must be true for the filter to apply, while the anyof keyword means that at least one of the conditions must be true. For example, the following Sieve filter will assign the label “Important” to any message that is from “boss@example.com” or has the subject “Urgent”:

if anyof (header :contains “From” “boss@example.com”, header :contains “Subject” “Urgent”) { fileinto “Important”; }

The following Sieve filter will assign the label “Spam” to any message that is not from “friend@example.com” and has the subject “Free offer”:

if allof (not header :contains “From” “friend@example.com”, header :contains “Subject” “Free offer”) { fileinto “Spam”; }

References: You can learn more about Sieve filters and logical combinations from the following sources:

• Sieve filter (advanced custom filters) | Proton
• RFC 5228 - Sieve: An Email Filtering Language

The command that displays NFS kernel statistics is nfsstat. This command can be used to show information about the number and type of NFS and RPC calls made by the NFS client or server. It can also be used to reset the statistics to zero, or to display information about mounted NFS file systems. The nfsstat command is part of the nfs-utils package and can be installed on most Linux distributions. For more information about the nfsstat command, you can refer to the following resources:

• 1: A Microsoft Learn article that explains the syntax and usage of the nfsstat command on Windows Server.
• 2: A Bing search result page that shows various links and snippets related to the nfsstat command.
• 3: A Red Hat article that demonstrates how to use the nfsstat and nfsiostat commands to troubleshoot NFS performance issues on Linux.

Dovecot supports various authentication mechanisms that can be used to verify the identity of the users who connect to the mail server. Authentication mechanisms are protocols that define how the client and the server exchange the user credentials, such as the username and the password. Some authentication mechanisms are plaintext, which means that the user credentials are sent without any encryption. Others are non-plaintext, which means that the user credentials are protected from eavesdropping or tampering by using some form of encryption or hashing. Dovecot supports the following authentication mechanisms:

• B. digest-md5: This is a non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The client and the server exchange a series of messages that include a nonce (a random number), a realm (a domain name), and a digest (a hashed combination of the username, password, nonce, and realm). This mechanism prevents replay attacks and supports mutual authentication, meaning that both the client and the server can verify each other’s identity. However, this mechanism is not widely supported by clients and has some security weaknesses12.
• C. cram-md5: This is another non-plaintext mechanism that uses a challenge-response scheme based on the MD5 hash function. The server sends a nonce to the client, and the client responds with the username and a digest of the password and the nonce. This mechanism protects the password from eavesdropping, but does not prevent replay attacks or support mutual authentication. It also requires the server to have access to the plaintext password or a special hashed version of it. This mechanism has somewhat good support in clients12.
• D. plain: This is the simplest and most common plaintext mechanism. The client simply sends the username and the password to the server without any encryption. This mechanism is supported by all clients, but it is vulnerable to eavesdropping and tampering. Therefore, it should only be used with SSL/TLS encryption to secure the connection12.

The other options are not supported by Dovecot as authentication mechanisms. A. ldap is not an authentication mechanism, but a protocol for accessing directory services. E. krb5 is not an authentication mechanism, but a network authentication protocol based on Kerberos. Dovecot supports Kerberos authentication through the GSSAPI mechanism

The samba-tool testparm command is a simple test program to check a Samba configuration file for internal correctness. It verifies that the file can be parsed and loaded by Samba without errors or warnings. If the command reports no problems, it means that the configuration file is valid and can be used by Samba. However, this does not guarantee that the services defined in the configuration file will operate as expected, or that the Samba services are running or enabled on the system. The command also does not check the firewall or netfilter rules on the Samba server, or the version of the configuration file used by the running Samba processes. Therefore, the only correct answer is A.

The command that is used to administer IPv6 netfilter rules is ip6tables. ip6tables is a command-line tool that allows the user to configure the tables, chains, and rules of the IPv6 packet filter in the Linux kernel. Netfilter is a framework that provides packet filtering, network address translation, and other functions for the Linux kernel. ip6tables can be used to create firewall rules, port forwarding rules, network address translation rules, and other types of rules that affect the flow of IPv6 packets. ip6tables has a similar syntax and functionality to iptables, which is the tool for IPv4 netfilter rules. However, ip6tables and iptables are independent of each other and have separate tables, chains, and rules. ip6tables can also be used in conjunction with ip6tables-restore and ip6tables-save, which are tools to save and restore the ip6tables rules to and from a file.

The other options are not correct. iptables is the tool for IPv4 netfilter rules, not IPv6. iptablesv6, iptables6, and ipv6tables are not valid commands in Linux.

References:

• ip6tables - Linux manual page
• Netfilter - Wikipedia
• How to Configure IPTables for IPv6 on Linux

The word missing from the excerpt of a named.conf file is “acl”. This is because the excerpt is defining an access control list (ACL) for the DNS server. The ACL is used to restrict access to the DNS server and is defined in the named.conf file. The syntax for defining an ACL is:

acl name { address_match_list; };

where name is the name of the ACL, and address_match_list is a list of IP addresses, networks, or keywords that match the clients that are allowed or denied access.References:

• LPIC-2 Overview
• LPIC-2 202-450
• BIND 9 Administrator Reference Manual

 The ErrorLog directive of the Apache HTTPD server defines the location and name of the file where the server will log any errors it encounters. The default value of this directive is logs/error_log, which means that the error log file will be stored in the logs subdirectory of the server root directory. The ErrorLog directive can also accept a filename relative to the server root, an absolute filename, or a pipe to a program that will handle the logging. For example, ErrorLog logs/my_error_log will store the error log file in the logs subdirectory with the name my_error_log, ErrorLog /var/log/httpd/error_log will store the error log file in the /var/log/httpd directory with the name error_log, and ErrorLog “|bin/rotatelogs logs/error_log 86400” will pipe the error log to the rotatelogs program that will rotate the log file every 86400 seconds. References: Log Files - Apache HTTP Server Version 2.4, Directive Quick Reference - Apache HTTP Server Version 2.4, How do I find Apache http server log files? – Code A Site Blog, mod_log_config - Apache HTTP Server Version 2.2