Data Networking/Fall 2015/Neeharika

Project Objective

To design a robust, secured network for a corporate organization, with a DNS server, a DHCP server, a web server and a firewall as the key network elements.

Team members

  • Sukumar Sekuri
  • Neeharika Chandra Naidu
  • Ravi Chandra Sekhar Bojja
  • Keerthi Reddy Vade

Network Elements

  • DNS
  • DHCP
  • WEB SERVER & FIREWALL

Description of Services


Domain Name System

DNS is the naming service that resolves domain or host names to IP addresses. Keeping one central list of every name-to-address mapping would be impractical, so the namespace is split into zones that are delegated down a hierarchy of servers across the Internet, which makes DNS a distributed, hierarchical database. When a client asks for a website, its resolver sends a query to the recursive DNS server it has been configured with (typically one run by the local network or by the access provider); that server walks the hierarchy on the client's behalf and returns the IP address, and the client then connects to the web server. BIND, Posadis and PowerDNS are some of the available DNS server implementations. BIND was chosen for this project because it is the most widely deployed and the most flexible; BIND9 is configured both as the authoritative server for the project domain and as a caching recursive resolver. Caching helps because the answer to each new query is kept in the server for the record's TTL, so repeat lookups for the same name are answered locally instead of being sent out to the Internet again; this cuts the user's waiting time and saves upstream bandwidth. Two points to keep in mind: the cache holds DNS records, not web pages, so it speeds up name resolution only; and a caching resolver should answer recursive queries only for the internal network (allow-recursion in named.conf.options), otherwise anyone on the Internet can use it as an open resolver or try to plant bad answers in its cache.

Dynamic Host Configuration Protocol

DHCP is a client-server protocol that automatically provides an IP host with an IP address and the related settings (subnet mask, default gateway and DNS servers). Without DHCP, every device that moves from one subnet to another has to be reconfigured by hand, and when a device leaves the network its address has to be reclaimed by hand as well. DHCP automates both steps. The server keeps a pool of IP addresses and leases one to a client when it joins the network; if the client does not renew the lease before it expires, the address returns to the pool automatically for reallocation.

DHCP allocates IP addresses to clients in three ways:

  • Static (manual) allocation: the administrator preconfigures a mapping from each device's MAC address to a fixed IP address, and the address stays the same until the administrator changes it. The project uses this for its servers.
  • Dynamic allocation: the administrator sets aside a pool of IP addresses and the server leases addresses from that pool for a limited time; a client must renew its lease to keep the address. Both IPv4 and IPv6 addresses are assigned this way in this project.
  • Automatic allocation: similar to dynamic allocation, but the address taken from the pool is assigned permanently, so a client that reconnects to the network gets the same IP address it had before.

Web Server & Firewall

A web server's primary job is to deliver web pages in response to client requests; client and server talk over HTTP. The common choices are Microsoft's IIS on Windows and Apache on Linux. This project uses Apache because it is open-source software that can be configured and run without a purchased licence, whereas hosting websites on a Windows web server requires buying one. A backup of the web server was also set up in case of server failure: a scheduled job archives the site's files and copies the archive to a backup server (an incremental tool such as rsync would copy only the files that changed since the previous run). Finally, a firewall controls the traffic entering the network: inbound connections that are not explicitly accepted by a rule in the iptables INPUT chain are dropped, so only the listed services can be reached.

Algorithm & Flowchart


Algorithm

  1. The client attempts to join the network "neeharika".
  2. The client sends a DHCP request to obtain an IP address.
  3. If the request succeeds, an IP address is leased to the client; otherwise the client has to reconnect to the network.
  4. Once the client has an IP address, it can open 'neeharika.net' in a web browser. The client's resolver sends a query for the domain's IP address to the DNS server it was given by DHCP.
  5. If the name is valid, the DNS server replies with the IP address; otherwise the browser displays an error such as "server not found".
  6. Once the DNS server has responded, the client sends an HTTP request to the web server.
  7. If the request succeeds, the web page is displayed; otherwise an error page is displayed.

Flow Chart

[Flowchart figure]

Configuration-Services


DNS Master

1. DHCP assigns the master DNS server its reserved IP address (192.168.1.9).

2. Update the package list

       sudo apt-get update

3. Then, install the bind9 server

       sudo apt-get install bind9

4. Now, create a forward zone file from the template

       sudo cp /etc/bind/db.local /etc/bind/db.neeharika.net

5. Then, edit /etc/bind/db.neeharika.net: set the SOA record (primary name server, administrator mailbox, serial number) and add the NS, A and AAAA records for the hosts in the zone. Increase the serial number every time the zone is changed, otherwise the slave will not pick up the change.

6. Now, create the reverse zone files in the same way as the forward zone file

       For IPv4   sudo cp /etc/bind/db.127 /etc/bind/db.192
       For IPv6   sudo cp /etc/bind/db.127 /etc/bind/db.193

7. Open /etc/bind/db.192 and /etc/bind/db.193 and replace the template records with PTR records for the hosts. The IPv4 zone is 1.168.192.in-addr.arpa; the IPv6 zone name is the nibbles of the network prefix in reverse order under ip6.arpa.

8. Now, declare the forward and reverse zones in /etc/bind/named.conf.local, with allow-transfer restricted to the slave (192.168.1.10) so that no other host can download the whole zone.

9. Change the nameserver in /etc/resolv.conf to 127.0.0.1. On releases that manage this file with resolvconf the edit is overwritten, so set it through the interface configuration instead.

10. Then, check the configuration with named-checkconf and named-checkzone and restart the DNS server

       sudo service bind9 restart

DNS Slave

1. DHCP assigns the slave DNS server its reserved IP address (192.168.1.10).

2. Update the package list

       sudo apt-get update

3. Then, install the bind9 server

       sudo apt-get install bind9

4. The slave does not need hand-written zone files: it receives copies of the zones from the master by zone transfer (AXFR). Declare the same forward and reverse zones in /etc/bind/named.conf.local, but with type slave, masters { 192.168.1.9; }, and a file path under /var/cache/bind, the directory that bind is allowed to write to.

5. On the master, make sure the zone declarations allow transfers to 192.168.1.10 and have notify enabled, so the slave is told as soon as the serial number changes.

6. Change the nameserver in /etc/resolv.conf as on the master.

7. Then restart the DNS server

       sudo service bind9 restart

After the restart, the transferred zone files should appear in /var/cache/bind and /var/log/syslog should show a "Transfer completed" message for each zone.
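Added example, not code from the original project: the following shell script generates the forward zone, both reverse zones and the named.conf.local declarations for the master and the slave described above, and runs named-checkzone on the result when BIND's tools are installed. The page gives only the two DNS server addresses, so the IPv6 prefix 2001:db8:1::/64, the host numbers under it, the web/mail host 192.168.1.16, the MX record and the SOA timers are assumptions.

```sh
#!/bin/sh
# Added example: generate the BIND9 zone files and named.conf.local zone
# declarations for neeharika.net (master and slave) and syntax-check them
# with named-checkzone when BIND's tools are installed.
# Assumed, not from the original page: the IPv6 prefix 2001:db8:1::/64 and
# the host numbers under it, and 192.168.1.16 as the web/mail host.
set -eu

ZONE=neeharika.net
MASTER=192.168.1.9
SLAVE=192.168.1.10
WEB=192.168.1.16
V6PREFIX=2001:db8:1                         # assumed /64 (documentation prefix)
V6ARPA=1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa     # nibbles of 2001:0db8:0001:0000, reversed
V4ARPA=1.168.192.in-addr.arpa
SERIAL=$(date +%Y%m%d01)                    # YYYYMMDDnn; raise nn for a second edit the same day

# rr OWNER TYPE RDATA: one resource record, aligned for readability.
rr() { printf '%-4s IN %-4s %s\n' "$1" "$2" "$3"; }

# Every zone gets the same SOA and both name servers, so resolvers learn
# about the slave as well as the master.
zone_header() {
    printf '$TTL 604800\n'
    printf '@ IN SOA ns1.%s. admin.%s. ( %s 604800 86400 2419200 604800 )\n' "$ZONE" "$ZONE" "$SERIAL"
    rr '@' NS "ns1.$ZONE."
    rr '@' NS "ns2.$ZONE."
}

forward_zone() {
    zone_header
    rr ns1  A    "$MASTER"
    rr ns2  A    "$SLAVE"
    rr '@'  A    "$WEB"
    rr www  A    "$WEB"
    rr mail A    "$WEB"
    rr '@'  MX   "10 mail.$ZONE."
    rr ns1  AAAA "$V6PREFIX::9"
    rr ns2  AAAA "$V6PREFIX::10"
    rr www  AAAA "$V6PREFIX::16"
}

# 192.168.1.0/24: the owner name is just the last octet.
reverse_zone_v4() {
    zone_header
    rr 9  PTR "ns1.$ZONE."
    rr 10 PTR "ns2.$ZONE."
    rr 16 PTR "www.$ZONE."
}

# 2001:db8:1::/64: the owner name is the 16 host nibbles in reverse order,
# e.g. ::10 is 0000:0000:0000:0010 -> 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0
reverse_zone_v6() {
    zone_header
    rr 9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR "ns1.$ZONE."
    rr 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR "ns2.$ZONE."
    rr 6.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR "www.$ZONE."
}

# named_conf_local master|slave: zone declarations for /etc/bind/named.conf.local.
# The master allows transfers only to the slave and notifies it of changes;
# the slave fetches each zone from the master into /var/cache/bind.
named_conf_local() {
    for z in "$ZONE:db.neeharika.net" "$V4ARPA:db.192" "$V6ARPA:db.193"; do
        name=${z%%:*}; file=${z#*:}
        if [ "$1" = master ]; then
            printf 'zone "%s" { type master; file "/etc/bind/%s"; allow-transfer { %s; }; notify yes; };\n' \
                "$name" "$file" "$SLAVE"
        else
            printf 'zone "%s" { type slave; file "/var/cache/bind/%s"; masters { %s; }; };\n' \
                "$name" "$file" "$MASTER"
        fi
    done
}

# write_zones DIR: write the master's files into DIR (/etc/bind in production)
# and run named-checkzone on each zone if it is available.
write_zones() {
    dir=$1
    mkdir -p "$dir"
    forward_zone            > "$dir/db.neeharika.net"
    reverse_zone_v4         > "$dir/db.192"
    reverse_zone_v6         > "$dir/db.193"
    named_conf_local master > "$dir/named.conf.local"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE"   "$dir/db.neeharika.net"
        named-checkzone "$V4ARPA" "$dir/db.192"
        named-checkzone "$V6ARPA" "$dir/db.193"
    fi
}

if [ "${1:-}" = write ]; then write_zones "${2:-/etc/bind}"; fi
```

Run it as sh genzones.sh write on the master to write the files into /etc/bind, then restart bind9; on the slave, paste the output of named_conf_local slave into named.conf.local instead of copying zone files by hand. The serial is date-based (YYYYMMDDnn), so a second run on the same day must raise nn or the slave will not notice the change.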

Testing

Testing can be done with the 'nslookup' command, querying the master first and then the slave so that the zone transfer is verified as well:

  • Forward zone:         nslookup neeharika.net 192.168.1.9
  • Reverse zone:         nslookup 192.168.1.9 192.168.1.9
  • Forward zone, IPv6:   nslookup -type=AAAA neeharika.net 192.168.1.9

Replace 192.168.1.9 with 192.168.1.10 to test the slave.

DHCP

The ISC DHCP server is used as the DHCP server. It is open-source software that runs on any Linux machine and meets the performance requirements of this project. The following commands are used to set up the DHCP server on an Ubuntu Linux machine.

1. Update the package list

       sudo apt-get update

2. Install the ISC DHCP server

       sudo apt-get install isc-dhcp-server

3. Go to /etc/dhcp and make the necessary changes in the DHCP configuration file

       sudo nano /etc/dhcp/dhcpd.conf

4. The following changes are made in dhcpd.conf for IPv4 addresses

  • The subnet and netmask, the default gateway (option routers), the address range of the dynamic pool, the DNS server addresses (option domain-name-servers), the broadcast address, default-lease-time and max-lease-time are set to match the network used in the project.
  • The web server, DNS servers and mail server are given fixed addresses with host declarations keyed on their MAC addresses (hardware ethernet and fixed-address), so that DHCP does not hand these servers a different address each time they join the network. Keep the fixed addresses outside the dynamic pool's range so they cannot also be leased to a client.

5. IPv6 addresses are assigned from dhcpd6.conf, opened with

       sudo nano /etc/dhcp/dhcpd6.conf

6. The following changes are made in dhcpd6.conf: the IPv6 subnet (subnet6) and the pool of addresses (range6) are defined along with the default and maximum lease times.

7. Now, restart the DHCP server with the following commands.

       sudo /etc/init.d/isc-dhcp-server restart
       sudo /etc/init.d/isc-dhcp6-server restart
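Added example, not the project's own configuration: this script writes a dhcpd.conf and dhcpd6.conf with the elements listed in steps 4 to 6 (subnet, pool, gateway, DNS servers, lease times and fixed addresses for the servers) and runs dhcpd's syntax test on them when dhcpd is installed. The page gives the DNS server addresses only, so the gateway 192.168.1.1, the pool range .100 to .200, the MAC addresses and the IPv6 prefix 2001:db8:1::/64 are assumptions.

```sh
#!/bin/sh
# Added example: generate /etc/dhcp/dhcpd.conf and dhcpd6.conf for the
# 192.168.1.0/24 network and run dhcpd's own syntax test ("dhcpd -t") on
# them when dhcpd is installed.
# Assumed, not from the original page: the gateway 192.168.1.1, the pool
# range .100-.200, the servers' MAC addresses and the IPv6 prefix 2001:db8:1::/64.
set -eu

SUBNET=192.168.1.0
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
GATEWAY=192.168.1.1
POOL_START=192.168.1.100
POOL_END=192.168.1.200
DNS1=192.168.1.9
DNS2=192.168.1.10
V6PREFIX=2001:db8:1

# Reserved addresses, one per server, keyed on the MAC address: name MAC IP.
# They sit below the pool, so they can never also be leased dynamically.
RESERVATIONS='
dns-master 08:00:27:aa:00:09 192.168.1.9
dns-slave  08:00:27:aa:00:10 192.168.1.10
webserver  08:00:27:aa:00:16 192.168.1.16
'

dhcpd_conf() {
    cat <<EOF
# "authoritative" makes the server send DHCPNAK to clients that request an
# address that is wrong for this network, instead of staying silent.
authoritative;
option domain-name "neeharika.net";
option domain-name-servers $DNS1, $DNS2;
default-lease-time 600;
max-lease-time 7200;

subnet $SUBNET netmask $NETMASK {
    option routers $GATEWAY;
    option broadcast-address $BROADCAST;
    pool {
        range $POOL_START $POOL_END;
    }
}
EOF
    printf '%s\n' "$RESERVATIONS" | while read -r name mac ip; do
        [ -n "$name" ] || continue          # skip the blank lines around the list
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$name" "$mac" "$ip"
    done
}

dhcpd6_conf() {
    cat <<EOF
default-lease-time 600;
max-lease-time 7200;
option dhcp6.name-servers $V6PREFIX::9, $V6PREFIX::10;
subnet6 $V6PREFIX::/64 {
    range6 $V6PREFIX::100 $V6PREFIX::200;
}
EOF
}

# write_dhcp_conf DIR: write both files into DIR (/etc/dhcp in production)
# and syntax-check them; dhcpd -t exits non-zero on a bad file.
write_dhcp_conf() {
    dir=$1
    mkdir -p "$dir"
    dhcpd_conf  > "$dir/dhcpd.conf"
    dhcpd6_conf > "$dir/dhcpd6.conf"
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$dir/dhcpd.conf"
        dhcpd -6 -t -cf "$dir/dhcpd6.conf"
    fi
}

if [ "${1:-}" = write ]; then write_dhcp_conf "${2:-/etc/dhcp}"; fi
```

Run it as sh gendhcp.sh write on the DHCP server, then restart both services as in step 7. Replace the MAC addresses with the real ones from ip link on each server, otherwise the host declarations never match and the servers fall back to the dynamic pool.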

Testing

1. The leased IP addresses can be checked with the following command. It shows the leases held by the DHCP server and the IP addresses that have been leased to the clients.

       sudo tail /var/lib/dhcp/*.leases

2. The DHCP server's DISCOVER/OFFER/REQUEST/ACK exchange with each client can also be followed in the system log.

       sudo tail -f /var/log/syslog

Apache Web Server

1. Installing Apache 2

       sudo apt-get update
       sudo apt-get install apache2

To check that Apache 2 was installed successfully, open a web browser and go to

       http://localhost

2. Creating the site directory and a test page. The directory is handed to the login user so that the site files can be edited without sudo.

       sudo mkdir /var/www/neeharika.net/
       sudo chmod 755 /var/www/
       sudo chown $USER:$USER /var/www/neeharika.net/
       nano /var/www/neeharika.net/sample.html

3. Configuring Apache 2: apache2.conf

       sudo nano /etc/apache2/apache2.conf

Add a Directory block for the site:

       <Directory /var/www/neeharika.net/>
               Options Indexes FollowSymLinks
               AllowOverride None
               Require all granted
       </Directory>

Indexes makes Apache list the contents of any directory that has no index file, which shows file names to anyone who can reach the server; use Options -Indexes +FollowSymLinks unless directory listings are wanted.

4. Configuring Apache 2: dir.conf. Because the site does not use index.html as its default page, sample.html has to be added to the list of directory index files.

       sudo nano /etc/apache2/mods-available/dir.conf

Append sample.html to the DirectoryIndex list:

       <IfModule mod_dir.c>
               DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
       </IfModule>

5. Configuring Apache 2: 000-default.conf. In /etc/apache2/sites-available/000-default.conf set

       ServerAdmin webserver@localhost
       ServerName neeharika.net
       DocumentRoot /var/www/neeharika.net

6. Now map the web server's IP address to the domain name on the client (only needed on machines that do not use the project's DNS server)

       sudo nano /etc/hosts
       <web server IP address>    neeharika.net

7. Restart Apache 2

       sudo service apache2 restart

8. Verification

       http://localhost

Firewall

Configuring iptables. The following rules filter the connections arriving at the web server: loopback traffic and packets belonging to connections the server opened itself are accepted; NFS (TCP 2049) and HTTP (TCP 80) are accepted from the internal subnet only; ICMP echo-request (type 8) is accepted from the subnet so that hosts on the LAN can ping the server (replies to the server's own pings are already matched by the ESTABLISHED rule); and the INPUT chain's default policy is set to DROP so that everything that matches no rule is discarded. Without that last line the ACCEPT rules block nothing, because the chain's built-in default policy is ACCEPT.

       sudo iptables -A INPUT -i lo -j ACCEPT
       sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
       sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
       sudo iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
       sudo iptables -P INPUT DROP

If the server is administered over SSH, accept TCP port 22 from the subnet before setting the DROP policy, or the session will be locked out. The rules live only in the running kernel and are lost at reboot; once they have been verified with iptables -L -n -v, save them with iptables-save (or install the iptables-persistent package).

Backup

1. On the web server, generate an SSH key pair for the account that will run the scheduled backup. The crontab below is root's, so the key is generated as root (it lands in /root/.ssh) and is left without a passphrase because cron runs the job unattended.

       sudo -i ssh-keygen -t rsa

2. Use ssh to create the .ssh directory on the backup server

       ssh raviclient@192.168.1.33 mkdir -p .ssh

3. Append the web server's public key to the backup server's authorized_keys

       sudo cat /root/.ssh/id_rsa.pub | ssh raviclient@192.168.1.33 'cat >> .ssh/authorized_keys'

4. Compress the site's files for backup

       sudo tar -cvpzf ravibackup.tar.gz /var/www/neeharika.net/sample.html

5. Use crontab to schedule the backup every minute. Because the crontab is root's, the jobs already run as root and need no sudo of their own.

       sudo crontab -e
       * * * * * tar -cpzf /home/raviserver/ravibackup.tar.gz /var/www/neeharika.net/sample.html
       * * * * * scp /home/raviserver/ravibackup.tar.gz raviclient@192.168.1.33:/home/raviclient/

Two things to note about this schedule: it copies the whole archive every minute whether or not anything has changed, and the two jobs run independently, so the scp can occasionally ship an archive that tar is still writing. Running both steps from one script, or replacing them with rsync over SSH, avoids both problems.
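Added example, not the project's own backup job: the script below does what the description of the backup claims, copying only the files that changed since the previous run, using GNU tar's --listed-incremental snapshot, and ships each archive over the SSH key from step 1 in a single job so that a half-written archive is never copied. The backup user, host and paths are taken from the steps above; the snapshot file name, the backups directory and the 10-minute schedule are assumptions.

```sh
#!/bin/sh
# Added example: incremental backup of the web root with GNU tar's
# --listed-incremental snapshot, so only files changed since the previous run
# land in the new archive, followed by an scp of just that archive.
# Assumed, not from the original page: the backups directory, the snapshot
# file and the root-owned key /root/.ssh/id_rsa created in step 1.
set -eu

SRC=/var/www/neeharika.net
DEST=/home/raviserver/backups
REMOTE=raviclient@192.168.1.33:/home/raviclient/
KEY=/root/.ssh/id_rsa

# incremental_backup SRC DEST: writes DEST/<name>-<n>.tar.gz and prints its path.
# The first run (no snapshot file yet) is a full level-0 archive; later runs
# reuse the snapshot and contain only files whose mtime/ctime changed since.
incremental_backup() {
    src=$1; dest=$2
    name=$(basename "$src")
    mkdir -p "$dest"
    n=$(ls "$dest"/"$name"-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    archive="$dest/$name-$n.tar.gz"
    # -C to the parent so the archive holds relative paths, not /var/www/...
    tar -czf "$archive" --listed-incremental="$dest/$name.snar" \
        -C "$(dirname "$src")" "$name"
    echo "$archive"
}

# ship_backup ARCHIVE: copy one archive to the backup server. A restore needs
# every level in order, so keep the whole DEST directory, not just the latest.
ship_backup() {
    scp -q -i "$KEY" "$1" "$REMOTE"
}

# Run from root's crontab, e.g. every 10 minutes:
#   */10 * * * * /usr/local/sbin/incremental_backup.sh run
if [ "${1:-}" = run ]; then
    archive=$(incremental_backup "$SRC" "$DEST")
    ship_backup "$archive"
fi
```

After the first run DEST holds site-0.tar.gz (full) and neeharika.net.snar; each later run adds a site-N.tar.gz that contains only the changed files. Delete the .snar file to force a new full backup.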

ADD-ONS


Mail Server

The mail server lets users read and send e-mail from any computer, anywhere, through a web browser. The webmail front end used here is SquirrelMail, a simple, fast and widely used webmail package. Behind it, a mail transfer agent, a mail delivery agent and the web server work together: Postfix is the mail transfer agent that sends and receives mail over SMTP, and Dovecot delivers mail to the users' mailboxes and serves them to SquirrelMail over IMAP and POP3.

Configuration

The configuration of the mail server continues from the DNS server: the forward and reverse DNS records are used together with an MX record for the domain, which other mail servers need in order to deliver mail to it. These records are discussed in the Domain Name System section. The following commands are used after the DNS records have been created.

1. Go to Apache's sites-available directory. The command for this is:

       cd /etc/apache2/sites-available

2. Create a mail site file with the same configuration as default-ssl (named default-ssl.conf on Apache 2.4), so that the webmail login is served over HTTPS. The command for that is

       cp default-ssl mail.conf

3. Now edit mail.conf so that it serves SquirrelMail for the name mail.neeharika.net (ServerName and DocumentRoot). The SSL module must be enabled (a2enmod ssl) for this site to start.

4. Enable the mail.conf site with the following command

       a2ensite mail

5. Edit /etc/squirrelmail/apache.conf so that it matches the virtual host created above.

6. Edit /etc/dovecot/dovecot.conf to enable the imap and pop3 protocols.

7. Now enter the commands

       killall named
       killall apache2
       killall dovecot

8. Now restart everything by entering the following commands

       invoke-rc.d bind9 restart
       invoke-rc.d apache2 restart
       invoke-rc.d postfix restart
       invoke-rc.d dovecot restart

9. Mail users can now be created with the "adduser" command. Each mail user is an ordinary system account on the server and the same password is accepted by the webmail login, so give these accounts strong passwords.

Testing

Now, open a web browser and go to "mail.neeharika.net". The SquirrelMail login page appears; log in with a username and password to send mail to, and receive mail from, the other users in the same domain.

FTP Server

File Transfer Protocol (FTP) is a network protocol for transferring files from one computer to another over a TCP-based network such as the Internet. It is built on a client-server architecture and uses two separate connections between client and server, one for control and one for data. Note that FTP sends the username, the password and the files themselves in the clear, so it should only be used on a trusted network.

Configuration

1. Install the FTP package

       sudo apt-get install vsftpd

2. Make the following changes to /etc/vsftpd.conf by removing the '#' in front of these lines. write_enable allows uploads and changes; anonymous_enable allows logins with no credentials at all (to log in with a local username and password, as in the test below, local_enable=YES must be uncommented too).

       sudo nano /etc/vsftpd.conf
       write_enable=YES
       anonymous_enable=YES

3. Now, restart vsftpd

       sudo service vsftpd restart

4. Then, create files

       cd /srv/ftp
       sudo touch text1 text2
       sudo chmod 777 text1 text2

Anonymous logins combined with write_enable and world-writable files mean that anyone who can reach the server can alter the files without a password. Leave anonymous_enable=NO (the default) unless anonymous access is actually needed, and give the files only the permissions the intended users require.

Testing

Type the following command and then enter the username and password to log in. Once authenticated, the user or client can also make changes to the files.

       ftp 192.168.1.16

Network File System (NFS) is a distributed file system protocol used to share files with other computers on the network.

NFS server

1. Initially, update the repositories

       sudo apt-get update

2. Next, install the NFS server package

       sudo apt-get install nfs-kernel-server

3. Then, make the directory that is to be shared with the other devices (/home already exists and is shared as it is)

       sudo mkdir /shome

4. /etc/exports is the main NFS configuration file; add the following lines to it. Each line names the directory, the clients allowed to mount it (here the whole 192.168.1.0/24 subnet) and the options.

       /shome 192.168.1.0/24(rw,sync,no_root_squash)
       /home 192.168.1.0/24(rw,sync,no_root_squash)

no_root_squash means that the root user on any client in the subnet is treated as root on the exported directories, including every user's home directory. The default, root_squash, maps client root to an unprivileged user and is the safer choice unless a client genuinely has to act as root on the share.

5. Now, start the service (after any later change to /etc/exports, run sudo exportfs -ra to reload it)

       sudo /etc/init.d/nfs-kernel-server start

6. Check the exported shares with

       sudo exportfs -v
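As an added example that is not part of the original page, the following script checks an /etc/exports file for the options that matter on a shared subnet (no client list or a wildcard client, no_root_squash, insecure) and prints a hardened copy with root_squash. The sample input is the page's own two export lines, embedded so the script runs offline; the checks and the rewrite rules are this example's own, not part of any NFS tool.

```sh
#!/bin/sh
# Added example: lint /etc/exports for risky options and print a hardened copy.
# Both functions read the exports text from stdin; SAMPLE_EXPORTS holds the
# two lines from the page above.
set -eu

SAMPLE_EXPORTS='/shome 192.168.1.0/24(rw,sync,no_root_squash)
/home 192.168.1.0/24(rw,sync,no_root_squash)'

# check_exports: one finding per line as "<path> <client> <problem>";
# returns 1 if anything was flagged, 0 if the file is clean.
check_exports() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/ { next }                         # skip comments and blank lines
    {
        path = $1
        if (NF == 1) { print path, "(none)", "no client list: exported to every host"; bad = 1 }
        for (i = 2; i <= NF; i++) {                 # each "client(options)" entry
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "" || client == "*") {
                print path, client, "exported to every host"; bad = 1
            }
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                print path, client, "no_root_squash: client root is root on the export"; bad = 1
            }
            if (opts ~ /(^|,)insecure(,|$)/) {
                print path, client, "insecure: accepts requests from unprivileged source ports"; bad = 1
            }
        }
    }
    END { exit bad }'
}

# harden_exports: drop no_root_squash and insecure, and state root_squash
# explicitly (the kernel default) so client root is mapped to nobody.
harden_exports() {
    sed -e 's/,no_root_squash//g; s/no_root_squash,//g' \
        -e 's/,insecure//g; s/insecure,//g' \
        -e '/root_squash/!s/(\(.*\))$/(\1,root_squash)/'
}

# Demo run against the page's lines; output goes to stderr so the functions
# above stay usable from other scripts.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_EXPORTS" | check_exports >&2 || true
    printf '%s\n' "$SAMPLE_EXPORTS" | harden_exports >&2
fi
```

Run check_exports < /etc/exports before exportfs -ra; a non-zero exit status means at least one line was flagged, which is convenient in a configuration-management hook.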

NFS Client

1. Install the NFS client and its dependencies

       sudo apt-get install nfs-common rpcbind

2. Create a directory /rhome

       sudo mkdir /rhome

3. Mount the remote share /shome on the local directory /rhome

       sudo mount 192.168.1.16:/shome /rhome

4. Add the following line to /etc/fstab for a permanent mount

       192.168.1.16:/shome /rhome nfs rw,sync,hard,intr 0 0

Testing

Two files, text1 and text2, are created in the NFS server's /shome directory, and two more, text3 and text4, are created by the NFS client in /rhome. Because /rhome is a mount of /shome, all four files appear in both directories.

VPN Server

A VPN server is configured so that a remote client can reach the private network through a tunnel. The PPTP protocol is used here.

Configuration

1. Install the "pptpd" package

       sudo apt-get install pptpd

2. Edit /etc/pptpd.conf as follows

       sudo nano /etc/pptpd.conf
       localip  <IP of VPN server>
       remoteip  <range of IPs for VPN clients>

3. Edit the /etc/ppp/pptpd-options file to hand the DNS servers to the clients.

       sudo nano /etc/ppp/pptpd-options
       ms-dns 192.168.1.9
       ms-dns 192.168.1.10

4. Set a username and password for each user in /etc/ppp/chap-secrets. The columns are client (username), server, secret and the IP addresses the client may be given; the server column must match the name set in pptpd-options (pptpd by default).

       sudo nano /etc/ppp/chap-secrets
       sukumar pptpd sukumar *

Note: the * in the last column means the client may be assigned any address from the remoteip range. The example secret is the same as the username, which is far too weak; and PPTP itself is only suitable for a lab, because its MS-CHAPv2 authentication and MPPE encryption are broken regardless of password strength (an attacker who captures the handshake can recover the password hash and decrypt the tunnel), so a production VPN should use OpenVPN or IPsec instead. For the clients to reach hosts on the private network, IP forwarding must also be enabled on the VPN server (net.ipv4.ip_forward=1 in /etc/sysctl.conf).

Testing

1. Test that the VPN is working by checking the interfaces: a ppp0 interface with the localip address appears once a client has connected.

       ifconfig

NTP Server

NTP stands for Network Time Protocol. The NTP server supplies the date and time to the clients that synchronise with it, so that logs and authentication timestamps across the network agree.

Configuration

1. Install the "ntp" package

       sudo apt-get install ntp

2. Edit the upstream servers in /etc/ntp.conf, and add a restrict line for the local subnet so that only LAN hosts can query the server and none of them can modify it

       sudo nano /etc/ntp.conf

3. Restart the NTP server with the command

       /etc/init.d/ntp restart

4. Use the following command to check the servers; a * in front of a peer marks the one the server is currently synchronised to

       ntpq -p

Testing

Note: The implementation is tested with Windows as the client.

NIS

Network Information Service (NIS) is a client-server protocol for distributing system configuration data, such as user names and passwords, between the computers on a network. NIS was originally called Yellow Pages (YP). NIS has no authentication or encryption of its own: any host admitted by /etc/ypserv.securenets can read the maps, including the password hashes, so it should only be used on a trusted LAN.

NIS Server

1. Install rpcbind (the successor of portmap) and NIS, and make sure rpcbind starts at boot

       sudo apt-get install rpcbind
       sudo update-rc.d rpcbind defaults 10
       sudo apt-get install nis

2. Edit the file /etc/default/nis as follows

       NISSERVER=master
       NISCLIENT=false

3. Edit /etc/ypserv.securenets: add the network that is allowed to reach the NIS server and comment out the 0.0.0.0 line, which would admit every host. Then edit /var/yp/Makefile if the hosts that may use NIS need to be changed.

       255.255.255.0   192.168.1.0
       #0.0.0.0        0.0.0.0

4. Restart rpcbind and NIS

       sudo service rpcbind restart
       sudo service nis restart

5. Build the NIS database

       sudo /usr/lib/yp/ypinit -m

6. Add users to the NIS database

       sudo useradd -d /home/user1 -m user1
       sudo useradd -d /home/user2 -m user2

7. Create passwords for these accounts

       sudo passwd username

8. All user accounts can be seen with cat /etc/passwd

9. To push the changes into the NIS maps, type

       cd /var/yp
       sudo make

NIS Client

1. Install rpcbind and NIS, and make sure rpcbind starts at boot

       sudo apt-get install rpcbind
       sudo update-rc.d rpcbind defaults 10
       sudo apt-get install nis

2. Edit the /etc/hosts file to add the NIS server's IP address and host name

3. Then, edit /etc/yp.conf to add the NIS domain and server name

4. Edit /etc/nsswitch.conf so that NIS is consulted after the local files, i.e. when /etc/passwd does not contain the user

       passwd:  files nis
       group:   files nis
       shadow:  files nis

5. To let NIS users read, write and execute files under /home, the project makes the directory world-writable

       sudo chmod 777 /home

This lets every user modify every other user's files. Home directories should instead be owned by their users with mode 755 (or 700), and shared from the NFS server's /home export so that the same directory is available on every client.

6. Then reboot the client machine

       sudo reboot

Testing

Use the command 'ypcat passwd' on the client to test NIS; it should list the user1 and user2 accounts created on the server.

Future Improvements

  • DHCP superscope: a DHCP superscope lets the DHCP server allocate addresses from several subnets on the same network segment. This allows the company to grow the network smoothly without disturbing the existing setup; with ISC DHCP the equivalent is a shared-network declaration that groups the next subnet with the existing one in the configuration file.
  • Security: the overall security of the network can be improved by installing an IDS/IPS to monitor the traffic to and from all the servers and to assess its behaviour.

Conclusion

A robust, intelligent and secured network was designed for a corporate organisation, with a DNS server, a DHCP server, a web server and a firewall as its key network elements.
