Data Networking/Fall 2015/Dfjz

Requirements

DNS server

  • Get a domain name for the start-up
  • Assign a set of IPV4 and IPV6 that have to be used for this project
  • Configure name servers to handle queries for the domain
  • Document the details for the future users
  • Use one of the DNS servers BIND9, POSADIS or PowerDNS
  • Create any 5 DNS records
  • Create reverse domains in in-addr.arpa and ip6.arpa
  • Configure a Master DNS server and Slave server
  • Test plan and implementation with example

DHCP server

  • Assign a set of IPV4 and IPV6 that have to be used for this project
  • Dynamic allocation of network address
  • The Client-Server protocol
  • Test plan and implementation with example

Web Server & Firewall

  • Use only one command-line tool and package
  • Provide all the commands with a brief description
  • Provide the changes you have made to the files/folders for configuring the web server as well as the firewall. Create the basic page to be served by this web server
  • Make this page accessible to the clients in your network using the webserver
  • Make your server the most secured one in all possible ways

Back up

  • Automate the process of backing up the data
  • The backup file should be zipped and sent to a different server
  • Describe briefly how you back up automatically and how the file transfer is made.
  • Provide the command and configuration for sending the zipped file to a different location
  • Mention which protocol you are using to complete this task

Hierarchy

DFJZ Network

Behavior of the protocol

Functionality of DNS [1]:

The Domain Name System (DNS) is essentially a large distributed database, held on many computers, that contains the names and IP addresses of hosts and domains on the Internet. The Domain Name System provides the information that the Domain Name Service uses to answer queries: the service is the act of querying the database, and the system is the data structure and the data itself.

The Domain Name System is an essential component of most Internet services because it is the Internet's primary directory service. When a host needs an IP address, its resolver sends a query that is processed to obtain the address using one of the following processes:

  • Recursive Process.
  • Iterative Process.

Depending on the query forwarded by the client, the DNS can perform two functions:

  • Forward DNS Query – Hostname to IP address.
  • Reverse DNS Query – IP address to Hostname.

There are three classes of DNS servers.

  • Root DNS servers
  • TLD- top level domain DNS servers
  • Authoritative DNS servers

BIND

Functionality of BIND [2]:

BIND is an acronym for Berkeley Internet Name Domain. Version 9 was developed by Nominum, Inc. The BIND 9 software distribution contains both a name server and a resolver library.

The BIND software distribution has three parts:

  1. Domain Name Resolver
    A resolver is a program that resolves questions about names by sending those questions to appropriate servers and responding appropriately to the servers’ replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system. (Many operating system distributions use the BIND resolver library.) The stub resolver usually will forward queries to a caching resolver, a server or group of servers on the network dedicated to DNS services. Those resolvers will send queries to one or multiple authoritative servers in order to find the IP address for that DNS name.
  2. Domain Name Authority server
    An authoritative DNS server answers requests from resolvers, using information about the domain names it is authoritative for.  You can provide DNS services on the Internet by installing this software on a server and giving it information about your domain names.
  3. Tools
    We include a number of diagnostic and operational tools. Some of them, such as the popular DIG tool, are not specific to BIND and can be used with any DNS server.

Zones

A zone consists of the part of the domain tree for which a name server has complete information. It contains all domain names from a certain point downward in the domain tree except those that are delegated to other zones.

Authoritative Name Servers [3]:

There are two types of Authoritative Name Servers:

  1. Master server (primary name server) – A master server stores the original master copies of all zone records. The hostmaster makes changes only on the master server's zone records. Each slave server receives updates through the zone transfer mechanism of the DNS protocol, so all slave servers maintain an identical copy of the master's records.
  2. Slave server (secondary name server) – A slave server is an exact replica of the master server. It is used to share the DNS load and to keep the zone available if the master server fails. It is recommended to have at least two slave servers and one master server for each domain name.

DHCP [4]:

The Dynamic Host Configuration Protocol (DHCP) is a network protocol used to assign IP addresses and provide configuration information to devices such as servers, desktops, or mobile devices, so they can communicate on a network using the Internet Protocol (IP). ISC DHCP is a collection of software that implements all aspects of the DHCP (Dynamic Host Configuration Protocol) suite. It includes:

  • A DHCP server, which receives clients’ requests and replies to them.
  • A DHCP client, which can be bundled with the operating system of a client computer or other IP capable device and which sends configuration requests to the server. Most devices and operating systems already have DHCP clients included.
  • A DHCP relay agent, which passes DHCP requests from one LAN to another so that there need not be a DHCP server on every LAN.

Apache [5]:

Apache is probably the most popular Linux-based web server application in use. Apache2 supports a variety of features, many implemented as compiled modules which extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).

Firewall [6]:

Firewalls are computer security systems that protect your office/home PCs or your network from intruders, hackers & malicious code. Firewalls protect you from offensive software that may come to reside on your systems or from prying hackers. In a day and age when online security concerns are the top priority of the computer users, Firewalls provide you with the necessary safety and protection.

ufw - Uncomplicated Firewall [7]

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. ufw is disabled by default and must be enabled explicitly.

Back up:

Backup refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event.

VPN:

VPN stands for Virtual Private Network. It is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider.

NFS [8]:

Network File System (NFS) is based on Remote Procedure Call (RPC) and allows a client to mount remote file systems and access them transparently, as if they were local. It is a client/server application that lets a user view and, optionally, store and update files on a remote computer as though they were on the user's own machine. The user's system needs an NFS client and the other computer needs the NFS server. Both require TCP/IP, since the NFS server and client use TCP/IP to send the files and updates back and forth.

Implementation

DNS Server

Install DNS on the local machine using Ubuntu and Bind9
Step 1 : Give the interface a static address (use eth0 or wlan0 as appropriate)
Command:

                sudo nano /etc/network/interfaces
                # Change lo to either eth0 or wlan0 and loopback to static
                auto eth0
                iface eth0 inet static
                    address 10.10.10.5
                    netmask 255.255.255.0
                    gateway 10.10.10.1
                    network 10.10.10.0
                    broadcast 10.10.10.255
                    # the resolvconf option names are dns-nameservers and dns-search
                    dns-nameservers 10.10.10.5
                    dns-search dfjz.com

Step 2: Restart the network
Command:

               sudo /etc/init.d/networking restart

Step 3 : Install bind9
Command:

                sudo apt-get install bind9

Step 4 : Uncomment the forwarders block in the options file and list the upstream resolvers to which bind9 forwards queries it is not authoritative for
Command:

                sudo nano /etc/bind/named.conf.options

Step 5 : Define the entries for the forward and reverse lookup zones

Master DNS (10.10.10.5):

                sudo nano /etc/bind/named.conf.local

Forward zone:

                zone "dfjz.com" {
                    type master;
                    file "/etc/bind/db.dfjz.com";
                    allow-transfer { 10.10.10.6; };   // only the slave DNS server may pull the zone
                };

Reverse zone (the network is 10.10.10.0/24, so the file is named db.10):

                zone "10.10.10.in-addr.arpa" {
                    type master;
                    file "/etc/bind/db.10";
                    allow-transfer { 10.10.10.6; };
                };

Slave DNS (10.10.10.6), using the same zone names as the master:

Forward zone:

                zone "dfjz.com" {
                    type slave;
                    masters { 10.10.10.5; };
                    file "/var/cache/bind/db.dfjz.com";
                };

Reverse zone:

                zone "10.10.10.in-addr.arpa" {
                    type slave;
                    masters { 10.10.10.5; };
                    file "/var/cache/bind/db.10";
                };

Step 6 : Create the zone files that named.conf.local refers to
Command: Copy the template zone file that ships with bind9 and use it as the starting point for the forward zone (the reverse zone file /etc/bind/db.10 is created the same way)

                sudo cp /etc/bind/db.local /etc/bind/db.dfjz.com

Step 7 : Edit the forward lookup zone
Command:

                sudo nano /etc/bind/db.dfjz.com
                $TTL    604800
                @       IN      SOA     dfjz.com. root.dfjz.com. (
                                2         ; Serial (increase it after every edit, or slaves will not transfer the zone)
                                604800    ; Refresh
                                86400     ; Retry
                                2419200   ; Expire
                                604800 )  ; Negative Cache TTL
                @       IN      NS      ubuntu.dfjz.com.
                @       IN      A       10.10.10.5
                @       IN      AAAA    fe80::be77:37ff:fe7d:dc2d   ; link-local address, reachable only on the same link
                ; A records (zone-file comments start with ";", not "#")
                ubuntu  IN      A       10.10.10.5
                ubuntu1 IN      A       10.10.10.6
                wp      IN      A       10.10.10.10
                mail    IN      A       10.10.10.8    ; the mail server's fixed address, so the MX target resolves
                @       IN      MX  10  mail.dfjz.com.
                www     IN      CNAME   dfjz.com.     ; trailing dot: otherwise bind appends the origin again
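The reverse zone files referenced in named.conf.local (db.10 for 10.10.10.in-addr.arpa and an ip6.arpa zone for the IPv6 addresses) are not shown on this page. The following script is an added example, not part of the project, that derives the owner names for both reverse trees (octet reversal for IPv4, nibble reversal of the fully expanded address for IPv6) and generates a db.10 with PTR records for the hosts in the forward zone. The host list and zone timers are taken from the forward zone above; the SOA master name ubuntu.dfjz.com. and the script name are assumptions.

```sh
#!/bin/sh
# Added example (not from the project page): derive reverse-zone owner names
# for the DFJZ hosts and emit a PTR zone file for 10.10.10.in-addr.arpa.

# rev4 ADDR: 10.10.10.5 -> 5.10.10.10.in-addr.arpa
rev4() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# rev6 ADDR: expand the address to 32 hex nibbles, reverse them, append ip6.arpa
# fe80::be77:37ff:fe7d:dc2d -> d.2.c.d.d.7.e.f.f.f.7.3.7.7.e.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
rev6() {
    printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    {
        n  = split($0, halves, "::")                   # "::" marks the run of zero groups
        nl = split(halves[1], lg, ":")
        nr = (n > 1) ? split(halves[2], rg, ":") : 0
        hex = ""
        for (i = 1; i <= nl; i++) hex = hex pad(lg[i])
        for (i = nl + nr; i < 8; i++) hex = hex "0000"   # fill the elided groups
        for (i = 1; i <= nr; i++) hex = hex pad(rg[i])
        out = ""
        for (i = length(hex); i >= 1; i--) out = out substr(hex, i, 1) "."
        print out "ip6.arpa"
    }'
}

# last_octet ADDR: the relative owner name inside a /24 in-addr.arpa zone
last_octet() { printf '%s\n' "$1" | awk -F. '{ print $4 }'; }

# reverse_zone_v4: print a complete db.10 for the hosts listed on the page
reverse_zone_v4() {
    cat <<'EOF'
$TTL 604800
@       IN      SOA     ubuntu.dfjz.com. root.dfjz.com. (
                        2        ; Serial
                        604800   ; Refresh
                        86400    ; Retry
                        2419200  ; Expire
                        604800 ) ; Negative Cache TTL
@       IN      NS      ubuntu.dfjz.com.
EOF
    # address / name pairs from the forward zone and the DHCP reservations
    printf '%s\n' \
        "10.10.10.5 ubuntu.dfjz.com." \
        "10.10.10.6 ubuntu1.dfjz.com." \
        "10.10.10.10 wp.dfjz.com." \
        "10.10.10.8 mail.dfjz.com." |
    while read -r addr name; do
        printf '%-7s IN      PTR     %s\n' "$(last_octet "$addr")" "$name"
    done
}

# count_ptr: number of PTR records the generated zone contains
count_ptr() { reverse_zone_v4 | grep -c ' PTR '; }

case "${1:-}" in
    show) reverse_zone_v4 ;;
esac
```

Run `sh reverse-zones.sh show > /etc/bind/db.10` on the master, then check it with `named-checkzone 10.10.10.in-addr.arpa /etc/bind/db.10` before reloading bind9; the rev6 output is the owner name to use for AAAA hosts in the ip6.arpa zone.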


DHCP Server

Install an IPv4 DHCP server on the local machine
Step 1 : Install the dhcp server
Command:

           sudo apt-get install isc-dhcp-server

Step 2 : Configure the dhcp server
Command:

           sudo nano /etc/dhcp/dhcpd.conf
           subnet 10.10.10.0 netmask 255.255.255.0 {
               range 10.10.10.11 10.10.10.50;                       # pool for dynamic clients
               option domain-name-servers 10.10.10.5, 10.10.10.6;   # master and slave DNS
               option domain-name "dfjz.com";
               option routers 10.10.10.1;
               option broadcast-address 10.10.10.255;
               default-lease-time 600;
               max-lease-time 7200;
           }

Step 3 : Assign fixed IPs for the web server, master DNS and slave DNS, backup server and mail server
Command:
For the web server:

           host web0 {
               hardware ethernet 00:0c:29:3e:ca:69;
               fixed-address 10.10.10.10;
           }

For master DNS and slave DNS:

           host dnsmaster0 {
               hardware ethernet 00:0c:29:4c:8d:77;
               fixed-address 10.10.10.5;
           }
           host dnsslave0 {
               hardware ethernet 00:0c:29:56:40:8c;
               fixed-address 10.10.10.6;
           }

For the backup server:

           host backup0 {
               hardware ethernet 00:0c:29:23:6b:90;
               fixed-address 10.10.10.7;
           }

For the mail server:

           host mailserver0 {
               hardware ethernet 00:0c:29:56:0d:d1;
               fixed-address 10.10.10.8;
           }

Step 4 : start the dhcp service
Command:

               sudo /etc/init.d/isc-dhcp-server start 

DHCP server in IPv6 on local machine (stateless, via radvd)
radvd sends router advertisements carrying the IPv6 prefix, so clients build their own addresses from it (stateless autoconfiguration) instead of asking a DHCP server for one.
Step 1 : Install radvd
Command:

                sudo apt-get install radvd

Step 2 : Configure radvd.conf
Command:

                sudo nano /etc/radvd.conf
                interface eth0 {
                    AdvSendAdvert on;
                    MinRtrAdvInterval 3;
                    MaxRtrAdvInterval 10;
                    prefix 2001:0db8:0100:f101::/64 {
                        AdvOnLink on;
                        AdvAutonomous on;
                        AdvRouterAddr on;
                    };
                };

Step 3 : Modify sysctl.conf
Command:

                sudo nano /etc/sysctl.conf
                # remove the "#" in front of net.ipv6.conf.all.forwarding=1, then apply it without a reboot:
                sudo sysctl -w net.ipv6.conf.all.forwarding=1

Step 4 : Start the radvd service
Command:

                sudo service radvd start


Web Server

Install the web server on the local machine using Apache.
Step 1: Install apache2
Command:

               sudo apt-get install apache2

Step 2: Check whether the web server is listening on port 80
Command:

               netstat -a | more

Step 3: Stop and restart the web server
Command:

               sudo /etc/init.d/apache2 stop    # netstat no longer shows the machine listening on port 80
               sudo /etc/init.d/apache2 start

Step 4: Edit the web page served by the server (on Ubuntu, Apache serves /var/www/html/index.html by default)


Firewall

Use ufw to set up the firewall. It ships with Ubuntu. ufw is a front end to iptables, the program that lets the system administrator configure the packet-filter tables provided by the Linux kernel firewall.

Step 1: In order to block ICMP echo requests (ping), write the following command:

         sudo iptables -A INPUT -d <IP address of the destination> -p icmp --icmp-type echo-request -j DROP

Step 2: In order to prevent SSH login, write the following command:

         sudo iptables -A INPUT -s <IP address of the source> -d <IP address of the destination> -p tcp --dport ssh -j DROP

Step 3: In order to block the FTP ports, write the following commands:

         sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 20 -j DROP
         sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 21 -j DROP

Step 4: To block the port used by Telnet, write the following command:

         sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 23 -j DROP

Step 5: To block the web page for a given client, write the following command:

         sudo iptables -A INPUT -s <ip address of the client> -d <ip address of destination> -p tcp --dport 80 -j DROP

Step 6: To start the firewall, write the following command (ufw loads its own rule set; rules entered by hand with iptables are not saved across reboots):

          sudo ufw enable

Step 7: To shut down the firewall, write the following command:

          sudo ufw disable

Step 8: To block SSH access from a certain IP address

          sudo ufw deny proto tcp from <ip address of the client> to any port 22

Step 9: To unblock it again, delete that rule

          sudo ufw delete deny proto tcp from <ip address of the client> to any port 22

Back Up

Server side (backup server, 10.10.10.7)

Step 1: Install ssh
Command:

               sudo apt-get install openssh-server

Client side (web server)
Step 1: Log in to the backup server from the client
Command:

               ssh xunpeng@10.10.10.7

Step 2: Use ssh-keygen to create an encryption key pair (public and private key) and authorize it on the server
Command:

               ssh-keygen -t rsa -f /home/xunpeng/.ssh/id_rsa                              # writes id_rsa and id_rsa.pub
               cat /home/xunpeng/.ssh/id_rsa.pub >> /home/xunpeng/.ssh/authorized_keys     # allow this key to log in here

Step 3: Exit the server

Step 4: Copy id_rsa from the server to the client (the private key must be readable only by its owner, hence chmod 600)
Command:

               cd .ssh
               scp xunpeng@10.10.10.7:.ssh/id_rsa .
               chmod 600 id_rsa
               ssh 10.10.10.7      # now logs in with the key, without a password

Step 5: Copy the backup directory to the backup server over ssh
Command:

               rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/

Step 6: Automatic backup: run the same rsync command on a schedule
Command:

               rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/
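The requirements ask for the backup to be zipped, sent to a different server and automated; the rsync command above copies the directory tree uncompressed and is run by hand. The script below is an added example (not the project's own) that packs the directory into a timestamped tar.gz with a SHA-256 checksum, verifies it, pushes both files to the backup server over SSH with the key from the steps above, and ends with the cron line that runs it nightly. The script path /home/xunpeng/bin/dfjz-backup.sh is assumed. It also assumes the key pair was authorized the conventional way, generated on the client with its public half installed on the server (ssh-copy-id xunpeng@10.10.10.7), which avoids ever copying a private key over the network.

```sh
#!/bin/sh
# Added example, not the project's own script: nightly zipped backup pushed to
# the DFJZ backup server (10.10.10.7, from the page). Assumed, not on the page:
# the script path /home/xunpeng/bin/dfjz-backup.sh and the key path below.

BACKUP_SRC="${BACKUP_SRC:-/home/xunpeng/backup}"
BACKUP_HOST="${BACKUP_HOST:-xunpeng@10.10.10.7}"
BACKUP_DEST="${BACKUP_DEST:-/home/xunpeng/backup}"
SSH_KEY="${SSH_KEY:-/home/xunpeng/.ssh/id_rsa}"

# make_archive SRC OUTDIR: tar+gzip SRC into OUTDIR under a timestamped name,
# write a SHA-256 checksum file beside it, and print the archive path.
make_archive() {
    src="$1"; outdir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$outdir/$(basename "$src")-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    ( cd "$outdir" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || return 1
    printf '%s\n' "$out"
}

# verify_archive ARCHIVE: the checksum must match and the archive must be listable
verify_archive() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" > /dev/null ) || return 1
    tar -tzf "$archive" > /dev/null
}

# send_archive ARCHIVE: copy archive and checksum over SSH using the key only;
# BatchMode refuses to fall back to a password prompt when run from cron.
send_archive() {
    archive="$1"
    rsync -az -e "ssh -i $SSH_KEY -o BatchMode=yes" \
        "$archive" "$archive.sha256" "$BACKUP_HOST:$BACKUP_DEST/"
}

main() {
    tmp=$(mktemp -d) || return 1
    archive=$(make_archive "$BACKUP_SRC" "$tmp") &&
        verify_archive "$archive" &&
        send_archive "$archive"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run from cron every night at 02:00 (crontab -e on the client):
# 0 2 * * * /home/xunpeng/bin/dfjz-backup.sh run >> /home/xunpeng/backup.log 2>&1
case "${1:-}" in
    run) main ;;
esac
```

The checksum travels with the archive so the backup server can run `sha256sum -c` on what it received; the local archive is deleted after the transfer, so the only copy is the one on the backup host.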

Add-ons

Step 1: Install pptpd, the package used to configure the VPN. PPTP is what this project used; its authentication (MS-CHAPv2) is known to be weak, so it should not be relied on to protect traffic on an untrusted network.
Command:

              sudo apt-get install pptpd 

Step 2: Edit the files in /etc/pptpd.conf and make the following changes

              localip <IP of VPN server>
              remoteip <Range of IPs of VPN clients>

Step 3: Edit the /etc/ppp/pptpd-options file:

              ms-dns 8.8.8.8    # Google DNS
              ms-dns 8.8.4.4

Step 4: Restart the pptpd service
Command

              sudo service pptpd restart

Step 5: Set user id and password
Command:

             sudo nano /etc/ppp/chap-secrets
             # client   server   secret   IP addresses
             zhu        pptpd    2500     *
             # zhu is the user name, pptpd is the VPN server name, 2500 is the password
             # and * stands for all IPs that fall in the VPN client range

Step 6: Enable IP forwarding
Command:

             sudo nano /etc/sysctl.conf      # the key is ip_forward (there is no net.ipv4.net_forward)
             net.ipv4.ip_forward=1
             sudo sysctl -p

Step 7: Firewall setting:

              iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
              iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
              iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
              iptables --append FORWARD --in-interface eth0 -j ACCEPT
              iptables-save > firewall      # save the rules to a file
              iptables-restore < firewall   # reload them from it (restore reads the file, so "<" not ">")


Commands to configure NIS:

Step 1: Install nis and portmap

              sudo apt-get install nis portmap

Step 2: Enter the domain name NISServer when asked during installation, then configure the master server

              sudo nano /etc/default/nis
              NISSERVER=master                 # this computer is the NIS master server
              sudo nano /etc/yp.conf
              domain NISServer server ubuntu   # NIS domain NISServer, served by the host named ubuntu
              sudo nano /etc/ypserv.securenets
              # replace the "0.0.0.0   0.0.0.0" line (which admits every host) with "netmask network" for your subnet:
              255.255.255.0   192.168.0.0
              sudo /usr/lib/yp/ypinit -m       # build the NIS maps on the server

Step 3: For the NIS client

              sudo apt-get install portmap nis

Step 4: Enter the same domain name (NISServer) when asked during installation

Step 5: Let the client look up users, groups and passwords in NIS as well as locally

              sudo nano /etc/passwd
              +::::::            # add this line: merge the NIS passwd map
              sudo nano /etc/group
              +:::               # add this line
              sudo nano /etc/shadow
              +::::::::          # add this line
              sudo nano /etc/yp.conf
              # set the ypserver's IP address


Commands to configure NFS:

For the server follow these steps:
Step 1: Install NFS
Command:

           sudo apt-get install nfs-kernel-server 

Step 2:Edit the exports file Command:

            sudo nano /etc/exports
            # "*" admits every host and no_root_squash lets a remote root act as root on this share;
            # restrict the client list to the project subnet wherever possible
            /home/project/nfsroot *(rw,sync,no_root_squash)
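The export above admits every host (*) and disables root squashing, so any machine that can reach the server may mount the share and a remote root can write to it as root. As an added example (not from the project), the script below scans an exports file for those two settings and for insecure; its sample input is constructed and contains the page's own line next to a tightened variant restricted to the project subnet.

```sh
#!/bin/sh
# Added example (not from the project page): flag risky clauses in /etc/exports.
# Constructed sample: line 1 is the page's own export, line 2 a tightened version
# limited to the project subnet with root_squash (the default) kept.
SAMPLE_EXPORTS='/home/project/nfsroot *(rw,sync,no_root_squash)
/home/project/nfsroot 10.10.10.0/24(rw,sync,root_squash)
# comment lines and blank lines are ignored

/srv/share 10.10.10.10(ro,sync)'

# check_exports: reads exports lines on stdin, prints one line per finding.
# A clause is "client(options)"; a client of "*" (or no client at all) means
# every host that can reach the server may mount the share.
check_exports() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            clause = $i
            split(clause, part, "(")
            client = part[1]; opts = part[2]; sub(/\)$/, "", opts)
            if (client == "" || client == "*")
                printf "%s: exported to every host [%s]\n", path, clause
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s: no_root_squash maps remote root to local root [%s]\n", path, clause
            if (opts ~ /(^|,)insecure(,|$)/)
                printf "%s: insecure accepts requests from unprivileged ports [%s]\n", path, clause
        }
    }'
}

# count_findings [FILE]: number of findings for FILE (default: the sample above)
count_findings() {
    { if [ -n "${1:-}" ]; then check_exports < "$1"; else printf '%s\n' "$SAMPLE_EXPORTS" | check_exports; fi; } \
        | wc -l | tr -d ' '
}

case "${1:-}" in
    scan) check_exports < /etc/exports ;;   # check the live file on the NFS server
esac
```

Run `sh check-exports.sh scan` on the NFS server after editing /etc/exports; a clean run prints nothing, and `exportfs -ra` applies the edited file.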

Step 3: Make the directory called nfsroot (if it does not exist yet):

           sudo mkdir -p /home/project/nfsroot

Step 4: Start the NFS server

           sudo service nfs-kernel-server start

Create a file under the folder nfsroot

           cd /home/project/nfsroot/
           sudo touch test    # create a file named test
           sudo nano test     # write the information you want; it becomes visible to the client
           # ctrl + x exits nano

Step 5: For the client, install nfs-common
Command:

               sudo apt-get install nfs-common

Step 6: Create the mount point directory named nfs

               sudo mkdir -p /home/project/nfs

Mount point for the export

               sudo mkdir -p /mnt/export/home/project

Step 7: Mount the exported directory from the server on the client
Command:

              sudo mount -t nfs 10.x.x.x:/home/project/nfsroot /home/project/nfs   # 10.x.x.x is the NFS server's IP

Check the path of the shared folder
Command:

               sudo showmount -e 10.x.x.x   # server ip

Commands to configure NTP:

Network Time Protocol (NTP) is used to synchronize the clocks of computer systems.

Step 1: Installation

           sudo apt-get install ntp

Step 2: Configuration

           sudo nano /etc/ntp.conf
           # replace the server lines with the following:
           server ntp.ubuntu.com
           server pool.ntp.org

Mail Server

Step 1: The mail server is configured using Postfix and Dovecot. Install postfix and dovecot using the following commands:

          sudo apt-get install postfix
          sudo apt-get install dovecot

Step 2: Assign the hostname in /etc/hostname. For our mail server, we have assigned mail.dfjz.com

Step 3: Add the host in /etc/hosts, where the host is listed with its IP address

            10.10.10.8     mail.dfjz.com

Step 4: Configure postfix for SMTP-AUTH in /etc/postfix/main.cf (parameter names are lower case)

             home_mailbox = Maildir/
             smtpd_sasl_type = dovecot
             smtpd_sasl_path = private/auth
             smtpd_sasl_local_domain =
             smtpd_sasl_security_options = noanonymous

Step 5: Generate a private key and a self-signed certificate for TLS:

             openssl genrsa -des3 -out server.key 2048
             openssl rsa -in server.key -out server.key.insecure    # copy without passphrase, so postfix can start unattended
             mv server.key server.key.secure
             mv server.key.insecure server.key
             openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/CN=mail.dfjz.com"
             sudo cp server.key /etc/ssl/private/server.key
             sudo cp server.crt /etc/ssl/certs/server.crt

Step 6: Configure the key and certificate paths (the certificate file, not the key, goes in smtpd_tls_cert_file)

             sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
             sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'

Step 7: uncomment smtps and submission lines from /etc/postfix/master.cf file

Step 8: add smtp auth for /etc/dovecot/conf.d/10-master.conf file

Step 9: In the /etc/dovecot/conf.d/10-auth.conf, add auth_mechanisms = plain login

Step 10:

              sudo service postfix restart
              sudo service dovecot restart


Step-by-step procedure to implement the project

  1. Implement a DHCP server to distribute addresses dynamically to the clients in the network
  2. Assign network address and all its requirements
  3. Implement DNS server with at least five records using Bind9
  4. Implement Forward and reverse zones in the DNS
  5. Test Master and Slave DNS individually
  6. Test slave when master DNS is turned off
  7. Implement web Server using Apache
  8. Implement Firewall using above stated configuration
  9. Implement backup for the network
  10. In order to create a network, all the servers and clients must be connected to the same medium. This can be done using a switch or ad-hoc Network. For our project, we have chosen an ad-hoc network
  11. A hotspot is created to connect all the servers and clients
  12. Test the working of all the servers and the firewall and Backup


Testing Plan

  1. Test the network
    • Ping to every server successfully
  2. Test DNS Server
    • use command ‘nslookup’
    • Type in domain name to see the IP address is mapped
    • Type in IPV4 address to see the domain name is mapped
    • Type in IPV6 address to see the domain name is mapped
  3. Test DHCP Server
    • Use ‘ifconfig’ to see the client or server can get the IP address (IPV4 and IPV6)
  4. Test Web Server
    • Open the web browser, type localhost to see it can access the website
  5. Test MySQL
    • Type the command mysql -uroot -ppassword to log in to the MySQL database
    • Type the command show databases; to list the databases
  6. Test Backup
    • Check the backup file in the backup server.
  7. Test VPN, NFS and etc.
    • Connect to the VPN Server to see it can get successfully
    • Type the command mount to get the NFS Server exported file, edit the file to see the server can get the latest edited file.
  8. Test Firewall
    • Access the website after enable and shut down the firewall.

Working with an example (Integration)

DHCP Server
  1. Test of DHCP from VMware. The VMware host can get IP address and default router from the DHCP server.
  2. Test for DNS from Client2 IPv4, IPv6, Reverse DNS
  3. Test PXE from Client3
DNS Server
  1. Firstly, the master DNS is set up and tested if the mapping is done accurately
  2. The slave DNS is then set up and the transfer of zones is verified
  3. Ping from either DNS is tested using two separate VM’s on VMware

Future improvements

  1. More add-ons can be implemented such as VLAN, encryption, etc.
  2. Security can be configured by implementing alerts to the network admin, whenever a user attempts to perform an action as the root user
  3. Implementation of LDAP

References
