Data Networking/Fall 2016/AAN


Linux Project: Building an Infrastructure Network Solution for a Start-Up Company


This page describes our Linux project, which implements DNS, DHCP, a web server, a firewall and backups.

The Team


1) Abhishek Senapati
2) Amit Kumar
3) Naveen Yanamaddi

But Why Linux?


Many organizations and businesses worldwide are converting their core computer operating system to Linux rather than other operating systems. We are also seeing a shift from commercial software to free software (also referred to as open-source software). Our reasons for choosing Linux: its license, the ease of customization, the availability of its source code, and its support and community.


What is the Story


We have built a robust, secure and effective solution for a start-up company in Boston. This simple yet dynamic solution consists of a DNS server, a DHCP server, a web server with firewall and backup, and a client. When a computer joins this network, it gets its IP address from the DHCP server, has domain names resolved to IP addresses by the DNS server, and is served web pages by the web server. The solution includes additional security components, a firewall and a demonstration of ARP poisoning, and provides redundancy by taking regular backups.


About The Servers


1) Domain Name System (DNS)
DNS, the Domain Name System, is the means by which domain names that humans understand are translated into IP addresses that computers understand. The Domain Name System is a distributed system: it does not reside on any one computer. There is, however, a hierarchy to the organization of the servers, which allows local servers to broaden their search for an answer to a DNS lookup request. These lookup requests are called "queries". DNS uses port 53.


2) Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on IP networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. With DHCP, computers request IP addresses and networking parameters automatically from a DHCP server, reducing the need for a network administrator or a user to configure these settings manually. DHCP uses UDP ports 67 (server) and 68 (client).


3) Web Server
A web server is a system that delivers content or services to end users over the Internet. A web server consists of a physical server, a server operating system (OS) and software used to facilitate HTTP communication. The primary function of a web server is to store, process and deliver web pages to clients. HTTP uses port 80.


4) Backup Web Server
A backup server is a type of server that enables the backup of data, files, applications and/or databases on a specialized in-house or remote server. It combines hardware and software technologies that provide backup storage and retrieval services to connected computers, servers or related devices.


5) Firewall
A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network). The firewall acts as the demarcation point or “traffic cop” in the network, as all communication should flow through it and it is where traffic is granted or rejected access.


Project requirements

  • Linux Based OS (We have used Ubuntu 14.04.1)
  • Bind9 server to configure DNS.
  • Isc-dhcp-server and radvd to configure DHCP.
  • Apache2 to configure our web server.
  • RSync package for web backup server.
  • SSH package.

Configuration Steps


DHCP Server For IPv4


1. Install the DHCP server

    sudo apt-get install isc-dhcp-server

2. Set the static IP address of the DHCP server

    sudo vim /etc/network/interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.10.100
        netmask 255.255.255.0
        broadcast 192.168.10.255
        dns-nameservers 192.168.10.150 192.168.10.155

    iface eth0 inet6 static
        address 2607:f1d0:2001:000a:0000:0000:0000:0010
        netmask 64
        gateway 2607:f1d0:2001:000a:0000:0000:0000:0001

3. Configure the DHCP server

    sudo vim /etc/dhcp/dhcpd.conf

    default-lease-time 600;
    max-lease-time 7200;

    subnet 192.168.10.0 netmask 255.255.255.0 {
        range 192.168.10.10 192.168.10.90;
        option routers 192.168.10.1;
        option domain-name-servers 192.168.10.150, 192.168.10.155;
        option domain-name "linuxproject.com";
    }

    # Reservations: the servers always receive the same address
    host dns {
        hardware ethernet 80:00:27:26:b3:52;
        fixed-address 192.168.10.150;
    }

    host dnssecondary {
        hardware ethernet 80:00:27:4c:93:d1;
        fixed-address 192.168.10.155;
    }

    host webserver {
        hardware ethernet 80:00:27:9E:f8:da;
        fixed-address 192.168.10.160;
    }

4. Restart the DHCP Server

    sudo service isc-dhcp-server restart 
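A small consistency check for a dhcpd.conf like the one above, added here as an example; it is not part of the original project. The configuration is embedded as a constructed string so the check runs offline (point it at the real file instead). It verifies that the dynamic range lies inside the declared subnet, that the router option is in the subnet, that every fixed-address reservation (the DNS and web servers) is covered by a subnet but sits outside the dynamic pool, and that max-lease-time is not shorter than default-lease-time. A range whose end is in another subnet, or a reservation that collides with the pool, would otherwise only show up when dhcpd refuses to start or hands a reserved address to a client. The parser assumes flat subnet blocks (no nested pool declarations).

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf from this page, embedded so the checker
# runs offline. Replace with open("/etc/dhcp/dhcpd.conf").read() in practice.
SAMPLE_CONF = """
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.10 192.168.10.90;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.150, 192.168.10.155;
    option domain-name "linuxproject.com";
}

host dns {
    hardware ethernet 80:00:27:26:b3:52;
    fixed-address 192.168.10.150;
}
host webserver {
    hardware ethernet 80:00:27:9E:f8:da;
    fixed-address 192.168.10.160;
}
"""

# Flat subnet blocks only (no nested pool {} declarations).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
ROUTER_RE = re.compile(r"option\s+routers\s+(\S+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")
LEASE_RE = re.compile(r"(default|max)-lease-time\s+(\d+)\s*;")


def check_dhcpd_conf(text):
    """Return a list of problems found in a dhcpd.conf fragment (empty means OK)."""
    problems = []

    leases = {kind: int(secs) for kind, secs in LEASE_RE.findall(text)}
    if "default" in leases and "max" in leases and leases["max"] < leases["default"]:
        problems.append("max-lease-time is shorter than default-lease-time")

    fixed = [ipaddress.ip_address(a) for a in FIXED_RE.findall(text)]
    subnets = []
    for net_addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.ip_network(f"{net_addr}/{mask}")
        subnets.append(net)
        for start, end in RANGE_RE.findall(body):
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo not in net or hi not in net:
                problems.append(f"range {start}-{end} is not inside {net}")
                continue
            if lo > hi:
                problems.append(f"range {start}-{end} has start after end")
            # A reservation inside the dynamic pool can be handed to another client.
            for addr in fixed:
                if lo <= addr <= hi:
                    problems.append(f"fixed-address {addr} lies inside dynamic range {start}-{end}")
        for router in ROUTER_RE.findall(body):
            if ipaddress.ip_address(router) not in net:
                problems.append(f"router {router} is not inside {net}")

    for addr in fixed:
        if not any(addr in net for net in subnets):
            problems.append(f"fixed-address {addr} is not covered by any subnet")
    return problems


if __name__ == "__main__":
    for line in check_dhcpd_conf(SAMPLE_CONF) or ["dhcpd.conf looks consistent"]:
        print(line)
```

Run it before `service isc-dhcp-server restart`; an empty result means the pool, router and reservations agree with the subnet declaration.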

For IPv6


1. Install radvd, which advertises the IPv6 prefix and router parameters

    sudo apt-get install radvd 

2. Modify the file /etc/radvd.conf

    sudo vi /etc/radvd.conf

    interface eth0 {
        AdvSendAdvert on;
        AdvManagedFlag on;
        prefix 2607:f1d0:2001:000a::/64 {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };

3. Modify the file /etc/sysctl.conf

    sudo vi /etc/sysctl.conf

    net.ipv6.conf.all.forwarding=1

4. Restart the radvd

    sudo /etc/init.d/radvd restart

DNS server

For IPv4

1. Install Bind9

    sudo apt-get install bind9

2. Configure the DNS server to obtain its address from the DHCP server (the reservation in dhcpd.conf makes it a fixed address)

    sudo nano /etc/network/interfaces

    auto eth0
    iface eth0 inet dhcp
    iface eth0 inet6 dhcp

3. Configure the zones in the named.conf.local file

    sudo vi /etc/bind/named.conf.local

    // Reverse zone for IPv4
    zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { 192.168.10.155; };
        also-notify { 192.168.10.155; };
        allow-query { any; };
    };

    // Reverse zone for IPv6 (the nibbles of prefix 2607:f1d0:2001:000a, reversed)
    zone "a.0.0.0.1.0.0.2.0.d.1.f.7.0.6.2.ip6.arpa" {
        type master;
        file "/etc/bind/db.ipv6";
        allow-transfer { 192.168.10.155; };
        also-notify { 192.168.10.155; };
    };

    // Forward zone
    zone "www.linuxproject.com" {
        type master;
        file "/etc/bind/for.www.linuxproject.com";
        allow-transfer { 192.168.10.155; };
        also-notify { 192.168.10.155; };
        allow-query { any; };
    };

// Configure the forward lookup zone file

    sudo vim /etc/bind/for.www.linuxproject.com

    $TTL	604800
    @	IN	SOA	www.linuxproject.com. root.linuxproject.com. (
    			      3		; Serial
    			604800		; Refresh
    			  86400		; Retry
    			2419200		; Expire
    			604800 )	; Negative Cache TTL
    ;
    @	IN	NS	www.linuxproject.com.
    @	IN	A	192.168.10.150
    @	IN	A	192.168.10.155
    @	IN	A	192.168.10.160
    @	IN	AAAA	2607:f1d0:2001:a:a00:27ff:fe26:b352
    www	IN	A	192.168.10.160

// Configure the reverse lookup zone file for IPv4 addresses

    sudo vim /etc/bind/db.192

    $TTL	604800
    @	IN	SOA	www.linuxproject.com. root.linuxproject.com. (
    			      2		; Serial
    			604800		; Refresh
    			  86400		; Retry
    			2419200		; Expire
    			604800 )	; Negative Cache TTL
    ;
    @	IN	NS	www.linuxproject.com.
    160	IN	PTR	www.linuxproject.com.
    150	IN	PTR	www.linuxproject.com.
    155	IN	PTR	www.linuxproject.com.

// Configure the reverse lookup zone file for IPv6 addresses

    sudo vim /etc/bind/db.ipv6

    $TTL	604800
    @	IN	SOA	www.linuxproject.com. root.linuxproject.com. (
    			      1		; Serial
    			604800		; Refresh
    			  86400		; Retry
    			2419200		; Expire
    			604800 )	; Negative Cache TTL
    ;
    @	IN	NS	www.linuxproject.com.
    2.5.3.b.6.2.e.f.f.f.7.2.0.0.a.0	IN	PTR	www.linuxproject.com.

// Restart the Bind9 server

    sudo /etc/init.d/bind9 restart
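The reverse zone names and PTR owner labels above are the address octets or nibbles written backwards, which is easy to transpose by hand. The following added example (not from the original project) rebuilds them with Python's ipaddress module from the forward A/AAAA records and reports every address that lacks a matching PTR in the expected reverse zone. It assumes a /24 for the IPv4 reverse zone and the /64 advertised by radvd; the zone data is embedded as constructed dictionaries mirroring the zone files above, with PTR owner labels written relative to the zone name as in db.192 and db.ipv6.

```python
import ipaddress

# Constructed from this page's zone files: forward A/AAAA records, and the PTR
# records of each reverse zone keyed by their relative owner label.
FORWARD_RECORDS = {
    "www.linuxproject.com.": [
        "192.168.10.150",
        "192.168.10.155",
        "192.168.10.160",
        "2607:f1d0:2001:a:a00:27ff:fe26:b352",
    ],
}
REVERSE_ZONES = {
    "10.168.192.in-addr.arpa": {
        "150": "www.linuxproject.com.",
        "155": "www.linuxproject.com.",
        "160": "www.linuxproject.com.",
    },
    "a.0.0.0.1.0.0.2.0.d.1.f.7.0.6.2.ip6.arpa": {
        "2.5.3.b.6.2.e.f.f.f.7.2.0.0.a.0": "www.linuxproject.com.",
    },
}
# Assumption: the 255.255.255.0 subnet from dhcpd.conf and the /64 from radvd.conf.
PREFIXLEN = {4: 24, 6: 64}


def reverse_owner_and_zone(address, prefixlen):
    """Split the full reverse name of `address` into (owner label(s), zone name)
    for a reverse zone that covers a /prefixlen network."""
    ip = ipaddress.ip_address(address)
    labels = ip.reverse_pointer.split(".")       # e.g. 160.10.168.192.in-addr.arpa
    bits_per_label = 8 if ip.version == 4 else 4  # octets for IPv4, nibbles for IPv6
    host_labels = (ip.max_prefixlen - prefixlen) // bits_per_label
    return ".".join(labels[:host_labels]), ".".join(labels[host_labels:])


def check_reverse_consistency(forward, reverse_zones, prefixlen=PREFIXLEN):
    """Return a list of mismatches between A/AAAA records and PTR records."""
    problems = []
    for name, addresses in forward.items():
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            owner, zone = reverse_owner_and_zone(addr, prefixlen[ip.version])
            ptrs = reverse_zones.get(zone)
            if ptrs is None:
                problems.append(f"{addr}: no reverse zone named {zone}")
            elif ptrs.get(owner) != name:
                problems.append(f"{owner}.{zone}: expected PTR {name}, found {ptrs.get(owner)}")
    return problems


if __name__ == "__main__":
    for line in check_reverse_consistency(FORWARD_RECORDS, REVERSE_ZONES) or ["forward and reverse zones agree"]:
        print(line)
```

A transposed nibble in the ip6.arpa zone name shows up as "no reverse zone named ..." because the computed name no longer matches any declared zone.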

DNS slave configurations


// Declare the same zones on the slave, pulling them from the master

    sudo vim /etc/bind/named.conf.local

    // Forward zone
    zone "www.linuxproject.com" {
        type slave;
        file "/etc/bind/for.www.linuxproject.com";
        masters { 192.168.10.150; };
    };

    // Reverse zones
    zone "10.168.192.in-addr.arpa" {
        type slave;
        file "/etc/bind/db.192";
        masters { 192.168.10.150; };
    };

    zone "a.0.0.0.1.0.0.2.0.d.1.f.7.0.6.2.ip6.arpa" {
        type slave;
        file "/etc/bind/db.ipv6";
        masters { 192.168.10.150; };
    };

// Restart the Bind9 server

    sudo /etc/init.d/bind9 restart

Web server


// Install the Apache web server

    sudo apt-get install apache2

// Create the document root and a sample page

    sudo mkdir /var/www/linuxproject.com/
    sudo chmod 755 /var/www/
    sudo chown $USER:$USER /var/www/linuxproject.com/
    sudo nano /var/www/linuxproject.com/sample.html

// Configure Apache2: apache2.conf

    sudo vim /etc/apache2/apache2.conf

    <Directory /var/www/linuxproject.com/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

// Configure Apache2: dir.conf. Because we have not used index.html as the default page, we need to add sample.html to the list of directory index files.

    sudo nano /etc/apache2/mods-available/dir.conf

Append our HTML file, sample.html, to the list of indices:

    <IfModule mod_dir.c>
        DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
    </IfModule>

// Configure Apache2: 000-default.conf

    sudo vim /etc/apache2/sites-available/000-default.conf

    ServerAdmin webserver@linuxproject.com
    ServerName linuxproject.com
    DocumentRoot /var/www/linuxproject.com

// Map the IP address to the domain name

    sudo vim /etc/hosts

    192.168.10.160    linuxproject.com

Restart Apache2:

    sudo service apache2 restart

Firewall


1. Activate the ufw firewall and deny incoming traffic by default

    sudo ufw enable
    sudo ufw default deny

2. Start the service using the command

    sudo service iptables-persistent start

3. Allow the SSH service

    sudo ufw allow ssh

4. Open the ports

    sudo ufw allow 80
    sudo ufw allow 22
    sudo ufw allow 1723

5. Enter a rule that allows SSH from the client 192.168.10.19

    sudo ufw allow proto tcp from 192.168.10.19 to any port 22

6. See the firewall status

    sudo ufw status

Backup Server


1. Install SSH

    sudo apt-get install ssh

2. Generate an RSA key pair

    ssh-keygen -t rsa

3. Use ssh to create the .ssh directory on the backup server

    ssh naveen@192.168.10.19 mkdir -p .ssh

4. Append the web server's public key to the backup server's authorized_keys

    cat ~/.ssh/id_rsa.pub | ssh naveen@192.168.10.19 'cat >> .ssh/authorized_keys'

5. Compress the files to be backed up

    sudo tar -cvpzf webserver.tar.gz /var/www/linuxproject.com/sample.html


6. Use crontab to schedule the backup every 5 minutes

    sudo crontab -e

    */5 * * * * sudo tar -cvpzf /home/naveen/webserver.tar.gz /var/www/linuxproject.com/sample.html
    */5 * * * * sudo scp /home/naveen/webserver.tar.gz naveen@192.168.10.19:/home/naveen/

ADD ONs


NFS    


Network File System (NFS) is used for sharing files with other computers on the network. It is a distributed file system protocol.

Initially, repositories should be updated    

  sudo apt-get update

Next, install the NFS server package

sudo apt-get install nfs-kernel-server

Then, make the directory that is to be shared with other devices

sudo mkdir /ProjectTobeShared

/etc/exports is the main configuration file for NFS; add the following line to it

/ProjectTobeShared 192.168.10.19(rw,sync,no_root_squash)
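The export line above grants the client rw access with no_root_squash, which exports(5) documents as letting root on the client act as root on the share. As an added example (not part of the original project), the following audit parses an /etc/exports file, here a constructed sample made of the page's line plus two hypothetical lines, and flags exports to every host, no_root_squash and the insecure option, so the risk is visible before the service starts.

```python
import re

# Constructed sample /etc/exports: the first export line is the one from this
# page; the other two are hypothetical entries added to show what gets flagged.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS shares
/ProjectTobeShared 192.168.10.19(rw,sync,no_root_squash)
/srv/public *(ro,sync)
/srv/data 192.168.10.0/24(rw,sync) 192.168.10.19(rw,sync,insecure)
"""

# Either "client(options)" or a bare client with no option list.
ENTRY_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in an exports file.
    A client written without an option list yields an empty tuple."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        for m in ENTRY_RE.finditer(rest):
            if m.group(1) is not None:
                yield path, m.group(1), tuple(o.strip() for o in m.group(2).split(","))
            else:
                yield path, m.group(3), ()


def audit_exports(text):
    """Return (path, client, finding) triples for settings worth a second look."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "client root keeps root privileges (no_root_squash)"))
        if "insecure" in opts:
            findings.append((path, client, "accepts requests from unprivileged ports (insecure)"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {finding}")
```

Replacing no_root_squash with root_squash (the default) in the export line makes the first finding disappear while the client keeps rw access as an ordinary user.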

Now, start the service

sudo /etc/init.d/nfs-kernel-server start

Check the NFS share status with the following command

sudo exportfs -v

NFS client: install the NFS client and its dependencies

sudo apt-get install nfs-common rpcbind

Create a directory /destinationDir to serve as the mount point

sudo mkdir /destinationDir

Mount the remote share /ProjectTobeShared on the local directory /destinationDir

sudo mount 192.168.10.150:/ProjectTobeShared /destinationDir

Add the following line to /etc/fstab for a permanent mount

192.168.10.150:/ProjectTobeShared /destinationDir nfs rw,sync,hard,intr 0 0

The two files text1 and text2 are created in the NFS server's shared directory, and two files text3 and text4 are created on the NFS client. Because the share is mounted, all four files are visible in both folders.

IPsec configuration: left PC (web server machine)

    sudo apt-get install ipsec-tools strongswan-starter

    sudo vim /etc/ipsec.conf

    conn webserver-to-client
        authby=secret
        auto=route
        keyexchange=ike
        left=192.168.10.160
        right=192.168.10.19
        type=transport
        esp=aes128gcm16!

    sudo vim /etc/ipsec.secrets

    192.168.10.160 192.168.10.19 : PSK "Your password here!"

    sudo ipsec restart
    ipsec statusall

IPsec configuration: right PC (client machine)

    sudo apt-get install ipsec-tools strongswan-starter

    sudo vim /etc/ipsec.conf

    conn webserver-to-client
        authby=secret
        auto=route
        keyexchange=ike
        left=192.168.10.19
        right=192.168.10.160
        type=transport
        esp=aes128gcm16!

    sudo vim /etc/ipsec.secrets

    192.168.10.160 192.168.10.19 : PSK "Your password here!"

    sudo ipsec restart
    ipsec statusall


ARP POISONING


Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address associated with a target on an Ethernet LAN by altering the target computer's ARP cache with forged ARP request and reply packets. This maps the target's IP address, at the Ethernet layer, to the attacker's MAC address so that traffic can be monitored. Because the ARP replies are forged, the target computer unintentionally sends its frames to the attacker's computer first instead of to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).

We implemented ARP poisoning in our project with a Python script using the Scapy module.
The .py script is attached to the submitted project report.
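The script itself is not on this page, and the future-improvements section below lists defences against this attack as work still to do. As an added example from the defender's side (not the project's code), the following detector consumes tcpdump-style ARP reply lines, a constructed sample here, keeps the first-seen (or a trusted, pre-seeded) IP-to-MAC binding and raises an alert whenever a later reply claims the same IP with a different MAC, which is what the forged replies described above look like on the wire; a second helper lists MACs that answer for several IPs. The addresses are the page's, the MACs are made up.

```python
import re

# Constructed sample of tcpdump-style ARP reply lines (not a capture from the
# page's network). 192.168.10.1 is the gateway; the last two lines show a
# second MAC answering for the gateway and for the web server.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.10.1 is-at 02:00:00:00:00:01, length 28
10:00:02.000 ARP, Reply 192.168.10.160 is-at 02:00:00:00:01:60, length 28
10:00:03.000 ARP, Reply 192.168.10.150 is-at 02:00:00:00:01:50, length 28
10:00:04.000 ARP, Reply 192.168.10.1 is-at 02:00:00:00:00:01, length 28
10:00:05.000 ARP, Reply 192.168.10.1 is-at 02:00:00:00:00:99, length 28
10:00:06.000 ARP, Reply 192.168.10.160 is-at 02:00:00:00:00:99, length 28
"""

REPLY_RE = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_replies(lines):
    """Yield (ip, mac) for every ARP reply line; MACs are normalised to lower case."""
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_binding_changes(lines, trusted=None):
    """Return (ip, expected_mac, seen_mac) for replies that contradict the
    binding first seen for that IP. `trusted` pre-seeds known-good bindings
    (for example the gateway) so a spoof that arrives first is still caught."""
    table = dict(trusted or {})
    alerts = []
    for ip, mac in parse_replies(lines):
        expected = table.setdefault(ip, mac)   # first binding wins and is kept
        if expected != mac:
            alerts.append((ip, expected, mac))
    return alerts


def macs_answering_for_many(lines, threshold=2):
    """Map MAC -> sorted IPs for MACs that answer for `threshold` or more IPs."""
    claims = {}
    for ip, mac in parse_replies(lines):
        claims.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_ARP_LOG.splitlines()
    for ip, expected, seen in detect_binding_changes(lines):
        print(f"ALERT {ip}: expected {expected}, reply claimed {seen}")
    print(macs_answering_for_many(lines))
```

In practice the lines come from `tcpdump -n -e arp` on the client or a mirror port, and the trusted table is seeded with the gateway's MAC taken from its console rather than from ARP.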

Testing


DHCP


1. DHCP was tested by checking the leased IP addresses with the following command. It shows the leases on the DHCP server and the IP addresses that have been handed out to clients.

       sudo tail /var/lib/dhcp/*.leases 

2. For more log information, the DHCP server's output can be checked in the system log with the following command.

       sudo tail -f /var/log/syslog
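Reading the raw leases file by eye is error-prone because dhcpd appends a new block each time a lease is renewed or released, so one address can appear several times. The following added example (not from the original project) parses a constructed dhcpd.leases sample, keeps the last block for each address as dhcpd itself does, and lists only the leases whose binding state is active.

```python
import re

# Constructed sample dhcpd.leases (not from the page): 192.168.10.12 is leased
# and then renewed, 192.168.10.13 is leased and then released. dhcpd only
# appends, so the later block for an address is the current one.
SAMPLE_LEASES = """\
lease 192.168.10.12 {
  starts 4 2016/12/01 10:00:00;
  ends 4 2016/12/01 10:10:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:12;
  client-hostname "laptop1";
}
lease 192.168.10.13 {
  starts 4 2016/12/01 10:01:00;
  ends 4 2016/12/01 10:11:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:13;
}
lease 192.168.10.12 {
  starts 4 2016/12/01 10:05:00;
  ends 4 2016/12/01 10:15:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:12;
  client-hostname "laptop1";
}
lease 192.168.10.13 {
  starts 4 2016/12/01 10:01:00;
  ends 4 2016/12/01 10:11:00;
  binding state free;
  hardware ethernet 02:00:00:00:00:13;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# Only the fields we report on; "next binding state" does not match because
# the line does not start with "binding state".
FIELD_RE = re.compile(
    r"^\s*(binding state|hardware ethernet|ends|client-hostname)\s+(.*?);", re.M
)


def parse_leases(text):
    """Return {ip: fields}; the last declaration of each address wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        leases[ip] = {key: value.strip('"') for key, value in FIELD_RE.findall(body)}
    return leases


def active_leases(text):
    """Map IP -> (MAC, lease end, hostname) for leases whose binding state is active."""
    return {
        ip: (f.get("hardware ethernet"), f.get("ends"), f.get("client-hostname", ""))
        for ip, f in parse_leases(text).items()
        if f.get("binding state") == "active"
    }


if __name__ == "__main__":
    for ip, (mac, ends, host) in sorted(active_leases(SAMPLE_LEASES).items()):
        print(f"{ip:<16} {mac}  ends {ends}  {host}")
```

On the server, `active_leases(open("/var/lib/dhcp/dhcpd.leases").read())` gives the current picture instead of the tail of the file.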

DNS Server

1. Test the master DNS server (forward lookup)

Abhisheks-MacBook-Pro:~ AbhishekSenapati$ nslookup www.linuxproject.com
Server:		192.168.10.150
Address:	192.168.10.150#53

Name:	www.linuxproject.com
Address: 192.168.10.150
Name:	www.linuxproject.com
Address: 192.168.10.155
Name:	www.linuxproject.com
Address: 192.168.10.160

Reverse Lookup

Abhisheks-MacBook-Pro:~ AbhishekSenapati$ nslookup 192.168.10.160
Server:		192.168.10.150
Address:	192.168.10.150#53

160.10.168.192.in-addr.arpa	name = www.linuxproject.com.

2. Test the slave DNS server

    Turn off the master DNS server and repeat the same lookups as for the master; they are now answered by the slave.

IPv6

The client's interface after receiving the prefix advertised by radvd:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 3c:15:c2:e7:a6:00 
	inet6 fe80::491:b82:2af:4027%en0 prefixlen 64 secured scopeid 0x4 
	inet 192.168.10.18 netmask 0xffffff00 broadcast 192.168.10.255
	inet6 2607:f1d0:2001:a:1433:b99d:8b65:de45 prefixlen 64 autoconf secured 
	inet6 2607:f1d0:2001:a:44ff:b330:5600:53bd prefixlen 64 autoconf temporary 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

Firewall

We inserted rules to block access by default and allow only one client.
Test case scenario: only one client, and not the other, can access the web page.

On the web server, run the following and leave it running:

    ping -s 4048 192.168.10.19

On the client, run the following:

    watch ipsec statusall

The number of packets and the number of bytes shown should keep increasing while the ping is running; this shows that the traffic is flowing through the tunnel as it should.

Future Improvements


1. Implement defending mechanisms to prevent attacks like ARP Poisoning, MITM (Man in the middle Attack).

2. Improve DNS Zone Security with Zone owner keys.

3. DHCP Superscope implementation, to provide the flexibility of allocating multiple addresses to the subnets.
