Pick a real scenario, build the fix in a free local lab, and submit your work.
Want a guided order? Follow a path. Prefer to solve on your own machine? Set up your lab. Seen a problem worth solving? Propose a challenge.
A two-minute guided tour of the browser lab. Add one route, watch it work, and earn your first proof. No setup, no install. (~10 min)
One /24, four segments with different host counts. Design a non-overlapping VLSM plan with no waste, apply it, and prove every segment reaches every other. (~35 min)
The SSH server still allows root logins and password auth, the two settings every attacker hopes to find. Lock down sshd_config to key-only, no-root access. (~20 min)
Two LANs, one router link between them, and no connectivity. Find the gap and fix it. (~30 min)
A config file with credentials is world-readable. Fix its ownership and permissions so the owner can write it, the app group can read it, and nobody else can touch it. It's the daily bread of Linux administration. (~20 min)
The backup job is misconfigured and runs far too often. Fix the crontab so it runs once a day at 02:30, graded by actually testing when the schedule fires. (~15 min)
A new team needs accounts with the right group access. Developers, deploy, and one person who spans both. Write the user and group commands, graded on the resulting memberships. (~20 min)
An application writes logs that nothing ever rotates, and the disk is filling up. Add a logrotate policy that rotates, caps, compresses, and retains a sane number of files. (~25 min)
A Compose stack starts the app the moment the database container starts, not when it can accept connections, so the app crashes on boot. Make it wait for a healthy database. (~25 min)
A stub site has no way out. Everything internal works, but nothing beyond the edge is reachable. Add the route that fixes it. (~25 min)
A service starts but never restarts on crash, runs as root, and won't come back after a reboot. Write a unit file that restarts on failure, runs as a non-root user, and starts at boot. (~20 min)
Two switches share an 802.1Q trunk, but the two ends disagree on the native VLAN. Untagged frames land in the wrong VLAN. Align the native VLAN on both ends. (~35 min)
There's one central DHCP server, and a subnet a router-hop away that leases nothing. Bridge the gap with a relay. (~50 min)
The dev team shares /srv/projects, and the last "fix" was chmod 777. Set real group ownership, group collaboration rights, setgid inheritance, and lock everyone else out. (~20 min)
Two tenants run on one host, each on its own bridge so they can't see each other. One VM is on the wrong bridge and can reach the other tenant. Move it back. (~35 min)
A site has a primary uplink and an idle backup. Add a floating static default route so the backup is used only when the primary's route is gone. (~35 min)
A Terraform IAM policy allows "*" on "*" (full admin) for a job that only reads and writes one bucket. Scope it to least privilege. (~30 min)
Three routers, OSPF area 0, but one adjacency is stuck. Two routers can ping each other yet never become neighbors. Diagnose why. (~50 min)
An eBGP session between two providers won't establish, and even once it does, a prefix is missing. Fix both. (~60 min)
One 10.20.0.0/24 block, four departments with very different sizes. A flat equal split doesn't fit. Design a VLSM plan that sizes each subnet to its host count. (~35 min)
A firewall log shows one host probing many ports in seconds, mixed with normal traffic. Write a threshold rule that flags the scanner without alerting on busy-but-benign hosts. (~40 min)
A legacy report tool is setuid-root AND world-writable, so any user can overwrite it and their code runs as root. Find the misconfiguration and fix the permissions without breaking the tool. (~25 min)
A warehouse, an office, a voice VLAN, a DMZ and a router link all have to fit in 172.16.4.0/23 with no overlap and no waste. Design the VLSM plan, apply it, and route between the segments. (~40 min)
Network changes shouldn't merge unreviewed. Write a CI workflow that checks out the repo and validates the configs on every pull request, the GitOps guardrail for network automation. (~30 min)
Maintaining firewall ACLs by hand drifts and errs. Render an extended ACL from a list of allowed services, so the policy is data and the device config is generated. (~40 min)
Hand-configuring VLANs and access ports across switches doesn't scale. Write a template that renders the VLAN database and access-port config from a variables file. (~40 min)
An inside LAN needs to reach the outside through a single public address. Routing's fine. The translation is what's missing. (~40 min)
The guest network has a route straight into the services subnet, file server included. Write an extended ACL so guests get DNS and the portal, and nothing else. (~35 min)
A container image runs as root, floats on the latest tag, and bakes an API token into a layer. Fix the Dockerfile to a pinned base, a non-root user, and no secrets in the image. (~25 min)
The web frontend still negotiates SSLv3 and RC4, protocols broken for a decade. Restrict nginx to modern TLS, strong ciphers, and turn on HSTS. (~25 min)
A GitHub Actions workflow pulls third-party actions by mutable tag and runs with a write-scoped token. Pin every action to a commit SHA and drop the token to least privilege. (~30 min)
A server's sysctl settings still route between interfaces and accept ICMP redirects. Lock the kernel network parameters down for a host that isn't a router. (~30 min)
Three VMs share one hypervisor bridge. Use VLAN filtering so the two sales VMs talk to each other while the engineering VM is isolated. That's the everyday job of virtual networking. (~35 min)
A security group leaves SSH and the database open to the whole internet. Rewrite the ingress rules so each service is reachable only from where it should be, graded by replaying traffic and flagging anything still exposed to 0.0.0.0/0. (~30 min)
The deploy account has full root via sudo, far more than it needs. Scope it down to exactly one command (restarting the app), graded on the commands the rule actually grants. (~20 min)
The edge ACL lets internal hosts browse out, but it also lets the internet open new connections inward. Restrict the inbound filter to established return traffic only. (~40 min)
A server accepts connections on every port from anywhere. Write an nftables ruleset that default-drops, allows web to all, and restricts SSH to the admin network, graded by replaying real connection attempts through your rules. (~35 min)
Write an ACL that enforces a precise access policy, in the right place and direction, respecting the implicit deny. (~50 min)
An open NTP daemon answers the whole internet and trusts unauthenticated upstreams. Restrict who it serves and require authenticated time. (~30 min)
Two client subnets, one central DHCP server, one router relaying for them. One subnet gets addresses, the other gets nothing. Relay both. (~45 min)
Both routers blast OSPF hellos onto their host LANs, a waste and an attack surface. Make the LAN interfaces passive without breaking the adjacency or losing the routes. (~30 min)
An outside client needs to reach an inside web server through the router's single public IP, but only that one port, nothing else. (~40 min)
A router carries four separate static routes to four contiguous /24s. Collapse them into the single summary route that covers exactly those networks. (~30 min)
A Deployment runs a privileged, root container with no resource limits and no health checks. Bring it up to a baseline pod-security standard the way a real cluster admission controller would demand. (~35 min)
A three-tier docker-compose stack has every container on one flat network and the database published to the host. Split it into frontend/backend networks so the proxy can never touch the database. (~25 min)
A Terraform S3 bucket is public-read and unencrypted, a data breach waiting to happen. Fix the config to block public access and turn on encryption. (~25 min)
Stop hand-writing configs. Write one Jinja2 template that generates every router's OSPF config from a vars file, and prove the rendered fabric actually converges. (~40 min)
A namespace has no default-deny, and the backend's NetworkPolicy allows ingress from every pod. Lock it to default-deny plus a targeted frontend to backend allow. (~35 min)
A hypervisor bridge fans two VLANs of VMs out to the physical NIC over a trunk. Web VMs reach the network; the DB VMs don't. Fix the trunk. (~40 min)
A unit file straight from a wiki page - root, no restart policy, no sandboxing. Harden it with a service account, restart-on-failure, and systemd's filesystem and privilege guards. (~25 min)
Two links between switches should be one LACP port-channel, but a config mismatch keeps it down. Fix it so the bundle forms. (~40 min)
Two routers share a link but never become OSPF neighbors, so neither learns the other's routes. Find why the adjacency is stuck and fix it. (~45 min)
R1 has a static route to an external block, but no other router knows about it. OSPF is up. The route just isn't getting into it. (~40 min)
A directly-connected server LAN isn't advertised into OSPF, so the neighbor can't reach it. Redistribute connected routes into OSPF. (~40 min)
An inventory sync should poll every 15 minutes during business hours, weekdays only. Right now it fires around the clock, weekends included. Fix the schedule, graded by when it actually fires. (~20 min)
A client can't reach the web server, and there's more than one reason. An ACL over-blocks the web traffic, and replies have no way home. Find and fix both. (~45 min)
Three switches in a triangle, and STP elected the wrong root, so traffic takes a bad path. Make the intended switch the root, loop-free. (~40 min)
Three routers in a chain, and the far LAN is unreachable. The first hop is configured; the transit router and the return path are not. (~35 min)
Two paths to the same destination, and OSPF is using the wrong one, the low-bandwidth backup link. Make it prefer the right path without breaking the backup. (~45 min)
Same-VLAN hosts reach each other, but inter-VLAN routing over a router-on-a-stick is broken. Find the L2/L3 gap. (~45 min)
A layer-3 switch should route between VLAN 10 and VLAN 20 using SVIs, but inter-VLAN routing is half-built. Finish it so the two VLANs can talk. (~45 min)
Read an auth.log, then write a threshold detection rule that flags the brute-force attacker without alerting on a user who just fat-fingered their password. Real detection engineering, graded on whether your rule actually fires correctly. (~40 min)
A BGP peer is sending you a prefix you never agreed to carry. The session is fine. You just need to accept what you want and drop the rest. (~45 min)
You have two upstreams advertising the same destination. Make your router prefer one of them outbound, and steer inbound traffic the same way. (~75 min)
Don't configure by hand. Write an Ansible playbook that brings up OSPF consistently across three routers, idempotently. (~90 min)
A host is sneaking data out over DNS. Write a detection rule that flags the tunneling domain without firing on a busy CI box that legitimately makes lots of lookups. The trick is choosing what to group by. (~45 min)
A multi-site network is broken by three independent faults across L2, L3, and a filter. Restore end-to-end connectivity and document what you found. (~120 min)