Data Networking/Fall 2015/Janane Suresh
Team
Janane Suresh
Sunaina Selvaraj
Dharanish Kedarisetti
Rahul Kasanagottu
Motivation
The Linux operating system has become a driving force in almost every networking application, which gives us the motivation to explore the OS. Linux is one of the most powerful open-source operating systems, and Linux skills are a key asset for a successful career in networking. Hoping to develop good proficiency in Linux, we decided to take on this project.
Understanding the Protocol
Domain Name System
The core function of DNS is to resolve a host name into an IP address. When a website address is typed into the browser, a DNS server looks up the corresponding IP address and returns it to the client. The client first sends a DNS query to the server, and the server answers with a response carrying the IP address of the website. Once the IP address is known, the host can be reached to retrieve data from it. To reduce latency, a BIND9 server with caching can be used: whenever a response is received for a DNS query, it is cached on the server, so the time taken to resolve a previously cached name is considerably reduced and the user waits less for the page to load.
Dynamic Host Configuration Protocol
IP addresses can be assigned to networking components in the following ways.
i) Static Allocation: IP addresses of networking components such as computers and routers are assigned statically and remain constant until changed by the network administrator.
ii) Automatic Allocation: the same IP address is allocated to a system whenever it connects to a particular network.
iii) Dynamic Allocation: a DHCP server allocates IP addresses to devices from a pool of addresses configured on the DHCP server. Both IPv4 and IPv6 addresses can be provided by the DHCP server. A suitable subnet mask needs to be provided for correct allocation of IP addresses and to prevent wasting addresses.
Webserver & Firewall
In order to host a website, we need a web server running on the Linux OS. Apache2 is the most widely used web server. In addition, a firewall provides a layer of security by controlling the incoming and outgoing traffic of a network. All traffic other than what is permitted by the rules in the iptables rule set is denied by the firewall at the gateway router (the router between the private network and the public network).
Requirements
The main requirement is a Linux-based OS. This project is implemented on Ubuntu 14.04. In addition, BIND9 for DNS caching, a DHCP server for dynamic IP allocation and the Apache2 server for hosting a website are required.
Backup Server
We automated the backup process. For that, the backup server and the web server must be able to establish a secure connection over SSH. To send backups automatically without any human intervention, the connection has to be established without password authentication, using an SSH key pair instead.
The Requirements
• Linux-based OS (we have used Ubuntu 14.04.1)
• Bind9 server to configure DNS.
• Isc-dhcp-server to configure DHCP.
• Apache2 to configure our web server.
• RSync tool for the web backup server.
Steps involved in the setup / installation
DNS Configuration
The following are the steps to configure BIND9, the DNS software, and to check the availability of the primary name server, the secondary name server and the web server.
Primary Nameserver: ns1.mylinuxproject.com, 192.168.1.8
Secondary Nameserver: ns2.mylinuxproject.com, 192.168.1.9
Webserver: www.mylinuxproject.com, 192.168.1.3
1. Set the hostname. Here it is ns2.
sudo nano /etc/hostname
2. Check the known hosts with
cat /etc/hosts
3. Check the IP address of the DNS server with
ifconfig
and set it manually to 192.168.1.9.
The ifconfig command shows the interface's IP address; in this case it is observed that the address is statically set to 192.168.1.9.
4. Install BIND:
sudo apt-get install bind9
5. Define the forward lookup zone and the reverse lookup zone.
sudo nano /etc/bind/named.conf.local
This command edits the named.conf.local file; apply the changes in which the forward and reverse zone files are declared (the zone declarations are listed in the Master & Slave DNS section).
6. Configure named.conf.options
sudo nano /etc/bind/named.conf.options
Add the forwarders block:
forwarders {
    # ISP DNS IPs
    192.168.1.1;
    8.8.8.8;
    8.8.4.4;
};
7. Create a zones directory for the two database files, db.mylinuxproject.com and db.192.
sudo mkdir /etc/bind/zones
8. Create the forward zone file
sudo nano /etc/bind/zones/db.mylinuxproject.com
This command edits the db.mylinuxproject.com file; enter the records for the hosts listed above to create the forward zone file.
9. Create the reverse zone file
sudo nano /etc/bind/zones/db.192
This command edits the db.192 file; enter the PTR records for the hosts listed above to create the reverse zone file.
10. Start BIND:
sudo /etc/init.d/bind9 start
This command starts the domain name service.
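The page does not show the contents of the two zone files from steps 8 and 9, so here is an added example (not from the project page) that generates them for the three hosts in the table above, deriving the reverse zone's PTR owner names from the addresses, and validates them with named-checkzone when BIND's tools are installed. The host names and addresses are the page's; the serial-number format, the TTLs and the "admin" mailbox in the SOA record are assumptions.

```shell
#!/bin/sh
# Added example, not from the project page: build the forward zone
# (db.mylinuxproject.com) and reverse zone (db.192) for the hosts in the
# table, and check them with named-checkzone if it is installed.
# Host names and addresses are the page's; serial format, TTLs and the
# "admin" mailbox in the SOA record are assumptions.

DOMAIN="mylinuxproject.com"
NS1="ns1"; NS1_IP="192.168.1.8"
NS2="ns2"; NS2_IP="192.168.1.9"
WEB="www"; WEB_IP="192.168.1.3"; WEB_IP6="fd01:db8:0:1::3"
SERIAL=$(date +%Y%m%d01)   # YYYYMMDDnn; a slave transfers only when it grows

# last_octet 192.168.1.9 -> 9 (the PTR owner name inside a /24 reverse zone)
last_octet() { echo "$1" | awk -F. '{ print $4 }'; }

# forward_zone -> zone file text on stdout
forward_zone() {
    cat <<EOF
\$TTL 604800
@   IN  SOA ${NS1}.${DOMAIN}. admin.${DOMAIN}. (
            ${SERIAL}   ; Serial
            604800      ; Refresh
            86400       ; Retry
            2419200     ; Expire
            604800 )    ; Negative cache TTL
@       IN  NS      ${NS1}.${DOMAIN}.
@       IN  NS      ${NS2}.${DOMAIN}.
@       IN  A       ${WEB_IP}
@       IN  AAAA    ${WEB_IP6}
${NS1}  IN  A       ${NS1_IP}
${NS2}  IN  A       ${NS2_IP}
${WEB}  IN  A       ${WEB_IP}
${WEB}  IN  AAAA    ${WEB_IP6}
EOF
}

# reverse_zone -> 1.168.192.in-addr.arpa zone file text on stdout
reverse_zone() {
    cat <<EOF
\$TTL 604800
@   IN  SOA ${NS1}.${DOMAIN}. admin.${DOMAIN}. (
            ${SERIAL} 604800 86400 2419200 604800 )
@   IN  NS  ${NS1}.${DOMAIN}.
@   IN  NS  ${NS2}.${DOMAIN}.
$(last_octet "$NS1_IP")  IN  PTR  ${NS1}.${DOMAIN}.
$(last_octet "$NS2_IP")  IN  PTR  ${NS2}.${DOMAIN}.
$(last_octet "$WEB_IP")  IN  PTR  ${WEB}.${DOMAIN}.
EOF
}

# write_zones DIR -> writes DIR/db.mylinuxproject.com and DIR/db.192
# (use /etc/bind/zones on the real server) and validates them when possible
write_zones() {
    dir="$1"
    mkdir -p "$dir"
    forward_zone > "$dir/db.${DOMAIN}"
    reverse_zone > "$dir/db.192"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$DOMAIN" "$dir/db.${DOMAIN}" &&
            named-checkzone "1.168.192.in-addr.arpa" "$dir/db.192"
    fi
}

OUT="${1:-$(mktemp -d)}"
write_zones "$OUT" && echo "zone files written to $OUT"
```

Run it with the target directory as the only argument (for example `sh make-zones.sh /etc/bind/zones` as root); without an argument it writes into a temporary directory. Bumping the serial on every edit matters for the master/slave setup later on the page: the slave only pulls a new copy of the zone when the master's serial is larger than the one it holds.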
DNS IPv6
1. Do an nslookup for the AAAA record of the domain name.
nslookup -type=AAAA mylinuxproject.com
This returns the IPv6 address fd01:db8:0:1::3.
Master & Slave DNS
Step 1: Edit /etc/hosts. Command:
sudo nano /etc/hosts
Add
127.0.0.1       localhost
192.168.1.8     ns1.mylinuxproject.com  ns1
192.168.1.9     ns2.mylinuxproject.com  ns2
(The accompanying image shows the ifconfig details of the slave DNS server.)
Step 2: Edit /etc/bind/named.conf.local on the master virtual machine. Command:
sudo nano /etc/bind/named.conf.local
Edit
# Forward zone
zone "mylinuxproject.com" {
    type master;
    allow-transfer { 192.168.1.9; };
    file "/etc/bind/zones/db.mylinuxproject.com";
};
# Reverse zone
zone "1.168.192.in-addr.arpa" {
    type master;
    allow-transfer { 192.168.1.9; };
    file "/etc/bind/zones/db.192";
};
Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine. Command:
sudo nano /etc/bind/named.conf.local
Edit
# Forward zone
zone "mylinuxproject.com" {
    type slave;
    masters { 192.168.1.8; };
    file "/etc/bind/zones/db.mylinuxproject.com";
};
# Reverse zone
zone "1.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.1.8; };
    file "/etc/bind/zones/db.192";
};
Note that on Ubuntu the AppArmor profile for named only allows it to write under /var/cache/bind, so if the zone transfer fails with a permission error in the log, point the slave's file entries there (e.g. file "/var/cache/bind/db.mylinuxproject.com";).
DHCP Server
1. Install the DHCP server
sudo apt-get install isc-dhcp-server
2. Set the static IP address of the DHCP server
sudo nano /etc/network/interfaces
Change lo to either eth0 or wlan0 and loopback to static:
auto eth0
iface eth0 inet static
    address 192.168.1.3
    netmask 255.255.255.0
    gateway 192.168.1.1
    network 192.168.1.0
    broadcast 192.168.1.255
    dns-nameservers 192.168.1.2
    dns-search fourtex.com
3. Configure the DHCP server (the range must lie inside the declared subnet, otherwise dhcpd refuses to start)
sudo nano /etc/dhcp/dhcpd.conf
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.100;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.8, 192.168.1.9;
    option broadcast-address 192.168.1.255;
    option domain-name "mylinuxproject.com";
    default-lease-time 600;
    max-lease-time 7200;
}
4. Restart the DHCP server
sudo service isc-dhcp-server restart
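A range that falls outside its subnet declaration is the easiest mistake to make in step 3, and dhcpd simply refuses to start on it. The following added example (not from the project page) checks every range statement in a dhcpd.conf against the subnet it is declared in, using only POSIX sh and awk so it runs anywhere; on the real server `dhcpd -t -cf /etc/dhcp/dhcpd.conf` remains the authoritative check. The sample configuration it audits is constructed from the page's subnet block; the message wording is an assumption.

```shell
#!/bin/sh
# Added example, not from the project page: check that every "range" in a
# dhcpd.conf lies inside the subnet it is declared in. dhcpd refuses to start
# when it does not, so this catches the mistake before the restart in step 4.
# Needs only POSIX sh and awk; "dhcpd -t -cf /etc/dhcp/dhcpd.conf" is the
# authoritative check on the real server. The sample config below is
# constructed from the page's subnet block.

# ip_to_int 192.168.1.10 -> 3232235786
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# in_subnet ADDR NETWORK NETMASK -> 0 when ADDR is inside NETWORK/NETMASK,
# 2 when NETWORK itself is not aligned to NETMASK, 1 otherwise
in_subnet() {
    awk -v a="$(ip_to_int "$1")" -v n="$(ip_to_int "$2")" -v m="$(ip_to_int "$3")" 'BEGIN {
        size = 4294967296 - m            # addresses in the block (256 for a /24)
        if (n % size != 0) exit 2
        exit !(a >= n && a < n + size)
    }'
}

# check_range NETWORK NETMASK FIRST LAST -> prints "ok" or the problem; rc 0/1
check_range() {
    net="$1"; mask="$2"; first="$3"; last="$4"
    in_subnet "$net" "$net" "$mask" || { echo "network $net is not aligned to netmask $mask"; return 1; }
    in_subnet "$first" "$net" "$mask" || { echo "first address $first outside $net/$mask"; return 1; }
    in_subnet "$last" "$net" "$mask" || { echo "last address $last outside $net/$mask"; return 1; }
    awk -v a="$(ip_to_int "$first")" -v b="$(ip_to_int "$last")" 'BEGIN { exit !(a <= b) }' \
        || { echo "range $first-$last is reversed"; return 1; }
    echo ok
}

# audit_dhcpd_conf FILE -> one result line per "range" statement in the file
audit_dhcpd_conf() {
    awk '
        $1 == "subnet" { net = $2; mask = $4; sub(/\{$/, "", mask) }
        $1 == "range"  { first = $2; last = $3; sub(/;$/, "", last); print net, mask, first, last }
    ' "$1" | while read -r net mask first last; do
        check_range "$net" "$mask" "$first" "$last" || :   # keep reporting
    done
}

# write_sample_conf FILE -> the page's subnet block (constructed sample input)
write_sample_conf() {
    cat > "$1" <<'EOF'
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0{
  range 192.168.1.10 192.168.10.100;
  option routers 192.168.1.1;
}
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
audit_dhcpd_conf "$tmp"      # last address 192.168.10.100 outside 192.168.1.0/255.255.255.0
rm -f "$tmp"
```

The arithmetic lives in awk because POSIX sh guarantees no bit operations on 32-bit values; with a contiguous netmask, "inside the subnet" reduces to `network <= address < network + block size`, which is what `in_subnet` tests. Point `audit_dhcpd_conf` at /etc/dhcp/dhcpd.conf to check the real file.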
DHCP IPv6
Step 1
Copy the ISC-DHCP server init script
sudo cp /etc/init.d/isc-dhcp-server /etc/init.d/isc-dhcp6-server
Copy the dhcpd.conf file to dhcpd6.conf
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd6.conf
Make the following modifications to the isc-dhcp6-server script so that it supports IPv6:
1. Add the -6 option wherever the dhcpd process is invoked.
2. Change "dhcpd.leases" to "dhcpd6.leases".
3. Change the DHCPD_PID (pid-file) variable to "/var/run/dhcp-server/dhcpd6.pid".
4. Modify the /etc/apparmor.d/usr.sbin.dhcpd file to include the following lines:
network inet6 raw,
@{PROC}/[0-9]*/net/if_inet6 r,
/var/lib/dhcp/dhcpd6.leases* lrw,
/var/run/dhcp-server/dhcpd6.pid w,
Reload AppArmor so the modified profile takes effect, then restart the IPv6 server:
sudo /etc/init.d/apparmor reload
sudo /etc/init.d/isc-dhcp6-server restart
Step 2: Configuring the ISC-DHCP6 server - dhcpd6.conf
The IPv6 configuration file is dhcpd6.conf and can be edited with the following command:
sudo nano /etc/dhcp/dhcpd6.conf
This command opens the DHCPv6 configuration file at the specified path. We need to make the following modifications in dhcpd6.conf:
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet6 fd01:db8:0:1::/64 {
    # Range for clients
    range6 fd01:db8:0:1::A fd01:db8:0:1::64;
}
Step 3: Securing the DHCP server
The following modifications are made to the configuration file to secure the DHCP server:
ddns-update-style none;
deny declines;
deny bootp;
Denying DHCPDECLINE messages prevents a DoS in which a client marks every offered lease as unusable by declining it, and denying BOOTP refuses old BOOTP clients.
Step 4: Restart the ISC-DHCP server
Now that the isc-dhcp-server configuration is complete, we need to restart the DHCP server so that the new configuration takes effect:
sudo service isc-dhcp6-server restart
sudo service isc-dhcp6-server start
sudo service isc-dhcp6-server stop
Step 5: Verifying
To check the leases of the IP addresses assigned by the DHCP server:
cd /var/lib/dhcp/
ls -l
cat dhcpd6.leases
APACHE2 Web Server Configuration
Following are the steps and commands to configure a web server.
STEP 1: Install the Apache2 web server. First update Ubuntu 14.04, then install apache2. Update the package lists after entering root mode:
sudo su
apt-get update
Installing Apache2:
apt-get install apache2
We can check whether apache2 is installed correctly by opening http://localhost or http://127.0.0.1 in a web browser. The default page shows the following message:
It works! This is the default web page for this server. The web server software is running but no content has been added, yet.
STEP 2: Create directories. We need to create the directory that holds the HTML page of our web server inside the www folder, and make it readable by the web server:
mkdir /var/www/mylinuxproject.com/
chmod 755 /var/www/
chown $USER:$USER /var/www/mylinuxproject.com/
Now we create the HTML page of our web server in the directory just created:
nano /var/www/mylinuxproject.com/sample.html
STEP 3: Configuring the apache2 files
apache2.conf is the main configuration file of the web server. It contains the default configuration and is the primary file from which the web server reads its configuration.
nano /etc/apache2/apache2.conf
The editor opens the file. Scrolling down, there are several Directory blocks; add the following block to the file:
<Directory /var/www/mylinuxproject.com/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
The Directory blocks define how the web server handles the various directories. By default few restrictions are set, and those apply to the root directory; by giving a path we define the settings for our own directory. Options Indexes makes Apache list the directory contents when no index file is present; drop Indexes if such listings are not wanted. Additional settings such as Timeout, KeepAlive, MaxKeepAliveRequests and KeepAliveTimeout, which control HTTP persistent connections, can be set in the global configuration section of this file.
AllowOverride controls whether a .htaccess file in the content directory may override these settings; None disables that.
Configuring dir.conf
We need to add our HTML file to the list of index files so that the web server serves it as the directory's default page.
nano /etc/apache2/mods-available/dir.conf
Scroll down and modify as follows:
<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
</IfModule>
Configuring 000-default.conf
nano /etc/apache2/sites-available/000-default.conf
We need to change the server name and the path of the directory to be served:
ServerAdmin webmaster@localhost
ServerName mylinuxproject.com
DocumentRoot /var/www/mylinuxproject.com
We need to restart apache2 for the changes to take effect:
service apache2 restart
We can test whether our web server is working by opening
http://localhost or http://127.0.0.1 in a web browser.
Backup Configuration
Step 1: Installing SSH. We need to install SSH on the web server and on the backup server.
sudo su
apt-get install ssh
Step 2: Generating a key pair. We log into the web server and generate a pair of public and private keys. The private key must never be shared with any other device; the public key is shared with other devices to establish the SSH connection.
ssh-keygen -t rsa
Step 3: Copying the public key to the backup server. The public key, id_rsa.pub, is in the .ssh directory. We need to copy it securely to the backup server; 192.168.1.101 is the IP of the backup server.
cd .ssh
scp id_rsa.pub 192.168.1.101:/tmp/
Step 4: Creating a tar file of the contents that need to be backed up
tar -cvpzf minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html
Step 5: Authorizing the public key
On the backup server we append the public key to authorized_keys to permit the connection from the web server to the backup server without a password.
cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
Step 6: Automating the backup. To create and send a backup every minute, we edit the crontab:
crontab -e
* * * * * tar -cvpzf /home/rahulsankrut/minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html
* * * * * scp /home/rahulsankrut/minutebackup.tar.gz 192.168.1.101:/home/ravi
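Two things a practitioner would want around steps 5 and 6 are a way for the backup server to tell a complete, unmodified archive from a truncated or tampered one, and an authorized_keys entry that grants the web server's key only what the copy job needs. The following added example (not from the project page) does both: it packages the web root with a SHA-256 manifest, verifies a received copy, and prints a restricted authorized_keys line. The web root and the web server address 192.168.1.3 are the page's; the manifest file name, the staging directory and the sample page content are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the project page: the per-minute backup from the
# crontab above, with an integrity manifest and a restricted authorized_keys
# entry for the backup server. The web root and the 192.168.1.3 web server
# address are the page's; the manifest file name, the staging directory and
# the sample page content are constructed for this example.

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_backup SRC_DIR OUT_DIR -> OUT_DIR/minutebackup.tar.gz plus its .sha256
make_backup() {
    src="$1"; out="$2"
    mkdir -p "$out"
    # -C makes the archive hold paths relative to the parent of SRC_DIR,
    # which also avoids tar's "Removing leading /" warning
    tar -czf "$out/minutebackup.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
    sha256_of "$out/minutebackup.tar.gz" > "$out/minutebackup.tar.gz.sha256"
}

# verify_backup DIR -> 0 only if the archive matches its manifest and lists
# cleanly; run this on the backup server before trusting a received copy
verify_backup() {
    dir="$1"
    [ -f "$dir/minutebackup.tar.gz" ] && [ -f "$dir/minutebackup.tar.gz.sha256" ] || return 1
    [ "$(sha256_of "$dir/minutebackup.tar.gz")" = "$(cat "$dir/minutebackup.tar.gz.sha256")" ] || return 1
    tar -tzf "$dir/minutebackup.tar.gz" >/dev/null 2>&1
}

# restricted_key_line PUBKEY_FILE WEB_IP -> authorized_keys entry that accepts
# the web server's key only from its address and without a shell, port
# forwarding or agent forwarding (scp still works), instead of a bare key
restricted_key_line() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$(cat "$1")"
}

# Demo on a constructed web root so it runs anywhere:
tmp=$(mktemp -d)
mkdir -p "$tmp/mylinuxproject.com"
echo '<h1>sample page (constructed)</h1>' > "$tmp/mylinuxproject.com/sample.html"
make_backup "$tmp/mylinuxproject.com" "$tmp/backup"
verify_backup "$tmp/backup" && echo "backup verified"
echo 'ssh-rsa AAAA...constructed-key... www@mylinuxproject.com' > "$tmp/id_rsa.pub"
restricted_key_line "$tmp/id_rsa.pub" 192.168.1.3
rm -rf "$tmp"
```

In the crontab, `make_backup /var/www/mylinuxproject.com /home/rahulsankrut` replaces the tar line, and the scp line copies both the archive and its .sha256 file; the backup server then runs `verify_backup` on the received directory and logs any failure. The restricted line goes into the backup server's authorized_keys instead of the bare public key from step 5, so the key is useless from any other address and cannot open an interactive session.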
Firewall
First we need to install iptables.
sudo su
apt-get install iptables
There are three kinds of iptables targets: ACCEPT, DROP and REJECT. REJECT discards the packet and sends an error message back to the sender, while DROP discards it silently.
Accepting loopback traffic:
iptables -A INPUT -i lo -j ACCEPT
Accepting HTTP requests from the network 192.168.1.0/24 on port 80:
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Accepting SSH requests from the network 192.168.1.0/24 on port 22:
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
Accepting echo replies from the network 192.168.1.0/24:
iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
Rejecting echo requests from the network 192.168.1.0/24 with an error message:
iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
Dropping TELNET requests from the network 192.168.1.0/24 on port 23 (DROP, unlike REJECT, sends nothing back):
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j DROP
Note that these rules are appended to the INPUT chain, whose default policy is ACCEPT unless changed with iptables -P, so traffic matched by none of them is still accepted; the rules also persist only until reboot unless they are saved.
We can remove all the rules loaded into the kernel with the following command:
iptables -F
We can remove individual rules with the following commands. First we obtain the number of the rule to be deleted:
iptables -L --line-numbers
Now we delete the rule with number N:
iptables -D INPUT N
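Because the commands above leave the INPUT chain's default policy at ACCEPT, the rule set does not actually deny "all traffic other than the allowed set" as the Webserver & Firewall section intends. The following added example (not from the project page) writes the page's rules in iptables-restore format twice, once as they stand and once with a default-deny INPUT policy and a conntrack rule so the host's own outbound connections keep working, and audits either file for the weak setting. Addresses and ports are the page's; the file names and the audit messages are assumptions.

```shell
#!/bin/sh
# Added example, not from the project page: the INPUT rules above written as
# an iptables-restore file with a default-deny policy, next to the rules as
# they appear on the page (default policy ACCEPT), plus a small audit that
# reads an iptables-save style dump and reports whether unlisted traffic is
# still let in. Addresses and ports are the page's; the file names and the
# audit messages are assumptions.

# write_page_ruleset FILE -> the page's rules with iptables' default policies
write_page_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j DROP
COMMIT
EOF
}

# write_hardened_ruleset FILE -> same rules, but INPUT drops by default and
# replies to the host's own outbound connections are admitted explicitly.
# FORWARD is left at ACCEPT because the PPTP add-on relies on forwarding.
write_hardened_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j DROP
COMMIT
EOF
}

# chain_policy FILE CHAIN -> the chain's default policy (ACCEPT or DROP)
chain_policy() {
    awk -v chain=":$2" '$1 == chain { print $2 }' "$1"
}

# audit_input FILE -> "ok", or one finding per line with rc 1
audit_input() {
    f="$1"; rc=0
    if [ "$(chain_policy "$f" INPUT)" != "DROP" ]; then
        echo "INPUT policy is not DROP: traffic matching no rule is accepted"; rc=1
    elif ! grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$f"; then
        echo "no conntrack rule: replies to the host's own connections are dropped"; rc=1
    fi
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback is not allowed"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo ok; fi
    return "$rc"
}

tmp=$(mktemp -d)
write_page_ruleset "$tmp/page.v4"
audit_input "$tmp/page.v4" || :            # reports the ACCEPT policy, rc 1
write_hardened_ruleset "$tmp/hardened.v4"
audit_input "$tmp/hardened.v4"             # ok
rm -rf "$tmp"
```

Load the hardened file with `iptables-restore < hardened.v4` (as root) and review the live rules with `iptables-save`, which emits the same format the audit reads, so `iptables-save > current.v4 && audit_input current.v4` checks what the kernel is actually enforcing. The conntrack rule is what makes default-deny workable: without it the DNS, apt and scp traffic the servers on this page originate would get their replies dropped.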
ADD-ONs
VPN
a) PPTPD Server:
1) Install the pptpd server using apt-get
sudo apt-get install pptpd
2) Then we need to configure pptpd.
sudo nano /etc/pptpd.conf
Add the server IP and the client IP range at the end of the file, like below:
localip 192.168.1.6
remoteip 192.168.1.10-100
Here localip is the IP address of the server and remoteip is the same range the DHCP server hands out (note that pptpd assigns these addresses itself, so overlapping the DHCP pool risks handing out an address twice).
3) Configure the DNS servers that clients use when they connect to this PPTP server
sudo nano /etc/ppp/pptpd-options
Uncomment the ms-dns lines and add the IP addresses of the DNS servers used in the project:
ms-dns 192.168.1.8
ms-dns 192.168.1.9
4) Now add a VPN user in the /etc/ppp/chap-secrets file.
sudo nano /etc/ppp/chap-secrets
# client    server  secret      IP addresses
username    *       myPassword  *
5) Finally restart the server
/etc/init.d/pptpd restart
6) Enable IPv4 forwarding. In /etc/sysctl.conf, enable the forwarding rule below.
sudo nano /etc/sysctl.conf
Uncomment the line
net.ipv4.ip_forward=1
b) Client side:
1) Go to VPN Connections > Configure VPN > Add a connection.
2) Choose the connection type: PPTP (Point to Point Tunneling Protocol).
3) Create the VPN connection by entering a name for it, the gateway, and the username and password configured on the PPTPD server.
4) Then open the Advanced options, tick the MPPE (Microsoft Point-to-Point Encryption) check box and save the changes.
5) Finally enable the VPN connection just created; on success the message "VPN connection has been successfully established" is shown.
Mail Server
Install the postfix package
sudo apt-get install postfix
Configure step by step:
sudo dpkg-reconfigure postfix
1. General Mail configuration: Internet Site
2. System mail name: mylinuxproject.com
3. Root recipient: <admin>
4. Other destinations for mail: server1.mylinuxproject, mylinuxproject.com, localhost.mylinuxproject.com, localhost
5. Force synchronous updates on mail queue?: No
6. Local networks: 127.0.0.0/8
7. Mailbox size limit (bytes): 0
8. Local address extension character: +
9. Internet protocols to use: all
3) Configure the mailbox format for Maildir
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
4) Edit /etc/postfix/sasl/smtpd.conf as follows:
pwcheck_method: saslauthd
mech_list: plain login
5) Generate certificates for TLS encryption (1024-bit RSA is considered weak today; 2048 bits is the usual minimum):
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt   # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650   # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
6) Configure postfix and TLS for both incoming and outgoing mail:
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server1.example.com'
With smtpd_tls_auth_only = no, the plain and login SASL mechanisms configured above may send credentials before TLS is negotiated; setting it to yes makes postfix offer authentication only inside an encrypted session.
7) Restart the postfix service:
sudo /etc/init.d/postfix restart
Testing
DNS TESTING
1. Forward lookup using the forward zone file
nslookup ns2.mylinuxproject.com.
2. Reverse lookup using the in-addr.arpa zone file
nslookup 192.168.1.9
3. Forward lookup with the dig command. It shows the DNS question, the answer, and the authority and additional sections.
dig ns2.mylinuxproject.com
4. Reverse lookup with the dig command (-x queries the PTR record). It shows the DNS question, the answer, and the authority and additional sections.
dig -x 192.168.1.9
DHCP TESTING
1. Start the ISC-DHCP server
sudo /etc/init.d/isc-dhcp-server restart
2. Start the ISC-DHCP6 server
sudo /etc/init.d/isc-dhcp6-server restart
Future Prospects
DHCP
• Create a superscope to solve the problem of dwindling IP addresses. When an organization grows faster than addresses can be supplied and the pool runs short, a superscope comes into the picture. A superscope is a versatile, cost-effective and easy-to-use solution when a network is running out of IP addresses.
DNS
• Support for IPv6 addressing ensures that DNS servers will be able to serve present and future DNS clients that take advantage of IPv6 addresses. DNS servers can return both IPv4 host (A) resource records and IPv6 host (AAAA) resource records in response to queries.
SECURITY
• Increase the overall security of the network by installing an IDS and an IPS to monitor the traffic flowing through the network.
Citations
• https://help.ubuntu.com/community/BIND9ServerHowto
• https://help.ubuntu.com/10.04/serverguide/httpd.html
• http://httpd.apache.org/docs/2.4/
• https://help.ubuntu.com/community/isc-dhcp-server
Books
• Computer Networking: A Top-Down Approach - Kurose | Ross