Data Networking/Fall 2016/AAN
Linux Project: Building an Infrastructure Network Solution for a Start-Up Company
In this webpage we describe our Linux project, based on implementations of concepts such as DNS, DHCP, web servers, firewalls and backup.
The Team
1) Abhishek Senapati
2) Amit Kumar
3) Naveen Yanamaddi
But Why Linux
Many organizations and businesses worldwide are converting their core computer operating system to Linux as opposed to other operating systems. We are also seeing a shift from commercial software to free software (also referred to as open-source software). The main reasons are the Linux license, the freedom to customize it, the availability of its source code, and its support community.
What is the Story
We have built a robust, secure and effective solution for a start-up company in Boston. This simple yet dynamic solution consists of a DNS server, a DHCP server, a web server with firewall and backup, and a client machine. When a computer joins this network, it gets its IP address allocated by the DHCP server, its domain names resolved to IP addresses by the DNS server, and web pages served by the web server. Additional security aspects covered are the firewall and ARP poisoning; redundancy is provided by taking timely backups.
About The Servers
1) Domain Name System (DNS)
DNS, or Domain Name Service, is the means by which domain names, which humans understand, get translated into IP addresses, which computers understand. The Domain Name System is distributed: it does not reside on any one computer. The servers are organized hierarchically, however, which allows local servers to broaden their search for an answer to a DNS lookup request. These lookup requests are called "queries".
DNS uses port 53.
2) Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on IP networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. With DHCP, computers request IP addresses and networking parameters automatically from a DHCP server, reducing the need for a network administrator or a user to configure these settings manually.
3) Web Server
A Web server is a system that delivers content or services to end users over the Internet. A Web server consists of a physical server, server operating system (OS) and software used to facilitate HTTP communication. The primary function of a web server is to store, process and deliver web pages to clients.
HTTP uses port 80.
4) Backup Web Server
A backup server is a type of server that enables the backup of data, files, applications and/or databases on a specialized in-house or remote server. It combines hardware and software technologies that provide backup storage and retrieval services to connected computers, servers or related devices.
5) Firewall
A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network). The firewall acts as the demarcation point or “traffic cop” in the network, as all communication should flow through it and it is where traffic is granted or rejected access.
Project requirements
- Linux based OS (we have used Ubuntu 14.04.1)
- bind9 to configure DNS.
- isc-dhcp-server and radvd to configure DHCP.
- apache2 to configure our web server.
- rsync package for the web backup server.
- ssh package.
Configuration Steps
DHCP Server For IPv4
1. Install the DHCP server
sudo apt-get install isc-dhcp-server
2. Set the static IP address of the DHCP server
sudo vim /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.10.100
netmask 255.255.255.0
broadcast 192.168.10.255
dns-nameservers 192.168.10.150 192.168.10.155
iface eth0 inet6 static
address 2607:f1d0:2001:000a:0000:0000:0000:0010
netmask 64
gateway 2607:f1d0:2001:000a:0000:0000:0000:0001
3. Configure the DHCP server
sudo vim /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
# options outside the subnet block apply to every subnet; list several servers comma-separated
option domain-name-servers 192.168.10.150, 192.168.10.155;
option domain-name "linuxproject.com";
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.10 192.168.10.90;
    option routers 192.168.10.1;
}
# static reservations, kept outside the dynamic range
host dns {
    hardware ethernet 80:00:27:26:b3:52;
    fixed-address 192.168.10.150;
}
host dnssecondary {
    hardware ethernet 80:00:27:4c:93:d1;
    fixed-address 192.168.10.155;
}
host webserver {
    hardware ethernet 80:00:27:9E:f8:da;
    fixed-address 192.168.10.160;
}
4. Restart the DHCP Server
sudo service isc-dhcp-server restart
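Before restarting the daemon it is worth checking that the pool, the router and the reservations all belong to the declared subnet; a range end typed in the wrong subnet makes dhcpd refuse to start. The following is an added example (not part of the original project) that performs that check with Python's ipaddress module; DHCPD_CONF is a constructed copy of the page's declaration that keeps a mistyped range end (192.168.4.90) so the check has something to flag.

```python
"""Sanity-check an isc-dhcp-server subnet declaration with the ipaddress
module before restarting the daemon.  Added example, not part of the original
project; DHCPD_CONF is a constructed copy of the page's declaration that keeps
a mistyped range end (192.168.4.90) so the check has something to flag."""
import ipaddress
import re

DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.10 192.168.4.90;
  option routers 192.168.10.1;
}
host dns       { hardware ethernet 80:00:27:26:b3:52; fixed-address 192.168.10.150; }
host webserver { hardware ethernet 80:00:27:9E:f8:da; fixed-address 192.168.10.160; }
"""


def check_dhcpd(conf):
    """Return a list of problems (empty when the declaration is consistent)."""
    problems = []
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)", conf)
    if not m:
        return ["no subnet declaration found"]
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    pools = []
    for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+);", conf):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        for end in (lo, hi):
            if end not in net:
                problems.append(f"range end {end} is outside {net}")
        if lo > hi:
            problems.append(f"range {lo} {hi} is reversed")
        pools.append((lo, hi))
    # reservations must sit inside the subnet but outside the dynamic pool
    for name, addr in re.findall(r"host\s+(\S+)\s*\{[^}]*fixed-address\s+(\S+);", conf):
        a = ipaddress.ip_address(addr)
        if a not in net:
            problems.append(f"host {name}: fixed-address {a} is outside {net}")
        elif any(lo <= a <= hi for lo, hi in pools):
            problems.append(f"host {name}: fixed-address {a} overlaps the dynamic range")
    gw = re.search(r"option routers\s+(\S+);", conf)
    if gw and ipaddress.ip_address(gw.group(1)) not in net:
        problems.append(f"router {gw.group(1)} is outside {net}")
    return problems
```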
For IPv6
1. Install radvd to configure the parameters
sudo apt-get install radvd
2. Modify the file /etc/radvd.conf
sudo vi /etc/radvd.conf
interface eth0 {
    AdvSendAdvert on;
    AdvManagedFlag on;
    prefix 2607:f1d0:2001:000a::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
3. Modify the file /etc/sysctl.conf
sudo vi /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1
4. Restart the radvd
sudo /etc/init.d/radvd restart
DNS server
For IPv4
1. Install Bind9
sudo apt-get install bind9
2. Configure the interface to take its address from the DHCP server (the DNS servers have fixed-address reservations there, so the address is static)
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp
3. Configure zones in the named.conf.local file
sudo vi /etc/bind/named.conf.local
// Reverse zone for 192.168.10.0/24
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.10.155; };
    also-notify { 192.168.10.155; };
    allow-query { any; };
};
// IPv6 reverse zone for 2607:f1d0:2001:000a::/64 (the prefix nibbles written in reverse order)
zone "a.0.0.0.1.0.0.2.0.d.1.f.7.0.6.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.ipv6";
    allow-transfer { 192.168.10.155; };
    also-notify { 192.168.10.155; };
};
// Forward zone
zone "www.linuxproject.com" {
    type master;
    file "/etc/bind/for.www.linuxproject.com";
    allow-transfer { 192.168.10.155; };
    also-notify { 192.168.10.155; };
    allow-query { any; };
};
// Configure the forward lookup zone file
sudo vim /etc/bind/for.www.linuxproject.com
$TTL 604800
@ IN SOA www.linuxproject.com. root.linuxproject.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS www.linuxproject.com.
; the zone apex (www.linuxproject.com) answers with all three servers
@ IN A 192.168.10.150
@ IN A 192.168.10.155
@ IN A 192.168.10.160
@ IN AAAA 2607:f1d0:2001:a:a00:27ff:fe26:b352
// Configure the reverse lookup zone file for IPv4 addresses
sudo vim /etc/bind/db.192
$TTL 604800
@ IN SOA www.linuxproject.com. root.linuxproject.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS www.linuxproject.com.
; owner labels are the last octet, relative to 10.168.192.in-addr.arpa
160 IN PTR www.linuxproject.com.
150 IN PTR www.linuxproject.com.
155 IN PTR www.linuxproject.com.
// Configure the reverse lookup zone file for IPv6 addresses
sudo vim /etc/bind/db.ipv6
$TTL 604800
@ IN SOA www.linuxproject.com. root.linuxproject.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS www.linuxproject.com.
2.5.3.b.6.2.e.f.f.f.7.2.0.0.a.0 IN PTR www.linuxproject.com.
// Restart the Bind9 server
sudo /etc/init.d/bind9 restart
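The zone names used above are the address prefix written nibble by nibble in reverse order, and the PTR owner labels are the remaining host nibbles, also reversed. The following added example (not part of the original project) derives both with Python's ipaddress module for the project's own addresses and checks that a configured ip6.arpa zone name really covers the intended prefix; a single transposed pair such as 2607 versus 2670 yields a zone that is never queried.

```python
"""Derive in-addr.arpa / ip6.arpa zone names and the PTR owner labels that
go inside them.  Added example (not part of the original project); it only
applies the nibble-reversal rule of RFC 1035 / RFC 3596 to the project's
own addresses."""
import ipaddress


def reverse_zone_and_owner(address, prefix_len):
    """Return (zone, owner) for the PTR of `address` when the reverse zone
    is delegated at `prefix_len` bits: `zone` is the zone name and `owner`
    the record's owner label relative to that zone's $ORIGIN."""
    addr = ipaddress.ip_address(address)
    # ipaddress already emits the fully reversed name, e.g.
    # "160.10.168.192.in-addr.arpa" or "2.5.3.b. ... .7.0.6.2.ip6.arpa"
    labels = addr.reverse_pointer.split(".")
    bits_per_label = 8 if addr.version == 4 else 4
    if prefix_len % bits_per_label:
        raise ValueError(f"/{prefix_len} does not end on a label boundary")
    host_labels = (addr.max_prefixlen - prefix_len) // bits_per_label
    owner = ".".join(labels[:host_labels])
    zone = ".".join(labels[host_labels:])
    return zone, owner


def ptr_record(address, prefix_len, fqdn):
    """Build the zone-file line for a PTR, with the trailing dot that makes
    the target absolute (without it BIND appends the zone name to the target)."""
    _, owner = reverse_zone_and_owner(address, prefix_len)
    return f"{owner} IN PTR {fqdn.rstrip('.')}."


def zone_matches_prefix(zone_name, prefix):
    """True when a configured reverse zone name covers `prefix`
    (e.g. 2607:f1d0:2001:a::/64), i.e. it was derived from the right nibbles."""
    net = ipaddress.ip_network(prefix, strict=True)
    expected, _ = reverse_zone_and_owner(str(net.network_address), net.prefixlen)
    return zone_name.rstrip(".").lower() == expected
```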
DNS slave configurations
// Forward zone
sudo vim /etc/bind/named.conf.local
// slave zone files must be writable by named; on Ubuntu the AppArmor profile only
// allows that under /var/cache/bind, so point "file" there if transfers fail
zone "www.linuxproject.com" {
    type slave;
    file "/etc/bind/for.www.linuxproject.com";
    masters { 192.168.10.150; };
};
// Reverse zones (in the same named.conf.local)
zone "10.168.192.in-addr.arpa" {
    type slave;
    file "/etc/bind/db.192";
    masters { 192.168.10.150; };
};
zone "a.0.0.0.1.0.0.2.0.d.1.f.7.0.6.2.ip6.arpa" {
    type slave;
    file "/etc/bind/db.ipv6";
    masters { 192.168.10.150; };
};
// Restart the Bind9 server
sudo /etc/init.d/bind9 restart
Web server
// Install Apache webserver
sudo apt-get install apache2
// Create the site directory and a sample page
sudo mkdir /var/www/linuxproject.com/
sudo chmod 755 /var/www/
sudo chown $USER:$USER /var/www/linuxproject.com/
sudo nano /var/www/linuxproject.com/sample.html
// Configuring Apache2 - apache2.conf
sudo vim /etc/apache2/apache2.conf
<Directory /var/www/linuxproject.com/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
// Configuring Apache2 - dir.conf. Because we have not used index.html as the default page, we need to add our sample.html to the list of directory indices.
sudo nano /etc/apache2/mods-available/dir.conf
Append our HTML file, sample.html, to the list of indices:
<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
</IfModule>
// Configuring Apache2 - 000-default.conf
sudo vim /etc/apache2/sites-available/000-default.conf
ServerAdmin webserver@linuxproject.com
ServerName linuxproject.com
DocumentRoot /var/www/linuxproject.com
// Now map the IP address to the domain name
sudo vim /etc/hosts
192.168.10.160 linuxproject.com
Restart Apache2
sudo service apache2 restart
Firewall
1. Activate the ufw firewall and deny incoming traffic by default
sudo ufw enable
sudo ufw default deny
2. Start the service using the command
sudo service iptables-persistent start
3. Enable the SSH service
sudo ufw allow ssh
4. Open the ports
sudo ufw allow 80
sudo ufw allow 22
sudo ufw allow 1723
5. Enter a host-specific rule (SSH from the client 192.168.10.19 only)
sudo ufw allow proto tcp from 192.168.10.19 to any port 22
6. See the firewall status
sudo ufw status
Backup Server
1. Install SSH
sudo apt-get install ssh
2. Generate an RSA key pair
ssh-keygen -t rsa
3. Use ssh to create the .ssh directory on the backup server
ssh naveen@192.168.10.19 mkdir -p .ssh
4. Append the web server's public key to the backup server's authorized keys
cat ~/.ssh/id_rsa.pub | ssh naveen@192.168.10.19 'cat >> .ssh/authorized_keys'
5. Compress the file for backup
sudo tar -cvpzf webserver.tar.gz /var/www/linuxproject.com/sample.html
6. Use crontab to schedule the backup every 5 minutes
sudo crontab -e
# root's crontab: create the archive first and copy it only if tar succeeded, so scp never sends a half-written file.
# The copy runs as root, so root needs a key accepted by the backup server (or schedule the scp in naveen's own crontab).
*/5 * * * * tar -cvpzf /home/naveen/webserver.tar.gz /var/www/linuxproject.com/sample.html && scp /home/naveen/webserver.tar.gz naveen@192.168.10.19:/home/naveen/
Add-ons
NFS
Network File System (NFS) is used for sharing files with other computers on the network. It is a distributed file system protocol.
Initially, repositories should be updated
sudo apt-get update
Next, install the NFS server package
sudo apt-get install nfs-kernel-server
Then, make a directory which is to be shared with other devices
sudo mkdir /ProjectTobeShared
/etc/exports is the main configuration file for NFS; add the following line to it
/ProjectTobeShared 192.168.10.19(rw,sync,no_root_squash)
# no_root_squash lets root on 192.168.10.19 act as root on this export; the default root_squash is safer unless the client really needs it
Now, start the service
sudo /etc/init.d/nfs-kernel-server start
Check the NFS share status with the following command
sudo exportfs -v
NFS client: install the NFS client and its dependencies
sudo apt-get install nfs-common rpcbind
Create a mount point
sudo mkdir /destinationDir
Mount the remote share /ProjectTobeShared on the local directory /destinationDir
sudo mount 192.168.10.150:/ProjectTobeShared /destinationDir
Add the following line to /etc/fstab for a permanent mount
192.168.10.150:/ProjectTobeShared /destinationDir nfs rw,sync,hard,intr 0 0
Two files, text1 and text2, are created in the NFS server's /ProjectTobeShared directory, and two files, text3 and text4, are created on the NFS client. Because the directory is mounted, all four appear in both folders.
VPN
Configuration - Left PC (web server machine)
sudo apt-get install ipsec-tools strongswan-starter
sudo vim /etc/ipsec.conf
conn webserver-to-client
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.160
    right=192.168.10.19
    type=transport
    esp=aes128gcm16!
sudo vim /etc/ipsec.secrets
192.168.10.160 192.168.10.19 : PSK "Your password here!"
sudo ipsec restart
ipsec statusall
Configuration - Right PC (client machine)
sudo apt-get install ipsec-tools strongswan-starter
sudo vim /etc/ipsec.conf
conn webserver-to-client
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.19
    right=192.168.10.160
    type=transport
    esp=aes128gcm16!
sudo vim /etc/ipsec.secrets
192.168.10.160 192.168.10.19 : PSK "Your password here!"
sudo ipsec restart
ipsec statusall
ARP Poisoning
Address Resolution Protocol poisoning (ARP poisoning) is an attack in which an attacker sends forged ARP request and reply packets on an Ethernet LAN so that the target computer's ARP cache maps an IP address to the attacker's Media Access Control (MAC) address. Because the ARP replies are forged, the target unknowingly sends its frames to the attacker's computer first instead of to the original destination, where they can be monitored. As a result, both the user's data and privacy are compromised, and a well-executed ARP poisoning attempt goes unnoticed by the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).
We implemented ARP poisoning in our project using a Python script built on the Scapy module.
The Python .py script is attached to the submitted project report.
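The attack described above leaves a visible trace in the ARP replies seen on the LAN: an IP address whose MAC suddenly changes, or one MAC answering for several IP addresses. The following added example (not part of the original project or its Scapy script) applies those two rules, plus the static bindings from the project's dhcpd.conf reservations, to a constructed list of observed ARP replies, in the way a monitor such as arpwatch does.

```python
"""Detect the trace ARP cache poisoning leaves on the wire: an IP whose MAC
changes ("flip-flop") or one MAC answering for several IPs.  Added example,
not part of the original project or its Scapy script; the observations below
are constructed, not captured traffic."""
from collections import defaultdict

# Static bindings taken from the project's dhcpd.conf reservations.
STATIC_BINDINGS = {
    "192.168.10.150": "80:00:27:26:b3:52",
    "192.168.10.155": "80:00:27:4c:93:d1",
    "192.168.10.160": "80:00:27:9e:f8:da",
}

# Constructed ARP replies as (seconds, sender IP, sender MAC). The first three
# are normal; the last two are what a poisoning host makes the LAN see when it
# claims both the gateway and the web server with its own MAC.
OBSERVED_ARP = [
    (0, "192.168.10.1", "80:00:27:aa:aa:01"),
    (1, "192.168.10.160", "80:00:27:9e:f8:da"),
    (2, "192.168.10.19", "80:00:27:bb:bb:19"),
    (30, "192.168.10.1", "80:00:27:cc:cc:99"),
    (31, "192.168.10.160", "80:00:27:cc:cc:99"),
]


def detect_arp_anomalies(observations, static_bindings=None):
    """Return alert strings, in order, for three conditions: a reply that
    contradicts a static binding, an IP whose MAC changed since last seen,
    and a MAC that has now answered for more than one IP."""
    static_bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    last_mac = {}                   # ip -> MAC most recently seen for it
    claimed = defaultdict(set)      # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in static_bindings and static_bindings[ip] != mac:
            alerts.append(f"t={ts} {ip} answered by {mac}, static binding is {static_bindings[ip]}")
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append(f"t={ts} flip-flop: {ip} moved {last_mac[ip]} -> {mac}")
        last_mac[ip] = mac
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append(f"t={ts} {mac} now claims {sorted(claimed[mac])}")
    return alerts
```

A real deployment would feed this from a packet capture of ARP is-at replies and seed STATIC_BINDINGS from the DHCP reservations, which is the defence listed under Future Improvements.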
Testing
DHCP
1. DHCP was tested by checking the leased IP addresses with the following command. It shows the leases on the DHCP server and the IP addresses that have been handed out to the clients.
sudo tail /var/lib/dhcp/*.leases
2. For more log information, the DHCP server's output can be verified with the following command.
sudo tail -f /var/log/syslog
DNS Server
1. Test the master DNS server (forward lookup)
Abhisheks-MacBook-Pro:~ AbhishekSenapati$ nslookup www.linuxproject.com
Server: 192.168.10.150
Address: 192.168.10.150#53
Name: www.linuxproject.com
Address: 192.168.10.150
Name: www.linuxproject.com
Address: 192.168.10.155
Name: www.linuxproject.com
Address: 192.168.10.160
Reverse Lookup
Abhisheks-MacBook-Pro:~ AbhishekSenapati$ nslookup 192.168.10.160
Server: 192.168.10.150
Address: 192.168.10.150#53
160.10.168.192.in-addr.arpa name = www.linuxproject.com.
2. Test the slave DNS server
Turn off the master DNS server and repeat the same lookups that were used for the master.
IPv6
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 3c:15:c2:e7:a6:00
inet6 fe80::491:b82:2af:4027%en0 prefixlen 64 secured scopeid 0x4
inet 192.168.10.18 netmask 0xffffff00 broadcast 192.168.10.255
inet6 2607:f1d0:2001:a:1433:b99d:8b65:de45 prefixlen 64 autoconf secured
inet6 2607:f1d0:2001:a:44ff:b330:5600:53bd prefixlen 64 autoconf temporary
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
Firewall
We inserted rules to block access by default and to allow only one client.
Test case scenario: only one client, and not the other, can access the web page.
VPN
On the web server run the following and leave it running:
ping -s 4048 192.168.10.19
On the client run the following:
watch ipsec statusall
The number of packets and the number of bytes shown should keep increasing while the ping is running; this shows that traffic is flowing through the tunnel as it should.
Future Improvements
1. Implement defence mechanisms to prevent attacks like ARP poisoning and MITM (man-in-the-middle) attacks.
2. Improve DNS Zone Security with Zone owner keys.
3. DHCP Superscope implementation, to provide the flexibility of allocating multiple addresses to the subnets.
References
Websites:
https://help.ubuntu.com/community/BIND9ServerHowto
https://help.ubuntu.com/community/isc-dhcp-server
https://help.ubuntu.com/community/rsync
https://help.ubuntu.com/community
http://bt3gl.github.io/black-hat-python-infinite-possibilities-with-the-scapy-module.html
Books:
1) Computer Networking: A Top-Down Approach (Fifth Edition), by James F. Kurose & Keith W. Ross