Data Networking/Fall 2015/MJH
Project Objective
editTo build a robust, secure, dynamic and intelligent network consisting of a DHCP server, DNS server, Web server with firewall and a client for a start-up company.
Project Team members
editManan Mehta
Jagruti Belani
Harsh Chheda
Network elements
editImplemented demo network consists of following elements:
- DHCP (Dynamic Host Configuration Protocol)
- DNS (Domain Name System)
- WEB SERVER, FIREWALL and BACKUP
- Client
Dynamic Host Configuration Protocol (DHCP)
editDHCP is a client/server protocol which dynamically assigns IP addresses to clients connected to the network along with other network information such as DNS IP address, default gateway etc. It lets network administrator to centrally manage and allocate IP addresses within the network.
Behavior of the protocol
editIt is a client-server protocol; which uses UDP at port 67. The server dynamically assigns IP addresses, subnet mask and gateways to clients from a pool of IP addresses given to it.
Signaling
editFollowing steps taken place in a DHCP scenario:
- First, all newly entered host have to locate DHCP server. For that, client sends a discovery request with client id 0.0.0.0 and destination address of 255.255.255.255
- When DHCP server receives a discovery request from client it sends DHCP offer message with valid subnet IP addresses in response.
- Newly arrived client will choose one offer from a number of available offers from different DHCP servers and send request to that particular server.
- That DHCP server will assign the IP address to the client and send an acknowledgement to the client.
DHCP Configuration
editMost widely used DHCP servers are
- Windows DHCP server
- ISC-DHCP server
We have used ISC-DHCP as it is open source software; which can be freely run on Linux machine and it’s mostly matches its performance environment. Following commands are used to implement DHCP server on ubuntu Linux machine.
1. Update package list
sudo apt-get update
2. Install DHCP server
sudo apt-get install isc-dhcp-server -y
3. Make changes into DHCP configuration file
sudo nano /etc/dhcp/dhcpd.conf
Following changes are made in DHCP file:
- While inspecting the dhcpd.conf file locate simple subnet configuration
- Here, mention Subnet mask, Gateway router, leasing address range for subnet, broadcast address and Default and Max lease time as per your network need
4. Configure static IP addresses for Web server and DNS server (as we don’t want DHCP to allocate dynamic IP addresses to these everytime)
sudo nano /etc/dhcp/dhcpd.conf
After doing all changes the DHCP configuration file will look like this.
5. Restart DHCP server to apply the changes.
sudo service isc-dhcp-server restart
After entering this command in terminal; the server must be in ok/started state, otherwise recheck the dhcpd.conf file.
Testing
edit1. DHCP leasing: - the leases on the DHCP server and the IP addresses that has been leased to the client can be verified by using the following command.
sudo tail /var/lib/dhcp/dhcpd.leases
2. DHCP LOG: - the log output of DHCP can be verified using this command.
sudo tail –f /var/log/syslog
Domain Name System (DNS)
editThe Domain Name System is a hierarchical database, its responsibility is to provide name against each public domain IP address and vice –versa for websites on Internet. It is an overhead application layer protocol. It is defined by RFC 1034 & RFC 1035.
Behaviour of Protocol
editDNS is a client-server type application layer protocol which uses UDP port 53. DNS client requests host mapping with a DNS request packet and the DNS server fetches the corresponding record, encapsulates it in a reply packet and sends it over UDP.
DNS Server
editThe authoritative name server of a company holds the records for its web servers, mail servers and canonical names of the servers. These records are configured in the DNS server by registrars certified by Internet Corporation for Assigned Names and Numbers (ICANN).
Signaling
editFollowing steps are performed in DNS request-reply cycle:
1. The client sends a DNS query to the LOCAL DNS.
2. The LOCAL DNS forwards query to the ROOT server and reply will be sent to LOCAL DNS containing NS and A records of corresponding TLD server.
3. The reply will be sent to ROOT DNS server containing NS and A records of corresponding AUTHORATIVE Name Server.
4. The ROOT server will then send a query to the AUTHORITATIVE server & will forward the reply to the LOCAL server.
DNS Configuration
editThe DNS Master server is given a static IP address.
The DNS Slave server is given a static IP address.
Some of the DNS software packages available are BIND, Power DNS and Posadis. Among all BIND is widely used and it fulfils all native requirement of DNS functionality like recursive, authoritative, cacheing name-server and it also contains a resolver client library. Whereas, Power DNS contains two different packages namely “PowerDNS Authoritative Server” & “PowerDNS Recursor”. The later package is more vulnerable (resolved as of now but still not recommended by network administrators). Posadis ,an open source DNS package, but it’s not maintained by any community and hence not preferable.
We have used BIND software. The latest version is Bind9.4 which supports a compile-time option for zone strategy in a variety of database formats. Moreover Bind9 also overcomes some serious security issues which were present in Bind 4 and Bind 8. Thus, Bind9 provides a robust architecture for our DNS server. Following steps are used to implement DNS server.
1.Update the package list.
sudo apt-get update
2.Install bind9.
sudo apt-get install bind9
3. Create a forward zone file.
sudo cp /etc/bind/db.local /etc/bind/zones/db.example.com
4. Open file /etc/bind/zones/db.example.com and edit it. After edition the file will look like below.
5. Create reverse zone file
sudo cp /etc/bind/db.127 /etc/bind/zones/db.192
6. Open file /etc/bind/zones/db.192 & edit it as below.
7. Open /etc/bind/named.conf.local file & add forward and reverse zones.
8. Change nameserver.
sudo nano /etc/resolv.conf
9. Restart Bind.
sudo service bind9 restart
WebServer, Firewall and backup
editWeb Server and Firewall
editWeb server Web server is an Information Technology tool which processes HTTP requests and distributes information in World Wide Web. The primary function of a web server is to store, process and deliver web pages to clients. Web server not necessarily always means to be an Internet server, large organizations have their own web servers which are used for their own Local Area Network to connect various devices within company premises. (e.g. printers, PCs, routers etc.) In any case, a server is an always ON machine & hence it must be kept at proper temperature to avoid breakdown due to overheating. A server is a heart of any network. If a server fails whole network will break down. Hence, organizations normally use a backup server in case of emergency (hot-standby configuration).
Behavior of Protocol
editHypertext Transfer Protocol (HTTP) is an Application Layer protocol most widely used in today’s Internet. It is defined in RFC 2616 (HTTP/1.1) which was modified into RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234 & RFC 7235. HTTP/2 is currently under development. Default port for HTTP is 80. In a typical HTTP communication, the client sends a request a page & establishes a TCP connection between itself & server via three-way handshake process. After the connection is establishes, client requests a web page. Server sends requested HTTP page over the TCP connection. The connection is either closed or kept open after the transfer depending upon the type of connection (i.e. persistent or non-persistent).
Signaling
edit1. The client obtains server IP address from DNS server. 2. Client initiates TCP connection by sending SYN message on port 80 of the server. 3. Server responds with SYN-ACK message thereby opening the port for the client to request the information. 4. Client completes three-way handshake process by sending ACK message. It also requests for basic HTML page along with this.
Web server configuration
editWe have used Apache2 Web Server. The main reason behind choosing Apache is that it provides more compatibility with add-on modules as well as speed and flexibility in small network like the one we have created. Following commands are used to install Web Server on Linux machine. 1. Install updates
sudo apt-get update
2. Install Web server Apache2
sudo apt-get install apache2
3. Make a directory
sudo mkdir /var/www/html
4. Create and edit html page
sudo nano index.html
5. Configuring 000-default.conf in Apache2. Add website folder in configuration file i.e. apache2 Edit the following file to make the web page accessible
sudo nano /etc/apache2/sites-available/000-default.conf
Add these commands in the file.
ServerAdmin webmaster@localhost ServerName example.com DocumentRoot /var/www/html/
Secure your Apache server using ssl
Install opensssl
sudo apt-get install openssl
Edit /etc/httpd/conf/ssl.conf
Create self-signed certificate Query server.example.com with “https” secured http using SSL Testing 1. Open the web browser and type web server IP address in the URL bar. Upon pressing ‘Enter’ you will get the web page of the project. 2. Do the above procedure; but this time type website name i.e. ‘example.com’. If you are getting the same web page that means your web server is working properly.
Firewall
editA firewall is a network security system, either hardware or software based, that controls incoming and outgoing network traffic based on set of rules. We can block certain packets by configuring our firewall to certain rules. Packages used We have used iptables package to modify the set of rules for our Firewall. Configuration IPTABLES: - a set of rules configured on Linux machine terminal. It has some built-in chains. 1. INPUT chain: - for packets coming into the machine 2. OUTPUT chain: - for packets generated inside and going outside of the machine. 3. FORWARD: - for packets routed through the local host Following commands are used to configure Firewall. 1. Rejects ping from any host to the server.
sudo iptables -A INPUT -p icmp -j REJECT
2. Reject telnet request from a particular host to the server.
sudo iptables -A INPUT -p tcp --dport 23 -j REJECT
3. Reject FTP request from any particular host to the server.
sudo iptables -A INPUT -d 192.168.100.63 -p tcp --dport 20 -j DROP sudo iptables -A INPUT -d 192.168.100.63 -p tcp --dport 21 -j DROP
4. Accept HTTP request from a particular network
sudo ufw allow from 192.168.100.0 port 80
5. Reject HTTP request from a particular host.
sudo iptables -A INPUT -p tcp -s 192.168.100.63 --dport 80 -j REJECT
6. Enable Firewall by following command
sudo ufw enable
7. After configuring Firewall rules, restart the web server in order to apply Firewall. Testing 1. To list all rules configured in firewall.
sudo iptables -L
2. To flush/remove the rule from iptable.
Web Server Backup
editTo add redundancy to our network and make it robust, we have to implement a backup to our web server. So that if our server fails, whole network will automatically route to the backup server & hence there will be no black out. Configuration backup 1. Generate public and private key
ssh-keygen
2. Share public and private keys with main server
ssh-copy-id –i ~/.ssh/id_rsa.pub @192.168.100.120
3. Install ‘Rsync’ in server yum install rsync 4. Schedule cronjob for backup using rsync
- /1 * * * * rsync –avz –e tar –zcvf /var/www/backup.tar.gz /var/www/html
- /2 * * * * rsync –avz –e ssh /var/www/html/index.html root@192.168.100.120:/backup
5. service crond restart
Testing
Archive and gzip /var/www/html directory Schedule cronjob on web server.
Backup server: backup.tar.gz
Algorithm and Flow chart
editAlgorithm 1. A client tries to connect to the network. 2. Once the client gets connected to the network, he will send an IP address request to DHCP server. 3. If DHCP request is successful, DHCP server will reply with an IP address Else DHCP will reply with ‘request fail.’ In this case, re-connect or contact network administrator for help. 4. Client wants to access the web page. if domain name is correct, a request will be sent to DNS for IP address of the domain. DNS will reply with IP address of the website. else if DNS reply fails An error message will be displayed saying, ‘server not found.’ else if URL entered is wrong An error message will be displayed saying, ‘webpage unavailable.’ Retry 5. Client accessed the web server. Now he sends HTTP request to the server. if the request is successful, Web page will be displayed else Error message like ‘no data received’ will be displayed. Retry sudo iptables –F
Add-ons implemented
editNetwork File System (NFS)
editIt is a file distribution system protocol. NFS allows a client to share its content with other users on the network. In order to access the file, all clients have to mount the shared directory to make it their own directory. Configuration Following commands are used to install and configure NFS server as well as client. 1. #yum install nfs* -y 2. Create nfs partition on nfs server and name it as /nfs_partition 3. Edit /etc/exports file as follows: 4. Give full permission to /nfs_partition and start rpcbind and nfs service Testing Check exported directory as follows:
NFS Client configuration:
1. Mount nfs_partition on client machine.
2. Access the nfs partition of nfs server.
File Transfer Protocol (FTP)
editFTP is used to transfer files from one computer to another over TCP connection. It is a client-server based protocol and uses separate connection for control and data signals. Configuration Following commands are used to implement FTP. 1. Update & install FTP package.
yum install vsftpd
2. Open file /etc/vsftpd.conf file & make following changes. Remove ‘#’ sign. vi /etc/vsftpd.conf
write_enable=yes anonymous=yes
3. Restart vsftp.
Service vsftpd restart
4. Create some files. FTP Server-
Testing Write following command on client to see shared files. Enter ‘username’ and ‘password’ to log in. Once accessed, client can make changes into the file also.
ftp 192.168.100.2
Virtual Private Network
editA virtual private network extends your private network to public network like Internet. It lets the client connect to the private network and behave as if it is connected to a public network, while retaining features of private network such as functionality, security and management policies. Resources are accessed in same way as in a private network. Configuration 1. Install packet ‘pptpd’ yum install pptpd 2. Edit file /etc/pptpd.conf as follows
vi /etc/pptpd.conf localip <VPN server IP> localip 192.168.100.2
remoteip <Range of IPs of VPN clients> remoteip 192.168.100.5-25 3. Edit /etc/ppp/pptpd/options file.
vi /etc/ppp/pptpd.options ms-dns 192.168.100.2
4. Set ‘user-id’ and ‘password’
vi /etc/ppp/chap-secrets user1 pptpd redhat *
Network Information Service (NIS)
editThis is a client-server protocol which is used to exchange system configuration data between users on a computer network. NIS contains a central directory of user & group information along with other useful data. Configuration Step 1. Assign 192.168.100.2 to NIS server and 192.168.100.120 to NIS client.
Step 2. Yum install yp* -y Step 3. Edit /etc/sysconfig/network file to set your NIS domain name. This will take effect when you reboot your machine. NETWORKING =yes HOSTNAME=server.example.com NISDOMAIN=nisdomain Step 4. To set NIS domain name without rebooting the machine run the command given below # domainname nisdomain Step 5. Start portmap and ypserv service by using the following commands: # service rpcbind start # service ypserv start Step 6. Generate the NIS maps (database) by running ypinit as shown below #/usr/lib/ypinit –m Step 7. Now start NIS password update daemon using the following command. # service yppasswdd restart Step 8. Create user name user1 and user2 by using adduser command Step 9. Now go to /var/yp directory. Run make command it update your password and group information which is accessed by NIS client # cd /var/yp # make
Configuring NFS Server
Step 1. Mount home directory in /etc/exports file /nfs_partition *(rw,sync) Step 2. Run exportfs –a to commit the job Step 3. Now start nfs service #service nfs restart
Client Side Configuration
Step 1. Use authconfig command to configure NIS client Step 2. Test your NIS client log into the client machine as root. Test the client-server connection by typing #ypcat passwd
NIS Server running ypcat passwd command:
Mail Server
editMail server is responsible for receiving, sending and distributing e-mail messages from your computer to others. In Linux we call it ‘mail daemon’. Configuration 1. Install postfix 2. Edit /etc/postfix/main.cf file 3. Define myhostname, myorigin, my domainname 4. #service postfix restart 5. Send mail from student user to root user Testing
Check mail for root user in /var/spool/mail/root or type mail
Network Time Protocol (NTP)
editNTP Server: Edit /etc/ntp.conf
Ntpclient
Secured Socket layer (SSL)
editSecure your Apache server using ssl Install opensssl
sudo apt-get install openssl
Edit /etc/httpd/conf/ssl.conf
Create self-signed certificate Query server.example.com with “https” secured http using SSL
Working with an example (Integration)
editWe have used all Linux machines to implement various components like DNS, DHCP, WEB SERVER. We have used 192.168.100.0/24 network with 192.168.100.1 as our default gateway and 192.168.100.255 as broadcast address. First, all devices will be connected to the network via router. Then DHCP will allocate IP addresses to clients. Web Server will have 192.168.100.2 DNS will have 192.168.100.3 Now, client will open his browser and try to access the web page. DNS Master Server static IP allocation 192.168.100.3 DNS Master Server static IP allocation 192.168.100.4 Forward and Reverse zone lookup for DNS
DHCP static configuration and DHCP IP address checking on terminal
Checking the website example.com on browser
Future Improvements
edit- Should support IPv6 and IPv4 simultaneously (IP tunneling).
- More DNS servers for backup, load distribution and decentralization.
- Adding security for mail server by integrating confidentiality, integrity and more authentication options by using methods such as RSA, DES, MD5, including certificates etc.
- Adding more security in Firewall for prevention against serious external attacks.
- Expand the server capabilities to accommodate many more uses using at the same time.
References
edit- Computer Networking A TopDown Approach by KUROSE and ROSS
- http://ubuntuforums.org/showthread.php?t=2220457
- https://help.ubuntu.com/community/isc-dhcp-server
- http://mixeduperic.com/ubuntu/seven-easy-steps-to-setting-up-an-interal-dns-server-on-ubuntu.html
- http://www.thegeekstuff.com/2011/07/rsync-over-ssh-without-password/
- https://ihnc.wordpress.com/2010/06/18/step-by-step-nis-server-client-configuration-on-redhat-enterprise-linux/
- https://www.sixxs.net/faq/dns/?faq=revers
- https://www.sslshopper.com/apache-server-ssl-installation-instructions.html