Data Networking/Fall 2013/Group12
Motivation
Linux is an essential part of any networking firm today. It is an open-source, freely available operating system. To get hands-on exposure to its features and the diversity of its applications, we took up this project and familiarised ourselves with the Ubuntu Linux distribution.
Understanding the Protocol
DHCP:
• Dynamic Host Configuration Protocol is used to assign IP addresses dynamically to hosts that connect to the network.
• It is often described as a plug-and-play protocol: a host obtains its network configuration without manual setup.
• It eases the task of assigning addresses to clients each time they join a network. When a client joins, the DHCP server leases an address from a pool of free addresses for a fixed lease period. If the same host returns within the lease time it is offered the same address again.
• It also provides additional information such as the subnet mask, default gateway and local DNS server.
• It makes management easier: a change of DNS server address is made once on the DHCP server rather than on every client.
• It prevents duplicate assignments, since the server tracks which addresses in its pool are currently leased.
• DHCP identifies clients by a unique identifier: for IPv4 this is normally the client's MAC address (or a client-id option), and for IPv6 it is the DUID.
• The messages exchanged between client and server are DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK (often remembered as "DORA").
• It runs over UDP using the well-known ports 67 (server) and 68 (client).
• DHCP has no authentication: any host on the LAN can answer a DHCPDISCOVER, so a rogue server can hand out its own gateway or DNS server address. On a switched network this is usually countered with DHCP snooping on the switch.
DNS:
• The Domain Name System translates hostnames to the corresponding IP (Internet Protocol) addresses and, through reverse lookup, IP addresses back to hostnames.
• Data is stored in the DNS server's database in the form of resource records.
• The records for a domain are kept in the zone file for that domain.
• The main record types are:
a) A record: maps a hostname to an IPv4 address.
b) NS record: names the authoritative DNS servers for a zone (this is how a zone is delegated).
c) CNAME record: makes one name an alias of another (canonical) name.
d) MX record: lists the mail exchange servers for the domain, each with a preference value.
e) PTR record: maps an IPv4 address (under in-addr.arpa) or an IPv6 address (under ip6.arpa) back to the canonical hostname.
f) AAAA record: maps a hostname to a 128-bit IPv6 address.
• DNS uses UDP for ordinary queries and TCP for zone transfers and for responses too large for a single UDP datagram.
• Port 53 is used for DNS over both transports.
• Some DNS server implementations are:
a) BIND9
b) Posadis
c) PowerDNS
Web Server:
• A web server hosts web pages.
• The web server is always on and serves requests on demand. We used apache2 because of its ubiquity.
• A web page consists of objects: an HTML file plus the images, videos, scripts or applets it references, each addressed by a URL.
• The web server speaks HTTP (Hyper Text Transfer Protocol) and listens on port 80. Plain HTTP is unencrypted; HTTPS on port 443 was not part of this project.
Firewall
• A firewall is a mechanism designed to block unauthorised traffic into or out of a network.
• It can be implemented in software, in hardware, or both.
• It controls incoming and outgoing traffic by inspecting each packet and passing only those that the configured policy permits.
The Requirements
The motive behind this project is to design a network with a DHCP server, a DNS server and a web server protected by a firewall, configured to serve a client's request for a web page. The client needs an IP address to communicate with other hosts and reach the internet; the DHCP server assigns each client that joins the network an address from the pool of currently free addresses and also pushes the DNS server address, subnet mask and default gateway. Once the client has an address, the user opens a web browser and types a URL. The hostname in the URL must be resolved to an IP address, which is the DNS server's job: it takes the client's query containing the hostname and returns the address in its response. The client's browser then opens a connection to the web server, which responds with the requested page. The web server is protected by a firewall configured to block unauthorised requests. A scheduled backup copies vital configuration files between the servers; it is implemented with scp over SSH rather than FTP (see Backup), since the firewall drops the FTP ports and FTP would send both the login and the files in clear text.
Steps to perform the setup / installation
DNS (Domain Name System):
Configuration Steps:
Primary DNS Server (IPv4 and IPv6)
• sudo apt-get install bind9 (install the BIND name server)
• sudo nano /etc/network/interfaces (give the server a static address)
• sudo cp /etc/bind/db.127 /etc/bind/db.192.168.1 (use db.127 as the template for the IPv4 reverse zone)
• sudo nano /etc/bind/db.192.168.1 (add the PTR records)
• sudo cp /etc/bind/db.local /etc/bind/db.group12.com (use db.local as the template for the forward zone)
• sudo nano /etc/bind/db.group12.com (add the A, AAAA, NS and CNAME records)
• sudo cp /etc/bind/db.127 /etc/bind/db.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f (template for the IPv6 reverse zone; the name is the fe80::/64 prefix written as reversed nibbles)
• sudo nano /etc/bind/db.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f (add the IPv6 PTR records)
• sudo nano /etc/bind/named.conf (confirm that it includes named.conf.local and named.conf.options)
• sudo nano /etc/bind/named.conf.local (declare the zones with type master; set allow-transfer to the secondary's address so that nobody else can pull a copy of the zone)
• sudo nano /etc/bind/named.conf.options (add forwarders; also limit allow-recursion to the local network so the server is not an open resolver usable for amplification attacks)
• sudo /etc/init.d/bind9 restart (restart the server; named-checkconf and named-checkzone report syntax errors before the restart fails)
Secondary DNS Server (configured as a slave of the primary; it answers queries for the zones if the primary server crashes or is taken down for maintenance)
• sudo apt-get install bind9 (install the BIND name server)
• sudo nano /etc/network/interfaces (give the server a static address)
• sudo cp /etc/bind/db.127 /etc/bind/db.192.168.1 (use db.127 as the template for the IPv4 reverse zone)
• sudo nano /etc/bind/db.192.168.1 (add the PTR records)
• sudo cp /etc/bind/db.local /etc/bind/db.group12.com (use db.local as the template for the forward zone)
• sudo nano /etc/bind/db.group12.com (add the forward lookup records)
• sudo cp /etc/bind/db.127 /etc/bind/db.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f (template for the IPv6 reverse zone)
• sudo nano /etc/bind/db.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f (add the IPv6 PTR records)
• sudo nano /etc/bind/named.conf (confirm that it includes named.conf.local and named.conf.options)
• sudo nano /etc/bind/named.conf.local (declare the zones with type slave and the primary's address in masters; the zone files a slave writes must be placed under /var/cache/bind/ rather than /etc/bind/, because the AppArmor profile for named only permits writes there)
• sudo nano /etc/bind/named.conf.options (add forwarders)
• sudo /etc/init.d/bind9 restart (restart the server)
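The zone files and named.conf fragments that the primary and secondary steps above edit by hand, as an added example (not a file from the Group12 project): it generates them, restricts zone transfers to the secondary and recursion to the LAN, and includes a serial-bump helper, because a slave only refreshes its copy when the SOA serial grows. The addresses 192.168.1.10 (primary), 192.168.1.11 (secondary) and the upstream forwarder 8.8.8.8 are assumptions; 192.168.1.17 is the web server address used in the firewall rules on this page.

```shell
#!/bin/sh
# Added example, not the Group12 page's own files: generate the BIND9 zone and
# configuration files for group12.com and the 192.168.1.0/24 reverse zone.
# Assumed: primary 192.168.1.10, secondary 192.168.1.11, forwarder 8.8.8.8.
set -eu

ZONE="group12.com"
NS1="192.168.1.10"   # assumed primary address
NS2="192.168.1.11"   # assumed secondary address
WEB="192.168.1.17"   # web server address from the firewall rules on the page

# Forward zone -> $1. Serial is YYYYMMDDnn; the slave transfers the zone only
# when it sees a serial larger than the one it already holds.
write_forward_zone() {
    cat > "$1" <<EOF
\$TTL 604800
@       IN SOA ns1.$ZONE. admin.$ZONE. (
            2013110101 ; serial (YYYYMMDDnn)
            604800     ; refresh
            86400      ; retry
            2419200    ; expire
            604800 )   ; negative cache TTL
@       IN NS    ns1.$ZONE.
@       IN NS    ns2.$ZONE.
ns1     IN A     $NS1
ns2     IN A     $NS2
web     IN A     $WEB
www     IN CNAME web
EOF
}

# Reverse zone 1.168.192.in-addr.arpa -> $1 (labels are the host octets).
write_reverse_zone() {
    cat > "$1" <<EOF
\$TTL 604800
@       IN SOA ns1.$ZONE. admin.$ZONE. (
            2013110101 ; serial (YYYYMMDDnn)
            604800 86400 2419200 604800 )
@       IN NS    ns1.$ZONE.
@       IN NS    ns2.$ZONE.
${NS1##*.}      IN PTR   ns1.$ZONE.
${NS2##*.}      IN PTR   ns2.$ZONE.
${WEB##*.}      IN PTR   web.$ZONE.
EOF
}

# named.conf.local on the primary: only the secondary may pull a zone transfer
# (any other AXFR request is refused) and it is notified when the serial changes.
write_master_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type master;
    file "/etc/bind/db.$ZONE";
    allow-transfer { $NS2; };
    also-notify { $NS2; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer { $NS2; };
};
EOF
}

# named.conf.local on the secondary: files live under /var/cache/bind, the only
# directory the Ubuntu AppArmor profile lets named write to.
write_slave_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type slave;
    file "/var/cache/bind/db.$ZONE";
    masters { $NS1; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/db.192.168.1";
    masters { $NS1; };
};
EOF
}

# named.conf.options: forwarders as on the page, but recursion only for the LAN
# so the server cannot be used as an open resolver from the internet.
write_options() {
    cat > "$1" <<EOF
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; };                              // assumed upstream
    allow-recursion { 127.0.0.1; ::1; 192.168.1.0/24; };  // LAN only
    allow-transfer { none; };                             // zones override this
};
EOF
}

# Raise the SOA serial in zone file $1 to today's YYYYMMDD01, or to current+1
# if the current serial is already at or past that. Prints the new serial.
# Matches "; serial" or "; Serial", so it also works on Ubuntu's db.local template.
bump_serial() {
    old=$(awk 'tolower($0) ~ /; serial/ { print $1; exit }' "$1")
    today=$(date +%Y%m%d)
    if [ "$old" -ge "${today}01" ]; then new=$((old + 1)); else new="${today}01"; fi
    sed -i "s/^\( *\)$old\( *; [sS]erial\)/\1$new\2/" "$1"
    echo "$new"
}

# Usage: sh gen-bind.sh OUTDIR  (review OUTDIR, copy the files into /etc/bind,
# run named-checkconf and named-checkzone, then restart bind9).
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    write_forward_zone "$1/db.$ZONE"
    write_reverse_zone "$1/db.192.168.1"
    write_master_conf "$1/named.conf.local.master"
    write_slave_conf "$1/named.conf.local.slave"
    write_options "$1/named.conf.options"
fi
```

Run bump_serial on the master's zone file after every edit and before the restart; if the serial is left unchanged the secondary keeps serving the old data indefinitely, which is the usual reason a "working" slave answers with stale records.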
DHCP (Dynamic Host Configuration Protocol) Server:
Whenever a client joins the network it needs an IP address to communicate. It contacts the DHCP server, which assigns it an address from the pool of free addresses and pushes additional information such as the default gateway, subnet mask and DNS server address. DHCP is an extension of BOOTP and shares its message format and well-known UDP ports, 67 (server) and 68 (client).
Configuration Steps:
DHCP (IPv4)
• sudo apt-get install isc-dhcp-server (install)
• sudo nano /etc/default/isc-dhcp-server (set INTERFACES="eth0" so that dhcpd listens on the LAN interface only)
• sudo nano /etc/dhcp/dhcpd.conf (declare the subnet, the address range and the options to hand out for IPv4)
• sudo /etc/init.d/isc-dhcp-server restart
• sudo /etc/init.d/networking restart
DHCP (IPv6)
• sudo apt-get install radvd
• sudo nano /etc/radvd.conf (configure radvd to send router advertisements carrying the prefix and default route; clients then obtain addresses from DHCPv6)
• sudo nano /etc/dhcp/dhcpd6.conf (configure dhcpd to provide IPv6 addresses)
• sudo nano /etc/sysctl.conf (set net.ipv6.conf.all.forwarding=1 to enable IPv6 forwarding, which radvd expects to be on)
• sudo sysctl -p
• sudo /etc/init.d/radvd restart
• sudo /etc/init.d/isc-dhcp-server6 restart
• sudo /etc/init.d/isc-dhcp-server restart
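The IPv4 dhcpd.conf that the steps above edit, as an added example (not the Group12 page's own file): it writes the subnet declaration with the options the page says DHCP pushes, reserves the web server's address by MAC, and checks that the pool lies inside the declared subnet before the service is restarted, since a pool outside the subnet is one reason the restart fails. The gateway 192.168.1.1, the DNS server addresses 192.168.1.10 and .11, the pool .100 to .200 and the web server's MAC address are assumptions.

```shell
#!/bin/sh
# Added example, not the Group12 page's own dhcpd.conf: generate the IPv4
# configuration for 192.168.1.0/24 and sanity-check the pool first.
# Assumed: gateway .1, DNS .10/.11, pool .100-.200, web server MAC below.
set -eu

SUBNET="192.168.1.0"; MASK="255.255.255.0"; BROADCAST="192.168.1.255"
GATEWAY="192.168.1.1"                      # assumed
DNS_SERVERS="192.168.1.10, 192.168.1.11"   # assumed primary and secondary DNS
POOL_START="192.168.1.100"; POOL_END="192.168.1.200"
WEB_MAC="08:00:27:aa:bb:cc"                # assumed

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 when address $1 is inside network $2 with mask $3.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# 0 when the pool $1..$2 sits inside $SUBNET, is not reversed, and excludes the
# network and broadcast addresses (dhcpd would otherwise lease those too).
check_pool() {
    in_subnet "$1" "$SUBNET" "$MASK" || return 1
    in_subnet "$2" "$SUBNET" "$MASK" || return 1
    s=$(ip2int "$1"); e=$(ip2int "$2"); n=$(ip2int "$SUBNET"); m=$(ip2int "$MASK")
    bcast=$(( n | (~m & 0xFFFFFFFF) ))
    [ "$s" -le "$e" ] && [ "$s" -gt "$n" ] && [ "$e" -lt "$bcast" ]
}

# dhcpd.conf -> $1. "authoritative" makes this server NAK clients that arrive
# holding a lease from some other server; the host block pins the web server
# to the address the firewall rules on the page refer to.
write_dhcpd_conf() {
    cat > "$1" <<EOF
authoritative;
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
option domain-name "group12.com";
option domain-name-servers $DNS_SERVERS;

subnet $SUBNET netmask $MASK {
    range $POOL_START $POOL_END;
    option routers $GATEWAY;
    option subnet-mask $MASK;
    option broadcast-address $BROADCAST;
}

host web {
    hardware ethernet $WEB_MAC;
    fixed-address 192.168.1.17;
}
EOF
}

# dhcpd's own syntax check; skipped when the package is not installed.
check_conf() {
    command -v dhcpd >/dev/null || { echo "dhcpd not installed, syntax check skipped"; return 0; }
    dhcpd -t -cf "$1"
}

# Usage: sudo sh gen-dhcpd.sh /etc/dhcp/dhcpd.conf && sudo service isc-dhcp-server restart
if [ -n "${1:-}" ]; then
    check_pool "$POOL_START" "$POOL_END" || { echo "pool is not inside $SUBNET/$MASK" >&2; exit 1; }
    write_dhcpd_conf "$1"
    check_conf "$1"
fi
```

The pool check is the part worth keeping even if the file is written by hand: dhcpd accepts a range that includes the network or broadcast address and simply hands those out, which shows up later as clients that cannot reach the gateway.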
Web Server:
It is used to host websites and store the web pages.
It uses HTTP protocol that operates on port 80.
Configuration Steps:
• sudo apt-get install apache2 (install the Apache web server)
• sudo mkdir -p /var/www/group12.com/public_html
• sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/group12.com
• sudo nano /etc/apache2/sites-available/group12.com (set ServerName and point DocumentRoot and the Directory block to the new path)
• cd /var/www/group12.com/public_html (create the HTML page)
• nano index.html
• sudo a2ensite group12.com (enable the site)
• sudo service apache2 restart (load the new configuration)
• sudo netstat -ltnp (check that apache2 is listening on port 80)
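The sites-available entry the steps above copy and edit, as an added example (not the Group12 page's own file): it writes the virtual host with the DocumentRoot that, per the troubleshooting notes below, was missing at first, switches off directory listings and version banners, and refuses to install the site while anything under the document root is world-writable, since the server should read the site rather than be able to change it. Apache 2.2 syntax is assumed, matching the page's sites-available/default (no .conf suffix); the ServerAdmin address is an assumption.

```shell
#!/bin/sh
# Added example, not the Group12 page's own vhost: write the group12.com site
# file (Apache 2.2 syntax) and a hardening fragment, after checking the docroot.
set -eu

SITE="group12.com"
DOCROOT="/var/www/$SITE/public_html"

# Virtual host -> $1, serving $2. "-Indexes" stops Apache listing a directory
# that has no index.html; "AllowOverride None" ignores any stray .htaccess.
write_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName www.$SITE
    ServerAlias $SITE web.$SITE
    ServerAdmin webmaster@$SITE
    DocumentRoot $2
    <Directory $2>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$SITE-error.log
    CustomLog \${APACHE_LOG_DIR}/$SITE-access.log combined
</VirtualHost>
EOF
}

# Extra file under /etc/apache2/conf.d (2.2 includes everything there): hide
# the version in headers and error pages and disable TRACE.
write_hardening_conf() {
    cat > "$1" <<EOF
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF
}

# 0 when $1 holds an index.html and nothing under it is world-writable. Apache
# runs as www-data; a world-writable docroot lets any local process deface the site.
docroot_ok() {
    [ -f "$1/index.html" ] || return 1
    [ -z "$(find "$1" -perm -0002 -print)" ]
}

# Usage: sudo sh gen-vhost.sh --install && sudo a2ensite group12.com && sudo service apache2 reload
if [ "${1:-}" = "--install" ]; then
    docroot_ok "$DOCROOT" || { echo "fix $DOCROOT: missing index.html or world-writable files" >&2; exit 1; }
    write_vhost "/etc/apache2/sites-available/$SITE" "$DOCROOT"
    write_hardening_conf "/etc/apache2/conf.d/hardening"
    apache2ctl configtest
fi
```

apache2ctl configtest is the check to run before the restart in the steps above: a typo in the site file otherwise takes the whole server down rather than just the new site.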
Firewall:
The Linux kernel's packet filtering framework is Netfilter, and iptables is the command used to manage it. UFW (Uncomplicated Firewall) is a front end to iptables intended for host-based firewalls.
Configuration Steps:
1) Check the status of UFW.
2) Enable UFW if it is disabled.
3) Allow the ports that must be reachable and deny the ones that must not be.
4) To grant a specific host access to a port, allow that port only from that host's address (for example, SSH from the administrator's machine to this host).
Commands:
The iptables rules we added take effect immediately but are lost when the server reboots, so to keep them we installed iptables-persistent.
• sudo apt-get install iptables-persistent
• sudo service iptables-persistent start
The following rules block incoming ICMP while allowing outgoing ICMP and the replies to it. Here -A appends a rule to the named chain (INPUT for packets addressed to this host, OUTPUT for packets it sends); -p selects the protocol, here ICMP; -i and -o match the input or output interface (eth0); -s and -d match a source or destination address; and -j ACCEPT or -j DROP is the target applied to a matching packet, with all other traffic left to later rules. Rules are evaluated in order and the first match wins, so the specific ACCEPT rules must come before the catch-all DROP.
• sudo iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
• sudo iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
• sudo iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
• sudo iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
• sudo iptables -A INPUT -p icmp -i eth0 -j DROP (drop all other incoming ICMP, including echo-request, so the host does not answer pings)
Similarly, -p tcp selects TCP and --dport matches the destination port of the packet.
• sudo iptables -A INPUT -d 192.168.1.17 -p tcp --dport 20 -j DROP (drop incoming FTP data connections to the web server)
• sudo iptables -A INPUT -d 192.168.1.17 -p tcp --dport 21 -j DROP (drop incoming FTP control connections)
• sudo iptables -A INPUT -d 192.168.1.17 -p tcp --dport 22 -j DROP (drop incoming SSH on the default port; the backup SSH server listens on 2013)
• sudo iptables -A INPUT -d 192.168.1.17 -p tcp --dport 23 -j DROP (drop incoming Telnet)
Note that with the default INPUT policy of ACCEPT these rules only close the listed ports; every other port on the host stays reachable.
The following commands are to save and reload in the iptables-persistent whenever any changes are made.
• sudo /etc/init.d/iptables-persistent save
• sudo /etc/init.d/iptables-persistent reload
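A complete rule set for the web server, as an added example (not the page's own rules): it does what the rules above aim at (serve HTTP, let the host's own pings get answers, drop inbound echo-request, FTP and Telnet) and adds what they leave out, namely a default DROP policy, loopback and established-connection rules, SSH on the page's port 2013 from the LAN only, and a rate-limited log of what gets dropped. The interface eth0, the server address 192.168.1.17 and the LAN 192.168.1.0/24 are taken from the page; --dry-run prints the commands instead of running them, which is also how the test exercises it without root.

```shell
#!/bin/sh
# Added example, not the Group12 page's own rule set: host firewall for the web
# server with a default-deny INPUT policy. Assumed: eth0, 192.168.1.17, LAN /24.
set -eu

IFACE="eth0"
WEB_IP="192.168.1.17"
LAN="192.168.1.0/24"
SSH_PORT="2013"
IPT="iptables"

# Rules in evaluation order (first match wins): the conntrack ACCEPT comes
# before any DROP, and the specific ICMP types before the ICMP catch-all.
firewall_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMP: replies to our own probes plus the error types needed for path MTU
    # discovery and traceroute; everything else, echo-request included, is dropped.
    $IPT -A INPUT -i $IFACE -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -i $IFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -i $IFACE -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -i $IFACE -p icmp -j DROP
    # Services: HTTP from anywhere, SSH on the non-default port from the LAN only.
    $IPT -A INPUT -i $IFACE -p tcp -d $WEB_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i $IFACE -p tcp -s $LAN -d $WEB_IP --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
    # FTP, the default SSH port and Telnet are dropped explicitly as on the page;
    # with the DROP policy this documents intent and survives a later broad ACCEPT.
    $IPT -A INPUT -i $IFACE -p tcp -d $WEB_IP -m multiport --dports 20,21,22,23 -j DROP
    # Log a sample of what the policy is about to drop (rate-limited to keep syslog sane).
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# iptables-persistent restores /etc/iptables/rules.v4 at boot.
save_rules() { iptables-save > /etc/iptables/rules.v4; }

case "${1:-}" in
    --dry-run) IPT="echo iptables"; firewall_rules ;;
    --apply)   firewall_rules; save_rules ;;
esac
```

Apply it from the console or over an established SSH session: the ESTABLISHED rule keeps the current session alive, but a mistake in the SSH line would lock out the next login, so test with `ssh -p 2013` from a LAN host before logging out.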
Backup:
Configuration Steps:
SSH Server
• sudo apt-get install openssh-server
• sudo /etc/init.d/ssh restart
• ssh-keygen -t dsa (generates a DSA key pair; DSA keys are limited to 1024 bits and have been disabled by default since OpenSSH 7.0, so on a current system use ssh-keygen -t ed25519 or -t rsa -b 4096 instead)
• sudo nano /etc/ssh/sshd_config (change Port to 2013; once key login works, also set PasswordAuthentication no and PermitRootLogin no)
SSH Client
• sudo apt-get install openssh-client
• ssh-keygen -t dsa (same caveat as for the server; whichever key type is chosen, the public half is what gets copied)
• ssh-copy-id -i ~/.ssh/id_dsa.pub harsh@192.168.1.109 (append the client's public key to authorized_keys of user harsh on the server)
• sudo nano /home/nighthunk/dnsbackup/schedule.sh (write the backup script)
• crontab -e (To schedule the cron job)
• sudo /etc/init.d/cron restart
• crontab -l (To show scheduled jobs)
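The backup script the crontab entry above runs, as an added example (not the Group12 page's own schedule.sh): it archives the DNS configuration, records a SHA-256 checksum beside the archive, verifies it, copies both to the secondary server over SSH on the page's port 2013 using the key installed by ssh-copy-id, and prunes old archives. Because the key does the authentication there is no password prompt and so no need for the expect script mentioned under Troubleshooting. The remote user harsh at 192.168.1.109 is the ssh-copy-id target from the page; the remote directory /home/harsh/dnsbackup, the key path ~/.ssh/id_ed25519 and the 02:00 schedule are assumptions.

```shell
#!/bin/sh
# Added example, not the Group12 page's own schedule.sh: nightly DNS config
# backup shipped over SSH (port 2013, key auth). Suggested crontab entry:
#   0 2 * * * /bin/sh /home/nighthunk/dnsbackup/schedule.sh --run >> /home/nighthunk/dnsbackup/backup.log 2>&1
set -eu

SRC_DIRS="/etc/bind"                        # directories to back up (space-separated)
STAGE="${STAGE:-/home/nighthunk/dnsbackup}" # local staging directory (path from the page)
REMOTE="harsh@192.168.1.109"                # ssh-copy-id target from the page
REMOTE_DIR="/home/harsh/dnsbackup"          # assumed
SSH_PORT="2013"
KEY="${HOME:-/root}/.ssh/id_ed25519"        # assumed; the page generated id_dsa

# tar+gzip the directories listed in $1 into $2 and write $2.sha256 next to it.
make_archive() {
    # word-splitting of $1 is intended: it is a list of directories
    tar -czf "$2" $1
    (cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256")
}

# 0 when archive $1 still matches its recorded checksum. Run the same check on
# the secondary after the copy to catch a truncated or altered transfer.
verify_archive() {
    (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

# scp with the non-default port and the key. StrictHostKeyChecking stays at its
# default, so the secondary must already be in known_hosts (it is after ssh-copy-id).
ship_archive() {
    scp -q -P "$SSH_PORT" -i "$KEY" "$1" "$1.sha256" "$REMOTE:$REMOTE_DIR/"
}

# Keep only the newest $2 archives in $1 so the staging directory cannot fill the disk.
prune_old() {
    ls -1t "$1"/dns-*.tar.gz 2>/dev/null | tail -n +"$(($2 + 1))" | while read -r f; do
        rm -f "$f" "$f.sha256"
    done
}

main() {
    mkdir -p "$STAGE"
    archive="$STAGE/dns-$(date +%Y%m%d-%H%M%S).tar.gz"
    make_archive "$SRC_DIRS" "$archive"
    verify_archive "$archive"
    ship_archive "$archive"
    prune_old "$STAGE" 7
    echo "$(date +%FT%T) backed up $archive to $REMOTE:$REMOTE_DIR"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The checksum file is the piece the page's version lacks: scp reports success for a complete copy, but only comparing the hash on the receiving side proves that what arrived is what was sent, and the same file lets you detect later tampering with the stored backups.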
TELNET (http://ubuntuguide.net/install-and-enable-telnet-server-in-ubuntu-linux)
Telnet carries usernames, passwords and the whole session in clear text (the xinetd description below says as much). It is installed here so that the Testing section can confirm the firewall drops port 23; for administration use SSH, as in the Backup steps.
1. Install the telnet server from a terminal (Applications/Accessories/Terminal):
sudo apt-get install xinetd telnetd
2. Edit /etc/inetd.conf with root permission and add this line:
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
3. Edit /etc/xinetd.conf so that it reads:
# Simple configuration file for xinetd
# Some defaults, and include /etc/xinetd.d/
defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
}
includedir /etc/xinetd.d
4. The telnet port number can be changed by editing this line in /etc/services:
telnet 23/tcp
5. If the defaults are not suitable, edit /etc/xinetd.d/telnet:
# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
and add access restrictions inside the block as required, for example:
        only_from       = 192.168.120.0/24        # only hosts in 192.168.120.0/24 may connect
        only_from       = .bob.com                # allow access from bob.com
        no_access       = 192.168.120.{101,105}   # refuse these two addresses
        access_times    = 8:00-9:00 20:00-21:00   # allow access only during these two periods
6. Start the telnet server:
sudo /etc/init.d/xinetd restart
Troubleshoot Steps
Dual Boot:
• Windows 8 machines ship with UEFI Secure Boot enabled, which in our case prevented dual booting until it was turned off in the firmware boot options.
• To install Ubuntu alongside Windows 8 we turned off Secure Boot, booted the installer from USB, and used the installer's disk utility to create the Ubuntu root (/) partition and a swap area next to the Windows partition.
DNS:
• Difficulties during installation of BIND9: run sudo apt-get update first so that the package lists are current.
• bind9 failed to restart because of errors in the zone files. Check each zone on its own (named-checkzone for the zone file, named-checkconf for the configuration), then test resolution of each record individually.
• IPv6 reverse lookups failed because the prefix in the reverse zone did not match the addresses used in the forward zone; the reverse zone name must be exactly the reversed nibbles of the prefix (0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa for fe80::/64).
DHCP:
• If /etc/network/interfaces is edited without keeping the loopback stanza (auto lo / iface lo inet loopback), the interfaces are not brought up when the machine reboots.
• Errors were seen right after installing the package; running sudo apt-get update resolved them.
• The service failed to start until the interface was named in /etc/default/isc-dhcp-server (INTERFACES="eth0").
WEB SERVER:
• If Apache is misconfigured or not running, clients cannot open the web pages.
• Initially we did not set the DocumentRoot for the directory containing the HTML pages, so clients could not reach the site. Providing the path in the sites-available file solved this.
• We tried to integrate PHP and AJAX pages, but because of an incompatibility with XAMPP we could not connect the local machine's database to the page hosted by the web server.
FIREWALL:
We configured ufw, but ICMP echo requests were still answered: ufw's stock rules in /etc/ufw/before.rules accept ICMP before the user's rules are consulted. We therefore switched to iptables directly.
BACKUP:
• Our crontab entry ran "./schedule.sh", which cron could not find because jobs run from the user's home directory with a minimal environment; giving the interpreter and the full path (bash /home/nighthunk/dnsbackup/schedule.sh) resolved it.
• A sleep command in the script did not behave as expected under cron, so we removed it and the job then ran correctly.
• Initially we used an expect script (spawn, expect and send) to supply the SSH password automatically, but it did not work from a cron job. With key-based authentication set up by ssh-copy-id no password prompt appears, so the script is unnecessary (it would also have kept the password in clear text on disk).
Testing
1) DHCP
- ifconfig (shows the leased address and subnet mask on the client; the default gateway and DNS server pushed by DHCP are visible in the routing table via route -n and in /etc/resolv.conf)
2) DNS
- dig hostname
- dig -x IPAddress
- host IPAddress
- nslookup hostname
- nslookup IPAddress
- ping IPAddress
- ping hostname
- ping6 -c 1 IPv6Address
- ping6 hostname
- Enter these URLs in the browser: www.group12.com, web.group12.com
3) WEB SERVER
- Enter this URL in the browser: www.group12.com
4) FIREWALL (each of these should fail against the web server once the rules are loaded)
- ping IPAddress
- telnet IPAddress
- ftp IPAddress
- ssh IPAddress
5) BACKUP
- Check the folder on the destination server where the backup is scheduled to arrive
Future Prospects
1) For now we are using IPv6 link-local addresses (the fe80::/10 range). These are valid only on one link and are never routed, so they are not a substitute for a private range like 192.168.1.0/24 in IPv4; the IPv6 counterpart of a private range is a unique local address prefix from fc00::/7. In future we can use global addresses, which keep an IPv6 address attached to a particular host without running out of public address space.
2) We can add more levels of the DNS hierarchy, for example delegating subdomains to separate authoritative servers below the top-level domain.
3) In future the web server can be designed so that the HTML pages are integrated with a database and back-end systems. The pages can be made more user-friendly and can reference multiple objects. XAMPP, a common bundle of Apache, MySQL and PHP, can be used for this.
4) The firewall can grow to incorporate features such as anti-malware scanning, user authentication, application-level filtering, URL filtering and customisable application proxies.
5) In spite of having a scheduled backup we can add further improvements such as online backup, storing the backed-up files over the internet so that users can access their files and folders anytime and anywhere. Also there can be a provision
Additional Implementation
1) VPN (Virtual Private Network): a VPN provides private communication over public infrastructure by tunnelling the traffic between two endpoints through an encrypted channel. We used the pptpd package to implement it. PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, both of which are cryptographically broken (a captured MS-CHAPv2 handshake can be cracked offline), so it demonstrates the tunnelling concept but should not be relied on for confidentiality; OpenVPN or IPsec are the usual replacements.
Steps:
Server
• sudo apt-get install pptpd (install)
• sudo nano /etc/pptpd.conf (Edit the configuration file to give client and server IP)
• sudo nano /etc/ppp/chap-secrets (Edit the file to create users)
• sudo nano /etc/ppp/pptpd-options (Edit the file to give DNS server IP)
• service pptpd restart
Client
• Set up a VPN connection using network services.
Test:
• netstat -alpn | grep :1723 (check that the server is accepting connections on the PPTP control port)
• ifconfig (check the IP assigned to the VPN connection on the ppp interface)
2) SSH (Secure Shell): We used SSH between the OpenSSH server and client for secure transfer of the backup files. Each side holds a key pair. The client's public key is copied to the server with ssh-copy-id, which records it in authorized_keys, and the client records the server's host key in known_hosts the first time it connects. On each connection the two sides agree a fresh session key using a Diffie-Hellman exchange; the server proves its identity by signing with its host key, and the client proves its identity by signing a challenge with its private key, which the server checks against the stored public key. The data itself is encrypted with the negotiated session key, not with either party's private key. The steps are mentioned under 'Backup'.
3) NFS (Network File System): It is a distributed file system. It facilitates sharing a directory that is present on the server to multiple clients. The clients mounts the directory that is shared onto their file system and it becomes a part of their own file system and they can access it remotely at their locations.
Steps:
Server
• sudo apt-get install nfs-kernel-server (install)
• sudo nano /etc/exports (export the directory only to the client's address, keeping root_squash so that root on the client does not become root on the export)
• sudo /etc/init.d/nfs-kernel-server restart (apply the new exports; exportfs -ra does the same without a restart)
Client
• sudo apt-get install nfs-common (install)
• sudo mount -t nfs 192.168.1.25:/home /home/nfs (mount the server's directory on the client's directory)
• sudo nano /etc/fstab (make the mount persistent)
4) Secondary DNS: We have configured a secondary DNS server that fetches records from the primary DNS server. This is mainly done keeping in mind the redundancy parameter. Incase if the primary DNS fails or needs to be shut down for maintenance then the secondary DNS serves the function of resolving host names to IP addresses. The steps are mentioned under 'DNS'.
5) SSH on a non-standard port: we run the SSH server on port 2013 instead of the standard port 22. This keeps the automated scanners and password-guessing bots that target port 22 out of the logs, but it is obscurity rather than security: it does not prevent a denial-of-service attack, and anyone who port-scans the host finds the service. The real protections are key-only authentication and the firewall rules. The steps are mentioned under 'Backup'.
6) Shell script: We have used shell scripts for implementing backup from one server to the other. The scripts are then scheduled to run automatically using cron utility.
7) HTML Pages: We have created multiple HTML pages and linked them on the base HTML page.
8) Backup using NFS: An automated script sends backup files from the DNS server to the DHCP server; the DHCP server then zips them together with its own DHCP configuration files and sends the archive to the secondary DNS server (also configured as an OpenSSH server). This works because a directory on the secondary DNS server is mounted on the DHCP server over NFS. The steps are mentioned under 'NFS'.
References
Books Referred:
1. Computer Networking: A Top-Down Approach 6th edition by James F. Kurose, Keith W. Ross
2. Computer Networks 5th Edition by Andrew S. Tanenbaum
Websites Referred:
1. https://help.ubuntu.com/community
2. https://www.linuxproblem.org