Data Networking/Fall 2015/Neha Inampudi

To design and implement a robust, secure, dynamic and intelligent network that supports Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Web Server, Firewall and Backup system in the Linux Operating System.

• Deepika Venugopalsamy Ranganathan

• Kavya Ramaraju

• Neha Inampudi

• Rashmi Reddy

The main elements in the network are:

• Dynamic Host Configuration Protocol (DHCP)

• Domain Name System (DNS)

• Webserver and Firewall

• Backup

The Dynamic Host Configuration Protocol allows a host on a network to receive configuration parameters including an IP address at boot time for communication. It can provide a complete set of TCP/IP configuration parameters and allows the dynamic assignment of IP addresses for a fixed lease. DHCP offers the following advantages as a network administrator:

• An IP address can be assigned to a client for only as long as the client remains connected to the network.
• It allows a limited pool of IP addresses to be shared among a number of clients that do not require permanent IP addresses.
• Addresses become automatically available again at the expiration of a period of time, without requiring you to take any action.

Behavior of the protocol edit

DHCP is an application layer protocol that uses the services of UDP to dynamically allocate IP addresses to the hosts. The port number is 67.

Signalling edit

1. When a client enters the network, it broadcasts a DHCPdiscover message to all the DHCP servers.
2. The DHCP server on receiving the discover message, unicasts an offer message to the client.
3. The client accepts the offer and responds with a request message for the IP address.
4. The server responds back with an acknowledgement message.

Steps to configure DHCP server edit

IPV4:

Step 1: Update all packages

sudo apt-get update
sudo apt-get install isc-dhcp-server
sudo apt-get install radvd

Step 2: Configure DHCP

sudo  nano /etc/dhcp/dhcpd.conf

Step 3: Modify the interfaces file

sudo nano -w etc/network/interfaces

Step 4: Modify the interfaces file

sudo nano –w /etc/default/isc-dhcp-server

Similar to the IPv4 configuration, the IPv6 configuration is done as given below

IPV6:

Step 1:

sudo nano /etc/dhcp/dhcpd6.conf

Step 2:

nano -w etc/network/interfaces

Step 3:

sudo nano -w etc/dhcp/radvd.conf

Step 4:

sudo nano -w /etc/sysctl.conf

Client:

sudo nano -w etc/network/interfaces

After configuring and saving the dhcp file we need to start the dhcp server using below commands.

Testing edit

DHCP is tested successfully by checking if the DHCP server assigns IP address to the connected client in the communication network from a given range of IP addresses. Output takes a IP range for IPV4 as 192.168.1.168 which is from the range 192.168.1.110 to 192.168.1.200 given in dhcp.conf file and similarly with IPV6 is assigned as 2003:db8:0:2:a12b:8f4c:b6d9:8863/64 from given range in dhcpd6.conf file.

The Domain Name System (DNS) is a service of the internet that translates hostnames into the corresponding IP addresses. DNS serves as the phonebook for the internet. It is a distributed database that is implemented in a hierarchy of DNS servers. It is an application layer protocol that allows the hosts to query the distributed database. The DNS protocol runs over UDP and uses port 53.

Behavior of the protocol edit

When a host requests for a particular URL, the browser extracts the hostname from the URL and passes it to the client side of DNS application. The DNS client sends a query containing the hostname to the DNS server. The client will eventually receive a reply that contains the IP address for the hostname requested. Thus, the hostname to IP address mapping is done by DNS.

DNS Server edit

The DNS servers are in distributed database that have hierarchical servers starting from the Root DNS server, Top-Level Domain servers (TLDs) and Authoritative servers. The records of the authoritative servers are uploaded into DNS by registrars who are certified by Internet Cooperation for Assigned Names and Numbers (ICANN).

Signalling edit

1. The client will first contact the local DNS server with the DNS query containing the hostname.

2. The local DNS server forwards the query to the root DNS server. The root DNS server sends a reply to the local DNS with a list of the possible TLD servers.

3. The local DNS server sends its query message to one of the TLD servers.

4. The TLD server responds back with the IP address of the authoritative name server to the local DNS server.

5. The local DNS server then sends its query to the authoritative DNS server which responds back with the IP address for the queried hostname.

Configuration of DNS edit

The configuration of DNS can be done by using various software, namely:

• BIND

• POSADIS

• POWER DNS

For configuring the DNS server we use BIND (Berkley Internet Name Domain) version 9 as it provides a robust architecture and it is used by a large variety of name server on the internet. BIND also supports important features like DNS security and multiprocessor support.

Steps to configure DNS edit

Step 1: Update the repositories

sudo apt-get update

Step 2: Install bind9

sudo apt-get install bind9

Step 3: Assign a static IP address

sudo gedit /etc/network/interfaces

Step 4: Edit the hosts file

sudo gedit /etc/hosts

Step 5: Edit the hostname file

sudo gedit /etc/hostname

Step 6: Manage name server information

sudo gedit /etc/resolvconf/resolv.conf.d/head

Step 7: Define forward and reverse lookup zones

sudo gedit /etc/bind/named.conf.local

Step 8: Caching nameserver

sudo gedit /etc/bind/named.conf.options

Step 9: Edit the forward lookup file

sudo gedit /etc/bind/db.dknr.com

Step 10: Edit the reverse lookup file

sudo gedit /etc/bind/db.192

Once the master is done, the slave is configured in a different virtual machine and different forward and reverse lookup zones are defined.

Testing edit

We basically use nslookup command to test DNS. Try nslookup <hostname> from all PCs in the network and it should show the translated IP. Also test reverse lookup. Apart from nslookup we can also use dig, host commands to test DNS.

Webserver edit

Server is used to store the data and retrieve the information when required. When a client requests for an IP address, the webserver fetches the information and displays the corresponding HTML page. Since requests can occur at anytime, the server is made to be always on where the client communicates at any time.

Behavior of the protocol edit

The HTTP protocol is used to access the web content by the client. HTTP is an application layer protocol which is implemented at port 80 using the services of reliable TCP (RFC 2616). Before requesting for the web page, a three way handshake TCP connection is initiated by the client with the web server. After the connection is established the web page is requested by the client. The server then fetches the HTML page and replies to the client using TCP. A persistent or non persistent TCP connection may be established between the client and the server.

Configuration of webserver edit

The webserver can be configured using one of the following:

• Apache2 HTTP server
• NGINX
• Windows webserver

In the given scenario, since a small number of websites are required to be hosted for a small network, Apache 2 will be configured and implemented as speed is not a major concern. The Apache web server is the most well known method for serving web content on the web. It represents more than half of every single dynamic site on the web and is greatly capable and adaptable. The fundamental unit that portrays an individual site or area is known as a virtual host.

Signalling edit

The client initiates a TCP connection with the web server IP provider. The connection involves a 3 way handshake mechanism. First, the clients sends a SYN message requesting TCP connection to the browser at port 80. The server responds with a SYN-ACK message acknowledging the request and requests the client to open a port for the server to send information. The client responds with the ACK message and also sends a request for the HTML page.

Steps to configure webserver edit

Step 1: Install Apache2 on the server.

sudo apt-get update
sudo apt-get install apache2

Step 2: Creating the directory structure

sudo mkdir -p /var/www/dknr.com/public_html

Step 3: To grant permissions

sudo chown -r $USER:$USER /var/www/dknr.com/public_html

Step 4: To modify permissions

sudo chmod -R 755/var/www

Step 5: Creating demo page on virtual host. The page is created to test the virtual host configuration.

nano /var/www/dknr.com/public_html/index.html

Step 6: Creating new virtual host files

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/dknr.com.conf

Further steps in opening new file with root privileges:

sudo nano /etc/apache2/sites-available/dknr.com.conf

The file looks like below:

<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/html
   ErrorLog %{APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We will be customizing few of the commands and add few directories so that this virtual hosts section matches any request that are made on port 80(default HTTP port)

• ServerAdmin is changed to admin@dknr.com
• ‘ServerName dknr.com’ is added as it establishes the base domain that matches for the virtual host definition
• ‘ServerAlias www.dknr.com’ is added which defines the name that are to be matched if they had the same base name.
• DocumentRoot is being changed to /var/www/dknr.com/public_html (We are changing the location of the document root for this domain)

Finally the virtual host file after modification should be:

<VirtualHost *:80>
   ServerAdmin admin@dknr.com
   ServerName dknr.com
   ServerAlias www.dknr.com
   DocumentRoot /var/www/dknr.com/public_html
   ErrorLog %{APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Step 7: Enabling the new virtual host file

sudo a2ensite dknr.com.conf

After executing the command restart Apache for the changes made to take effect:

sudo service apache2 restart.

Step 8: Setting up local hosts file

sudo nano /etc/hosts

The details we should be adding are the public IP address and the domain of VPS server. Thus the file looks like

127.0.0.1      localhost
127.0.1.1      ubuntu
192.168.1.10   dknr.com
192.168.1.10   www.dknr.com

This directs the requests for dknr.com on the system and sends it to the server at 192.169.1.10. Save and close the file.

Testing edit

• Before configuration of web page opening the browser by typing localhost or 127.0.0.1 or IP address of the web server in the address bar displays the default web page of apache server.
• After configuration, to test the results go to the web browser and type IP address of the webserver or type local host, configured webpage is displayed
• If the HTML page is created in a different directory and localhost is entered in the address bar of web browser the webpage says “FORBIDDEN |Cannot view the contents of the page”
• If the HTML page is created at different directory and if the path is defined in /var/apache2/sites-enabled/000-default.conf, configured web page is displayed.

Firewall edit

A firewall is a framework utilized for keeping unapproved access to or from a system. It could either be an equipment or a product. Firewall gives security to any system (private system) from different systems or unintended client. The usefulness of the firewall is to block and filter packets to go into the system. The firewall can for a system or even a specific server with bunches of databases or confidential data which is being shielded from unapproved clients in/outside the system.

Configuring commands on any Linux terminal machine (web server/DNS server/DHCP server) and set of standards are connected with the goal that it will drop certain packets and permit the rest.

Packages used edit

IP tables are used to modify the set of rules to restrict or allow the packets.

Steps to configure firewall edit

Step 1: Install or update iptables package

sudo apt-get install iptables

Step 2: Enable telnet

sudo apt-get install telnetd

Step 3: Enable ssh login

sudo apt-get install openssh-server

Step 4: Policy Chain Default Behavior

iptables -L |grep policy

Step 5: Change the behavior of the chain

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

Step 6: Allowing and blocking specific connections

iptables -A INPUT -s 192.168.1.110 -j DROP

Step 7: Allowing and blocking SSH connections

iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -j DROP

Step 8: Connection States

iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 192.168.1.110 -m state --state ESTABLISHED -j ACCEPT

Step 9: Block ICMP

sudo iptables -A INPUT -s 192.168.1.110 -p icmp --icmp-type echo-request -j DROP

Step 10: Block FTP

sudo iptables -A INPUT -p tcp --destination-port 21 -j DROP

Step 11: Block Telnet

sudo iptables -A INPUT -p tcp -s 192.168.1.110 --dport telnet -j DROP

Saving the configuration of IP tables edit

To save all the changes we made in the configuration.

sudo /sbin/iptables-save

Testing edit

To list all the rules configured in the firewall

sudo iptables -L

• After configuring the firewall rules restart the server.
• Before configuration client in the network should be able to ping, telnet and access the web page from webserver.
• After configuring the firewall no client will be able to ping and telnet the webserver and client with IP address 192.168.1.110 is not able to access web page.

Backup edit

Backup is the process of saving data in another location which can be recovered from in case of any data loss. In case the web server loses the data or in case of extra load on web server we can use this backup data to retrieve information. We sync the data with another server which keeps track of information in the directory. Hence it uses dynamic updating by copying files which are modified. Thus we use Remote Sync (RSync) in ubuntu. In this project a backup of webserver in made in the DNS Server and backup is scheduled every 1 hour which implies that the data of web server is copied to backup location every hour. In case of any failure a copy of data is saved at the destined location.

Steps to configure backup edit

Since we are taking back up in DNS server we run apache on both the machines which will make it run like a web server in another linux machine. After installing apache server in both machines we follow these steps for setting up backup.

Step 1: Installing Apache in backup server

sudo apt-get install apache2

Step 2: Install Rsync in both the webserver and backup server

sudo- apt-get install rsync

Step 3: Backup within another directory

sudo rsync -avz --progress /var/www/ /path of backup directory/	

Step 4: Install the SSH Rsync (In webserver and backup server)

sudo apt-get install ssh rsync

Step 5: To put backup in another server (Executed in backup server)

sudo rsync -avz -progress -e ssh admin@192.168.1.15 /var/www/path of backup directory/

Step 6: Schedule backup every 5 minutes

sudo crontab -e 60 00 *** rsync -avz -progress -e ssh admin@192.168.1.15 /var/www/ /path of backup directory/

Testing edit

After executing commands in the backup server and the copy of web server, file was successfully transferred to the path mentioned in the backup server. When a change was made to the file and after execution of the scheduling command in the backup server, noted that the new file was transferred to the specified backup location.

1. Client attempts to join the network : dknr

If the client is valid

Successfully connect to dknr

Else

Restart connection or contact network administrator for troubleshooting

2. Client needs to acquire IP address from the DHCP server

Check if wlan interface is set to static or to automatic (DHCP)

If static

Change to automatic (DHCP)

Else (DHCP discover)

Contact DHCP server to get the IP address, gateway IP address, DHCP server details, DNS server details.

If DHCP allocation is successful

Server replies with an IP address to be allocated

Else

DHCP server replies with a request failed response

Then

Restart the connection or contact the network administrator for troubleshooting

3. After DHCP request is successful, the client attempts to connect to the network and access www.dknr.com via web browser

4. If DNS request was successfully resolved, the client requests the web page from the web server

Client sends HTTP request to server

If HTTP request is successful

Webpage is displayed

Else

Webpage is not loaded

VPN Configuration edit

VPN is a service that broadens the private system over an open system i.e. it approves us to get to a private system from outside. A client from outside can get to the private system with same needs as are given to a root client in a private system. The VPN is setup when the remote customer when it enters the SSID and the secret word of the entrance system. Along these lines, we can say that VPN is accessed with a secured association.

Steps to configure VPN edit

Step 1: Install package to configure VPN

sudo apt-get install pptpd

Step 2: Edit the files

sudo nano /etc/pptpd.conf
localip 192.168.1.11 (IP address of VPN server)
remoteip 192.168.1.15 192.168.1.30

Step 3: Edit the /etc/ppp/pptpd-options file

sudo nano /etc/ppp/pptpd-options
ms-dns 192.168.1.254

Step 4: Create userid and password

sudo nano /etc/ppp/chap-secrets
user pptpd password * 

Step 5: Restart the pptpd server

sudo /etc/init.d/pptpd restart

Mail Server edit

A mail server is a program, also by expansion of the PC on which it runs, which is responsible for receiving, sorting and distribution of message from one PC onto the next electronics mail. It is against the mail customer ( mail client operators ) present on the machine rather than the end client.

The default mail transfer agent in ubuntu is Postfix and the framework on linux is called mailer daemon.

Steps to configure Mail Server edit

Step 1: Install postfix

sudo apt-get install postfix

Step 2: Configuring postfix

sudo dpkg-reconfigure postfix

Step 3: Configuration of mailbox format for Maildir

sudo postconf -e ‘home_mailbox = Maildir/’
sudo postconf -e ‘mailbox_command =’

Step 4: Configure Postfix for SMTP AUTH using SASL

sudo postconf -e ‘smtpd_sasl_local_domain =’
sudo postconf -e ‘smtpd_sasl_auth_enable = yes’
sudo postconf -e ‘smtpd_sasl_security_options = noanonymous’
sudo postconf -e ‘broken_sasl_auth_clients = yes’
sudo postconf -e ‘smtpd_recepient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination’
sudo postconf -e ‘inet_interfaces = all’

Certificates are generated which are to be used for TLS encryption or/and certificate authentication.

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 >smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt #has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -outcacert.pem -days 3650 #hasprompts

sudo mv smtpd.key /etc/ssl/private/ 
sudo mv smtpd.crt /etc/ssl/certs/   
sudo mv cakey.pem /etc/ssl/private/
sudo mv cakey.pem /etc/ssl/certs/

Step 5: Configuration of Postfix to do TLS encryption for incoming and outgoing mails.

sudo postconf -e ‘smtp_tls_security_level = may’

Step 6: Restart postfix daemon

sudo /etc/init.d/postfix restart

Network File System(NFS) edit

NFS allows one to share a directory that is located on one of the devices in a network to other devices in the same network much like accessing a local storage. A server is a device on which directory is located and clients are devices connecting to this server, Client should mount the shared directory to make it a part of their own directory.

Steps to configure NFS Server edit

Step 1: Update repository

sudo apt-get update

Step 2: Install NSF package

sudo apt-get install nfs-kernel-server

Step 3: Create directory to share

sudo mkdir/shome

Step 4: Configuring /etc/exports for NFS

sudo nano /etc/exports
/shome 192.168.1.0/24 (rw,sync,no_root_squash)

Step 5: Start the service

sudo /etc/init.d/nfs-kernel-server start

Step 6: Check the status of the NFS share status

sudo exportfs -u 

Step 7: Restart the server

sudo service nfs-kernel-server restart

Steps to configure NFS Client edit

Step 1: Install NFS for client and its dependencies

sudo apt-get update
sudo apt-get install nfs-common rpcbind

Step 2: Create a directory

sudo mkdir/rhome

Step 3: Mounting the remote share /shome on local directory /rhome

sudo mount 192.168.10.42:/shome/rhome 
192.168.1.42:/shome/rhome nfs rw,sync,hard, int 0 0 #(adding to permanent mount in /etc/fstab file)

Step 4: Checking the mounted share directory using mount command

mount

• Adding additional rules in Firewall to improve security for protection from malicious attacks.

• Increase the number of DNS servers for purposes of backup, load distribution and decentralization.

• IPv6 and IPv4 should be supported simultaneously

• Extend the server abilities to oblige numerous more uses utilizing in the meantime.

• Integrating so as to include security for mail server classification, respectability and more confirmation choices by utilizing strategies, for example, RSA, DES, MD5, including authentications and so forth.

Websites Referred:

1. https://help.ubuntu.com/community/Postfix

2. https://help.ubuntu.com/community/isc-dhcp-server

3. http://www.bind9.net

4. http://net.tutsplus.com/tutorials/other/the-linux-firewall

5. https://help.ubuntu.com/lts/serverguide/dns-configuration.html

6. https://help.ubuntu.com/lts/serverguide/httpd.html

Books Referred:

1. Computer Networking: A Top-Down Approach, 6/e James F. Kurose, Keith W. Ross