Data Networking/Fall 2015/Shrutik Patel
Group Members edit
1) Mugdha Gulati
2) Shrutik Patel
3) Dharak Savalia
4) Raj Kukadia
Motivation edit
Linux is an operating system i.e. a software that is used by the network engineers to control a network device to perform the desired function. The Linux operating systems transmit the control information to the processor. We had great opportunity to learn configuration of DNS server, DHCP server, Web server, Firewall, NIS, NFS, VPN and Backup server.
Understanding the Protocols edit
Domain Name System edit
DNS translates IP address to humanly devised names and vice versa. DNS distributes the responsibility of assigning domain names and mapping those names to IP addresses. It has a distributed database implemented in a hierarchy of different levels of name servers.
Protocol:
It is an application layer protocol which uses the services of UDP (Transport layer Protocol) at port number 53 (RFC 1035). A client will request for mapping of a host with a DNS request packet and the DNS server will fetch the associated record, encapsulates it in a reply packet and sends it via UDP.
Dynamic Host Configuration Protocol edit
The Dynamic Host Configuration (DHCP) is a client/server protocol based on TCP/IP network that automatically provides an Internet Protocol (IP) host with its IP address and other configuration information such as the subnet mask and default gateway (i.e. address of first-hop router). This TCP/IP standard reduces the complexity and administrative overhead of managing network client IPv4 / IPv6 addresses and other configuration parameters. A network administration can configure DHCP so that a given device/host receives the same IP address each time it connects to the server or a device/host can be assigned with different IP address each time it connects to the server. Since it has the ability to automate the network-related aspects of connecting a host into a network, it is also known as plug-and-play protocol.
The DHCP server stores the configuration information in a database that includes:
1. Valid TCP/IP configuration parameters for all clients on the network.
2. Valid IP address pool for assignment to clients, as well as excluded addresses.
3. Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.
4. The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.
A DHCP-enabled client, upon accepting a lease offer, receives:
1.A valid IP address for the subnet to which it is connecting.
2. Requested DHCP options, which are additional parameters that a DHCP server is configured to assign to clients. Some examples of DHCP options are Router (default gateway), DNS Servers and DNS Domain Name.
Web Server & Firewall edit
Web servers are one of the many servers that exist in the data center of any organization. It communicates with multiple browsers like Internet Explorer, Google Chrome, Firefox etcetera. It can run on multiple operating systems like Linux and Microsoft. Web servers are configured to host a particular website written on HTML. They have daemons running in their backend. Daemons are nothing but a software, for example, for a web server, HTTP is the daemon which uses port 80 and HTTPS uses port 443. Apache is the most popular web server and we have used its version 2.0.
A firewall follows a specific set of rules i.e. protocols to block or allow incoming and the outgoing traffic from the web server. A firewall forms a barrier between the trusted internal network and the external network i.e. the Internet. IP tables are used to block certain IP address to perform specific operations such as ICMP, Telnet, SSH and FTP. All the traffic that is not mentioned in the IP tables are blocked by the firewall.
Backup Server edit
Backup is used to store the data from a server to another sever so that in case of data loss it can be easily recovered. Secure Shell (SSH) protocol is used which uses RSA encryption and shares the public key to the remote host who should be able to access the local host. Secure Copy (SCP) is used to securely copy the backup file from the local host to the remote host.
The Address Resolution Protocol (ARP) and Scappy edit
Scapy is a tool that can be used for packet manipulation and is written in python. Scapy provide indirect access to libpcap. It allows to packet capture, manipulation and network discovery. Scapy can be used in many ways we will concentrate on ARP Poisoning using Scapy.
ARP Protocol is protocol used by devices to find or map IP address to corresponding MAC address. There are two types of ARP Packets ARP request and ARP reply. To poison a particular host it is best to use arp request from attacker MAC since some of latest ARP reply wont work and will be consider as gratuitous.
IPSec VPN edit
VPN protocol is used to develop a secured tunnel between two hosts. The data traversing through the tunnel is encrypted using AES 128 bit encryption. It is used for security purposes and to avoid eavesdropping and attacks from hackers. There are two types of VPN namely network to network and IPsec transport VPN. Here transport VPN is used since it is used within a network.
Network File System edit
Network File System(NFS)
NFS allow is implement so that the Files and Folder can be shared over network in control way. This has many advantage as common folder and files or projects people working on can shared and hence saves local memory. Many of removable drives which are not necessary or are required sometimes can be shared like CDROM, USB Thumb drives can be shared on network.
Steps for installation of NFS there are two parts one Server part (whose drives are shared), and other client part who can access the drives exported by Server machines.
Signaling edit
Domain Name System edit
DNS Query working:
DNS queries can be resolved in multiple ways. DNS server can use its cache to answer a query or contact other DNS servers on behalf of the client to resolve the name fully. When the DNS server receives a query, it first checks to see if it can answer it authoritatively, based on the resource record information contained in a locally configured zone on the server. If the queried name matches a corresponding resource record in the local zone information, the server answers authoritatively, using this information to resolve the queried name.
We have used BIND( Berkely Internet Name Domain) version 9 for because it can be used on majority of name serving machines on the internet and provide a robust architecture. Also we decided to use BIND because of its some important features like DNS security, DNS protocol enhancements and Multiprocessor support.
Dynamic Host Configuration Protocol edit
1. DHCP server Discover: The client sends the DHCP discover to the 255.255.255.255 with the source IP of 0.0.0.0 to port 67.
2. DHCP Offer: The server responds to the Discover message with DHCP offer which is sent on a broadcast IP address of 255.255.255.255 with the offered IP address to the client.
3. DHCP request: The client chooses from one or more DHCP offers and responds with the DHCP request.
4. DHCP ACK: The server confirms the IP chosen by the client with DHCP ACK message.
Web Server edit
1. After the package is installed, the Apache 2 web server is started.
2. The web page of the server is changed and restarted.
3. The server is in active mode and listening for HTTP requests in port 80.
Firewall edit
1. The IP tables are configured in the web server.
2. The HTTP response and HTTP request from the web server are accepted, forwarded or rejected based on the IP tables.
Network File System edit
1. NFS server is created and the directory to be shared is declared.
2. An NFS connection is established with the client using exports file by giving specific permissions to the client.
3. The client is mounted with the server system and the data is shared between the two systems.
Configuration edit
DNS edit
Here in this project, we used private network, we configured static private ip address for the DNS server, by editing /etc/network/interfaces file and setting iface eth0 inet static.For installing of DNS server have used BIND9 , which is actually Berkely Internet Name Domain version 9.The reason for choosing this BIND9 is that it was used in most of name serving machines on the internet and also it provides robust architecture on which DNS server of an organization. Other possible configurations available for DNS are Posadis and Power DNS.
Here in this project, We configured Master and Slave DNS with IPv6 support.
Steps to configure Master DNS server:
Step 1: To configure static ip address, one have to configure in “/etc/network/interfaces” file with IP address and other details.
Command:
auto eth0
iface eth0 inet static
address 192.168.11.5
netmask 255.255.255.0
network 192.168.11.0
broadcast 192.168.11.255
gateway 192.168.11.1
iface eth0 inet6 static
address 2001:db8:0:1::124
netmask 64
gateway 2001:db8:0:1::1
Step 2: Edit the nameserver and domain name details in the below path
Command:
cat /etc/resolvconf/resolv.conf.d/head
nameserver 192.168.11.5
search rajkukadia.com
Step 3: Edit “named.conf.local” file for specifying forward and reverse zones.
Command:
cat /etc/bind/named.conf.local
#Forward zone
zone "rajkukadia.com" {
allow-transfer {192.168.11.6;};
also-notify {192.168.11.6 ;};
file "/etc/bind/db.rajkukadia.com";
type master; };
Command:
#Reverse Zone
zone "11.168.192.in-addr.arpa" {
allow-transfer {192.168.11.6;};
allow-transfer {192.168.11.6 ;};
type master;
file "/etc/bind/db.192"; };
Command:
#Reverse Zone for V6
zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
{
type master;
allow-transfer {192.168.10.6;};
file "/etc/bind/db.2001";
also-notify { 192.168.11.6; };
};
Step 4: Edit the named.conf.options file for ISP DNS IP, in the forwarders column, as below
Command:
cat /etc/bind/named.conf.options
forwarders {
# ISP DNS IP’s
192.168.11.6;
192.168.11.5;
8.8.8.8;
8.8.4.4;
};
Step 5: Create forward zone and Reverse zone db files in the path “/etc/bind” location.
Command:
For Forward Zone, Create db.rajkukadia.com file by referring to contents of /etc/bind/db.local file
cat /etc/bind/db.rajkukadia.com
;
; BIND data file for rajkukadia.com
;
$TTL 604800
@ IN SOA ubuntu.rajkukadia.com. root.rajkukadia.com. (
7 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ubuntu.rajkukadia.com.
@ IN A 192.168.11.7
@ IN AAAA 2001:db8:0:1::125
ubuntu IN A 192.168.11.5
IN AAAA 2001:db8:0:1::124
ubuntu1 IN A 192.168.11.6
IN AAAA 2001:db8:0:1::128
www IN CNAME rajkukadia.com.
stu1 IN A 192.168.11.9
IN AAAA 2001:db8:0:1::126
stu2 IN A 192.168.11.10
IN AAAA 2001:db8:0:1::127
For reverse zone:
cat /etc/bind/db.192
;
; BIND reverse data file for local loopback interface
$TTL 604800
@ IN SOA ubuntu.bdrn.com. root.bdrn.com. (
7 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ubuntu.
5 IN PTR ubuntu.rajkukadia.com.
6 IN PTR ubuntu1.rajkukadia.com.
7 IN PTR rajkukadia.com.
9 IN PTR stu1.rajkukadia.com.
10 IN PTR stu2.rajkukadia.com.
1 IN PTR gw.rajkukadia.com.
Step 6: Restart system and bind9 software to have the changes reflected:
Command:
sudo init 6
sudo service bind9 restart
Steps to Configure Slave DNS Server:
Step 1: To configure static IP address of Slave DNS, edit “/etc/network/interfaces” file
Command:
cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.11.6
netmask 255.255.255.0
network 192.168.11.0
broadcast 192.168.1.255
gateway 192.168.11.1
Step 2: Configure nameserver and domain name details in “resolv.conf” file
Command:
cat /etc/resolvconf/resolv.conf.d/head
nameserver 192.168.11.6
search rajkukadia.com
Step 3: Edit named.conf.local file for configuring forward zone and reverse zone details
Command:
cat /etc/bind/named.conf.local </ br>
# Forward zone
zone "rajkukadia.com" {
type slave;
masters {192.168.11.5;};
file "/etc/bind/db.rajkukadia.com"; };
# Reverse Zone
zone "11.168.192.in-addr.arpa" {
type slave;
masters {192.168.11.5;};
file "/etc/bind/db.192"; };
Step 5: Edit the named.conf.options file for forwarders details
Command:
cat /etc/bind/named.conf.options
forwarders {
192.168.11.5;
192.168.11.6;
8.8.8.8;
8.8.4.4;
};
Step 6: Restart system and bind9 software to have the changes reflected:
Command:
sudo init 6
sudo service bind9 restart
DHCP edit
Steps for Configuring DHCP server
Step1: Install the DHCP Server
Command:
sudo apt-get install isc-dhcp-server
Step2: Install the router advertisement daemon (radvd ) for IPv6
Command:
sudo apt-get install radvd
Step3: Set the static IP address of the DHCP server
Command:
sudo nano /etc/network/interfaces
auto lo iface lo inet loopback
auto eth0 iface eth0 inet static address 192.168.11.4 netmask 255.255.255.0 gateway 192.168.11.1 network 192.168.11.0 broadcast 192.168.11.255 dns-nameserver 192.168.11.5 192.168.11.6 dns-domain-search rajkukadia.com iface eth0 inet6 static address 2001:db8:0:1::120 netmask 64 gateway 2001:db8:0:1::1
Step4: Configure the IPv6 and IPv4 forwarding
Command:
sudo nano /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Step5: Make eth0 as the default interface
Command:
sudo nano /etc/default/isc-dhcp-server
INTERFACES="eth0"
Step6: Configure the dhcpd.config file.Open the dhcpd.config file using the following command for IPv4 :
Command:
sudo nano /etc/dhcp/dhcpd.conf
Create configuration file dhcpd.conf:
subnet 192.168.11.0 netmask 255.255.255.0 {
range 192.168.11.20 192.168.11.40;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.11.255;
option routers 192.168.11.1;
option domain-name "rajkukadia.com";
option domain-name-servers 192.168.11.5;
option domain-name-servers 192.168.11.6;
default-lease-time 600;
max-lease-time 7200; }
Step7: Edit the resolv.conf file
Command:
sudo nano /etc/resolv.conf
nameserver 192.168.11.5
nameserver 192.168.11.6
Step8: Configure the DHCP server for IPv6
Command:
sudo nano /etc/dhcp/dhcpd6.conf
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet6 2001:db8:0:1::/64 {
range6 2001:db8:0:1::20 2001:db8:0:1::40;
range6 2001:db8:0:1::/64 temporary;
}
Step9: Create /etc/radvd.conf and configure as follows
Command:
sudo nano /etc/radvd.conf
interface eth0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2001:0db8:1:1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
Step10: Reboot the System
Command:
sudo init 6
Step11: Restart the DHCP server
Command:
sudo service isc-dhcp-server restart
Step12: Restart the DHCPv6 server with the following command
Command:
sudo service isc-dhcp-server6 restart
Webserver edit
Step 1: Get updates and install Apache2 Webserver
Command:
sudo apt-get update
sudo apt-get install apache2
Step 2: Make a new directory in /var/www/
Command:
sudo mkdir -p /var/www/websitename.com/public_html
Step 3: • Provide permissons to access the file and the folder
Command:
sudo chown -R $USER:$USER /var/www/websitename.com/public_html
sudo chmod -R 755 /var/www
Step 4: Edit the HTML file
Command:
sudo nano /var/www/websitename.com/public_html/index.html
Step 5: Copy content from 000-default-conf to websitename.com.conf i.e. virtual hosts in the configuration file
Command:
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/websitename.com.conf
Step 6: Edit websitename.com.conf
Command:
ServerAdmin admin@websitename.com
ServerName websitename.com
ServerAlias www.websitename.com
ServerRoot /var/www/websitename.com/public_html
Step 7: Enable the virtual hosts
Command:
sudo a2ensite websitename.com.conf
Step 8: Restart the Apache web server
Command:
sudo service apache2 restart
Step 9: Add your IP address and domain name to the hosts file
Command:
192.168.11.7 websitename.com
Search http://websitename.com from your browser
Firewall edit
Firewall allows the system administrator to accept, forward or drop the packets using ip tables.
1. Enable it by below command:
1. sudo ufw enable
2. Add the rules below rules allow only below allow only http trafic
sudo ufw allow 80
3. add rules for ssh
sudo ufw allow 22
4. reject icmpt
1. sudo iptables -A INPUT -p icmp -j REJECT
The Address Resolution Protocol (ARP) and Scappy edit
Step 1: After executing the code by sudo python poison.py on Terminal on attacker machines the Victim can be arp table can seen by arp -a.
Now all traffic for Webserver will flow from your machine now you have NAT IP the attacker machine to accept the IP other than his ip.
Enter in root mode , first flush iptable
Command:
iptables -t nat –flush
iptables –zero
iptables -A FORWARD --in-interface ens33 -j ACCEPT
iptables -t nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination attacket’s ip
Step 2: After attack has been finished if we want to restore the original condition than send ARP request with original dst mac and its ip.
IPSec VPN edit
Step 1: Install the following package used to configure VPN
Command:
sudo apt-get install ipsec-tools strongswan-starter
Step 2:Open and Edit the following file
Command:
sudo nano /etc/ipsec.conf
Step 3: Add the following
Command:
conn webserver-to-nfs authby=secret auto=route keyexchange=ike left=192.168.11.7 right=192.168.11.13 type=transport esp=aes128gcm16!
Step 4: Create the file which will have the pre shared keys
Command:
sudo nano /etc/ipsec.secrets
Step 5: Add the following
Command:
192.168.11.13 192.168.11.7 : PSK “ your keys”
Step 6: Restart IPSec
Command:
ipsec restart
Step 7: To check the status use statusall
Command:
ipsec statusall
Host 2
Step 1: Install the following
Command:
sudo apt-get install ipsec-tools strongswan-starter
Step 2: Open andeEdit the following file
Command:
sudo nano /etc/ipsec.conf
Step 3: Add the following
Command:
conn webserver-to-nfs
authby=secret
auto=route
keyexchange=ike
left=192.168.11.13
right=192.168.11.7
type=transport
esp=aes128gcm16!
Step 4: Create the file which will have the pre shared keys
Command:
sudo nano /etc/ipsec.secrets
Step 5: Add the following
Command:
192.168.11.13 192.168.11.7 : PSK “ your keys”
Step 6: Restart IPSec
Command:
ipsec restart
Step 7: To check the status use statusall
Command:
ipsec statusall
Testing:
Step 1: Use this on any one host:
Command:
Ping -s 4048 192.168.11.13
Step 1: Watch status from other host
Command:
watch ipsec statusall
Network File System edit
Configure the NFS Server
Step 1: Install NFS Server on server machine by below command:
Command:
sudo apt install nfs-kernel-server
Step 2: Configure the exports by editing the /etc/exports
Command:
sudo nano /etc/exports
Step 3: Add directories you want to export or want to share on network in the above files /ubuntu*(ro,sync,no_root_squash) * is the username it include IP address you want to allow to share
Command:
/home/dharak 192.168.11.0/24 (rw,sync,no_root_squash)
Step 4: start the NFS Server
Command:
sudo systemctl start nfs-kernel-server.service
Configure the NFS Client
Step 1: install nfs common on the client machine
Command:
sudo apt install nfs-common
Step 2: Mount the exported folders in an client machine in an empty directory
Command:
sudo mount 192.168.11.13:/home/dharak /home/rajkukaidia/NFS
“/home/dharak” is exported directory and “/home/local/NFS” is local directory which should be empty before mouting
Backup edit
Secure Shell (SSH) protocol is used which uses RSA encryption and shares the public key to the remote host who should be able to access the local host. Secure Copy (SCP) is used to securely copy the backup file from the local host to the remote host.
Step 1: Generate the public and private keys
ssh-keygen -t rsa
Step 2: Make a copy of the public key
cp id_rsa.pub authorized_keys
Step 3: Copy authorized key to the remote host
ssh-copy-id dharak@192.168.11.13
Step 4: Create a backup file
tar -zcvf /path for backup/ Backupfile.tgz /path for file to backup/
Step 5: Copy the backup file to remote host
scp /path of the backup file/ dharak@192.168.11.13 :/path of the destination folder/
Step 6: • Open crontab and add following
* * * * * chmod 777 cron.sh
* * * * * /path/cron.sh
Test Plan edit
VPN Test edit
1) Connect to the VPN server and once connected a point to point tunnel session is established which can be retrieved in the interface list.
ifconfig - Retrieves the detected network interface and its information
ppp0 Link encap:Point-to-Point Protocol - Shows that the device is connected to a private network.
DNS Test edit
The following commands are used for DNS testing:
1) Dig
Domain Information Groper is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers.
2) Nslookup
nslookup is a command used to query DNS servers. Interactive mode gives permission to the user to query the name servers for getting information about hosts and domains. Non-interactive mode gives permission to the user for printing just the name and information that is requested for a particular host or domain.
3) Ping
Ping is used for checking the network layer status of the server.
4) Host
Host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.
DHCP Test edit
DHCP allocates the IP address for the device entering the network.IP address can be verified using ifconfig/ipconfig in the client machine.
sudo dhclient –r - It will release the current IP address in the client
cat /var/lib/dhcp/dhcpd.leases - It will display the lease provided by the DHCP server.
Webserver Test edit
1. The web browser is opened in the client machine.
2. Type the URL address www.bdrn.com.
3. A successfull page is displayed at the client machine.
Firewall Test edit
1. When an HTTP request is sent from the client machine, the request is received at the web browser.
2. The web server is configured to block the connections from the ip address 192.168.1.30.
3. When a client with IP address 192.168.1.30 sends a packet to the web server, the packet is blocked by the firewall and the access is restricted.
NFS Test edit
After a connection is established between the server and the client using NFS server.
The changes made in the server is reflected in the client machine.
Future Improvements edit
1. Improved Firewall security features.
2. Behaviour of the servers located in a public network environment.
3. Implementation of AAA servers for authorization, authentication and accounting.
4. Simulating real-time network traffic and validating network performance.
References edit
Websites Referred:
1. http://www.howtogeek.com/135533/how-to-use-rsync-to-backup-your-data-on-linux/
2. https://help.ubuntu.com/lts/serverguide/NTP.html
3. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nfs-mount-on-ubuntu-14-04
4. https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts
5. http://www.krizna.com/ubuntu/configure-dns-server-ubuntu-14-04/
6. http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
7. https://help.ubuntu.com/community/isc-dhcp-server
8. http://koo.fi/blog/2013/03/20/linux-ipv6-router-radvd-dhcpv6/
9. https://help.ubuntu.com/community/SettingUpNISHowTo
10. https://www.digitalocean.com/community/tutorials/how-to-install-and-setup-postfix-on-ubuntu-14-04
11. https://technet.microsoft.com/en-us/library/dd145320(v=ws.10).aspx
12. https://www.youtube.com/
13. Linux NFS faq3
14. Ubuntu Wiki NFS
15. http://nfs.sourceforge.net/
16. https://help.ubuntu.com/community/NFSv4