Study Guide: CompTIA Security+ Secure Protocols - Zero-Fluff, Hands-On Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-secure-protocols-zero-fluff-hands-on-guide

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

CompTIA Security+ Secure Protocols: Zero-Fluff, Hands-On Guide

(HTTPS, SSH, SFTP, SNMPv3, DNSSEC)


1. What This Is & Why It Matters

Secure protocols are the encrypted highways of your network. Without them, every login, file transfer, or device query is sent in plaintext—like shouting your password across a crowded room.

Real-world scenario: You’re a sysadmin at a healthcare company. A legacy medical device (MRI machine) still uses unencrypted SNMPv2 to report status. An attacker on the same network sniffs the traffic, extracts the community string (public), and reboots the device mid-scan, corrupting patient data. Now you’re explaining to the CISO why you didn’t enforce SNMPv3 (which encrypts credentials and data).

Or: Your dev team hardcodes FTP credentials in a script to pull logs. A junior engineer accidentally commits the script to GitHub. Now your AWS keys, database passwords, and internal IPs are exposed. If they’d used SFTP (SSH File Transfer Protocol), the credentials would’ve been encrypted in transit.

Why this matters in production:
  • Compliance: HIPAA, PCI-DSS, GDPR require encryption for sensitive data in transit.
  • Attack surface: Unencrypted protocols are low-hanging fruit for attackers (e.g., ARP spoofing + MITM).
  • Trust: Customers (and auditors) won’t tolerate plaintext logins in 2024.

Your superpower: You’ll spot unencrypted protocols in 5 seconds (e.g., telnet, FTP, HTTP, SNMPv1/v2) and replace them with secure alternatives—without breaking legacy systems.


2. Core Concepts & Components

HTTPS (Hypertext Transfer Protocol Secure)

  • What it is: HTTP + TLS encryption (port 443).
  • Production insight: If your website uses http://, browsers flag it as "Not Secure" (Chrome/Firefox). PCI-DSS compliance fails if payment pages aren’t HTTPS.
  • Key components:
    • TLS (Transport Layer Security): Encrypts data in transit (replaces SSL).
    • Certificate Authority (CA): Issues trusted certs (e.g., Let’s Encrypt, DigiCert).
    • HSTS (HTTP Strict Transport Security): Forces browsers to only use HTTPS (prevents downgrade attacks).

SSH (Secure Shell)

  • What it is: Encrypted remote access (port 22).
  • Production insight: If you use telnet or rlogin, stop immediately. SSH encrypts everything (credentials, commands, file transfers).
  • Key components:
    • Key-based auth: More secure than passwords (use ssh-keygen).
    • SSH tunneling: Encrypts traffic for other protocols (e.g., mysql -h localhost -P 3306 over an SSH tunnel).
    • SSH config file (~/.ssh/config): Simplifies connections (e.g., define a Host prod-server entry once, then connect with ssh prod-server).

SFTP (SSH File Transfer Protocol)

  • What it is: File transfer over SSH (port 22, same as SSH).
  • Production insight: Never use FTP (plaintext credentials). SFTP is just as easy but encrypted.
  • Key components:
    • Chroot jail: Restricts users to their home directory (ChrootDirectory /home/%u in sshd_config).
    • Key-based auth: Avoids password brute-forcing.

SNMPv3 (Simple Network Management Protocol v3)

  • What it is: Encrypted network device monitoring (ports 161/162).
  • Production insight: SNMPv1/v2 sends community strings in plaintext (default: public). SNMPv3 adds authentication + encryption.
  • Key components:
    • Security levels:
      • noAuthNoPriv: No auth, no encryption (useless).
      • authNoPriv: Auth (SHA/MD5), no encryption (better).
      • authPriv: Auth + encryption (AES/DES) (use this).
    • User-based security model (USM): Replaces community strings with usernames + passwords.

DNSSEC (Domain Name System Security Extensions)

  • What it is: Cryptographically signs DNS records to prevent spoofing.
  • Production insight: Without DNSSEC, attackers can poison DNS caches (e.g., redirect bank.com to a fake site).
  • Key components:
    • RRSIG records: Cryptographic signatures for DNS records.
    • DS (Delegation Signer) records: Link child zones to parent zones.
    • NSEC/NSEC3: Prove non-existence of records (prevents "ghost" attacks).

3. Step-by-Step Hands-On

Task: Secure a Web Server with HTTPS (Let’s Encrypt)

Prerequisites:
  • A Linux server (Ubuntu 22.04 LTS).
  • A domain name (e.g., example.com).
  • Ports 80 and 443 open in the firewall.

Step 1: Install Certbot (Let’s Encrypt client)

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Step 2: Obtain a TLS Certificate

sudo certbot --nginx -d example.com -d www.example.com
  • Follow prompts (enter email, agree to terms).
  • Certbot automatically configures Nginx to use HTTPS.

Step 3: Verify HTTPS Works

curl -I https://example.com

Expected output:

HTTP/2 200
server: nginx/1.18.0
strict-transport-security: max-age=31536000; includeSubDomains
  • strict-transport-security confirms HSTS is enabled.

Step 4: Auto-Renew Certificates (Cron Job)

sudo crontab -e

Add:

0 12 * * * /usr/bin/certbot renew --quiet
  • Certs expire every 90 days; this renews them automatically.
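
The header check in Step 3 can be scripted so it fails loudly when the HSTS policy is missing or weaker than the max-age recommended later in this guide. This is an added example, not the guide's own code; the two header blocks are constructed samples (one is the expected output above, the other a deliberately weak policy).

```python
"""HSTS audit of the headers captured with `curl -I` in Step 3 above.

Added example, not from the guide: checks the policy against the values the
guide recommends (max-age of at least one year, includeSubDomains present).
"""

ONE_YEAR = 31536000  # seconds; the max-age used in the Best Practices section
# Constructed sample: the expected output shown in Step 3.
GOOD_HEADERS = """HTTP/2 200
server: nginx/1.18.0
strict-transport-security: max-age=31536000; includeSubDomains
"""
# Constructed sample: HSTS is present but the policy is far too short.
WEAK_HEADERS = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Strict-Transport-Security: max-age=300
"""

def parse_headers(raw):
    """Return {lower-case name: value} from a curl -I dump (status line skipped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a directive dict."""
    policy = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            policy[key.lower()] = val.strip() or True
    return policy

def audit_hsts(raw):
    """Return a list of findings; an empty list means the policy is sound."""
    hsts = parse_headers(raw).get("strict-transport-security")
    if hsts is None:
        return ["HSTS header missing: a downgrade to plain HTTP is not blocked"]
    policy, findings = parse_hsts(hsts), []
    max_age = policy.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    return findings
```

Feed it the output of `curl -I https://example.com` (or `curl -sI ... | python3 -c ...`) and treat any non-empty result as a failed check.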

Task: Set Up SFTP with Chroot Jail

Prerequisites:
  • A Linux server (Ubuntu 22.04).
  • A user (sftpuser) who needs file access.

Step 1: Create a Chroot Directory

sudo mkdir -p /sftp/jail/sftpuser/uploads
sudo chown root:root /sftp/jail
sudo chown sftpuser:sftpuser /sftp/jail/sftpuser/uploads

Step 2: Configure SSH for SFTP

Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Add at the end:

Match User sftpuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /sftp/jail
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
  • ChrootDirectory restricts the user to /sftp/jail.
  • ForceCommand internal-sftp disables shell access.

Step 3: Restart SSH

sudo systemctl restart sshd

Step 4: Test SFTP Access

sftp sftpuser@<server-ip>
  • Try uploading a file: put test.txt
  • Verify it lands in /sftp/jail/sftpuser/uploads.
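
Before restarting sshd it is worth checking that the Match block really closes every door the guide lists (forced internal-sftp, chroot, no forwarding or tunnels). The script below is an added example, not part of the guide: it applies sshd's rule that directives following a `Match` line belong to that block until the next `Match`, then reports what a user's jail is missing. The two configs are constructed samples, the first being the guide's own block.

```python
"""Audit an sshd_config Match block against the SFTP-jail settings above.

Added example, not from the guide: directives after a `Match` line are
attributed to that block until the next `Match`, as sshd does.
"""
# The guide's own Match block, embedded here as constructed sample input.
GUIDE_CONFIG = """
Match User sftpuser
    ForceCommand internal-sftp
    ChrootDirectory /sftp/jail
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
"""
# Constructed weak variant: chroot set, but shell and port forwarding stay open.
WEAK_CONFIG = """
Match User sftpuser
    ChrootDirectory /sftp/jail
    AllowTcpForwarding yes
"""
# Directive -> value the jail needs (None: must be present, any value).
REQUIRED = {"forcecommand": "internal-sftp", "chrootdirectory": None,
            "allowtcpforwarding": "no", "allowagentforwarding": "no",
            "x11forwarding": "no", "permittunnel": "no"}

def parse_sshd_config(text):
    # Returns {match criteria (lower-case), or None for globals: {directive: value}}
    blocks, current = {None: {}}, None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments and blanks
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = value.lower()
            blocks.setdefault(current, {})
        else:
            blocks[current][key] = value
    return blocks

def audit_sftp_jail(text, user):
    """Return findings for the user's Match block; [] means the jail is complete."""
    block = parse_sshd_config(text).get(f"user {user}")
    if block is None:
        return [f"no 'Match User {user}' block: the user keeps a normal shell"]
    findings = []
    for directive, wanted in REQUIRED.items():
        actual = block.get(directive)
        if actual is None:
            findings.append(f"{directive} not set in the Match block")
        elif wanted is not None and actual.lower() != wanted:
            findings.append(f"{directive} is '{actual}', expected '{wanted}'")
    return findings
```

Run it on the real file with `audit_sftp_jail(open("/etc/ssh/sshd_config").read(), "sftpuser")`; it does not check filesystem ownership of the chroot, which sshd still enforces at login.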

Task: Configure SNMPv3 on a Cisco Router

Prerequisites:
  • A Cisco router (IOS 15+).
  • Console/SSH access.

Step 1: Enable SNMPv3

enable
configure terminal
snmp-server group V3GROUP v3 priv
snmp-server user SNMPUSER V3GROUP v3 auth sha MyAuthPass123 priv aes 128 MyPrivPass123
snmp-server host 192.168.1.100 version 3 priv SNMPUSER
  • auth sha: Uses SHA for authentication.
  • priv aes 128: Encrypts traffic with AES-128.

Step 2: Verify SNMPv3

show snmp user

Expected output:

User name: SNMPUSER
Engine ID: 800000090300AABBCCDDEEFF
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: V3GROUP

Step 3: Test SNMPv3 from Linux

snmpwalk -v 3 -l authPriv -u SNMPUSER -a SHA -A MyAuthPass123 -x AES -X MyPrivPass123 192.168.1.1 system
  • -l authPriv selects the security level; without it net-snmp defaults to noAuthNoPriv and the router rejects the request.
  • If it returns router info, SNMPv3 is working.

4. Production-Ready Best Practices

Security

  • HTTPS:
    • Use TLS 1.2+ (disable TLS 1.0/1.1).
    • Enable HSTS (Strict-Transport-Security: max-age=31536000).
    • Use OCSP stapling to speed up certificate revocation checks.
  • SSH:
    • Disable password auth (PasswordAuthentication no in sshd_config).
    • Use ed25519 keys (stronger than RSA).
    • Restrict SSH to specific users and source IPs (AllowUsers <user>@<ip-address> in sshd_config).
  • SFTP:
    • Disable shell access (ForceCommand internal-sftp).
    • Set umask 0027 to restrict file permissions.
  • SNMPv3:
    • Always use authPriv (auth + encryption).
    • Rotate SNMPv3 passwords every 90 days.
  • DNSSEC:
    • Sign all critical zones (e.g., example.com, mail.example.com).
    • Monitor DS record propagation (use dig +trace example.com DS).

Cost Optimization

  • HTTPS: Use Let’s Encrypt (free) instead of paid certs for internal services.
  • SSH: Use SSH certificates (instead of individual keys) for large teams.
  • SNMPv3: Limit polling frequency to reduce CPU load on devices.

Reliability & Maintainability

  • HTTPS: Automate cert renewal and test the renewal path (certbot renew --dry-run).
  • SSH: Use Ansible to manage SSH keys across servers.
  • SFTP: Log all file transfers (/var/log/auth.log).
  • SNMPv3: Document SNMPv3 users in a password manager.

Observability

  • HTTPS: Monitor TLS handshake failures (indicates cert issues).
  • SSH: Alert on failed SSH logins (brute-force attempts).
  • SFTP: Log file uploads/downloads (for compliance).
  • SNMPv3: Monitor SNMP timeouts (device overload).
  • DNSSEC: Check RRSIG expiration (dig +dnssec example.com).
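
The last bullet is the one most often left to a human eyeballing dig output, so here is an added example (not from the guide) that parses the RRSIG records in `dig +dnssec` output and classifies each signature as ok, expiring, expired or not yet valid. The answer section is a constructed sample with placeholder signature data; the `now` argument is passed in explicitly so the check is deterministic.

```python
"""Check RRSIG expiration in `dig +dnssec` output (Observability above).

Added example, not from the guide: parses RRSIG records in presentation
format and flags signatures that are expired or about to expire, the
failure that makes validating resolvers answer SERVFAIL for the zone.
"""
from datetime import datetime, timezone

# Constructed answer section from `dig +dnssec example.com`; the signature
# field is a placeholder, not real data.
DIG_OUTPUT = """
;; ANSWER SECTION:
example.com.  3600 IN A     93.184.216.34
example.com.  3600 IN RRSIG A 13 2 3600 20240620000000 20240601000000 12345 example.com. SIGPLACEHOLDER==
example.com.  3600 IN RRSIG MX 13 2 3600 20240605120000 20240520000000 12345 example.com. SIGPLACEHOLDER==
"""

def rrsig_time(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (type covered, expiration, inception) for every RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) >= 12 and f[3] == "RRSIG":
            yield f[4], rrsig_time(f[8]), rrsig_time(f[9])

def rrsig_status(text, now, warn_days=7):
    """Return {type covered: 'ok' | 'expiring' | 'expired' | 'not yet valid'}."""
    status = {}
    for rtype, expiration, inception in parse_rrsigs(text):
        if now < inception:
            status[rtype] = "not yet valid"
        elif now >= expiration:
            status[rtype] = "expired"
        elif (expiration - now).days < warn_days:
            status[rtype] = "expiring"
        else:
            status[rtype] = "ok"
    return status
```

In a cron job, pass `datetime.now(timezone.utc)` as `now` and alert on anything that is not "ok"; re-signing before the warning window closes is what keeps the zone resolvable.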

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
|---|---|---|
| Using HTTP instead of HTTPS | Browser shows "Not Secure" | Redirect HTTP to HTTPS (return 301 https://$host$request_uri; in Nginx). |
| SSH with password auth | Brute-force attempts in /var/log/auth.log | Disable password auth (PasswordAuthentication no). |
| FTP instead of SFTP | Wireshark shows plaintext credentials | Migrate to SFTP (sftp or scp). |
| SNMPv2 (plaintext community strings) | snmpwalk shows public in logs | Upgrade to SNMPv3 (authPriv). |
| DNS without DNSSEC | dig +dnssec example.com shows no RRSIG | Sign the zone (dnssec-signzone). |
| Self-signed HTTPS certs | Browser warns "Your connection is not private" | Use Let’s Encrypt or a trusted CA. |
| SSH keys with weak passphrases | Keys stolen from GitHub | Use ed25519 keys + strong passphrases. |

6. Exam/Certification Focus (CompTIA Security+)

Typical Question Patterns

  1. "Which protocol encrypts file transfers?"
     • Correct: SFTP (SSH-based) or FTPS (FTP + TLS).
     • Distractor: FTP (plaintext).

  2. "What’s the difference between SNMPv2 and SNMPv3?"
     • SNMPv2: Plaintext community strings (e.g., public).
     • SNMPv3: Encrypted auth + privacy (authPriv).

  3. "How do you prevent DNS spoofing?"
     • Correct: DNSSEC (cryptographic signatures).
     • Distractor: DNS over HTTPS (DoH) (doesn’t prevent spoofing, just encrypts queries).

  4. "Which SSH key type is most secure?"
     • Correct: ed25519 (faster + more secure than RSA).
     • Distractor: DSA (deprecated).

  5. "What’s the default port for HTTPS?"
     • Correct: 443
     • Distractors: 80 (HTTP), 22 (SSH), 21 (FTP).

Trap Distinctions

| Concept | Trap Answer | Correct Answer |
|---|---|---|
| HTTPS vs. HTTP | "HTTPS is just HTTP with a padlock" | HTTPS = HTTP + TLS encryption (prevents MITM). |
| SFTP vs. FTPS | "They’re the same" | SFTP = SSH-based (port 22). FTPS = FTP + TLS (port 990). |
| SNMPv3 security levels | "All SNMPv3 is encrypted" | Only authPriv encrypts. noAuthNoPriv is worse than SNMPv2. |
| DNSSEC | "It encrypts DNS queries" | It signs DNS records (prevents spoofing). Encryption = DoH/DoT. |

7. Hands-On Challenge

Challenge: Secure a Legacy Web App

Scenario: You inherit a legacy web app running on http://oldapp.example.com. The dev team says:
  • "We can’t use HTTPS because the app breaks on port 443."
  • "We use FTP to upload files."

Your task:
1. Force HTTPS without breaking the app.
2. Replace FTP with SFTP.
3. Verify both work.

Solution:

1. HTTPS (Nginx config):

```nginx
server {
    listen 80;
    server_name oldapp.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name oldapp.example.com;
    ssl_certificate /etc/letsencrypt/live/oldapp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/oldapp.example.com/privkey.pem;
    # App config here
}
```
   • Why it works: Redirects HTTP to HTTPS before the app sees the request.

2. SFTP (replacing FTP):

```bash
sudo systemctl stop vsftpd && sudo systemctl disable vsftpd   # Disable the existing FTP server
sudo apt install openssh-server
sudo useradd -m -s /bin/false sftpuser                        # No shell access
sudo chown root:root /home/sftpuser                           # sshd requires a root-owned chroot that others cannot write to
sudo chmod 755 /home/sftpuser
sudo mkdir -p /home/sftpuser/uploads
sudo chown sftpuser:sftpuser /home/sftpuser/uploads           # The user writes only inside uploads/
```

   Edit /etc/ssh/sshd_config:

```
Match User sftpuser
    ForceCommand internal-sftp
    ChrootDirectory /home/sftpuser
```

   Restart SSH: sudo systemctl restart sshd

3. Verify:
   • curl -I http://oldapp.example.com should return a 301 redirect to HTTPS.
   • sftp sftpuser@oldapp.example.com should connect (no FTP).

8. Rapid-Reference Crib Sheet

| Protocol | Port | Secure Alternative | Key Command | Exam Trap |
|---|---|---|---|---|
| HTTP | 80 | HTTPS (443) | curl -I https://example.com | HSTS is not enabled by default. |
| FTP | 21 | SFTP (22) | sftp user@host | FTPS ≠ SFTP (FTPS = FTP + TLS). |
| Telnet | 23 | SSH (22) | ssh user@host | SSH keys > passwords. |
| SNMPv2 | 161/162 | SNMPv3 | snmpwalk -v 3 -l authPriv -u user -a SHA -A pass -x AES -X pass host | noAuthNoPriv is less secure than SNMPv2. |
| DNS | 53 | DNSSEC | dig +dnssec example.com | DNSSEC doesn’t encrypt queries (use DoH/DoT for that). |

Default Credentials to Change:
  • SNMPv2: public (read-only), private (read-write).
  • SSH: Disable root login (PermitRootLogin no).
  • FTP: Anonymous login (anonymous:anonymous).


9. Where to Go Next

  1. Let’s Encrypt Docs – Free HTTPS certs.
  2. OpenSSH Manual – SSH hardening.
  3. Cisco SNMPv3 Guide – SNMPv3 on Cisco devices.
  4. DNSSEC How-To – Signing your DNS zones.
  5. Nmap Cheat Sheet – Scan for insecure protocols (nmap -sV --script ssl-enum-ciphers example.com).

Final Pro Tip: Run this command right now on your network:

```bash
sudo nmap -sV --script ssl-enum-ciphers -p 443,22,21,161 192.168
```