Data Networking/Fall 2015/Neha Inampudi
Objective of the Project
editTo design and implement a robust, secure, dynamic and intelligent network that supports Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Web Server, Firewall and Backup system in the Linux Operating System.
Project Team
edit- Deepika Venugopalsamy Ranganathan
- Kavya Ramaraju
- Neha Inampudi
- Rashmi Reddy
Elements of the Network
editThe main elements in the network are:
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name System (DNS)
- Webserver and Firewall
- Backup
Dynamic Host Configuration Protocol (DHCP)
editThe Dynamic Host Configuration Protocol allows a host on a network to receive configuration parameters including an IP address at boot time for communication. It can provide a complete set of TCP/IP configuration parameters and allows the dynamic assignment of IP addresses for a fixed lease. DHCP offers the following advantages as a network administrator:
- An IP address can be assigned to a client for only as long as the client remains connected to the network.
- It allows a limited pool of IP addresses to be shared among a number of clients that do not require permanent IP addresses.
- Addresses become automatically available again at the expiration of a period of time, without requiring you to take any action.
Behavior of the protocol
editDHCP is an application layer protocol that uses the services of UDP to dynamically allocate IP addresses to the hosts. The port number is 67.
Signalling
edit- When a client enters the network, it broadcasts a DHCPdiscover message to all the DHCP servers.
- The DHCP server on receiving the discover message, unicasts an offer message to the client.
- The client accepts the offer and responds with a request message for the IP address.
- The server responds back with an acknowledgement message.
Steps to configure DHCP server
editIPV4:
Step 1: Update all packages
sudo apt-get update sudo apt-get install isc-dhcp-server sudo apt-get install radvd
Step 2: Configure DHCP
sudo nano /etc/dhcp/dhcpd.conf
Step 3: Modify the interfaces file
sudo nano -w etc/network/interfaces
Step 4: Modify the interfaces file
sudo nano –w /etc/default/isc-dhcp-server
Similar to the IPv4 configuration, the IPv6 configuration is done as given below
IPV6:
Step 1:
sudo nano /etc/dhcp/dhcpd6.conf
Step 2:
nano -w etc/network/interfaces
Step 3:
sudo nano -w etc/dhcp/radvd.conf
Step 4:
sudo nano -w /etc/sysctl.conf
Client:
sudo nano -w etc/network/interfaces
After configuring and saving the dhcp file we need to start the dhcp server using below commands.
Testing
editDHCP is tested successfully by checking if the DHCP server assigns IP address to the connected client in the communication network from a given range of IP addresses. Output takes a IP range for IPV4 as 192.168.1.168 which is from the range 192.168.1.110 to 192.168.1.200 given in dhcp.conf file and similarly with IPV6 is assigned as 2003:db8:0:2:a12b:8f4c:b6d9:8863/64 from given range in dhcpd6.conf file.
Domain Name System (DNS)
editThe Domain Name System (DNS) is a service of the internet that translates hostnames into the corresponding IP addresses. DNS serves as the phonebook for the internet. It is a distributed database that is implemented in a hierarchy of DNS servers. It is an application layer protocol that allows the hosts to query the distributed database. The DNS protocol runs over UDP and uses port 53.
Behavior of the protocol
editWhen a host requests for a particular URL, the browser extracts the hostname from the URL and passes it to the client side of DNS application. The DNS client sends a query containing the hostname to the DNS server. The client will eventually receive a reply that contains the IP address for the hostname requested. Thus, the hostname to IP address mapping is done by DNS.
DNS Server
editThe DNS servers are in distributed database that have hierarchical servers starting from the Root DNS server, Top-Level Domain servers (TLDs) and Authoritative servers. The records of the authoritative servers are uploaded into DNS by registrars who are certified by Internet Cooperation for Assigned Names and Numbers (ICANN).
Signalling
edit1. The client will first contact the local DNS server with the DNS query containing the hostname.
2. The local DNS server forwards the query to the root DNS server. The root DNS server sends a reply to the local DNS with a list of the possible TLD servers.
3. The local DNS server sends its query message to one of the TLD servers.
4. The TLD server responds back with the IP address of the authoritative name server to the local DNS server.
5. The local DNS server then sends its query to the authoritative DNS server which responds back with the IP address for the queried hostname.
Configuration of DNS
editThe configuration of DNS can be done by using various software, namely:
- BIND
- POSADIS
- POWER DNS
For configuring the DNS server we use BIND (Berkley Internet Name Domain) version 9 as it provides a robust architecture and it is used by a large variety of name server on the internet. BIND also supports important features like DNS security and multiprocessor support.
Steps to configure DNS
editStep 1: Update the repositories
sudo apt-get update
Step 2: Install bind9
sudo apt-get install bind9
Step 3: Assign a static IP address
sudo gedit /etc/network/interfaces
Step 4: Edit the hosts file
sudo gedit /etc/hosts
Step 5: Edit the hostname file
sudo gedit /etc/hostname
Step 6: Manage name server information
sudo gedit /etc/resolvconf/resolv.conf.d/head
Step 7: Define forward and reverse lookup zones
sudo gedit /etc/bind/named.conf.local
Step 8: Caching nameserver
sudo gedit /etc/bind/named.conf.options
Step 9: Edit the forward lookup file
sudo gedit /etc/bind/db.dknr.com
Step 10: Edit the reverse lookup file
sudo gedit /etc/bind/db.192
Once the master is done, the slave is configured in a different virtual machine and different forward and reverse lookup zones are defined.
Testing
editWe basically use nslookup command to test DNS. Try nslookup <hostname> from all PCs in the network and it should show the translated IP. Also test reverse lookup. Apart from nslookup we can also use dig, host commands to test DNS.
Webserver, Firewall and Backup
editWebserver
editServer is used to store the data and retrieve the information when required. When a client requests for an IP address, the webserver fetches the information and displays the corresponding HTML page. Since requests can occur at anytime, the server is made to be always on where the client communicates at any time.
Behavior of the protocol
editThe HTTP protocol is used to access the web content by the client. HTTP is an application layer protocol which is implemented at port 80 using the services of reliable TCP (RFC 2616). Before requesting for the web page, a three way handshake TCP connection is initiated by the client with the web server. After the connection is established the web page is requested by the client. The server then fetches the HTML page and replies to the client using TCP. A persistent or non persistent TCP connection may be established between the client and the server.
Configuration of webserver
editThe webserver can be configured using one of the following:
- Apache2 HTTP server
- NGINX
- Windows webserver
In the given scenario, since a small number of websites are required to be hosted for a small network, Apache 2 will be configured and implemented as speed is not a major concern. The Apache web server is the most well known method for serving web content on the web. It represents more than half of every single dynamic site on the web and is greatly capable and adaptable. The fundamental unit that portrays an individual site or area is known as a virtual host.
Signalling
editThe client initiates a TCP connection with the web server IP provider. The connection involves a 3 way handshake mechanism. First, the clients sends a SYN message requesting TCP connection to the browser at port 80. The server responds with a SYN-ACK message acknowledging the request and requests the client to open a port for the server to send information. The client responds with the ACK message and also sends a request for the HTML page.
Steps to configure webserver
editStep 1: Install Apache2 on the server.
sudo apt-get update sudo apt-get install apache2
Step 2: Creating the directory structure
sudo mkdir -p /var/www/dknr.com/public_html
Step 3: To grant permissions
sudo chown -r $USER:$USER /var/www/dknr.com/public_html
Step 4: To modify permissions
sudo chmod -R 755/var/www
Step 5: Creating demo page on virtual host. The page is created to test the virtual host configuration.
nano /var/www/dknr.com/public_html/index.html
Step 6: Creating new virtual host files
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/dknr.com.conf
Further steps in opening new file with root privileges:
sudo nano /etc/apache2/sites-available/dknr.com.conf
The file looks like below:
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog %{APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
We will be customizing few of the commands and add few directories so that this virtual hosts section matches any request that are made on port 80(default HTTP port)
- ServerAdmin is changed to admin@dknr.com
- ‘ServerName dknr.com’ is added as it establishes the base domain that matches for the virtual host definition
- ‘ServerAlias www.dknr.com’ is added which defines the name that are to be matched if they had the same base name.
- DocumentRoot is being changed to /var/www/dknr.com/public_html (We are changing the location of the document root for this domain)
Finally the virtual host file after modification should be:
<VirtualHost *:80> ServerAdmin admin@dknr.com ServerName dknr.com ServerAlias www.dknr.com DocumentRoot /var/www/dknr.com/public_html ErrorLog %{APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Step 7: Enabling the new virtual host file
sudo a2ensite dknr.com.conf
After executing the command restart Apache for the changes made to take effect:
sudo service apache2 restart.
Step 8: Setting up local hosts file
sudo nano /etc/hosts
The details we should be adding are the public IP address and the domain of VPS server. Thus the file looks like
127.0.0.1 localhost 127.0.1.1 ubuntu 192.168.1.10 dknr.com 192.168.1.10 www.dknr.com
This directs the requests for dknr.com on the system and sends it to the server at 192.169.1.10. Save and close the file.
Testing
edit- Before configuration of web page opening the browser by typing localhost or 127.0.0.1 or IP address of the web server in the address bar displays the default web page of apache server.
- After configuration, to test the results go to the web browser and type IP address of the webserver or type local host, configured webpage is displayed
- If the HTML page is created in a different directory and localhost is entered in the address bar of web browser the webpage says “FORBIDDEN |Cannot view the contents of the page”
- If the HTML page is created at different directory and if the path is defined in /var/apache2/sites-enabled/000-default.conf, configured web page is displayed.
Firewall
editA firewall is a framework utilized for keeping unapproved access to or from a system. It could either be an equipment or a product. Firewall gives security to any system (private system) from different systems or unintended client. The usefulness of the firewall is to block and filter packets to go into the system. The firewall can for a system or even a specific server with bunches of databases or confidential data which is being shielded from unapproved clients in/outside the system.
Configuring commands on any Linux terminal machine (web server/DNS server/DHCP server) and set of standards are connected with the goal that it will drop certain packets and permit the rest.
Packages used
editIP tables are used to modify the set of rules to restrict or allow the packets.
Steps to configure firewall
editStep 1: Install or update iptables package
sudo apt-get install iptables
Step 2: Enable telnet
sudo apt-get install telnetd
Step 3: Enable ssh login
sudo apt-get install openssh-server
Step 4: Policy Chain Default Behavior
iptables -L |grep policy
Step 5: Change the behavior of the chain
iptables --policy INPUT ACCEPT iptables --policy OUTPUT ACCEPT iptables --policy FORWARD ACCEPT
Step 6: Allowing and blocking specific connections
iptables -A INPUT -s 192.168.1.110 -j DROP
Step 7: Allowing and blocking SSH connections
iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -j DROP
Step 8: Connection States
iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -d 192.168.1.110 -m state --state ESTABLISHED -j ACCEPT
Step 9: Block ICMP
sudo iptables -A INPUT -s 192.168.1.110 -p icmp --icmp-type echo-request -j DROP
Step 10: Block FTP
sudo iptables -A INPUT -p tcp --destination-port 21 -j DROP
Step 11: Block Telnet
sudo iptables -A INPUT -p tcp -s 192.168.1.110 --dport telnet -j DROP
Saving the configuration of IP tables
editTo save all the changes we made in the configuration.
sudo /sbin/iptables-save
Testing
editTo list all the rules configured in the firewall
sudo iptables -L
- After configuring the firewall rules restart the server.
- Before configuration client in the network should be able to ping, telnet and access the web page from webserver.
- After configuring the firewall no client will be able to ping and telnet the webserver and client with IP address 192.168.1.110 is not able to access web page.
Backup
editBackup is the process of saving data in another location which can be recovered from in case of any data loss. In case the web server loses the data or in case of extra load on web server we can use this backup data to retrieve information. We sync the data with another server which keeps track of information in the directory. Hence it uses dynamic updating by copying files which are modified. Thus we use Remote Sync (RSync) in ubuntu. In this project a backup of webserver in made in the DNS Server and backup is scheduled every 1 hour which implies that the data of web server is copied to backup location every hour. In case of any failure a copy of data is saved at the destined location.
Steps to configure backup
editSince we are taking back up in DNS server we run apache on both the machines which will make it run like a web server in another linux machine. After installing apache server in both machines we follow these steps for setting up backup.
Step 1: Installing Apache in backup server
sudo apt-get install apache2
Step 2: Install Rsync in both the webserver and backup server
sudo- apt-get install rsync
Step 3: Backup within another directory
sudo rsync -avz --progress /var/www/ /path of backup directory/
Step 4: Install the SSH Rsync (In webserver and backup server)
sudo apt-get install ssh rsync
Step 5: To put backup in another server (Executed in backup server)
sudo rsync -avz -progress -e ssh admin@192.168.1.15 /var/www/path of backup directory/
Step 6: Schedule backup every 5 minutes
sudo crontab -e 60 00 *** rsync -avz -progress -e ssh admin@192.168.1.15 /var/www/ /path of backup directory/
Testing
editAfter executing commands in the backup server and the copy of web server, file was successfully transferred to the path mentioned in the backup server. When a change was made to the file and after execution of the scheduling command in the backup server, noted that the new file was transferred to the specified backup location.
Algorithm
edit1. Client attempts to join the network : dknr
- If the client is valid
- Successfully connect to dknr
- Else
- Restart connection or contact network administrator for troubleshooting
2. Client needs to acquire IP address from the DHCP server
- Check if wlan interface is set to static or to automatic (DHCP)
- If static
- Change to automatic (DHCP)
- Else (DHCP discover)
- Contact DHCP server to get the IP address, gateway IP address, DHCP server details, DNS server details.
- If DHCP allocation is successful
- Server replies with an IP address to be allocated
- Else
- DHCP server replies with a request failed response
- Then
- Restart the connection or contact the network administrator for troubleshooting
3. After DHCP request is successful, the client attempts to connect to the network and access www.dknr.com via web browser
4. If DNS request was successfully resolved, the client requests the web page from the web server
- Client sends HTTP request to server
- If HTTP request is successful
- Webpage is displayed
- Else
- Webpage is not loaded
Add-ons Implemented (Additional Features)
editVPN Configuration
editVPN is a service that broadens the private system over an open system i.e. it approves us to get to a private system from outside. A client from outside can get to the private system with same needs as are given to a root client in a private system. The VPN is setup when the remote customer when it enters the SSID and the secret word of the entrance system. Along these lines, we can say that VPN is accessed with a secured association.
Steps to configure VPN
editStep 1: Install package to configure VPN
sudo apt-get install pptpd
Step 2: Edit the files
sudo nano /etc/pptpd.conf localip 192.168.1.11 (IP address of VPN server) remoteip 192.168.1.15 192.168.1.30
Step 3: Edit the /etc/ppp/pptpd-options file
sudo nano /etc/ppp/pptpd-options ms-dns 192.168.1.254
Step 4: Create userid and password
sudo nano /etc/ppp/chap-secrets user pptpd password *
Step 5: Restart the pptpd server
sudo /etc/init.d/pptpd restart
Mail Server
editA mail server is a program, also by expansion of the PC on which it runs, which is responsible for receiving, sorting and distribution of message from one PC onto the next electronics mail. It is against the mail customer ( mail client operators ) present on the machine rather than the end client.
The default mail transfer agent in ubuntu is Postfix and the framework on linux is called mailer daemon.
Steps to configure Mail Server
editStep 1: Install postfix
sudo apt-get install postfix
Step 2: Configuring postfix
sudo dpkg-reconfigure postfix
Step 3: Configuration of mailbox format for Maildir
sudo postconf -e ‘home_mailbox = Maildir/’ sudo postconf -e ‘mailbox_command =’
Step 4: Configure Postfix for SMTP AUTH using SASL
sudo postconf -e ‘smtpd_sasl_local_domain =’ sudo postconf -e ‘smtpd_sasl_auth_enable = yes’ sudo postconf -e ‘smtpd_sasl_security_options = noanonymous’ sudo postconf -e ‘broken_sasl_auth_clients = yes’ sudo postconf -e ‘smtpd_recepient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination’ sudo postconf -e ‘inet_interfaces = all’
Certificates are generated which are to be used for TLS encryption or/and certificate authentication.
touch smtpd.key chmod 600 smtpd.key openssl genrsa 1024 >smtpd.key openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt #has prompts openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -outcacert.pem -days 3650 #hasprompts
sudo mv smtpd.key /etc/ssl/private/ sudo mv smtpd.crt /etc/ssl/certs/ sudo mv cakey.pem /etc/ssl/private/ sudo mv cakey.pem /etc/ssl/certs/
Step 5: Configuration of Postfix to do TLS encryption for incoming and outgoing mails.
sudo postconf -e ‘smtp_tls_security_level = may’
Step 6: Restart postfix daemon
sudo /etc/init.d/postfix restart
Network File System(NFS)
editNFS allows one to share a directory that is located on one of the devices in a network to other devices in the same network much like accessing a local storage. A server is a device on which directory is located and clients are devices connecting to this server, Client should mount the shared directory to make it a part of their own directory.
Steps to configure NFS Server
editStep 1: Update repository
sudo apt-get update
Step 2: Install NSF package
sudo apt-get install nfs-kernel-server
Step 3: Create directory to share
sudo mkdir/shome
Step 4: Configuring /etc/exports for NFS
sudo nano /etc/exports /shome 192.168.1.0/24 (rw,sync,no_root_squash)
Step 5: Start the service
sudo /etc/init.d/nfs-kernel-server start
Step 6: Check the status of the NFS share status
sudo exportfs -u
Step 7: Restart the server
sudo service nfs-kernel-server restart
Steps to configure NFS Client
editStep 1: Install NFS for client and its dependencies
sudo apt-get update sudo apt-get install nfs-common rpcbind
Step 2: Create a directory
sudo mkdir/rhome
Step 3: Mounting the remote share /shome on local directory /rhome
sudo mount 192.168.10.42:/shome/rhome 192.168.1.42:/shome/rhome nfs rw,sync,hard, int 0 0 #(adding to permanent mount in /etc/fstab file)
Step 4: Checking the mounted share directory using mount command
mount
Future Improvements
edit- Adding additional rules in Firewall to improve security for protection from malicious attacks.
- Increase the number of DNS servers for purposes of backup, load distribution and decentralization.
- IPv6 and IPv4 should be supported simultaneously
- Extend the server abilities to oblige numerous more uses utilizing in the meantime.
- Integrating so as to include security for mail server classification, respectability and more confirmation choices by utilizing strategies, for example, RSA, DES, MD5, including authentications and so forth.
References
editWebsites Referred:
1. https://help.ubuntu.com/community/Postfix
2. https://help.ubuntu.com/community/isc-dhcp-server
4. http://net.tutsplus.com/tutorials/other/the-linux-firewall
5. https://help.ubuntu.com/lts/serverguide/dns-configuration.html
6. https://help.ubuntu.com/lts/serverguide/httpd.html
Books Referred:
1. Computer Networking: A Top-Down Approach, 6/e James F. Kurose, Keith W. Ross