Data Networking/Fall 2015/Janane Suresh

Team

Janane Suresh
Sunaina Selvaraj
Dharanish Kedarisetti
Rahul Kasanagottu

Motivation

The Linux operating system has become a force in almost every networking application, which gives us the motivation to explore it. Linux is a powerful open-source operating system, and proficiency in it is a key skill for a successful career in networking. Hoping to develop that proficiency, we decided to take on this project.

Understanding the Protocol

Domain Name System

DNS resolves host names to IP addresses. When a website address is typed into the browser, a DNS server looks up the corresponding IP address and returns it to the client. The client first sends a DNS query to the server, which replies with a response containing the IP address of the website; once the address is known, the host can be reached and data retrieved from it. To reduce latency, a BIND9 server with caching can be used: whenever a response is received for a DNS query it is cached on the server, so a previously resolved name is answered from the cache and the time the user waits for the page is considerably reduced.

Dynamic Host Configuration Protocol

IP addresses can be assigned to networking components in the following ways.
i) Static allocation: addresses for components such as computers and routers are assigned statically and remain constant until changed by the network administrator.
ii) Automatic allocation: the same IP address is allocated to a system whenever it connects to a particular network.
iii) Dynamic allocation: a DHCP server allocates IP addresses to devices from a pool of addresses specified in the DHCP server's configuration. Both IPv4 and IPv6 addresses can be provided by the DHCP server. A suitable subnet mask must be provided for correct allocation, to avoid wasting addresses.

Webserver & Firewall

To host a website we need a web server running on the Linux OS; Apache2 is the most widely used one. In addition, a firewall provides a layer of security by controlling the incoming and outgoing traffic of the network. All traffic that does not match the allowed iptables rules is denied by the firewall at the gateway router (the router between the private network and the public network).

Requirements: the main requirement is a Linux-based OS; this project is implemented on Ubuntu 14.04. In addition, BIND9 for DNS caching, a DHCP server for dynamic IP allocation and Apache2 for hosting the website are required.

Backup Server

We automated the backup process. For that, the backup server and the web server must be able to establish a secure SSH connection. To send backups automatically without human intervention, the connection must be established without an interactive password prompt, so SSH key authentication is used.

The Requirements

• Linux-based OS (we have used Ubuntu 14.04.1)
• Bind9 server to configure DNS.
• isc-dhcp-server to configure DHCP.
• Apache2 to configure our web server.
• rsync for the web backup server.

Steps involved in the setup /installation

DNS Configuration

The following steps configure BIND9 (the DNS software) and check that the primary name server, web server and secondary name server are reachable.


  Primary Nameserver     ns1.mylinuxproject.com    192.168.1.8
  Secondary Nameserver   ns2.mylinuxproject.com    192.168.1.9
  Webserver              www.mylinuxproject.com    192.168.1.3

1. Set the hostname. Here it is ns2.

  sudo nano /etc/hostname 

2. Check the hosts file with

  cat /etc/hosts 


3. Check the IP address of the DNS server with

  ifconfig

and set it manually to 192.168.1.9 if necessary.

The ifconfig output shows that in this case the IP address is statically set to 192.168.1.9.

4. Install BIND:

  sudo apt-get install bind9  

5. Define the forward lookup zone and the reverse lookup zone.

 sudo nano /etc/bind/named.conf.local

This command opens named.conf.local; add the zone definitions that name the forward and reverse zone files (the complete master and slave versions are given under Master & Slave DNS).

6. Configure named.conf.options

 sudo nano /etc/bind/named.conf.options

Add the forwarders block (the ISP's DNS servers, to which queries the server cannot answer itself are forwarded):

 forwarders {
     # ISP DNS IPs
     192.168.1.1;
     8.8.8.8;
     8.8.4.4;
 };

7. Create a directory for the two zone files, db.mylinuxproject.com and db.192:

  sudo mkdir /etc/bind/zones

8. Create the forward zone file

  sudo nano /etc/bind/zones/db.mylinuxproject.com

This command opens db.mylinuxproject.com; the forward zone file is created by entering the zone records in it.

9. Create the reverse zone file

 sudo nano /etc/bind/zones/db.192

This command opens db.192; the reverse zone file is created by entering the zone records in it.

10. Start BIND:

 sudo /etc/init.d/bind9 start

This command starts the domain name service.
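
The forward and reverse zone files themselves were only shown as screenshots on this page. The script below is an added example, not the project's own files: it writes both zone files for the hosts listed above (ns1, ns2, www and the IPv6 address used later) with a constructed serial, and includes a small check that every A record has a matching PTR, which catches the most common reverse-lookup mistake before BIND is restarted.

```shell
#!/bin/sh
# Added example, not from the original page: the two zone files the steps
# above create, written for the hosts in this project (ns1 192.168.1.8,
# ns2 192.168.1.9, www 192.168.1.3, IPv6 fd01:db8:0:1::3), plus a check
# that every A record has a matching PTR. SERIAL is a constructed value.
SERIAL=2015120101   # YYYYMMDDnn; increase on every edit or ns2 never re-transfers

# Forward zone: $1 is the directory, e.g. /etc/bind/zones
write_forward_zone() {
    cat > "$1/db.mylinuxproject.com" <<EOF
\$TTL    604800
@       IN      SOA     ns1.mylinuxproject.com. admin.mylinuxproject.com. (
                        $SERIAL     ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative cache TTL
@       IN      NS      ns1.mylinuxproject.com.
@       IN      NS      ns2.mylinuxproject.com.
ns1     IN      A       192.168.1.8
ns2     IN      A       192.168.1.9
www     IN      A       192.168.1.3
@       IN      A       192.168.1.3
@       IN      AAAA    fd01:db8:0:1::3
EOF
}

# Reverse zone for 1.168.192.in-addr.arpa: only the last octet is listed
write_reverse_zone() {
    cat > "$1/db.192" <<EOF
\$TTL    604800
@       IN      SOA     ns1.mylinuxproject.com. admin.mylinuxproject.com. (
                        $SERIAL     ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative cache TTL
@       IN      NS      ns1.mylinuxproject.com.
@       IN      NS      ns2.mylinuxproject.com.
8       IN      PTR     ns1.mylinuxproject.com.
9       IN      PTR     ns2.mylinuxproject.com.
3       IN      PTR     www.mylinuxproject.com.
EOF
}

# Consistency check that needs no BIND: each named A record in the forward
# zone must have a PTR for its last octet in the reverse zone. Returns 1 and
# lists the offenders if any are missing.
check_ptr_coverage() {
    missing=$(awk '$3 == "A" && $1 != "@" { print $1, $4 }' "$1/db.mylinuxproject.com" |
        while read -r host ip; do
            grep -q "^${ip##*.}[[:space:]].*PTR[[:space:]]*${host}\." "$1/db.192" || echo "$host=$ip"
        done)
    [ -z "$missing" ] || { echo "missing PTR for: $missing"; return 1; }
}

# Install and validate with BIND's own checker when run as: sh zones.sh --install
if [ "${1:-}" = "--install" ]; then
    write_forward_zone /etc/bind/zones && write_reverse_zone /etc/bind/zones
    check_ptr_coverage /etc/bind/zones
    named-checkzone mylinuxproject.com /etc/bind/zones/db.mylinuxproject.com
    named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192
fi
```

Without --install the script only defines the functions, so the zone text can be inspected in a scratch directory before touching /etc/bind.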

DNS IPV6

1. Do an nslookup for the AAAA record of the domain name.

  nslookup -type=AAAA mylinuxproject.com  

This returns the IPv6 address fd01:db8:0:1::3.

Master & Slave DNS

Step 1: Edit /etc/hosts. Command:

              sudo nano /etc/hosts

Add

              127.0.0.1   localhost
              192.168.1.8     ns1.mylinuxproject.com    ns1
              192.168.1.9     ns2.mylinuxproject.com    ns2


(Screenshot: ifconfig output of the slave DNS server.)

Step 2: Edit /etc/bind/named.conf.local on the master virtual machine. Command:

            sudo nano /etc/bind/named.conf.local

Edit

            # Forward zone
            zone "mylinuxproject.com" {
            type master;
            allow-transfer{192.168.1.9;};
            file "/etc/bind/zones/db.mylinuxproject.com";
            };
            # Reverse Zone

            zone "1.168.192.in-addr.arpa" {
            type master;
            allow-transfer{192.168.1.9;};
            file "/etc/bind/zones/db.192";
            };

Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine. Command:

            sudo nano /etc/bind/named.conf.local

Edit

            # Forward zone
            zone "mylinuxproject.com" {
            type slave;
            masters{192.168.1.8; };
            file "/etc/bind/zones/db.mylinuxproject.com";
            };
            # Reverse Zone

            zone "1.168.192.in-addr.arpa" {
            type slave;
            masters{192.168.1.8; };
            file "/etc/bind/zones/db.192";
            };

DHCP Server

1. Install DHCP Server

    sudo apt-get install isc-dhcp-server

2. Set the static IP address of the DHCP server

    sudo nano /etc/network/interfaces 

Replace the lo entry with eth0 (or wlan0) and change loopback to static:

                auto eth0
                iface eth0 inet static
                address 192.168.1.3
                netmask 255.255.255.0
                gateway 192.168.1.1
                network 192.168.1.0
                broadcast 192.168.1.255
                dns-nameservers 192.168.1.2
                dns-search fourtex.com

3. Configure the DHCP server

    sudo nano /etc/dhcp/dhcpd.conf

               authoritative;
               subnet 192.168.1.0 netmask 255.255.255.0 {
                   # pool handed out to clients (must lie inside the subnet)
                   range 192.168.1.10 192.168.1.100;
                   option routers 192.168.1.1;
                   option domain-name-servers 192.168.1.8, 192.168.1.9;
                   option broadcast-address 192.168.1.255;
                   option domain-name "mylinuxproject.com";
                   default-lease-time 600;
                   max-lease-time 7200;
               }

4. Restart the DHCP server

    sudo service isc-dhcp-server restart 

DHCP IPV6

Step 1

Copy the ISC DHCP init script:

  sudo cp /etc/init.d/isc-dhcp-server /etc/init.d/isc-dhcp6-server

Copy dhcpd.conf to dhcpd6.conf:

  sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd6.conf

Modify isc-dhcp6-server so that it supports IPv6:

1. Add the -6 option wherever the dhcpd process is called.
2. Change "dhcpd.leases" to "dhcpd6.leases".
3. Change the DHCPD_PID variable to

  "/var/run/dhcp-server/dhcpd6.pid"

4. Modify the /etc/apparmor.d/usr.sbin.dhcpd file to include the following lines

  network inet6 raw,
  @{PROC}/[0-9]*/net/if_inet6 r,
  /var/lib/dhcp/dhcpd6.leases* lrw,
  /var/run/dhcp-server/dhcpd6.pid w,

Restart AppArmor so the modified profile is loaded, then restart the new service:

  /etc/init.d/isc-dhcp6-server restart

Step 2: Configuring the ISC DHCP6 server - dhcpd6.conf

The IPv6 configuration file is dhcpd6.conf and can be opened with the following command

   sudo nano /etc/dhcp/dhcpd6.conf

This command allows changes to be made to the DHCP configuration file at the specified path. The following modifications are required in dhcpd6.conf:

 default-lease-time 600;
 max-lease-time 7200;
 log-facility local7;
 subnet6 fd01:db8:0:1::/64 {
   # range for clients
   range6 fd01:db8:0:1::A fd01:db8:0:1::64;
 }

Step 3: Securing the DHCP server. The following modifications are made to the configuration file to secure the DHCP server

    ddns-update-style none;
    deny declines;
    deny bootp;

A DoS attack on the DHCP server can be avoided by denying DHCP decline messages, and support for old BOOTP clients is denied as well.

Step 4: Restart the ISC DHCP server

Now that the isc-dhcp6-server configuration is complete, the DHCP6 server must be restarted so that the new configuration takes effect; it can also be started and stopped separately:

   sudo service isc-dhcp6-server restart
   sudo service isc-dhcp6-server start
   sudo service isc-dhcp6-server stop

Step 5: Verifying. To check the leases of the IP addresses assigned by DHCP:

    cd /var/lib/dhcp/
    ls -l
    cat dhcpd6.leases

APACHE2 Web Server Configuration

Following are the steps and commands to be followed to configure a web server.

STEP 1: Install Apache2 Web Server. First update Ubuntu 14.04, then install apache2. Update the package lists after switching to root:

 sudo su
 apt-get update

Installing Apache2

 apt-get install apache2

We can check whether apache2 was installed correctly by entering https://localhost or 127.0.0.1 in a web browser. The following message is displayed:

It works! This is the default web page for this server. The web server software is running but no content has been added, yet.

STEP 2: Create directories. We need to create the directory in the www folder that holds the HTML page of our web server, and set its permissions so that the web server can read it.

  mkdir /var/www/mylinuxproject.com/ 
  chmod 755 /var/www/
  chown $USER:$USER /var/www/mylinuxproject.com/

Now we create the html page of our web server in the above created directory.

  nano /var/www/mylinuxproject.com/sample.html

STEP 3: Configuring apache2 files

apache2.conf is the main configuration file for the web-server. It contains default configuration details. It is the primary access point for the web-server to read details of the configuration.

 nano /etc/apache2/apache2.conf

The editor opens the file; scrolling down past the existing Directory statements, add the following to the file.

   <Directory /var/www/mylinuxproject.com/>
           # Indexes lists directory contents when no index file exists;
           # drop it if such listings are not wanted
           Options Indexes FollowSymLinks
           AllowOverride None
           Require all granted
   </Directory>

The Directory sections define how the web server handles the various directories. By default there are few restrictions, and those apply to the root directory; by giving the path we define the settings for our own directory. Additional features such as Timeout, KeepAlive, MaxKeepAliveRequests and KeepAliveTimeout, which control how HTTP persistent connections are established and handled, can be set in the global configuration section of this file.

AllowOverride controls whether a file placed in the content directory (.htaccess) may override these settings.

Configuring dir.conf

We need to modify the index settings so that our HTML file is served by the web server.

  nano /etc/apache2/mods-available/dir.conf 

Scroll down and modify as following.

        <IfModule mod_dir.c>
        DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
        </IfModule>

Configuring 000-default.conf

  nano /etc/apache2/sites-available/000-default.conf

We need to change the server name and the path of the directory to be served.

ServerAdmin webmaster@localhost

         ServerName mylinuxproject.com
         DocumentRoot /var/www/mylinuxproject.com

We need to restart apache2 for the changes to take effect.

  service apache2 restart

We can test if our web-server is working or not by typing

      https://localhost or 127.0.0.1 in web browser

Backup Configuration

Step 1: Installing SSH. SSH needs to be installed on both the web server and the backup server.

 sudo su
 apt-get install ssh

Step 2: Generating a key pair. Log into the web server and generate a pair of public and private keys. The private key must never be shared with any other device; the public key is shared with other devices to establish the SSH connection.

 ssh-keygen -t rsa

Step 3: Copying the public key to the backup server. The public key id_rsa.pub is in the .ssh directory. We need to copy it securely to the backup server; 192.168.1.101 is the IP of the backup server.

 cd .ssh
 scp id_rsa.pub 192.168.1.101:/tmp/

Step 4: Creating a tar file of the contents that need to be backed up

  tar -cvpzf minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html


Step 5: Authorizing the public key. On the backup server, append the public key to authorized_keys so that the web server can connect to the backup server without being asked for a password.

  cat /tmp/id_rsa.pub >> .ssh/authorized_keys

Step 6: Automating the backup. To create and send the backup every minute, edit the crontab with crontab -e and add:

 * * * * * tar -cvpzf /home/rahulsankrut/minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html
 * * * * * scp /home/rahulsankrut/minutebackup.tar.gz 192.168.1.101:/home/ravi
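
As an added example (not part of the original setup), the key-based login above can be restricted on the backup server so that the web server's key is usable only from 192.168.1.3 and only to run the scp command the cron job produces. The wrapper path /usr/local/bin/backup-receive and the assumption that `scp file 192.168.1.101:/home/ravi` makes the server run `scp -t /home/ravi` (legacy scp protocol) are mine.

```shell
#!/bin/sh
# Added example, not from the original page: restricting the web server's key
# on the backup server. The key is only usable from the web server's address
# and is tied to a forced command that accepts the one scp sink command the
# cron job produces and refuses everything else (shell, other paths, chaining).
# Assumed: backup directory /home/ravi, wrapper installed as
# /usr/local/bin/backup-receive, and that "scp file host:/home/ravi" on the
# client makes sshd run "scp -t /home/ravi" on the server (legacy scp protocol).
WEB_SERVER_IP=${WEB_SERVER_IP:-192.168.1.3}
BACKUP_DIR=${BACKUP_DIR:-/home/ravi}
WRAPPER=/usr/local/bin/backup-receive

# One restricted authorized_keys line for the public key in file $1.
# Append its output to ~/.ssh/authorized_keys on the backup server.
restricted_key_line() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$WEB_SERVER_IP" "$WRAPPER" "$(cat "$1")"
}

# Policy: the exact scp sink command for BACKUP_DIR and nothing else.
# An exact match rules out appended commands such as "scp -t /home/ravi; sh"
# and scp source mode ("scp -f ..."), which would read files back out.
allowed_command() {
    case $1 in
        "scp -t $BACKUP_DIR"|"scp -t $BACKUP_DIR/") return 0 ;;
        *) return 1 ;;
    esac
}

# Body of the forced command: sshd puts the client's request in
# SSH_ORIGINAL_COMMAND; run it only if the policy allows it, else log and fail.
backup_receive() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: split into argv
    fi
    logger -t backup-receive "refused from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "backup-receive: command not permitted" >&2
    exit 255
}

# Act as the wrapper only when installed under that name; otherwise this file
# just defines the functions above (e.g. for generating the key line).
case ${0##*/} in
    backup-receive) backup_receive ;;
esac
```

Refused attempts land in syslog via logger, which gives the backup server a simple detection point for misuse of the key.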

Firewall

Initially we need to install iptables.

  sudo su
  apt-get install iptables

There are three kinds of iptables targets: ACCEPT, DROP and REJECT. REJECT discards the packet and sends an error message back to the sender. Accepting loopback traffic:

  iptables -A INPUT -i lo -j ACCEPT

Accepting HTTP requests from the network 192.168.1.0/24 on port 80

  iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

Accepting SSH requests from the network 192.168.1.0/24 on port 22

  iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

Accepting echo replies (ICMP type 0) from the network 192.168.1.0/24

  iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0  -j ACCEPT

Rejecting echo requests (ICMP type 8) from the network 192.168.1.0/24 with an error message

  iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable

Dropping TELNET requests from the network 192.168.1.0/24 on port 23 (no reply is sent)

 iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j DROP

We can remove all the rules loaded into the kernel with the following command

 iptables -F

Individual rules can be removed with the following commands. First we need to obtain the number of the rule to be deleted.

 iptables -L --line-numbers

Now we can delete the rule with number # using this command

 iptables -D INPUT #
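
The rules above, collected into one script as an added example (not the page's own). It adds two things the individual commands do not set: a default DROP policy on INPUT, without which every packet that matches no rule is still accepted, and a conntrack rule so that replies to the server's own connections are let in. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original page: the firewall rules above as one
# script, with two things the page's individual rules lack: a default DROP
# policy on INPUT (without it every unmatched packet is still accepted) and a
# conntrack rule so replies to the server's own connections are not dropped.
# Set IPT=echo to preview the rules without root or a real iptables.
IPT=${IPT:-iptables}
LAN=${LAN:-192.168.1.0/24}      # the private network used in this project

apply_firewall() {
    $IPT -F INPUT                          # start from an empty INPUT chain
    $IPT -P INPUT DROP                     # default deny for unmatched packets
    $IPT -A INPUT -i lo -j ACCEPT          # loopback
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # HTTP and SSH only from the private LAN
    $IPT -A INPUT -s "$LAN" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # ICMP: allow echo replies, refuse echo requests with an explicit error,
    # as on the page (icmp-host-unreachable is the valid --reject-with value)
    $IPT -A INPUT -s "$LAN" -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p icmp --icmp-type echo-request \
         -j REJECT --reject-with icmp-host-unreachable
    # telnet: silently dropped, as on the page
    $IPT -A INPUT -s "$LAN" -p tcp --dport 23 -j DROP
    # log (rate limited) whatever is about to hit the DROP policy
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# Number of -A rules a preview contains; used as a quick self-check
rule_count() {
    (IPT=echo; apply_firewall) | grep -c -- '-A INPUT'
}

# Show the live chain with rule numbers (what "iptables -D INPUT <n>" needs)
list_rules() {
    $IPT -L INPUT -n -v --line-numbers
}
```

Run apply_firewall from a console session rather than over SSH the first time, since the flush and DROP policy take effect before the SSH rule is re-added.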

ADD-ONs

a) PPTPD Server:

1) Install the pptpd server using apt-get

  # sudo apt-get install pptpd

2) Then we need to configure the pptpd.

  # sudo nano /etc/pptpd.conf

Add the server IP and the client IP range at the end of the file, for example:

    localip 192.168.1.6
    remoteip 192.168.1.10-100

Here localip is the IP address of the server and remoteip is the range handed out to connecting clients (the DHCP range).

3) Configure DNS servers to use when clients connect to this PPTP server

 # sudo nano /etc/ppp/pptpd-options

Uncomment the ms-dns and add the IP addresses of the DNS used in the project

   ms-dns 192.168.1.8
   ms-dns 192.168.1.9

4) Now add a VPN user in /etc/ppp/chap-secrets file.

  # sudo nano /etc/ppp/chap-secrets
  # client   server  secret  IP addresses
  username * myPassword *

5) Finally start your server

  # /etc/init.d/pptpd restart

6) Enable IPv4 forwarding. Edit /etc/sysctl.conf and enable the forwarding rule below.

  # sudo nano /etc/sysctl.conf

Uncomment the line

  net.ipv4.ip_forward=1

b) Client side:

1) Go to VPN Connections - Configure VPN - Add a connection.
2) Choose a connection type: PPTP- Point to Point tunneling protocol.
3) Create a VPN connection by choosing a name for the VPN connection, Gateway, Username and Password (which we had given for the PPTPD server)
4) After entering all this, open the Advanced options, tick the MPPE (Microsoft Point-to-Point Encryption) box and save the changes.
5) Finally we need to enable the VPN connection which we have created which will show a success message: VPN connection has been successfully established.


Mail Server

Install the postfix package

   sudo apt-get install postfix

Configure step by step:

   sudo dpkg-reconfigure postfix

1. General Mail configuration: Internet Site
2. System mail name: mylinuxproject.com
3. Root recipient: <admin>
4. Other destinations for mail: server1.mylinuxproject, mylinuxproject.com, localhost.mylinuxproject.com, localhost
5. Force synchronous updates on mail queue?: No
6. Local networks: 127.0.0.0/8
7. Mailbox size limit (bytes): 0
8. Local address extension character: +
9. Internet protocols to use: all

3) Configure mailbox format for Maildir

 sudo postconf -e 'home_mailbox = Maildir/'

 sudo postconf -e 'mailbox_command ='

4) Edit /etc/postfix/sasl/smtpd.conf as follows:

pwcheck_method: saslauthd
mech_list: plain login

5) Generate Certificates for TLS encryption:

# create the key file with owner-only permissions before writing the key into it
touch smtpd.key
chmod 600 smtpd.key
# 1024-bit RSA as in the original guide; 2048 bits or more is the current minimum
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

6) Configure postfix and TLS for both incoming and outgoing mails:

 sudo postconf -e 'smtp_tls_security_level = may'
 sudo postconf -e 'smtpd_tls_security_level = may'
 sudo postconf -e 'smtpd_tls_auth_only = no'
 sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
 sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
 sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
 sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
 sudo postconf -e 'smtpd_tls_loglevel = 1'
 sudo postconf -e 'smtpd_tls_received_header = yes'
 sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
 sudo postconf -e 'tls_random_source = dev:/dev/urandom'
 sudo postconf -e 'myhostname = server1.example.com' 

7) Restart the postfix service:

 sudo /etc/init.d/postfix restart

Testing

DNS TESTING

1. Forward lookup (forward zone file)

  nslookup ns2.mylinuxproject.com. 

2. Reverse lookup using the in-addr.arpa zone file

  nslookup 192.168.1.9

3. dig for a forward lookup. It shows the DNS query, the answer, and the authority and additional sections.

  dig ns2.mylinuxproject.com 


4. dig for a reverse lookup (-x queries the in-addr.arpa zone for the address). It shows the DNS query, the answer, and the authority and additional sections.

  dig -x 192.168.1.9

DHCP TESTING

1. Start the ISC DHCP server

   sudo /etc/init.d/isc-dhcp-server restart

2. Start the ISC DHCP6 server

   sudo /etc/init.d/isc-dhcp6-server restart

Future Prospects

DHCP

• Create a superscope to solve the problem of dwindling IP addresses. If the Boston organization is growing faster than IP addresses can be supplied, we run short of addresses; this is when a superscope comes into the picture. A superscope is a versatile, cost-effective and easy-to-use solution when a network is running out of IP addresses.

DNS
• Support for IPv6 addressing ensures that the DNS servers can serve present and future DNS clients designed to take advantage of IPv6 addresses. The DNS servers can then return both IPv4 host (A) resource records and IPv6 host (AAAA) resource records in response to queries.

SECURITY
• Increase the overall security of the network by installing an IPS and an IDS to monitor the traffic flowing between the networks.

Citations

https://help.ubuntu.com/community/BIND9ServerHowto
https://help.ubuntu.com/10.04/serverguide/httpd.html
http://httpd.apache.org/docs/2.4/
https://help.ubuntu.com/community/isc-dhcp-server

Books

• Computer Networking: A Top-Down Approach - Kurose, Ross