Data Networking/Fall 2015/MeeraSudhakar

Motivation


This project builds a deeper understanding of networking fundamentals through practical implementation. The concepts covered in the Data Networking class (TELE5330) became clearer through the implementation of this project.

Understanding the Protocol


DHCP: This is a client/server protocol that automatically assigns IP addresses to hosts in a network. It also provides related configuration information such as the subnet mask and default gateway. DHCP supports static as well as dynamic IP addressing and works as a plug-and-play protocol: IP addresses are assigned automatically within the network instead of being assigned manually by a network administrator, which is cumbersome.

DNS: The Domain Name System runs transparently in the background. It converts human-readable website names into the numerical IP addresses that computers use. In this project, a master DNS server is configured, and a slave DNS server is configured as well to serve as a backup. Both are authoritative DNS servers; they perform well because they do not resolve recursive requests from clients.

Web Server: The Apache web server is a popular way of serving web content on the Internet. More than one site can be hosted by a single Virtual Private Server (VPS). If multiple domains are configured on the same server, the visitor is directed to the specific directory for the domain they requested, with no indication at all that the server is responsible for other sites as well.

Firewall: A firewall is a network security system. It can be software-based or hardware-based, and it controls network traffic based on a set of rules. The Uncomplicated Firewall (ufw) is part of Ubuntu and is a front end to iptables. As part of this project, two clients have joined the network, and the web server has been configured with a firewall rule against one of them.

Backup: System backup protects the network by retaining compressed versions of the filesystems of the various nodes in the network. In the event of a system crash, corruption or failure, the filesystem can be restored from the backup that was stored beforehand. System backups are taken as frequently as desired.

The Requirements

  • Implement a DHCP server that assigns IP addresses to the clients in the network
  • Implement a web server that hosts one or more web pages
  • Implement a master DNS server and a slave DNS server
  • Ensure that the clients in the network can access the web pages in the server by getting the name-to-IP address resolved by the DNS server
  • Create backups of the client in the backup server and send them back to the client when required

Steps to perform the setup / installation


DHCP


Configuration


Assign a static IP to the eth0 interface of the DHCP server.

sudo vi /etc/network/interfaces

The IPv4 address 192.168.64.130 and the IPv6 address fe60::20c:29ff:fe5a:e3d0 have been assigned to the eth0 interface of the DHCP server. Reboot the DHCP server for these changes to take effect. Then install the isc-dhcp-server package on the VM:

sudo apt-get install isc-dhcp-server

Now, add the subnet, pools, fixed IP-addresses, lease time and excluded IP addresses to /etc/dhcp/dhcpd.conf for the IPv4 addresses:

sudo vi /etc/dhcp/dhcpd.conf
subnet 192.168.64.0 netmask 255.255.255.0 {
 range 192.168.64.20 192.168.64.129;
 range 192.168.64.151 192.168.64.200;
 option routers 192.168.64.254;
 option domain-name-servers 192.168.64.133, 192.168.64.135;
 default-lease-time 600;
 max-lease-time 7200;
 pool {
  max-lease-time 300;
  range 192.168.64.230 192.168.64.253;
  allow unknown-clients;
 }
}
host hostname {
 hardware ethernet 00:0c:29:5a:e3:d0;
 fixed-address 192.168.64.130;
} 
host ns1 {
 hardware ethernet 00:0c:29:19:2e:ba;
 fixed-address 192.168.64.133;
}
host ns2 {
 hardware ethernet 00:0c:29:61:83:8d;
 fixed-address 192.168.64.135;
}
host hostnameWS {
 hardware ethernet 00:0c:29:2f:9f:53;
 fixed-address 192.168.64.134;
}
host BackupServer {
 hardware ethernet 00:0c:29:2c:08:38;
 fixed-address 192.168.64.136;
}

Then add the same to /etc/dhcp/dhcpd6.conf for IPv6 addresses:

subnet6 fe60::20c:29ff:fe5a:0/112 {
 range6 fe60::20c:29ff:fe5a:129 fe60::20c:29ff:fe5a:254;
 default-lease-time 600;
 max-lease-time 7200;
 option dhcp6.name-servers fe60::20c:29ff:fe5a:e3d1, fe60::20c:29ff:fe5a:e3d2;
}
host hostname {
 hardware ethernet 00:0c:29:5a:e3:d0;
 fixed-address6 fe60::20c:29ff:fe5a:e3d0;
}
host ns1 {
 hardware ethernet 00:0c:29:19:2e:ba;
 fixed-address6 fe60::20c:29ff:fe5a:e3d1;
}
host ns2 {
 hardware ethernet 00:0c:29:61:83:8d;
 fixed-address6 fe60::20c:29ff:fe5a:e3d2;
}
host hostnameWS {
 hardware ethernet 00:0c:29:2f:9f:53;
 fixed-address6 fe60::20c:29ff:fe5a:e3d3;
}

Restart the dhcp daemon:

sudo /etc/init.d/isc-dhcp-server restart

Manually start the server for v6:

sudo /usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf eth0

On the client, Client_1, edit the file /etc/network/interfaces so that the eth0 interface gets its IP address from the DHCP server.

sudo vi /etc/network/interfaces
iface eth0 inet dhcp
iface eth0 inet6 dhcp

Testing


Check if the client obtained its IP address from the DHCP by executing the following command:

ifconfig

Also, check the logs on the client for DHCP messages:

grep -i dhcp /var/log/syslog
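As an added example (not code from the project), the following Python script reads the DHCP lines that grep pulls out of syslog and checks each acknowledged lease against the dhcpd.conf shown above: the address must lie in one of the declared ranges, must not collide with a fixed-address host, and must have been acknowledged by the intended server (an acknowledgement from any other address is the classic sign of a rogue DHCP server on the segment). The syslog lines are constructed for the example; the range, host and server values are copied from the configuration above.

```python
import ipaddress
import re

# Pools, fixed addresses and server address copied from the dhcpd.conf above.
DHCP_SERVER = ipaddress.ip_address("192.168.64.130")
POOLS = [
    ("192.168.64.20", "192.168.64.129"),
    ("192.168.64.151", "192.168.64.200"),
    ("192.168.64.230", "192.168.64.253"),
]
FIXED_ADDRESSES = {
    "192.168.64.130", "192.168.64.133", "192.168.64.135",
    "192.168.64.134", "192.168.64.136",
}

# dhclient logs the final step of a lease as "DHCPACK of <ip> from <server>".
ACK_RE = re.compile(r"DHCPACK of (\S+) from (\S+)")

# Constructed sample of what `grep -i dhcp /var/log/syslog` can return on a
# client; these lines are made up for the example, not captured from the project.
SAMPLE_SYSLOG = """\
Nov 27 10:15:01 client1 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
Nov 27 10:15:01 client1 dhclient: DHCPREQUEST of 192.168.64.25 on eth0 to 255.255.255.255 port 67
Nov 27 10:15:01 client1 dhclient: DHCPOFFER of 192.168.64.25 from 192.168.64.130
Nov 27 10:15:01 client1 dhclient: DHCPACK of 192.168.64.25 from 192.168.64.130
Nov 27 10:15:01 client1 dhclient: bound to 192.168.64.25 -- renewal in 253 seconds.
Nov 27 10:25:07 client1 dhclient: DHCPACK of 192.168.64.140 from 192.168.64.130
Nov 27 10:31:44 client1 dhclient: DHCPACK of 192.168.64.77 from 192.168.64.99
Nov 27 10:40:02 client1 dhclient: DHCPACK of 192.168.64.134 from 192.168.64.130
"""


def in_pool(ip):
    """True if ip lies inside one of the dynamic ranges declared in dhcpd.conf."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in POOLS)


def parse_acks(log_text):
    """Return (leased_ip, server_ip) for every DHCPACK line in the log text."""
    return [m.groups() for m in map(ACK_RE.search, log_text.splitlines()) if m]


def audit_leases(log_text):
    """Classify each acknowledged lease against the server's own configuration."""
    findings = []
    for ip, server in parse_acks(log_text):
        if ipaddress.ip_address(server) != DHCP_SERVER:
            findings.append((ip, f"acknowledged by unexpected server {server}"))
        elif ip in FIXED_ADDRESSES:
            findings.append((ip, "dynamic lease collides with a fixed-address host"))
        elif not in_pool(ip):
            findings.append((ip, "outside every configured range"))
        else:
            findings.append((ip, "ok"))
    return findings


if __name__ == "__main__":
    for ip, verdict in audit_leases(SAMPLE_SYSLOG):
        print(f"{ip:16} {verdict}")
```

On a real client, feed it the output of the grep command above; the 192.168.64.130-.150 gap between the two ranges is exactly the "excluded" space described earlier, so a lease landing there is reported.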

DNS

Below is the configuration for IPv4. IPv6 is configured in the same way.

Configuration

Before the configuration, ensure that the hostname is configured properly on the master and slave servers.

Master DNS Server:

sudo vi /etc/hosts
192.168.64.133 ns1.examplemeera.com ns1
sudo vi /etc/hostname
ns1

Apply the hostname from the file to the running system:

sudo hostname -F /etc/hostname

Slave DNS Server:

sudo vi /etc/hosts
192.168.64.135 ns2.examplemeera.com ns2
sudo vi /etc/hostname
ns2

Apply the hostname from the file to the running system:

sudo hostname -F /etc/hostname

Install BIND on both the master and slave DNS servers:

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

Master DNS Server Configuration:

sudo vi /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
sudo vi /etc/bind/named.conf.local
zone "examplemeera.com" {
    type master;
    file "/etc/bind/zones/db.examplemeera.com";
    allow-transfer { 192.168.64.135; };
};
zone "64.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.64";
    allow-transfer { 192.168.64.135; };
};

Create the forward zone file:

sudo mkdir /etc/bind/zones

We can use the pre-existing zone file as a template for this:

sudo cp /etc/bind/db.local /etc/bind/zones/db.examplemeera.com
sudo cp /etc/bind/db.127 /etc/bind/zones/db.192.168.64

Edit the zone files:

sudo vi /etc/bind/zones/db.examplemeera.com
@	IN	SOA	ns1.examplemeera.com. admin.examplemeera.com. (
		       20151127  	; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
; Name servers
examplemeera.com.    IN      NS      ns1.examplemeera.com.
examplemeera.com.    IN      NS      ns2.examplemeera.com.

; A records for name servers
ns1             IN      A       192.168.64.133
ns2             IN      A       192.168.64.135

; Other A records
@               IN      A       192.168.64.134
www             IN      A       192.168.64.134
sudo vi /etc/bind/zones/db.192.168.64
@	IN	SOA	examplemeera.com. admin.examplemeera.com. (
		       20151127		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
; Name servers
        IN      NS      ns1.examplemeera.com.
        IN      NS      ns2.examplemeera.com.

; PTR records (owner is the last octet of each address, relative to 64.168.192.in-addr.arpa)
133     IN      PTR      ns1.examplemeera.com.
135     IN      PTR      ns2.examplemeera.com.
134     IN      PTR      www.examplemeera.com.

Now, test the syntax of the modified files by executing the following command:

sudo named-checkconf

Check the individual zones files by executing the following commands:

sudo named-checkzone examplemeera.com /etc/bind/zones/db.examplemeera.com
sudo named-checkzone 64.168.192.in-addr.arpa /etc/bind/zones/db.192.168.64

If everything is fine, restart BIND:

sudo service bind9 restart

Also, check the log file for messages:

tail -f /var/log/syslog

Slave DNS Server Configuration:

sudo vi /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
sudo vi /etc/bind/named.conf.local
zone "examplemeera.com" {
    type slave;
    file "db.examplemeera.com";
    masters { 192.168.64.133; };
};
zone "64.168.192.in-addr.arpa" {
    type slave;
    file "db.192.168.64";
    masters { 192.168.64.133; };
};

Check the syntax of the modified files:

sudo named-checkconf

Restart the BIND service:

sudo service bind9 restart

Check the log files for messages:

tail -f /var/log/syslog

Testing


Execute the following commands on the client. nslookup queries the DNS to obtain the name-to-IP-address mapping or any specific DNS record. dig is a networking tool that can query DNS servers for information; it uses the operating system's local Domain Name System resolver library to perform its queries.

nslookup examplemeera.com
dig examplemeera.com
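named-checkzone only checks each zone file on its own; it cannot tell that the forward and reverse zones disagree. The following Python checker, added here as an example and not part of the project, parses both zone files of the master and reports every A record without a PTR and every PTR whose target has no A record at that address (stale reverse entries are a common cause of failed reverse lookups in logs and mail delivery). It also confirms that each NS name has an A record. The zone texts are constructed copies of the files above with the SOA written on one line; the record parser handles single-line records and the "blank owner means previous owner" rule, which is all these files use.

```python
# Constructed copies of the master's two zone files (SOA written on one line).
ORIGIN = "examplemeera.com."
REVERSE_ORIGIN = "64.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 604800
@  IN  SOA  ns1.examplemeera.com. admin.examplemeera.com. ( 20151127 604800 86400 2419200 604800 )
; Name servers
examplemeera.com.  IN  NS  ns1.examplemeera.com.
examplemeera.com.  IN  NS  ns2.examplemeera.com.
; A records
ns1  IN  A  192.168.64.133
ns2  IN  A  192.168.64.135
@    IN  A  192.168.64.134
www  IN  A  192.168.64.134
"""

REVERSE_ZONE = """\
$TTL 604800
@  IN  SOA  examplemeera.com. admin.examplemeera.com. ( 20151127 604800 86400 2419200 604800 )
   IN  NS   ns1.examplemeera.com.
   IN  NS   ns2.examplemeera.com.
133  IN  PTR  ns1.examplemeera.com.
135  IN  PTR  ns2.examplemeera.com.
134  IN  PTR  www.examplemeera.com.
"""

# The same reverse zone with the owner names the db.127 template suggests (1/2/3):
# addresses that no A record uses, so every lookup in either direction fails.
STALE_REVERSE_ZONE = (REVERSE_ZONE.replace("133  IN", "1  IN")
                      .replace("135  IN", "2  IN").replace("134  IN", "3  IN"))


def fqdn(name, origin):
    """Expand a zone-file owner or target name to an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) for A, NS and PTR records; SOA and $TTL lines are skipped."""
    records, last_owner = [], "@"
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()        # drop comments, tokenize
        if "IN" not in parts:
            continue
        i = parts.index("IN")
        if len(parts) < i + 3:
            continue
        owner = parts[0] if i >= 1 else last_owner  # leading blank = previous owner
        last_owner = owner
        rtype, rdata = parts[i + 1], parts[i + 2]
        if rtype in ("A", "NS", "PTR"):
            target = rdata if rtype == "A" else fqdn(rdata, origin)
            records.append((fqdn(owner, origin), rtype, target))
    return records


def ptr_owner_to_ip(owner):
    """'133.64.168.192.in-addr.arpa.' -> '192.168.64.133'"""
    labels = owner.rstrip(".").split(".")
    assert labels[-2:] == ["in-addr", "arpa"], owner
    return ".".join(reversed(labels[:-2]))


def check_reverse_consistency(forward_text, reverse_text):
    """List A records lacking a PTR and PTRs whose target has no A at that address."""
    names_by_ip = {}
    for owner, rtype, rdata in parse_zone(forward_text, ORIGIN):
        if rtype == "A":
            names_by_ip.setdefault(rdata, set()).add(owner)
    ptr_by_ip = {ptr_owner_to_ip(owner): rdata
                 for owner, rtype, rdata in parse_zone(reverse_text, REVERSE_ORIGIN)
                 if rtype == "PTR"}
    problems = []
    for ip, names in sorted(names_by_ip.items()):
        if ip not in ptr_by_ip:
            problems.append(f"{ip}: A record(s) {sorted(names)} but no PTR")
        elif ptr_by_ip[ip] not in names:
            problems.append(f"{ip}: PTR -> {ptr_by_ip[ip]} has no A record at this address")
    for ip, target in sorted(ptr_by_ip.items()):
        if ip not in names_by_ip:
            problems.append(f"{ip}: PTR -> {target} but no A record uses this address")
    return problems


def check_ns_glue(forward_text):
    """NS targets inside the zone that have no A record (the slave would be unreachable by name)."""
    recs = parse_zone(forward_text, ORIGIN)
    a_names = {owner for owner, rtype, _ in recs if rtype == "A"}
    return sorted(t for _, rtype, t in recs if rtype == "NS" and t not in a_names)


if __name__ == "__main__":
    print(check_reverse_consistency(FORWARD_ZONE, REVERSE_ZONE))        # []
    print(check_reverse_consistency(FORWARD_ZONE, STALE_REVERSE_ZONE))  # six problems
```

Run it after every zone edit, before bumping the serial, so that the slave never transfers a pair of zones that disagree.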

Web Server


Configuration


Install Apache on the server:

sudo apt-get update
sudo apt-get install apache2

Note that the two domains being created are examplemeera.com and testmeera.com. Create directories for these domains under /var/www/:

sudo mkdir -p /var/www/examplemeera.com/public_html
sudo mkdir -p /var/www/testmeera.com/public_html

These directories are owned by the root user. Grant permissions to the regular user to access these directories:

sudo chown -R $USER:$USER /var/www/examplemeera.com/public_html
sudo chown -R $USER:$USER /var/www/testmeera.com/public_html

Modify permissions so that read access is permitted to the web directory.

sudo chmod -R 755 /var/www

These permissions are required because the server must be able to serve content and the user must be able to create content within the folders. Next, create pages for each of the virtual hosts:

sudo vi /var/www/examplemeera.com/public_html/index.html

Paste the following content in the file:

<html>
  <head>
    <title>Welcome to Examplemeera.com!</title>
  </head>
  <body>
    <h1>Success!  The examplemeera.com virtual host is working!</h1>
  </body>
</html>

Similarly, create /var/www/testmeera.com/public_html/index.html. Next, create the virtual host files. These files hold the actual configuration of the virtual hosts and determine how the web server responds to requests for the various domains. For this project they are created by copying Apache's default file, 000-default.conf.

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/examplemeera.com.conf
sudo vi /etc/apache2/sites-available/examplemeera.com.conf

The file content should be modified as shown below:

<VirtualHost *:80>
    ServerAdmin admin@examplemeera.com
    ServerName examplemeera.com
    ServerAlias www.examplemeera.com
    DocumentRoot /var/www/examplemeera.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Repeat the same for the second domain:

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/testmeera.com.conf
sudo vi /etc/apache2/sites-available/testmeera.com.conf

The file content should be modified as shown below:

<VirtualHost *:80>
    ServerAdmin admin@testmeera.com
    ServerName testmeera.com
    ServerAlias www.testmeera.com
    DocumentRoot /var/www/testmeera.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the new virtual host files:

sudo a2ensite examplemeera.com.conf
sudo a2ensite testmeera.com.conf

Finally, restart Apache to take the changes into effect:

sudo service apache2 restart

Testing


This can be tested locally (if the DNS server has not yet been set up) by modifying the /etc/hosts file on the client.

sudo vi /etc/hosts
192.168.64.134 examplemeera.com
192.168.64.134 testmeera.com

Now access these domains from a browser on the client. If everything is working, the browser displays the content of the HTML file created above.

Firewall


Configuration


Check the status of the firewall on the web server:

sudo ufw status verbose

Add a firewall rule to block the IP of one of the clients in the network, and allow another one:

sudo ufw deny from 192.168.64.129
sudo ufw allow from 192.168.64.159

Enable the firewall:

sudo ufw enable

Reload the firewall:

sudo ufw reload

Check the status of the firewall:

sudo ufw status verbose

Check that iptables has been updated accordingly:

sudo iptables -L

Testing


Access the web server from the client that is not blocked (192.168.64.159). Notice that the web server can be accessed. Now, access the web server from the client that is blocked (192.168.64.129). Notice that the web server cannot be accessed. Also, check the file /var/log/apache2/access.log on the web server. Observe the status 404 for the blocked client, and the status 200 for the unblocked client.
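The log check above can be automated. The Python script below, added as an example and not part of the project, parses Apache's combined access log (the format selected by the CustomLog line in the virtual host files) into a per-client table of status codes, extracts the denied source addresses from `ufw status` output, and reports any denied address that nevertheless shows up in the log. A request that ufw drops never completes the TCP handshake, so it never reaches Apache and leaves no log line at all; a denied address appearing in access.log therefore means the rule is not in effect (the firewall was not enabled, or the rule was added after the connection). Both the log lines and the ufw output are constructed samples using the two client addresses from this section.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as written by the CustomLog line in the virtual host files.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (not taken from the project's real access.log).
SAMPLE_ACCESS_LOG = """\
192.168.64.159 - - [27/Nov/2015:14:02:11 -0500] "GET / HTTP/1.1" 200 250 "-" "Mozilla/5.0"
192.168.64.159 - - [27/Nov/2015:14:02:12 -0500] "GET /favicon.ico HTTP/1.1" 404 498 "-" "Mozilla/5.0"
192.168.64.159 - - [27/Nov/2015:14:03:40 -0500] "GET / HTTP/1.1" 200 250 "-" "curl/7.35.0"
192.168.64.160 - - [27/Nov/2015:14:05:02 -0500] "GET /index.html HTTP/1.1" 200 250 "-" "curl/7.35.0"
"""

# Constructed sample of `sudo ufw status verbose` output after the two rules above were added.
SAMPLE_UFW_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     192.168.64.129
Anywhere                   ALLOW IN    192.168.64.159
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def status_by_client(entries):
    """{client_ip: Counter({status_code: hits})}"""
    summary = defaultdict(Counter)
    for e in entries:
        summary[e["ip"]][e["status"]] += 1
    return summary


def denied_sources(ufw_status_text):
    """Source addresses with a DENY rule, read from `ufw status` output."""
    denied = set()
    for line in ufw_status_text.splitlines():
        parts = line.split()
        if "DENY" in parts and parts[-1] != "Anywhere" and not parts[-1].startswith("("):
            denied.add(parts[-1])
    return denied


def clients_that_bypassed_firewall(entries, denied):
    """Denied addresses that still produced Apache log lines: the rule is not taking effect."""
    return sorted({e["ip"] for e in entries} & set(denied))


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for ip, counts in status_by_client(entries).items():
        print(ip, dict(counts))
    print("denied but seen:", clients_that_bypassed_firewall(entries, denied_sources(SAMPLE_UFW_STATUS)))
```

On the web server itself the two sample strings would be replaced by the contents of /var/log/apache2/access.log and the output of sudo ufw status verbose.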

Backup


Configuration


Edit the file /etc/crontab on the client to schedule the backup of the filesystem:

sudo vi /etc/crontab
00 1    * * *   root    /home/msudhakar/Projects/Project_3/createSystemBackup.sh >  /home/msudhakar/Projects/Project_3/backup_output_log 2>&1
0  2    * * *   root    find /home/msudhakar/Projects/Project_3/Backup/* -mtime +1 -type f -delete

The backups can be sent back to the client via scp:

scp SystemBackup.tgz msudhakar@192.168.64.135:
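The page does not show the contents of createSystemBackup.sh. As an added example (a hypothetical stand-in, not the project's script), the Python module below does the three things the crontab entries above rely on: it writes a compressed, time-stamped archive of a directory together with a SHA-256 sidecar, verifies an archive before it is trusted for a restore (digest match and every member readable), and prunes archives older than a given age, which is what the find ... -mtime +1 -type f -delete line does. Paths are parameters rather than the page's fixed ones, and demo() exercises everything in a temporary directory with a constructed one-file "filesystem".

```python
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir, stamp=None):
    """Write <backup_dir>/SystemBackup-<stamp>.tgz plus a .sha256 sidecar; return the archive path."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(backup_dir, f"SystemBackup-{stamp}.tgz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=os.path.basename(source_dir.rstrip("/")))
    with open(archive + ".sha256", "w") as f:
        f.write(f"{sha256_of(archive)}  {os.path.basename(archive)}\n")
    return archive


def verify_backup(archive):
    """True only if the digest sidecar matches and every file member of the archive is readable."""
    try:
        with open(archive + ".sha256") as f:
            expected = f.read().split()[0]
    except FileNotFoundError:
        return False
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    tar.extractfile(member).read()
        return True
    except (tarfile.TarError, OSError):
        return False


def prune_old_backups(backup_dir, max_age_days, now=None):
    """Delete files older than max_age_days (the effect of the cron 'find ... -mtime +1 -delete')."""
    now = time.time() if now is None else now
    removed = []
    for name in os.listdir(backup_dir):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path) and now - os.path.getmtime(path) > max_age_days * 86400:
            os.remove(path)
            removed.append(name)
    return sorted(removed)


def demo():
    """Self-contained run in a temporary directory with a constructed one-file 'filesystem'."""
    root = tempfile.mkdtemp()
    source = os.path.join(root, "etc")
    os.makedirs(source)
    with open(os.path.join(source, "hosts"), "w") as f:
        f.write("192.168.64.134 examplemeera.com\n")  # constructed content
    backup_dir = os.path.join(root, "Backup")
    archive = create_backup(source, backup_dir, stamp="20151127-0100")
    result = {"archive": os.path.basename(archive), "verified": verify_backup(archive)}
    # A stale archive from two days ago, as the nightly prune would meet it.
    stale = os.path.join(backup_dir, "SystemBackup-20151125-0100.tgz")
    open(stale, "wb").close()
    two_days_ago = time.time() - 2 * 86400
    os.utime(stale, (two_days_ago, two_days_ago))
    result["pruned"] = prune_old_backups(backup_dir, max_age_days=1)
    with open(archive, "r+b") as f:  # corrupt the gzip header: the digest check must now fail
        f.write(b"\x00\x00")
    result["verified_after_tamper"] = verify_backup(archive)
    return result


if __name__ == "__main__":
    print(demo())
```

The sidecar digest is what makes the scp step verifiable on the other side: recomputing sha256 of the received archive and comparing it with the sidecar catches a truncated or corrupted transfer before anyone attempts a restore from it.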

Testing


Check the backup server for filesystem backups taken at the time scheduled in the crontab.

ls -lrt /home/msudhakar/Projects/Project_3/Backup

Integrated Testing


The procedure to test the entire system is below:

  1. Ensure that the DHCP server, master DNS server and slave DNS server are up and running.
  2. Check the IP address of the client using the command ifconfig. The IP address must come from the range specified on the DHCP server.
  3. Execute the command nslookup examplemeera.com on the client to ensure that the DNS server is reachable from the client.
  4. Check the firewall on the web server and note which client is blocked by it.
  5. Access the web server from both clients. One client displays the web page, while the other is blocked.
  6. Check the system time and adjust the crontab on the client accordingly. Ensure that the filesystem backup is taken and copied to the backup server.

Future Prospects


The security and robustness of the project can be improved by adding features such as VPN, NIS, NFS and NTP.

References


[1] [2] [3] [4]

  1. https://help.ubuntu.com/community/isc-dhcp-server
  2. https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
  3. https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts
  4. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04