Data Networking/Fall 2015/Dfjz
Requirements
DNS server
- Get a domain name for the start-up
- Assign a set of IPv4 and IPv6 addresses to be used for this project
- Configure name servers to handle queries for the domain
- Document the details for the future users
- Choose one of the DNS servers BIND9, POSADIS or PowerDNS
- Create any 5 DNS records
- Create reverse domains in in-addr.arpa and ip6.arpa
- Configure a Master DNS server and Slave server
- Test plan and implementation with example
DHCP server
- Assign a set of IPv4 and IPv6 addresses to be used for this project
- Dynamic allocation of network addresses
- The Client-Server protocol
- Test plan and implementation with example
Web Server & Firewall
- Use only command-line tools and packages
- Provide all the commands with a brief description
- Provide the changes you have made to the files/folders for configuring the web server as well as the firewall. Create the basic page to be served by this web server
- Make this page accessible to the clients in your network using the webserver
- Make your server the most secured one in all possible ways
Back up
- Automate the process of backing up the data
- The backup file should be zipped and sent to a different server
- Describe briefly how you back up automatically and how the file transfer is made
- Provide the command and configuration for sending the zipped file to a different location
- Mention which protocol you are using to complete this task
Hierarchy
Behavior of the protocol
DNS
Functionality of DNS [1]:
The Domain Name System (DNS) is a large distributed database, held on many computers, that contains the names and IP addresses of hosts and domains on the Internet. This data is what the Domain Name Service consults when queries are made: the service is the act of querying the database, and the system is the data structure and the data itself.
DNS is an essential component of most Internet services because it is the Internet's primary directory service. A client sends a query to a DNS server, which resolves it to an IP address using one of the following processes:
- Recursive Process.
- Iterative Process.
Depending on the query forwarded by the client, the DNS can perform two functions:
- Forward DNS Query – Hostname to IP address.
- Reverse DNS Query – IP address to Hostname.
There are three classes of DNS servers:
- Root DNS servers
- Top-level domain (TLD) DNS servers
- Authoritative DNS servers
BIND
Functionality of BIND [2]:
BIND is an acronym for Berkeley Internet Name Domain. Version 9 was developed by Nominum, Inc. The BIND 9 software distribution contains both a name server and a resolver library.
The BIND software distribution has three parts:
- Domain Name Resolver: A resolver is a program that resolves questions about names by sending those questions to the appropriate servers and responding appropriately to the servers' replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system (many operating system distributions use the BIND resolver library). The stub resolver usually forwards queries to a caching resolver, a server or group of servers on the network dedicated to DNS services. Those resolvers send queries to one or more authoritative servers in order to find the IP address for that DNS name.
- Domain Name Authority server: An authoritative DNS server answers requests from resolvers, using information about the domain names it is authoritative for. You can provide DNS services on the Internet by installing this software on a server and giving it information about your domain names.
- Tools: BIND includes a number of diagnostic and operational tools. Some of them, such as the popular dig tool, are not specific to BIND and can be used with any DNS server.
Zones
A zone consists of the part of the domain tree for which a name server has complete information. It contains all domain names from a certain point downward in the domain tree, except those which are delegated to other zones.
Authoritative Name Servers [3]:
There are two types of authoritative name servers:
- Master server (primary name server): A master server stores the original master copies of all zone records. The hostmaster only makes changes to the master server's zone records. Each slave server gets updates via the automatic update (zone transfer) mechanism of the DNS protocol, so all slave servers maintain an identical copy of the master records.
- Slave server (secondary name server): A slave server is an exact replica of the master server. It is used to share DNS server load and to improve DNS zone availability in case the master server fails. It is recommended that you have at least two slave servers and one master server for each domain name.
DHCP [4]:
The Dynamic Host Configuration Protocol (DHCP) is a network protocol used to assign IP addresses and provide configuration information to devices such as servers, desktops or mobile devices, so that they can communicate on a network using the Internet Protocol (IP). ISC DHCP is a collection of software that implements all aspects of the DHCP suite. It includes:
- A DHCP server, which receives clients’ requests and replies to them.
- A DHCP client, which can be bundled with the operating system of a client computer or other IP capable device and which sends configuration requests to the server. Most devices and operating systems already have DHCP clients included.
- A DHCP relay agent, which passes DHCP requests from one LAN to another so that there need not be a DHCP server on every LAN.
Apache [5]:
Apache is probably the most popular Linux-based web server application in use. Apache2 supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest and mod_auth_digest, the successor to mod_digest. A sample of other features includes Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config) and filtering support (mod_include and mod_ext_filter).
Firewall [6]:
Firewalls are computer security systems that protect your office/home PCs or your network from intruders, hackers and malicious code. Firewalls protect you from hostile software that may try to reach your systems and from prying hackers. At a time when online security is a top priority for computer users, firewalls provide the necessary safety and protection.
ufw - Uncomplicated Firewall [7]
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. ufw is initially disabled by default. From the ufw man page:
Back up:
Backup refers to the copying and archiving of computer data so that it may be used to restore the original after a data loss event.
VPN:
VPN stands for Virtual Private Network. It is a network technology that creates a secure network connection over a public network such as the Internet, or over a private network owned by a service provider.
NFS [8]:
Network File System (NFS) is based on Remote Procedure Call (RPC); it lets a client automatically mount remote file systems and access them transparently, as if they were local. It is a client/server application that lets a user view and optionally store and update files on a remote computer as though they were on the user's own computer. The user's system needs an NFS client and the other computer needs the NFS server. Both require TCP/IP, since the NFS server and client use TCP/IP to send files and updates back and forth.
Implementation
DNS Server
Install a DNS server on the local machine using Ubuntu and BIND9
Step 1 : Give the interface in use (eth0 or wlan0) a static address
Command:
sudo nano /etc/network/interfaces
# Change lo to either eth0 or wlan0 and loopback to static
auto eth0
iface eth0 inet static
    address 10.10.10.5
    netmask 255.255.255.0
    gateway 10.10.10.1
    network 10.10.10.0
    broadcast 10.10.10.255
    # resolvconf keys: the name server and search domain this host should use
    dns-nameservers 10.10.10.5
    dns-search dfjz.com
Step 2: Restart the network
Command:
sudo /etc/init.d/networking restart
Step 3 : Install bind9
Command:
sudo apt-get install bind9
Step 4 : Remove the comments from the forwarders block
Command:
sudo nano /etc/bind/named.conf.options
Step 5 : Define the entries for Forward and Reverse lookup zones
- Master DNS
sudo nano /etc/bind/named.conf.local
Forward zone:
zone "dfjz.com" {
    type master;
    file "/etc/bind/db.dfjz.com";
    allow-transfer { <IP of slave>; };   // only the slave may pull the zone
};
Reverse zone:
zone "10.10.10.in-addr.arpa" {
    type master;
    allow-transfer { <IP of slave>; };
    file "/etc/bind/db.192";
};
- Slave DNS (the zone names must match the master's zones exactly, otherwise no transfer takes place)
Forward zone:
zone "dfjz.com" {
    type slave;
    masters { <IP of master>; };
    file "/var/cache/bind/db.dfjz.com";
};
Reverse zone:
zone "10.10.10.in-addr.arpa" {
    type slave;
    masters { <IP of master>; };
    file "/var/cache/bind/db.192";
};
Step 6 : Create the zone files referenced in named.conf.local before bind9 starts
Command: Copy the template zone file db.local to the forward zone file
sudo cp /etc/bind/db.local /etc/bind/db.dfjz.com
Step 7 : Edit the forward lookup zone
Command:
sudo nano /etc/bind/db.dfjz.com
$TTL 604800
@ IN SOA dfjz.com. root.dfjz.com. (
        2         ; Serial number, increase it on every change
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
@ IN NS ubuntu.dfjz.com.
@ IN A 10.10.10.5
@ IN AAAA fe80::be77:37ff:fe7d:dc2d
; A records (zone files use ";" for comments, not "#")
ubuntu IN A 10.10.10.5
ubuntu1 IN A 10.10.10.6
wp IN A 10.10.10.10
mail IN A 10.10.10.8
; mail exchanger for the zone; its target must be an A record, not a CNAME
@ IN MX 10 mail.dfjz.com.
; trailing dot: without it the name is read relative to the zone origin
www IN CNAME dfjz.com.
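The reverse zone file for 10.10.10.in-addr.arpa is not shown above. As an added example (not the project's own files), the script below builds both the forward zone and the reverse zone from one host table, so every A record gets a matching PTR and the serial always grows. The host table is constructed from the addresses on this page; using the slave ubuntu1 as second NS, the output file name db.10.10.10 and the YYYYMMDDnn serial are assumptions.

```shell
#!/bin/sh
# Added example: generate matching forward and reverse zone files for
# dfjz.com / 10.10.10.0/24 from one host table (constructed from this page).
HOSTS="ubuntu 10.10.10.5
ubuntu1 10.10.10.6
backup 10.10.10.7
mail 10.10.10.8
wp 10.10.10.10"
ZONE_DIR=${ZONE_DIR:-$(mktemp -d)}   # assumed output location

# Serial in YYYYMMDDnn form: a slave only pulls a new copy when it is larger.
zone_serial() { printf '%s01\n' "$(date +%Y%m%d)"; }

# SOA and NS records shared by both zones (ubuntu = master, ubuntu1 = slave).
soa_header() {
    cat <<EOF
\$TTL 604800
@ IN SOA ubuntu.dfjz.com. root.dfjz.com. (
        $(zone_serial) ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
@ IN NS ubuntu.dfjz.com.
@ IN NS ubuntu1.dfjz.com.
EOF
}

gen_forward() {          # forward zone to stdout
    soa_header
    echo '@ IN A 10.10.10.5'
    echo '@ IN MX 10 mail.dfjz.com.'
    echo 'www IN CNAME dfjz.com.'
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        printf '%s IN A %s\n' "$name" "$ip"
    done
}

gen_reverse() {          # reverse zone: last octet of each address -> PTR
    soa_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        printf '%s IN PTR %s.dfjz.com.\n' "${ip##*.}" "$name"
    done
}

# Returns 0 when every host A record in $1 has its PTR in $2, 1 otherwise.
check_zones() {
    awk '$2 == "IN" && $3 == "A" && $1 != "@" { print $1, $4 }' "$1" |
    while read -r name ip; do
        grep -q "^${ip##*.} IN PTR $name\.dfjz\.com\.\$" "$2" ||
            { echo "missing PTR for $name ($ip)" >&2; exit 1; }
    done
}

gen_forward > "$ZONE_DIR/db.dfjz.com"
gen_reverse > "$ZONE_DIR/db.10.10.10"
# Run named-checkzone on both files before copying them into /etc/bind.
```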
DHCP Server
Install a DHCP server for IPv4 on the local machine
Step 1 : Install dhcp server
Command:
sudo apt-get install isc-dhcp-server
Step 2 : Configure the DHCP server
Command:
sudo nano /etc/dhcp/dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.11 10.10.10.50;
    option domain-name-servers 10.10.10.5, 10.10.10.6;
    option domain-name "dfjz.com";
    option routers 10.10.10.1;
    option broadcast-address 10.10.10.255;
    default-lease-time 600;
    max-lease-time 7200;
}
Step 3 : Assign fixed IP addresses to the web server, master DNS and slave DNS, backup server and mail server
Command:
For the web server:
host web0 {
    hardware ethernet 00:0c:29:3e:ca:69;
    fixed-address 10.10.10.10;
}
For the master DNS and slave DNS:
host dnsmaster0 {
    hardware ethernet 00:0c:29:4c:8d:77;
    fixed-address 10.10.10.5;
}
host dnsslave0 {
    hardware ethernet 00:0c:29:56:40:8c;
    fixed-address 10.10.10.6;
}
For the backup server:
host backup0 {
    hardware ethernet 00:0c:29:23:6b:90;
    fixed-address 10.10.10.7;
}
For the mail server:
host mailserver0 {
    hardware ethernet 00:0c:29:56:0d:d1;
    fixed-address 10.10.10.8;
}
Step 4 : start the dhcp service
Command:
sudo /etc/init.d/isc-dhcp-server start
IPv6 address assignment on the local machine (router advertisements with radvd)
Step 1 : Install radvd
Command:
sudo apt-get install radvd
Step 2 : configure radvd.conf
Command:
sudo nano /etc/radvd.conf
interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:0db8:0100:f101::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
Step 3 : modify sysctl.conf
Command:
sudo nano /etc/sysctl.conf
# remove the "#" in front of net.ipv6.conf.all.forwarding=1, then apply it now:
sudo sysctl -w net.ipv6.conf.all.forwarding=1
Step 4 : Start the radvd service
Command:
sudo service radvd start
Web Server
Install a web server on the local machine using Apache as the web server.
Step 1: Install apache2
Command:
sudo apt-get install apache2
Step 2: Check whether the web server is listening on port 80
Command:
netstat -a | more
Step 3: Restart the web server
Command:
sudo /etc/init.d/apache2 stop
# When you run netstat now, the computer is not shown as listening
sudo /etc/init.d/apache2 start
Step 4: To edit the webpage for the server
Firewall
Use ufw to set up the firewall. It is built into Ubuntu. ufw is a front end that lets the system administrator configure the tables provided by the Linux kernel firewall (iptables); steps 1 to 5 below write iptables rules directly, steps 6 to 9 use ufw.
Step 1: To block incoming ICMP echo requests (ping), write the following command:
# echo-request (type 8) is the incoming ping; type 0 is the reply
sudo iptables -A INPUT -d <IP address of the destination> -p icmp --icmp-type echo-request -j DROP
Step 2: To prevent SSH login from a given host, write the following command:
sudo iptables -A INPUT -s <IP address of the source> -d <IP address of the destination> -p tcp --dport ssh -j DROP
Step 3: To block the FTP ports, write the following commands:
sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 21 -j DROP
Step 4: To block the port used by Telnet, write the following command:
sudo iptables -A INPUT -d <ip address of destination> -p tcp --dport 23 -j DROP
Step 5: To block the web page (port 80) for a given host, write the following command:
sudo iptables -A INPUT -s <ip address of source> -d <ip address of destination> -p tcp --dport 80 -j DROP
Step 6: To start the firewall, write the following command:
sudo ufw enable
Step 7: To shut down the firewall, write the following command:
sudo ufw disable
Step 8: To block SSH access from a certain IP address:
sudo ufw deny proto tcp from <ip address of source> to any port 22
Step 9: To unblock that IP address again, delete the rule (an allow rule added after the deny would not match first):
sudo ufw delete deny proto tcp from <ip address of source> to any port 22
Back Up
Server side:
Step 1: Install ssh
Command:
sudo apt-get install openssh-server
Client side:
Step 1: Log in from the client (web server) to the backup server
Command:
ssh xunpeng@10.10.10.7
Step 2: Use ssh-keygen to create an encryption key pair (public and private key)
Command:
ssh-keygen -t rsa   # accept the default path /home/xunpeng/.ssh/id_rsa
Step 3: Exit the server
Step 4: Copy id_rsa from the server to the client
Command:
cd .ssh
scp xunpeng@10.10.10.7:.ssh/id_rsa .
chmod 600 id_rsa   # ssh refuses a private key that is readable by others
ssh 10.10.10.7
Step 5: Run a first backup by hand
Command:
rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/
Step 6: Automatic backup
Command:
rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/
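As an added example (not the project's own script), a backup script that meets the requirement of a zipped file sent to a different server: it tars and gzips /home/xunpeng/backup, verifies the archive, copies it to 10.10.10.7 with scp over the key-based SSH login set up above, and is meant to run from cron. The work directory, the retention of seven local copies and the cron line are assumptions.

```shell
#!/bin/sh
# Added example: nightly gzipped backup shipped to the backup server.
# SRC_DIR and DEST come from this page; WORK_DIR and retention are assumed.
SRC_DIR=${SRC_DIR:-/home/xunpeng/backup}
DEST=${DEST:-xunpeng@10.10.10.7:/home/xunpeng/backup/}
WORK_DIR=${WORK_DIR:-/var/tmp/backup}

# Create a timestamped .tar.gz of $1 inside $2; prints the archive path.
make_archive() {
    mkdir -p "$2" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/backup-$stamp.tar.gz"
    # -C so the archive holds relative paths, not the absolute /home/... tree
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    printf '%s\n' "$archive"
}

# Returns 0 only if the gzip stream and the tar structure are both intact,
# so a truncated archive is never shipped and later mistaken for a backup.
verify_archive() {
    gzip -t "$1" && tar -tzf "$1" >/dev/null
}

# Copy $1 to $2 (user@host:path) with scp, then keep only the newest
# seven local archives so the work directory cannot fill the disk.
ship_archive() {
    scp -q "$1" "$2" || return 1
    ls -1t "$(dirname "$1")"/backup-*.tar.gz | tail -n +8 | xargs -r rm -f
}

# Cron entry (assumed schedule, 02:00 daily) to make the backup automatic:
#   0 2 * * * /home/xunpeng/backup.sh >> /var/log/backup.log 2>&1
main() {
    a=$(make_archive "$SRC_DIR" "$WORK_DIR") || exit 1
    verify_archive "$a" || { echo "corrupt archive $a" >&2; exit 1; }
    ship_archive "$a" "$DEST"
}
if [ "${RUN_BACKUP:-0}" = 1 ]; then main; fi
```

The script assumes the web server's own key is authorised on the backup server; generating the key pair on the client and installing only its public key with ssh-copy-id avoids moving a private key between hosts as step 4 does.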
Add-ons
VPN
Step 1: Install pptpd, the package used to configure the VPN
Command:
sudo apt-get install pptpd
Step 2: Edit /etc/pptpd.conf and make the following changes
localip <IP of VPN server>
remoteip <Range of IPs of VPN clients>
Step 3: Edit the /etc/ppp/pptpd-options file:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
(Google DNS)
Step 4: Restart the pptpd service
Command:
sudo service pptpd restart
Step 5: Set the user ID and password
Command:
sudo nano /etc/ppp/chap-secrets
zhu pptpd 2500 *
# zhu is the user name, pptpd is the VPN server name, 2500 is the password and * means any IP in the VPN client range.
Step 6: Edit /etc/sysctl.conf to enable forwarding, then reload sysctl
net.ipv4.ip_forward=1
sudo sysctl -p
Step 7: Firewall setting:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables-save > firewall    # save the running rules to a file
iptables-restore < firewall # load them again from that file
NIS
Step 1: Install nis and portmap
sudo apt-get install nis portmap
Step 2: Set the domain name NISServer when prompted during installation, then configure the master
sudo nano /etc/default/nis
NISSERVER=master                 # set this computer as the NIS master server
sudo nano /etc/yp.conf
domain NISServer server ubuntu   # domain name NISServer, server name ubuntu
sudo nano /etc/ypserv.securenets
# change the "0.0.0.0 0.0.0.0" line to "255.255.255.0 192.168.0.0" (netmask, then network address)
sudo /usr/lib/yp/ypinit -m       # build the server's database
Step 3: For the NIS client
sudo apt-get install portmap nis
Step 4: Set the domain name NISServer when prompted
Step 5: Add the NIS map entries and point the client at the server
sudo nano /etc/passwd
Add a line: +::::::
sudo nano /etc/group
Add a line: +:::
sudo nano /etc/shadow
Add a line: +::::::::
sudo nano /etc/yp.conf
Set the ypserver's IP address
NFS
Commands to configure NFS:
For the server follow these steps:
Step 1: Install NFS
Command:
sudo apt-get install nfs-kernel-server
Step 2: Edit the exports file
Command:
sudo nano /etc/exports
/home/project/nfsroot *(rw,sync,no_root_squash)
# "*" exports to every host and no_root_squash lets a client's root act as root on the export
Step 3: Make a directory called nfsroot:
sudo mkdir -p /home/project/nfsroot
Step 4: Restart the NFS server
sudo service nfs-kernel-server restart
Create a file under the folder nfsroot
cd /home/project/nfsroot/
sudo touch test   # create a file named test
sudo nano test    # write the information you want; it becomes visible to the client
# Ctrl+X exits nano
Step 5: For the client, install nfs-common
Command:
sudo apt-get install nfs-common
Step 6: Create a directory named nfs
sudo mkdir -p /home/project/nfs
Mount point
sudo mkdir -p /mnt/export/home/project
Step 7: Mount the server's exported directory on the client
Command:
sudo mount -t nfs 10.x.x.x:/home/project/nfsroot /home/project/nfs
Check the path of the shared folder
Command:
sudo showmount -e 10.x.x.x   # server IP
NTP
Network Time Protocol is used for time synchronization between computer systems.
Step 1: Installation
sudo apt-get install ntp
Step 2: Configuration
sudo nano /etc/ntp.conf
# change the following lines:
server ntp.ubuntu.com
server pool.ntp.org
Mail Server
Step 1: The mail server is configured using Postfix and Dovecot. Install them using the following commands:
sudo apt-get install postfix
sudo apt-get install dovecot
Step 2: Assign the hostname in /etc/hostname. For our mail server, we have assigned mail.dfjz.com
Step 3: Add a host in /etc/hosts. The host with its IP address is listed in this file:
10.10.10.8 mail.dfjz.com
Step 4: Configure Postfix for SMTP-AUTH in /etc/postfix/main.cf
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
Step 5: Generate a key and a self-signed certificate for TLS:
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure   # copy without passphrase so Postfix can start unattended
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.key /etc/ssl/private/
sudo cp server.crt /etc/ssl/certs/
Step 6: Configure the key and certificate paths
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
Step 7: Uncomment the smtps and submission lines in the /etc/postfix/master.cf file
Step 8: Add SMTP auth to the /etc/dovecot/conf.d/10-master.conf file
Step 9: In /etc/dovecot/conf.d/10-auth.conf, add auth_mechanisms = plain login
Step 10: Restart both services
sudo service postfix restart
sudo service dovecot restart
Step-by-step procedure to implement the project
- Implement a DHCP server to distribute addresses dynamically to the clients of the network
- Assign network address and all its requirements
- Implement DNS server with at least five records using Bind9
- Implement Forward and reverse zones in the DNS
- Test Master and Slave DNS individually
- Test slave when master DNS is turned off
- Implement web Server using Apache
- Implement Firewall using above stated configuration
- Implement backup for the network
- In order to create a network, all the servers and clients must be connected to the same medium. This can be done using a switch or ad-hoc Network. For our project, we have chosen an ad-hoc network
- A hotspot is created to connect all the servers and clients
- Test the working of all the servers and the firewall and Backup
Testing Plan
- Test the network
  - Ping every server successfully
- Test DNS server
  - Use the command 'nslookup'
  - Type in a domain name to see that the IP address is mapped
  - Type in an IPv4 address to see that the domain name is mapped
  - Type in an IPv6 address to see that the domain name is mapped
- Test DHCP server
  - Use 'ifconfig' to see that the client or server gets an IP address (IPv4 and IPv6)
- Test web server
  - Open the web browser and type localhost to see that it can access the website
- Test MySQL
  - Type the command mysql -uroot -ppassword to log in to the MySQL database
  - Type the command show databases to see the list of databases
- Test backup
  - Check the backup file on the backup server.
- Test VPN, NFS, etc.
  - Connect to the VPN server to see that the connection succeeds
  - Type the mount command to get the NFS server's exported file; edit the file and see that the server gets the latest edit.
- Test firewall
  - Access the website after enabling and after shutting down the firewall.
Working with an example (Integration)
- DHCP Server
  - Test of DHCP from VMware. The VMware host can get an IP address and default router from the DHCP server.
  - Test of DNS from Client2: IPv4, IPv6, reverse DNS
  - Test of PXE from Client3
- DNS Server
  - First, the master DNS is set up and tested to verify that the mapping is done accurately
  - The slave DNS is then set up and the transfer of zones is verified
  - Ping from either DNS is tested using two separate VMs on VMware
Future improvements
- More add-ons can be implemented such as VLAN, encryption, etc.
- Security can be configured by implementing alerts to the network admin, whenever a user attempts to perform an action as the root user
- Implementation of LDAP
References
- [1] http://www.comptechdoc.org/independent/networking/guide/netdns.html
- [2] https://www.isc.org/downloads/bind/
- [3] http://www.dnsknowledge.com/whatis/authoritative-name-server/
- [4] https://www.isc.org/downloads/dhcp/
- [5] http://www.tldp.org/LDP/LG/issue12/server.html
- [6] http://www.firewallinformation.com/
- [7] https://help.ubuntu.com/12.04/serverguide/firewall.html
- [8] http://linuxconfig.org/how-to-configure-nfs-on-linux