Data Networking/Fall 2015/Neeharika
Project Objective
To design a robust and secure network consisting of a DNS server, DHCP server, web server and firewall as key network elements for a corporate organization.
Team members
- Sukumar Sekuri
- Neeharika Chandra Naidu
- Ravi Chandra Sekhar Bojja
- Keerthi Reddy Vade
Network Elements
- DNS
- DHCP
- WEB SERVER & FIREWALL
Description of Services
Domain Name Server
DNS is a name service protocol for Internet addresses that resolves domain or host names into numeric IP addresses. Maintaining a single central list of name-to-address correspondences would be impractical, so the domain names and their IP addresses are distributed in a hierarchy throughout the Internet, making the Domain Name System a hierarchical database. When a client requests a domain name or a website, the browser sends a query to the DNS server located close to the client's access provider, and this server returns the IP address to the client; the client can then access the contents of the website. Some available DNS servers are BIND, Posadis and PowerDNS. Of the three, BIND is used here as it is the most flexible software; the latest version, BIND9, with caching enabled, is used as the DNS server in this project. Caching is advantageous because the response received for every new DNS query is stored in the server, so the time taken to access and display a page whose name is already cached is much less than for a page that is not cached in the DNS server. As a result, the user's waiting time is reduced and bandwidth is saved; the spare bandwidth becomes available for other operations, such as displaying more web pages.
Dynamic Host Configuration Protocol
DHCP is a client-server protocol which automatically provides an Internet Protocol host with an IP address. Without DHCP, every device that moves from one subnet to another must be reconfigured manually, and when a device is removed from a network its IP address must be reclaimed manually. With DHCP this process is automated and much simpler than the manual procedure. The DHCP server creates a pool of IP addresses and assigns addresses to devices from this pool. Rather than handing out an address permanently, DHCP leases it to the client when the client enters the network; if the client does not renew the lease before it expires, the address is returned to the pool automatically for reallocation.
DHCP allocates IP addresses to clients in three different ways:
- Static Allocation: DHCP allocates IP addresses statically based on a preconfigured mapping to each device's MAC address, and the addresses assigned to the devices remain unchanged until the network administrator changes them.
- Dynamic Allocation: The network administrator reserves a pool of IP addresses for DHCP and the server assigns IP addresses to clients from this pool. In this project, both IPv4 and IPv6 addresses are assigned by DHCP.
- Automatic Allocation: This is similar to dynamic allocation, but the server assigns the client the same IP address it had the previous time it connected to the network.
Webserver & Firewall
A web server's primary job is to deliver web pages in response to client requests, and this communication between server and client is done over HTTP. The available choices are a Windows web server or a Linux (Apache) web server. In this project we use an Apache web server because Linux is an open-source system and the web server can be configured under a free licence, whereas a Windows web server requires a licence to be purchased for hosting websites. In this project we also created a backup of the web server in case of server failure: all the files from the web server are zipped and sent to the backup server, which updates itself by copying only those files that were modified. Additionally, a firewall is implemented to protect the information entering and leaving the network: all traffic except what is explicitly allowed by the firewall rules is blocked and cannot reach the network.
Algorithm & Flowchart
Algorithm
- The client attempts to join the network "neeharika".
- The client sends a request to the DHCP server to obtain an IP address.
- If the request is successful, an IP address is assigned to the client; otherwise the client needs to reconnect to the network.
- Once the client has an IP address, it can try to connect to the 'neeharika.net' website via a web browser. If the domain name is valid, the web server will send a request to DNS for the domain's IP address.
- The DNS server replies with an IP address; otherwise an error saying "server not found" is displayed.
- Once the DNS server responds, the client sends an HTTP request to the server.
- The web page is displayed if the request is successful; otherwise, an error is displayed.
Flow Chart
Configuration-Services
DNS Master
1. DHCP assigns an IP address to the master DNS server (192.168.1.9)
2. Update the package list
sudo apt-get update
3. Then, install bind9 server
sudo apt-get install bind9
4. Now, a forward zone file should be created
sudo cp /etc/bind/db.local /etc/bind/db.neeharika.net
5. Then, edit the file /etc/bind/db.neeharika.net as below
6. Now, create a reverse zone file in the same way as the forward zone file:
For IPv4: sudo cp /etc/bind/db.127 /etc/bind/db.192
For IPv6: sudo cp /etc/bind/db.127 /etc/bind/db.193
7. Open /etc/bind/db.192 and /etc/bind/db.193 and edit as below
8. Now, add forward and reverse zones in /etc/bind/named.conf.local file
9. Change nameserver in /etc/resolv.conf file
10. Then restart the DNS server
sudo service bind9 restart
DNS Slave
1. DHCP assigns an IP address to the slave DNS server (192.168.1.10)
2. Update the package list
sudo apt-get update
3. Then, install bind9 server
sudo apt-get install bind9
4. Now, a forward zone file should be created
sudo cp /etc/bind/db.local /etc/bind/db.neeharika.net
5. Then, edit the file /etc/bind/db.neeharika.net as below
6. Now, create a reverse zone file in the same way as the forward zone file:
For IPv4: sudo cp /etc/bind/db.127 /etc/bind/db.192
For IPv6: sudo cp /etc/bind/db.127 /etc/bind/db.193
7. Open /etc/bind/db.192 and /etc/bind/db.193 and edit as below
8. Now, add forward and reverse zones in /etc/bind/named.conf.local file
9. Change nameserver in /etc/resolv.conf file
10. Then restart the DNS server
sudo service bind9 restart
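The steps for the DNS master and the DNS slave above say "edit the file as below" but the zone data itself is not reproduced on the page. The script below is an added example, not the project's own files: it writes a forward zone, the IPv4 reverse zone and a named.conf.local for each role using the page's addresses (master 192.168.1.9, slave 192.168.1.10, zone neeharika.net). The host names ns1/ns2/www, the web host address 192.168.1.16, the IPv6 address (documentation prefix) and the serial are assumptions. The master only allows zone transfers to the slave and recursion is limited to the LAN, so the caching server is not usable as an open resolver from outside.

```shell
#!/bin/sh
# Added example, not part of the original project. Generates BIND9 zone data and
# named.conf.local for the master (192.168.1.9) and slave (192.168.1.10).
# Host names, the web host address, the IPv6 address and the serial are assumptions.
ZONE="neeharika.net"
MASTER_IP="192.168.1.9"
SLAVE_IP="192.168.1.10"
WEB_IP="192.168.1.16"        # assumed address of the web host
WEB_IP6="2001:db8:1::16"     # assumed, documentation prefix
LAN="192.168.1.0/24"

# Forward zone (contents of /etc/bind/db.neeharika.net). Bump the serial on
# every edit, or the slave will never notice the change.
forward_zone() {
    cat <<EOF
\$TTL 604800
@    IN  SOA  ns1.$ZONE. admin.$ZONE. (
         2015120101  ; serial (YYYYMMDDnn)
         604800      ; refresh
         86400       ; retry
         2419200     ; expire
         604800 )    ; negative cache TTL
@    IN  NS   ns1.$ZONE.
@    IN  NS   ns2.$ZONE.
ns1  IN  A    $MASTER_IP
ns2  IN  A    $SLAVE_IP
www  IN  A    $WEB_IP
www  IN  AAAA $WEB_IP6
@    IN  A    $WEB_IP
EOF
}

# Reverse zone for 192.168.1.0/24 (contents of /etc/bind/db.192).
reverse_zone() {
    cat <<EOF
\$TTL 604800
@  IN SOA ns1.$ZONE. admin.$ZONE. ( 2015120101 604800 86400 2419200 604800 )
@  IN NS  ns1.$ZONE.
@  IN NS  ns2.$ZONE.
${MASTER_IP##*.}  IN PTR ns1.$ZONE.
${SLAVE_IP##*.}   IN PTR ns2.$ZONE.
${WEB_IP##*.}     IN PTR www.$ZONE.
EOF
}

# named.conf.local for either role. The master answers AXFR only for the slave,
# so nobody else can pull the full host list; the slave refuses transfers.
named_local() {   # arg: master | slave
    if [ "$1" = master ]; then
        cat <<EOF
zone "$ZONE" {
    type master;
    file "/etc/bind/db.$ZONE";
    allow-transfer { $SLAVE_IP; };
    also-notify { $SLAVE_IP; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { $SLAVE_IP; };
};
EOF
    else
        cat <<EOF
zone "$ZONE" {
    type slave;
    file "/var/cache/bind/db.$ZONE";
    masters { $MASTER_IP; };
    allow-transfer { none; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/db.192";
    masters { $MASTER_IP; };
    allow-transfer { none; };
};
EOF
    fi
}

# Options fragment: recursion and cache answers for LAN clients only.
named_options_lan() {
    cat <<EOF
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { $LAN; };
    allow-query-cache { $LAN; };
};
EOF
}

# Syntax check with named-checkzone when BIND is installed; otherwise a minimal
# structural check (an SOA and an NS record must be present).
check_zone() {   # args: generator-function zone-name
    f=$(mktemp); "$1" > "$f"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$2" "$f"; rc=$?
    else
        grep -q ' SOA ' "$f" && grep -q ' NS ' "$f"; rc=$?
    fi
    rm -f "$f"; return $rc
}
```

To install the generated files, redirect `forward_zone`, `reverse_zone` and `named_local master` (or `named_local slave`) into the paths the steps name, restart bind9, and then run the nslookup tests from the Testing section against both 192.168.1.9 and 192.168.1.10; a transfer attempt against the slave should be refused.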
Testing
Testing can be done with the nslookup command as follows:
- nslookup for forward zone
- nslookup for reverse zone
- nslookup for forward zone to get IPv6 address
DHCP
The ISC DHCP server is used to provide DHCP. It is open-source software which runs freely on any Linux machine and suits the performance needs of this environment. The following commands are used to implement the DHCP server on an Ubuntu Linux machine.
1. To update the package
sudo apt-get update
2. Install ISC-DHCP Server
sudo apt-get install isc-dhcp-server
3. Go to /etc/dhcp and make the necessary changes in the DHCP configuration file
sudo nano /etc/dhcp/dhcpd.conf
4. The following changes are made in the dhcpd.conf file for IPv4 addresses
- The subnet, netmask, gateway router, pool address range for the subnet, domain name server address, broadcast address, default lease time and maximum lease time are set as per the network used in the project
- Also, fixed IP addresses are reserved for the web server, DNS server and mail server, since we do not want DHCP to assign a different dynamic address to these servers every time they connect to the network.
5. In order to assign IPv6 addresses, the following configuration is made in dhcpd6.conf. The command for that is
sudo nano /etc/dhcp/dhcpd6.conf
6. The following changes are made in dhcpd6.conf: the subnet and pool of IPv6 addresses are assigned here along with the default and maximum lease time.
7. Now, restart the DHCP server using the following commands.
sudo /etc/init.d/isc-dhcp-server restart
sudo /etc/init.d/isc-dhcp6-server restart
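Steps 4 to 6 describe the dhcpd.conf and dhcpd6.conf changes without showing them. The script below is an added example, not the project's configuration: it writes both files for the page's network (192.168.1.0/24, DNS servers 192.168.1.9 and 192.168.1.10, domain neeharika.net) with one fixed-address reservation per server. The gateway 192.168.1.1, the pool boundaries, the MAC addresses, the web host address 192.168.1.16 and the IPv6 prefix are constructed placeholders. The last function checks that no reservation lies inside the dynamic pool, which would otherwise cause an address collision.

```shell
#!/bin/sh
# Added example, not the project's own dhcpd.conf. Gateway, pool limits, MAC
# addresses, the web host address and the IPv6 prefix are constructed placeholders.
DOMAIN="neeharika.net"
SUBNET="192.168.1.0"; NETMASK="255.255.255.0"
ROUTER="192.168.1.1"                     # assumed gateway
RANGE_LO="192.168.1.100"; RANGE_HI="192.168.1.200"
DNS_SERVERS="192.168.1.9, 192.168.1.10"
BROADCAST="192.168.1.255"
PREFIX6="2001:db8:1::"                   # assumed IPv6 prefix (documentation range)

# One host block per server that must always get the same address. The MAC is
# the identifier, so the lease file later shows exactly which reservation was used.
reservation() {   # args: name mac ip
    cat <<EOF
host $1 {
    hardware ethernet $2;
    fixed-address $3;
}
EOF
}

dhcpd_conf() {
    cat <<EOF
authoritative;
option domain-name "$DOMAIN";
option domain-name-servers $DNS_SERVERS;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;

subnet $SUBNET netmask $NETMASK {
    range $RANGE_LO $RANGE_HI;
    option routers $ROUTER;
    option broadcast-address $BROADCAST;
}
EOF
    reservation dns-master 08:00:27:aa:00:09 192.168.1.9
    reservation dns-slave  08:00:27:aa:00:10 192.168.1.10
    reservation web        08:00:27:aa:00:16 192.168.1.16
}

dhcpd6_conf() {
    cat <<EOF
default-lease-time 600;
max-lease-time 7200;
option dhcp6.name-servers ${PREFIX6}9;
subnet6 ${PREFIX6}/64 {
    range6 ${PREFIX6}100 ${PREFIX6}200;
}
EOF
}

# Return 0 when every fixed-address is outside the dynamic range; a reservation
# inside the pool would be handed out twice.
reservations_outside_pool() {
    lo=${RANGE_LO##*.}; hi=${RANGE_HI##*.}
    dhcpd_conf | sed -n 's/.*fixed-address 192\.168\.1\.\([0-9]*\);/\1/p' |
    while read -r last; do
        [ "$last" -lt "$lo" ] || [ "$last" -gt "$hi" ] || exit 1
    done
}
```

Write the output to /etc/dhcp/dhcpd.conf and /etc/dhcp/dhcpd6.conf and run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before the restart in step 7; a syntax error otherwise leaves the server down and every client without an address.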
Testing
1. We can check the leased IP addresses with the following command. It shows the leases on the DHCP server and the IP addresses that have been leased to clients.
sudo tail /var/lib/dhcp/*.leases
2. Also, the output of the DHCP server can be verified with the following command.
sudo tail -f /var/log/syslog
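Reading the leases file with `tail` shows only the last few records, and dhcpd appends a new record every time a lease changes, so the same address can appear several times. The script below is an added example, not part of the project: it parses the lease format dhcpd writes, keeps only the most recent record per address, and reports active leases whose MAC is not on a list of known hardware addresses, which is the quickest way to spot an unexpected device on the segment. The lease records and the known MAC list are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original project. Parses dhcpd.leases records
# (constructed sample below) and reports active leases from unknown MACs.
SAMPLE_LEASES='lease 192.168.1.101 {
  starts 1 2015/12/07 10:00:00;
  ends 1 2015/12/07 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:12:34:56;
  client-hostname "laptop-1";
}
lease 192.168.1.102 {
  starts 1 2015/12/07 10:05:00;
  ends 1 2015/12/07 12:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:de:ad:01;
  client-hostname "unknown-box";
}
lease 192.168.1.101 {
  starts 1 2015/12/07 12:00:00;
  ends 1 2015/12/07 12:00:00;
  binding state free;
  hardware ethernet 08:00:27:12:34:56;
}'
KNOWN_MACS="08:00:27:12:34:56 08:00:27:aa:00:16"   # constructed allow-list

# Print "ip mac hostname" for each address whose latest record is active.
# A later record for the same IP supersedes earlier ones, so the free record
# for 192.168.1.101 above cancels its earlier active one.
active_leases() {   # reads lease text on stdin
    awk '
    /^lease /                            { ip=$2; state=""; mac=""; host="-" }
    /binding state/ && !/next binding/   { state=$3; sub(/;$/, "", state) }
    /hardware ethernet/                  { mac=$3; sub(/;$/, "", mac) }
    /client-hostname/                    { host=$2; gsub(/[";]/, "", host) }
    /^}/                                 { st[ip]=state; m[ip]=mac; h[ip]=host }
    END { for (ip in st) if (st[ip]=="active") print ip, m[ip], h[ip] }'
}

# Print one UNKNOWN line per active lease whose MAC is not in KNOWN_MACS.
unknown_hosts() {   # reads lease text on stdin
    active_leases | while read -r ip mac host; do
        case " $KNOWN_MACS " in
            *" $mac "*) ;;
            *) echo "UNKNOWN $ip $mac $host" ;;
        esac
    done
}

# Demo on the constructed sample; on the server use:
#   sudo cat /var/lib/dhcp/dhcpd.leases | unknown_hosts
printf '%s\n' "$SAMPLE_LEASES" | unknown_hosts
```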
Apache Web Server
1. Installing Apache 2
sudo apt-get update
sudo apt-get install apache2
To check that Apache 2 was installed successfully, open a web browser and type
http://localhost
2. Creating the site directory and page
sudo mkdir /var/www/neeharika.net/
sudo chmod 755 /var/www/
sudo chown $USER:$USER /var/www/neeharika.net/
sudo nano /var/www/neeharika.net/sample.html
3. Configuring Apache 2 - apache2.conf
sudo nano /etc/apache2/apache2.conf
We need to modify the following directory block
<Directory /var/www/neeharika.net/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
4. Configuring Apache 2 - dir.conf. Because we have not used index.html as the default page, we need to add our sample.html to the list of directory index files.
sudo nano /etc/apache2/mods-available/dir.conf
Append our HTML file, i.e. sample.html, to the list of indices
<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
</IfModule>
5. Configuring Apache 2 - 000-default.conf
ServerAdmin webserver@localhost
ServerName neeharika.net
DocumentRoot /var/www/neeharika.net
6. Now we map the IP address to the domain name
sudo nano /etc/hosts
<web server IP address>  neeharika.net
7. Restart Apache 2
sudo service apache2 restart
8. Verification
http://localhost
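Steps 2 to 5 spread the site across apache2.conf, dir.conf and 000-default.conf. The script below is an added example, not the project's own files: it writes the same settings as one site file and stages the document root and page, and it includes a check for the one setting in step 3 that matters for exposure, `Options Indexes`, which makes Apache list every file in /var/www/neeharika.net whenever no index page is found. The site file name, the log file names and the prefix argument (so the staging can be tried in a scratch directory) are this example's own.

```shell
#!/bin/sh
# Added example, not the project's own configuration. Site file name, log names
# and the prefix argument are this example's choices.
SITE="neeharika.net"
DOCROOT="/var/www/$SITE"

# Site file. With the argument "listing" it keeps the page's "Options Indexes";
# without it, Indexes is off, so a missing sample.html gives 403 instead of a
# listing of everything in DOCROOT.
vhost_conf() {   # optional arg: listing
    if [ "$1" = listing ]; then opts="Indexes FollowSymLinks"; else opts="-Indexes +FollowSymLinks"; fi
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webserver@localhost
    ServerName $SITE
    DocumentRoot $DOCROOT
    DirectoryIndex sample.html index.html
    <Directory $DOCROOT/>
        Options $opts
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$SITE-error.log
    CustomLog \${APACHE_LOG_DIR}/$SITE-access.log combined
</VirtualHost>
EOF
}

# Return 0 when some Options line enables directory listings, i.e. an "Indexes"
# token that is not switched off with a leading "-".
listing_enabled() {   # reads Apache configuration on stdin
    grep -E '^[[:space:]]*Options[[:space:]]' |
    grep -Eq '(^|[[:space:]])\+?Indexes([[:space:]]|$)'
}

# Create DOCROOT, a sample page and the site file under a prefix ("" for the real
# system, as root). Afterwards: a2ensite neeharika.net && service apache2 reload
stage_site() {   # arg: prefix directory
    p="$1"
    mkdir -p "$p$DOCROOT" "$p/etc/apache2/sites-available"
    printf '<html><body><h1>%s</h1></body></html>\n' "$SITE" > "$p$DOCROOT/sample.html"
    chmod 755 "$p$DOCROOT"
    vhost_conf > "$p/etc/apache2/sites-available/$SITE.conf"
}
```

Run `stage_site /tmp/stage` first and inspect the result; `listing_enabled < /etc/apache2/apache2.conf` is a quick way to audit an existing server for the same setting.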
Firewall
Configuring iptables: we add these rules to filter the incoming connections to our web server.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
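The ACCEPT rules above only block other traffic if the INPUT chain's default policy is DROP, which the commands do not set. The script below is an added example, not the project's firewall: it expresses the same rules as an iptables-restore table with the DROP policy stated explicitly, so the whole set is loaded atomically, and it includes a check that reads a table back for the mistakes most likely to undo the intent. The SSH rule (assumed administrative access from the LAN), the INVALID drop, the log rule and the use of ICMP type 8 (echo-request, which is what lets LAN hosts ping the server; type 0 is the reply, already covered by the ESTABLISHED rule) are this example's additions.

```shell
#!/bin/sh
# Added example, not the project's own firewall script. The SSH, INVALID and LOG
# rules and the ICMP type are this example's additions.
LAN="192.168.1.0/24"

# Full filter table in iptables-restore format. The policy line is what turns
# the ACCEPT rules into an allow-list.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $LAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s $LAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s $LAN -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s $LAN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Review checks on a table read from stdin: DROP policy present, loopback
# accepted, and no service port opened without a source restriction.
audit_rules() {
    t=$(cat); rc=0
    printf '%s\n' "$t" | grep -q '^:INPUT DROP' || { echo "FINDING: INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$t" | grep -q -- '-i lo -j ACCEPT' || { echo "FINDING: loopback traffic not accepted"; rc=1; }
    if printf '%s\n' "$t" | grep -- '--dport' | grep -- '-j ACCEPT' | grep -vq -- ' -s '; then
        echo "FINDING: a port is opened to every source"; rc=1
    fi
    return $rc
}

# Load the table (all rules or none). Needs root, so it is not called here;
# keep a console session open the first time in case the SSH rule is wrong.
apply_ruleset() {
    ruleset | iptables-restore
}
```

After loading, `sudo iptables-save | audit_rules` re-checks the live table, and `sudo iptables -L INPUT -v -n` shows which rule each packet matched.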
Backup
1. Go to the web server and generate the key pair
sudo ssh-keygen -t rsa
2. Use ssh to create the .ssh directory on the backup server
ssh raviclient@192.168.1.33 mkdir -p .ssh
3. Append the web server's public key to the backup server's authorized keys
cat /home/.ssh/id_rsa.pub | ssh raviclient@192.168.1.33 'cat >> .ssh/authorized_keys'
4. Compress the file for backup
sudo tar -cvpzf ravibackup.tar.gz /var/www/neeharika.net/sample.html
5. Use crontab to schedule the backup every minute
sudo crontab -e
* * * * * sudo tar -cvpzf /home/raviserver/ravibackup.tar.gz /var/www/neeharika.net/sample.html
* * * * * sudo scp /home/raviserver/ravibackup.tar.gz raviclient@192.168.1.33:/home/raviclient/
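The two cron entries above run independently, so scp can ship an archive that tar is still writing, and nothing confirms that the copy on 192.168.1.33 matches what left the web server. The script below is an added example, not the project's backup script: it performs the same tar and scp steps in order, records a SHA-256 checksum beside the archive, and verifies it locally before shipping and again on the backup host. The script path /usr/local/bin/webbackup.sh and the checksum step are this example's additions; the host, user and directories are the page's.

```shell
#!/bin/sh
# Added example, not the project's own script. Host, user and paths are the
# page's; the checksum and the script path are this example's additions.
BACKUP_HOST="raviclient@192.168.1.33"
REMOTE_DIR="/home/raviclient"
SRC="/var/www/neeharika.net"
ARCHIVE="/home/raviserver/ravibackup.tar.gz"

# Archive a directory and record its SHA-256 next to it (archive.sha256).
make_archive() {   # args: source-dir archive-path
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
    ( cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256" )
}

# 0 only when the recorded checksum still matches and tar can list the archive,
# so a truncated or altered copy is never treated as a valid restore source.
verify_archive() {   # arg: archive-path
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 ) &&
        tar -tzf "$1" >/dev/null 2>&1
}

# Copy archive and checksum with the key-based ssh the page sets up, then
# re-check on the backup host. Needs the network, so it is not called here.
ship_archive() {   # arg: archive-path
    scp "$1" "$1.sha256" "$BACKUP_HOST:$REMOTE_DIR/" &&
        ssh "$BACKUP_HOST" "cd $REMOTE_DIR && sha256sum -c $(basename "$1").sha256"
}

# crontab entry running this script every minute, as the page schedules it.
cron_line() {   # arg: path of this script
    printf '* * * * * %s\n' "$1"
}

# Entry point for cron: build, verify locally, ship.
run_backup() {
    make_archive "$SRC" "$ARCHIVE" && verify_archive "$ARCHIVE" && ship_archive "$ARCHIVE"
}
```

Install with `cron_line /usr/local/bin/webbackup.sh | sudo crontab -` after saving the file with `run_backup` as its last line; on the backup host, `verify_archive /home/raviclient/ravibackup.tar.gz` repeats the check before any restore.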
ADD-ONS
Mail Server
A mail server is software which allows us to view email from anywhere in the world, from any computer, using a web browser. The mail server we used here is SquirrelMail, one of the simplest, fastest and most popular webmail packages. We use a mail transfer agent, a mail delivery agent and a web server to send and receive emails via the web browser. Postfix acts as the mail transfer agent and Dovecot acts as the mail delivery agent; Dovecot uses the IMAP and POP3 protocol servers to send and receive emails.
Configuration
The configuration of the mail server is a continuation of the DNS server configuration. Forward and reverse DNS records are used along with mail exchange (MX) records, which are required for sending and receiving mail. These records are discussed in detail in the Domain Name Server section. The following commands are used after creating the DNS records
1. Go to sites-available in the apache2 directory. The command for this is:
cd /etc/apache2/sites-available
2. Create a mail site file with the same configuration as default-ssl. The command for that is
cp default-ssl mail.conf
3. Now edit the mail.conf file as shown below
4. Enable the mail site with the following command
a2ensite mail
5. Edit the /etc/squirrelmail/apache.conf file as shown below
6. Edit the /etc/dovecot/dovecot.conf file as shown below
7. Now enter the commands
killall named
killall apache2
killall dovecot
8. Now restart everything by entering the following commands
invoke-rc.d bind9 restart
invoke-rc.d apache2 restart
invoke-rc.d postfix restart
invoke-rc.d dovecot restart
9. Now we can create different users with the "adduser" command.
Testing
Now we can open the web browser and type "mail.neeharika.net". The SquirrelMail login page appears; there we can enter a username and password to log in and send and receive mail between users in the same domain.
FTP
File Transfer Protocol is a network protocol used to transfer files from one computer to another over a TCP-based network such as the Internet. It is built on a client-server architecture and uses two separate connections (for data and control) between the client and the server.
Configuration
1. The FTP package should be installed and updated
sudo apt-get install vsftpd
2. Make the following changes to the file /etc/vsftpd.conf, uncommenting the directives by removing the '#' sign.
sudo nano /etc/vsftpd.conf
write_enable=YES
anonymous_enable=YES
3. Now, restart vsftpd
sudo restart vsftpd
4. Then, create files
cd /srv/ftp
sudo touch text1 text2
sudo chmod 777 text1 text2
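Step 2 turns on anonymous logins and write access in the same file. The script below is an added example, not the project's configuration: it places the page's vsftpd.conf settings beside a hardened variant (no anonymous logins, local users confined to their home directory) and includes a small audit that reports the combination a reviewer would flag. Directive names are vsftpd's own; treating a directive that is absent from the file as NO is an assumption of this example, so run it on the full file rather than a fragment.

```shell
#!/bin/sh
# Added example, not part of the original project. Directive names are vsftpd's;
# a missing directive is treated as NO (an assumption of this check).

# Settings as given in step 2: anonymous logins with write enabled.
vsftpd_from_page() {
    cat <<'EOF'
listen=YES
write_enable=YES
anonymous_enable=YES
EOF
}

# Hardened variant: authenticated local users only, each chrooted to $HOME.
vsftpd_hardened() {
    cat <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
EOF
}

# Value of a directive from a vsftpd.conf on stdin; last occurrence wins, NO if absent.
conf_value() {   # arg: directive name
    v=$(sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" | tail -n 1)
    echo "${v:-NO}"
}

# Print findings and return 1 for anonymous logins, anonymous plus write
# access, or local users that are not chrooted.
audit_vsftpd() {   # reads vsftpd.conf on stdin
    cfg=$(cat); rc=0
    anon=$(printf '%s\n' "$cfg" | conf_value anonymous_enable)
    write=$(printf '%s\n' "$cfg" | conf_value write_enable)
    chroot=$(printf '%s\n' "$cfg" | conf_value chroot_local_user)
    local_on=$(printf '%s\n' "$cfg" | conf_value local_enable)
    [ "$anon" = YES ] && { echo "FINDING: anonymous logins enabled"; rc=1; }
    [ "$anon" = YES ] && [ "$write" = YES ] && { echo "FINDING: write_enable together with anonymous access"; rc=1; }
    [ "$local_on" = YES ] && [ "$chroot" != YES ] && { echo "FINDING: local users are not chrooted"; rc=1; }
    return $rc
}
```

`audit_vsftpd < /etc/vsftpd.conf` checks the live file; the Testing section's `ftp 192.168.1.16` login still works with the hardened variant, but only for accounts that exist on the server.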
Testing
Type the following command and then enter the username and password to log in. Once the verification is done, the user or client can also make changes to the files
ftp 192.168.1.16
NFS
Network File System (NFS) is used for sharing files with other computers on the network. It is a distributed file system protocol.
NFS server
1. Initially, the repositories should be updated
sudo apt-get update
2. Next, install the NFS server package
sudo apt-get install nfs-kernel-server
3. Then, make the directories which are to be shared with other devices
sudo mkdir /shome
sudo mkdir /home
4. /etc/exports is the main config file for NFS; add the following lines to the file
/shome 192.168.1.0/24(rw,sync,no_root_squash)
/home 192.168.1.0/24(rw,sync,no_root_squash)
5. Now, start the service
sudo /etc/init.d/nfs-kernel-server start
6. Check the NFS share status with the following command
sudo exportfs -v
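The exports in step 4 use `no_root_squash`, which lets root on any host in 192.168.1.0/24 act as root inside /home on the server. The script below is an added example, not the project's file: it shows the page's exports beside a variant that keeps root squashed, and includes an audit that parses the /etc/exports format and reports exports granted to every host or with root squashing turned off. The `no_subtree_check` option in the hardened variant is this example's addition.

```shell
#!/bin/sh
# Added example, not part of the original project. Parses /etc/exports lines
# ("path host(options) ...") and reports the two risky settings.

# Exports as written in step 4.
exports_from_page() {
    cat <<'EOF'
/shome 192.168.1.0/24(rw,sync,no_root_squash)
/home 192.168.1.0/24(rw,sync,no_root_squash)
EOF
}

# Same shares with remote root mapped to nobody (root_squash is the default;
# it is spelled out so a later edit cannot quietly flip it).
exports_hardened() {
    cat <<'EOF'
/shome 192.168.1.0/24(rw,sync,root_squash,no_subtree_check)
/home  192.168.1.0/24(rw,sync,root_squash,no_subtree_check)
EOF
}

# Print one FINDING line per problem; exit status 1 when any were found.
audit_exports() {   # reads an exports file on stdin
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; sub(/\(.*/, "", host)
            opts = $i
            if (opts ~ /\(/) { sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) } else opts = ""
            if (host == "" || host == "*")
                { print "FINDING " path ": exported to every host"; found++ }
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                { print "FINDING " path " (" host "): remote root is not squashed"; found++ }
        }
    }
    END { exit (found > 0) }'
}
```

`audit_exports < /etc/exports` checks the live file; after changing it, `sudo exportfs -ra` re-reads it and `sudo exportfs -v` shows the options actually in effect, including the squash setting.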
NFS Client
1. Install the NFS client and its dependencies
sudo apt-get install nfs-common rpcbind
2. Create a directory /rhome
sudo mkdir /rhome
3. Mount the remote share /shome on local directory /rhome
sudo mount 192.168.1.16:/shome /rhome
4. Add the following line to the /etc/fstab file for a permanent mount
192.168.1.16:/shome /rhome nfs rw,sync,hard,intr 0 0
Testing
NFS Server
The two files text1 and text2 are created in the NFS server's /shome directory, and two files text3 and text4 are created on the NFS client. Since the directory is mounted, all of them appear in both folders.
NFS Client
VPN
A VPN is configured to give a remote client access to the private network through a tunnel.
Configuration
1. Install the "pptpd" package
sudo apt-get install pptpd
2. Edit the file /etc/pptpd.conf as follows
sudo nano /etc/pptpd.conf
localip <IP of VPN server>
remoteip <range of IPs for VPN clients>
3. Edit the /etc/ppp/pptpd-options file.
sudo nano /etc/ppp/pptpd-options
ms-dns 192.168.1.9
ms-dns 192.168.1.10
4. Set the user ID and password for users
sudo nano /etc/ppp/chap-secrets
sukumar pptp sukumar *
Note: * indicates access for all users (IPs) in the same network.
Testing
1. Test that the VPN is working by checking the interfaces.
ifconfig
NTP
NTP stands for Network Time Protocol. The NTP server supplies the date and time to the users connected to the server.
Configuration
1. Install the "ntp" package
sudo apt-get install ntp
2. Edit the servers
sudo nano /etc/ntp.conf
3. Restart the NTP server using command
/etc/init.d/ntp restart
4. Use the command to check the servers
ntpq -p
Testing
Note: The implementation is tested with Windows as the client.
NIS
Network Information Service (NIS) is a client-server protocol for distributing system configuration data, such as user names and passwords, between computers on a network. NIS was originally called Yellow Pages (YP).
NIS Server
1. Install portmap and NIS, and update portmap
sudo apt-get install portmap
sudo update-rc.d rpcbind defaults 10
sudo apt-get install nis
2. Edit the file /etc/default/nis as follows
NISSERVER=master
NISCLIENT=false
3. Edit the file /etc/ypserv.securenets by adding the IP address range that will be given access to the NIS server, and comment out the 0.0.0.0 line that grants access to everyone; then edit /var/yp/Makefile to give all hosts permission to use NIS
255.255.255.0 192.168.1.0
#0.0.0.0 0.0.0.0
4. Restart NIS and portmap
sudo service portmap restart
sudo service nis restart
5. Build NIS database
sudo /usr/lib/yp/ypinit -m
6. Add users to NIS database
sudo useradd -d /home/user1 -m user1
sudo useradd -d /home/user2 -m user2
7. Create passwords for these accounts
sudo passwd username
8. All user accounts can be seen by typing cat /etc/passwd
9. To enter the changes into database, type
cd /var/yp
sudo make
NIS Client
1. Install portmap and NIS, and update portmap
sudo apt-get install portmap
sudo update-rc.d rpcbind defaults 10
sudo apt-get install nis
2. Edit the /etc/hosts file to add the NIS server's IP address and domain name
3. Then, edit /etc/yp.conf to add the domain and server name
4. Edit the /etc/nsswitch.conf file so that NIS is used as the fallback for password information when /etc/passwd does not have the entry
passwd: nis compat
group: nis compat
shadow: nis compat
5. To modify the permissions on the /home folder so that users are allowed to read, write and execute files, type the following command
sudo chmod 777 /home
6. Then reboot the client machine
sudo reboot
Testing
Use the command 'ypcat passwd' to test NIS.
Future Improvements
- DHCP Superscope: A DHCP superscope gives DHCP servers the flexibility to allocate addresses from multiple ranges to the subnets. This allows the company to expand the network with a smooth transition without affecting the existing setup. The superscope is more flexible, and it is configured by simply adding the next subnet in the DHCP configuration file.
- Security: The overall security of the network can be improved by installing an IPS and IDS to monitor and assess the behaviour of the traffic flowing to all the servers.
Conclusion
A robust, intelligent and secure network is designed for a corporate organisation, consisting of a DNS server, DHCP server, web server and firewall as key network elements.
References
- http://www.servermom.org/how-to-add-new-site-into-your-apache-basedubuntu-server/272/
- http://askubuntu.com/questions/389399/setup-localhost-site-in-apache
- https://www.youtube.com/watch?v=XKfhOQWrUVw
Books
- Kurose, Ross, "Computer Networking: A Top-Down Approach", 6th edition, Pearson Education, Inc.
- Ralph Droms, Ted Lemon, "The DHCP Handbook"
- Cricket Liu, Paul Albitz, "DNS and BIND" (O'Reilly)