Data Networking/Fall 2015/MeeraSudhakar
Motivation
This project builds a deeper understanding of basic networking fundamentals through practical implementation. The concepts covered in the Data Networking class (TELE5330) became clearer through the implementation of this project.
Understanding the Protocol
DHCP: This is a client/server protocol that automatically assigns IP addresses to hosts on a network. It also provides related configuration information such as the subnet mask and default gateway. DHCP supports static as well as dynamic IP addressing. It is a plug-and-play protocol: IP addresses are assigned automatically within the network, rather than manually by a network administrator, which is cumbersome.
DNS: The Domain Name System runs transparently in the background. It converts human-readable website names into the numerical IP addresses computers use. In this project, a master DNS server is configured, and a slave DNS server is configured as a backup. These are authoritative DNS servers; they provide high performance because they do not resolve recursive requests from clients.
Web Server: The Apache web server is a popular way of serving web content on the Internet. A single Virtual Private Server (VPS) can host more than one site. If multiple domains are configured on the same server, a visitor is directed to the directory for the domain they requested, with no indication that the server is also responsible for other sites.
Firewall: A firewall is a network security system, either software-based or hardware-based, that controls network traffic according to a set of rules. The Uncomplicated Firewall (ufw) is part of the Ubuntu distribution and is a front end to iptables. In this project, two clients join the network, and the web server's firewall is configured to block one of them.
Backup: System backups protect the network by retaining compressed copies of the filesystems of the various nodes. In the event of a system crash, corruption or failure, the filesystem can be restored from a backup taken beforehand. System backups are taken as frequently as desired.
The Requirements
- Implement a DHCP server that assigns IP addresses to the clients in the network
- Implement a web server that hosts one or more web pages
- Implement a master DNS server and a slave DNS server
- Ensure that the clients in the network can access the web pages on the server by having the name-to-IP-address mapping resolved by the DNS server
- Create backups of the client on the backup server and send them back to the client when required
Steps to perform the setup / installation
DHCP
Configuration
Assign a static IP address to the eth0 interface of the DHCP server.
sudo vi /etc/network/interfaces
The IPv4 address 192.168.64.130 and the IPv6 address fe60::20c:29ff:fe5a:e3d0 have been assigned to the eth0 interface of the DHCP server. Reboot the DHCP server for these changes to take effect. Install the isc-dhcp-server package on the VM by executing the command
sudo apt-get install isc-dhcp-server
Now, add the subnet, pools, fixed IP-addresses, lease time and excluded IP addresses to /etc/dhcp/dhcpd.conf for the IPv4 addresses:
sudo vi /etc/dhcp/dhcpd.conf

subnet 192.168.64.0 netmask 255.255.255.0 {
  range 192.168.64.20 192.168.64.129;
  range 192.168.64.151 192.168.64.200;
  option routers 192.168.64.254;
  option domain-name-servers 192.168.64.133, 192.168.64.135;
  default-lease-time 600;
  max-lease-time 7200;
  pool {
    max-lease-time 300;
    range 192.168.64.230 192.168.64.253;
    allow unknown-clients;
  }
}
host hostname {
  hardware ethernet 00:0c:29:5a:e3:d0;
  fixed-address 192.168.64.130;
}
host ns1 {
  hardware ethernet 00:0c:29:19:2e:ba;
  fixed-address 192.168.64.133;
}
host ns2 {
  hardware ethernet 00:0c:29:61:83:8d;
  fixed-address 192.168.64.135;
}
host hostnameWS {
  hardware ethernet 00:0c:29:2f:9f:53;
  fixed-address 192.168.64.134;
}
host BackupServer {
  hardware ethernet 00:0c:29:2c:08:38;
  fixed-address 192.168.64.136;
}
Then add the same to /etc/dhcp/dhcpd6.conf for IPv6 addresses:
subnet6 fe60::20c:29ff:fe5a:0/112 {
  range6 fe60::20c:29ff:fe5a:129 fe60::20c:29ff:fe5a:254;
  default-lease-time 600;
  max-lease-time 7200;
  option dhcp6.name-servers fe60::20c:29ff:fe5a:e3d1, fe60::20c:29ff:fe5a:e3d2;
}
host hostname {
  hardware ethernet 00:0c:29:5a:e3:d0;
  fixed-address6 fe60::20c:29ff:fe5a:e3d0;
}
host ns1 {
  hardware ethernet 00:0c:29:19:2e:ba;
  fixed-address6 fe60::20c:29ff:fe5a:e3d1;
}
host ns2 {
  hardware ethernet 00:0c:29:61:83:8d;
  fixed-address6 fe60::20c:29ff:fe5a:e3d2;
}
host hostnameWS {
  hardware ethernet 00:0c:29:2f:9f:53;
  fixed-address6 fe60::20c:29ff:fe5a:e3d3;
}
Restart the dhcp daemon:
sudo /etc/init.d/isc-dhcp-server restart
Manually start the server for v6:
sudo /usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf eth0
On the client, Client_1, edit the file /etc/network/interfaces so that the eth0 interface gets its IP address from the DHCP server.
sudo vi /etc/network/interfaces

iface eth0 inet dhcp
iface eth0 inet6 dhcp
Testing
Check whether the client obtained its IP address from the DHCP server by executing the following command:
ifconfig
Also, check the logs on the client for DHCP messages:
grep -i dhcp /var/log/syslog
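The client-side checks above confirm a single lease. The following added script (not part of the original project) audits the server-side lease file, /var/lib/dhcp/dhcpd.leases on Ubuntu, against the dynamic pools declared in the dhcpd.conf above, so that a lease handed out from outside the expected ranges, or a hand-edited lease entry, stands out. The pool list is taken from the page's dhcpd.conf; the leases file content is a constructed sample, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original project): audit dhcpd.leases against the
# dynamic pools configured in dhcpd.conf on this page.

# Dynamic pools from the dhcpd.conf above, as last-octet ranges of 192.168.64.0/24.
POOLS="20-129 151-200 230-253"

# lease_in_pool IP: succeed if IP lies inside one of the configured pools.
lease_in_pool() {
    case $1 in
        192.168.64.*) last=${1##*.} ;;
        *) return 1 ;;
    esac
    for p in $POOLS; do
        lo=${p%-*}; hi=${p#*-}
        if [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# active_leases FILE: print the address of every lease in "binding state active".
# The anchored pattern skips the "next binding state ..." lines dhcpd also writes.
active_leases() {
    awk '/^lease /{ ip = $2 } /^ *binding state active;/{ print ip }' "$1"
}

# audit_leases FILE: print each active lease that is outside the configured pools.
audit_leases() {
    for ip in $(active_leases "$1"); do
        if ! lease_in_pool "$ip"; then
            echo "outside pool: $ip"
        fi
    done
}

# Constructed sample of /var/lib/dhcp/dhcpd.leases (not from a real server).
# 192.168.64.140 sits in the gap reserved for the static hosts, so it is reported.
LEASES=$(mktemp)
trap 'rm -f "$LEASES"' EXIT
cat > "$LEASES" <<'EOF'
lease 192.168.64.25 {
  starts 5 2015/11/27 01:00:00;
  ends 5 2015/11/27 01:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.64.140 {
  starts 5 2015/11/27 01:05:00;
  ends 5 2015/11/27 01:15:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:dd:ee:ff;
}
lease 192.168.64.60 {
  starts 5 2015/11/27 00:00:00;
  binding state free;
}
EOF

audit_leases "$LEASES"
```

Run it on the DHCP server with the real lease file by replacing the constructed `$LEASES` with /var/lib/dhcp/dhcpd.leases; an empty result means every active lease came from a configured pool.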
DNS
Below is the configuration for IPv4. IPv6 is configured in the same way.
Configuration
Before the configuration, ensure that the hostname is configured properly on the master and slave servers.
Master DNS Server:
sudo vi /etc/hosts
192.168.64.133 ns1.examplemeera.com ns1
sudo vi /etc/hostname
ns1
Read the file to modify the system
sudo hostname -F /etc/hostname
Slave DNS Server:
sudo vi /etc/hosts
192.168.64.135 ns2.examplemeera.com ns2
sudo vi /etc/hostname
ns2
Read the file to modify the system
sudo hostname -F /etc/hostname
Install BIND on both the master and slave DNS servers:
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc
Master DNS Server Configuration:
sudo vi /etc/bind/named.conf.options

options {
  directory "/var/cache/bind";
  recursion no;
  allow-transfer { none; };
  dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on-v6 { any; };
};

sudo vi /etc/bind/named.conf.local

zone "examplemeera.com" {
  type master;
  file "/etc/bind/zones/db.examplemeera.com";
  allow-transfer { 192.168.64.135; };
};
zone "64.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/db.192.168.64";
  # needed here as well: the global allow-transfer { none; } would otherwise refuse the slave
  allow-transfer { 192.168.64.135; };
};
Create the forward zone file:
sudo mkdir /etc/bind/zones
We can use the pre-existing zone file as a template for this:
sudo cp /etc/bind/db.local /etc/bind/zones/db.examplemeera.com
sudo cp /etc/bind/db.127 /etc/bind/zones/db.192.168.64
Edit the zone files:
sudo vi /etc/bind/zones/db.examplemeera.com

$TTL 604800 ; retained from the db.local template
@ IN SOA ns1.examplemeera.com. admin.examplemeera.com. (
        20151127 ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        604800 ) ; Negative Cache TTL
;
; Name servers
examplemeera.com. IN NS ns1.examplemeera.com.
examplemeera.com. IN NS ns2.examplemeera.com.
; A records for name servers
ns1 IN A 192.168.64.133
ns2 IN A 192.168.64.135
; Other A records
@   IN A 192.168.64.134
www IN A 192.168.64.134

The reverse zone file must have the name referenced in named.conf.local (db.192.168.64), and in a /24 reverse zone the label of each PTR record is the last octet of the host's address:
sudo vi /etc/bind/zones/db.192.168.64

$TTL 604800 ; retained from the db.127 template
@ IN SOA ns1.examplemeera.com. admin.examplemeera.com. (
        20151127 ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        604800 ) ; Negative Cache TTL
;
; Name servers
    IN NS ns1.examplemeera.com.
    IN NS ns2.examplemeera.com.
; PTR records (label = last octet of the address)
133 IN PTR ns1.examplemeera.com.
135 IN PTR ns2.examplemeera.com.
134 IN PTR www.examplemeera.com.
Now, test the syntax of the modified files by executing the following command:
sudo named-checkconf
Check the individual zones files by executing the following commands:
sudo named-checkzone examplemeera.com /etc/bind/zones/db.examplemeera.com
sudo named-checkzone 64.168.192.in-addr.arpa /etc/bind/zones/db.192.168.64
If everything is fine, restart BIND:
sudo service bind9 restart
Also, check the log file for messages:
tail -f /var/log/syslog
Slave DNS Server Configuration:
sudo vi /etc/bind/named.conf.options

options {
  directory "/var/cache/bind";
  recursion no;
  allow-transfer { none; };
  dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on-v6 { any; };
};

sudo vi /etc/bind/named.conf.local

zone "examplemeera.com" {
  type slave;
  file "db.examplemeera.com";
  masters { 192.168.64.133; };
};
zone "64.168.192.in-addr.arpa" {
  type slave;
  file "db.192.168.64";
  masters { 192.168.64.133; };
};
Check the syntax of the modified files:
sudo named-checkconf
Restart the BIND service:
sudo service bind9 restart
Check the log files for messages:
tail -f /var/log/syslog
Testing
Execute the following commands on the client. nslookup queries the DNS to obtain the name-to-IP-address mapping or any specific DNS record. dig is a networking tool that can query DNS servers for information. It uses the operating system's local Domain Name System resolver library to perform its queries.
nslookup examplemeera.com
dig examplemeera.com
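named-checkzone validates each zone file on its own; it does not tell you whether the forward and reverse zones agree with each other. The following added script (not part of the original project) parses both zone files and reports, for every A record, whether the address has a PTR record that points back to the same name. The zone contents are constructed here from the records on this page; the script assumes a /24 reverse zone, so the PTR label is the last octet.

```shell
#!/bin/sh
# Added example (not from the original project): check that every A record in the
# forward zone has a matching PTR record in the /24 reverse zone.

# audit_ptrs FORWARD_ZONE REVERSE_ZONE ORIGIN
# Prints one line per A record: "<status> <fqdn> <ip>", where status is ok,
# missing (no PTR for that address) or mismatch(<name the PTR points to>).
audit_ptrs() {
    awk -v origin="$3" '
        { sub(/;.*/, "") }                         # drop zone-file comments
        FNR == NR {                                # first file: forward zone
            if ($2 == "IN" && $3 == "A") {
                if ($1 == "@") name = origin "."
                else name = $1 "." origin "."
                a[name] = $4
            }
            next
        }
        $2 == "IN" && $3 == "PTR" { ptr[$1] = $4 }  # second file: reverse zone
        END {
            for (name in a) {
                n = split(a[name], o, ".")
                octet = o[n]                       # last octet = PTR label in a /24
                if (!(octet in ptr)) status = "missing"
                else if (ptr[octet] == name) status = "ok"
                else status = "mismatch(" ptr[octet] ")"
                print status, name, a[name]
            }
        }' "$1" "$2" | sort
}

# Constructed zone files holding the records from this page.
FWD=$(mktemp); REV=$(mktemp)
trap 'rm -f "$FWD" "$REV"' EXIT

cat > "$FWD" <<'EOF'
$TTL 604800
@ IN SOA ns1.examplemeera.com. admin.examplemeera.com. (
        20151127 ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        604800 ) ; Negative Cache TTL
examplemeera.com. IN NS ns1.examplemeera.com.
examplemeera.com. IN NS ns2.examplemeera.com.
ns1 IN A 192.168.64.133
ns2 IN A 192.168.64.135
@   IN A 192.168.64.134
www IN A 192.168.64.134
EOF

cat > "$REV" <<'EOF'
$TTL 604800
@ IN SOA ns1.examplemeera.com. admin.examplemeera.com. (
        20151127 604800 86400 2419200 604800 )
    IN NS ns1.examplemeera.com.
    IN NS ns2.examplemeera.com.
133 IN PTR ns1.examplemeera.com.
135 IN PTR ns2.examplemeera.com.
134 IN PTR www.examplemeera.com.
EOF

audit_ptrs "$FWD" "$REV" examplemeera.com
```

With the page's records the output shows three `ok` lines and one `mismatch` for the zone apex: 192.168.64.134 carries two A records (examplemeera.com and www) but an address can have only one PTR, so the apex is reported against www. That is the expected result for this zone, not an error to fix.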
Web Server
Configuration
Install Apache on the server:
sudo apt-get update
sudo apt-get install apache2
Note that the two domains being created are examplemeera.com and testmeera.com. Create directories for these domains under /var/www/
sudo mkdir -p /var/www/examplemeera.com/public_html
sudo mkdir -p /var/www/testmeera.com/public_html
These directories are owned by the root user. Grant permissions to the regular user to access these directories:
sudo chown -R $USER:$USER /var/www/examplemeera.com/public_html
sudo chown -R $USER:$USER /var/www/testmeera.com/public_html
Modify permissions so that read access is permitted to the web directory.
sudo chmod -R 755 /var/www
These permissions are required because the server must be able to serve content and the user must be able to create content within the folders. Next, create pages for each of the virtual hosts:
sudo vi /var/www/examplemeera.com/public_html/index.html
Paste the following content in the file:
<html>
  <head>
    <title>Welcome to Examplemeera.com!</title>
  </head>
  <body>
    <h1>Success! The examplemeera.com virtual host is working!</h1>
  </body>
</html>
Similarly, create /var/www/testmeera.com/public_html/index.html. Next, create the virtual host files. These files specify the actual configuration of the virtual hosts and determine how the web server responds to requests for the various domains. The files for this project are created by copying Apache's default file 000-default.conf.
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/examplemeera.com.conf
sudo vi /etc/apache2/sites-available/examplemeera.com.conf
The file content should be modified as shown below:
<VirtualHost *:80>
  ServerAdmin admin@examplemeera.com
  ServerName examplemeera.com
  ServerAlias www.examplemeera.com
  DocumentRoot /var/www/examplemeera.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Repeat the same for the second domain:
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/testmeera.com.conf
sudo vi /etc/apache2/sites-available/testmeera.com.conf
The file content should be modified as shown below:
<VirtualHost *:80>
  ServerAdmin admin@testmeera.com
  ServerName testmeera.com
  ServerAlias www.testmeera.com
  DocumentRoot /var/www/testmeera.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the new virtual host files:
sudo a2ensite examplemeera.com.conf
sudo a2ensite testmeera.com.conf
Finally, restart Apache for the changes to take effect:
sudo service apache2 restart
Testing
This can be tested locally (if the DNS server has not yet been set up) by modifying the /etc/hosts file on the client:
sudo vi /etc/hosts
192.168.64.134 examplemeera.com
192.168.64.134 testmeera.com
Now, access these domains from a browser on the client. If everything is working, the browser displays the content of the HTML file created above.
Firewall
Configuration
Check the status of the firewall on the web server:
sudo ufw status verbose
Add a firewall rule to block the IP address of one of the clients in the network, and allow another one:
sudo ufw deny from 192.168.64.129
sudo ufw allow from 192.168.64.159
Enable the firewall
sudo ufw enable
Reload the firewall
sudo ufw reload
Check the status of the firewall
sudo ufw status verbose
Check that the iptables rules have been updated accordingly:
sudo iptables -L
Testing
Access the web server from the client that is not blocked (192.168.64.159). Notice that the web server can be accessed. Now, access the web server from the client that is blocked (192.168.64.129). Notice that the web server cannot be accessed. Also, check the file /var/log/apache2/access.log on the web server. Observe the status 404 for the blocked client, and the status 200 for the unblocked client.
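The testing step above reads access.log by eye. The following added script (not part of the original project) automates the cross-check: it extracts the source addresses of the DENY rules from `ufw status` output and reports any access-log line from one of them. Traffic dropped by ufw never completes a TCP connection, so a correctly blocked client leaves no access-log entry at all; any logged request from a denied address means the rule was not in effect when the request arrived (for example, a rule added before `ufw enable`). Both inputs below are constructed samples in the formats ufw and Apache's combined log use, not captures from the project's servers.

```shell
#!/bin/sh
# Added example (not from the original project): cross-check ufw DENY rules
# against Apache's access log. Inputs are constructed samples.

# denied_sources FILE: print the source address of every DENY rule in
# `ufw status` output (the From column is the last field of each rule line).
denied_sources() {
    awk '$2 == "DENY" { print $NF }' "$1"
}

# leaked_requests UFW_STATUS ACCESS_LOG: print access-log lines whose client
# address (first field of the combined log format) is covered by a DENY rule.
leaked_requests() {
    awk -v list="$(denied_sources "$1")" '
        BEGIN { n = split(list, d, "\n"); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        ($1 in deny)' "$2"
}

UFW=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$UFW" "$LOG"' EXIT

# Constructed `sudo ufw status` output for the two rules added on this page.
cat > "$UFW" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     192.168.64.129
Anywhere                   ALLOW IN    192.168.64.159
EOF

# Constructed /var/log/apache2/access.log lines (combined format). The third
# line is what a request from the denied client looks like if it reaches
# Apache anyway, i.e. the firewall rule is not actually in effect.
cat > "$LOG" <<'EOF'
192.168.64.159 - - [27/Nov/2015:10:00:01 -0500] "GET / HTTP/1.1" 200 268 "-" "Mozilla/5.0"
192.168.64.159 - - [27/Nov/2015:10:00:02 -0500] "GET /favicon.ico HTTP/1.1" 404 499 "-" "Mozilla/5.0"
192.168.64.129 - - [27/Nov/2015:10:01:00 -0500] "GET / HTTP/1.1" 200 268 "-" "curl/7.35.0"
EOF

leaked_requests "$UFW" "$LOG"
```

On the web server itself, feed it the real data with `sudo ufw status > status.txt` and /var/log/apache2/access.log; no output is the result a working deny rule should give.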
Backup
Configuration
Edit the file /etc/crontab on the client to schedule the backup of the filesystem:
sudo vi /etc/crontab

00 1 * * * root /home/msudhakar/Projects/Project_3/createSystemBackup.sh > /home/msudhakar/Projects/Project_3/backup_output_log 2>&1
0 2 * * * root find /home/msudhakar/Projects/Project_3/Backup/* -mtime +1 -type f -delete

The backups can be sent back to the client via scp:
scp SystemBackup.tgz msudhakar@192.168.64.135:
Testing
Check the backup server for filesystem backups taken at the time scheduled in the crontab.
ls -lrt /home/msudhakar/Projects/Project_3/Backup
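The crontab above runs createSystemBackup.sh, whose contents are not reproduced on this page. The following added script is an assumed implementation of such a script, not the project's own: it archives a tree into a timestamped SystemBackup tarball, writes a SHA-256 checksum beside it, and verifies an archive against that checksum, so that a copy that was damaged in transit or altered on the backup server is noticed before it is restored. The function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's own script): an assumed implementation of the
# createSystemBackup.sh referenced in the crontab on this page, with a checksum
# so a backup can be verified before it is restored.

# make_backup SRC DEST_DIR: archive SRC into DEST_DIR and print the archive path.
make_backup() {
    src=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/SystemBackup-$stamp.tgz"
    mkdir -p "$dest"
    # Relative paths via -C; pseudo-filesystems are excluded because their
    # contents are generated by the kernel and cannot be restored.
    tar --exclude=./proc --exclude=./sys --exclude=./dev --exclude=./run \
        --exclude=./tmp -czf "$archive" -C "$src" .
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# verify_backup ARCHIVE: succeed only if ARCHIVE still matches its checksum file.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# archive_contains ARCHIVE PATH: succeed if PATH (relative to SRC) is in the archive.
archive_contains() {
    tar -tzf "$1" | grep -qx "./$2"
}

# Constructed sample tree standing in for the client filesystem.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/root/etc" "$WORK/root/proc"
echo "ns1" > "$WORK/root/etc/hostname"
echo "generated by the kernel" > "$WORK/root/proc/cpuinfo"

ARCHIVE=$(make_backup "$WORK/root" "$WORK/Backup")
if verify_backup "$ARCHIVE"; then
    echo "backup verified: $ARCHIVE"
fi
```

Copy the .sha256 file along with the archive when sending it with scp; running verify_backup on the receiving side confirms the copy is intact before it is used.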
Integrated Testing
The procedure to test the entire system is below:
- Ensure that the DHCP server, master DNS server and slave DNS server are up and running.
- Check the IP address of the client using the command ifconfig. The IP address must come from the range specified in the DHCP server.
- Execute the command nslookup examplemeera.com on the client. Ensure that the DNS server is accessible by the client.
- Check the firewall on the web server. Notice which client is blocked by the firewall.
- Access the web server from both clients. One client displays the web page, while the other is blocked.
- Check the system time and modify the crontab on the client accordingly. Ensure that the filesystem backup is taken and copied to the backup server.
Future Prospects
Security and robustness of the project can be improved by adding features like VPN, NIS, NFS, NTP etc.