Data Networking/Fall 2016/Ad Hoc Network in Linux

LINUX PROJECT
1. Akshay Tandel
2. Vinay Nambiar
3. Kalpesh Shardul
4. Aditya Kadam

Motivation

Most network operating systems are based on some variation of Linux. Linux influences every aspect of network administration, so a network engineer should know Linux. The range and scope of networking technologies that use Linux is vast and growing, and for a successful career as a network engineer, knowing Linux is necessary. This project helped us apply our networking concepts and skills and gave us an idea of Linux's flexibility and usefulness.

Protocols and their behavior

DNS

For humans, remembering websites by name is much easier than remembering their IP addresses. DNS is the service that makes this possible. The Domain Name System (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDNs) to each other, so users do not need to remember IP addresses. It is even possible to associate multiple names with the same device, one per service it offers. Computers that run DNS are called name servers. The basic task of a DNS server is to resolve the name in a client's query to an IP address. It also caches each query and its response for later use, which reduces the time needed to resolve names that have already been looked up.

DHCP

DHCP stands for Dynamic Host Configuration Protocol. A DHCP server automatically assigns network settings to hosts, as opposed to configuring each network host manually. Computers configured as DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user.

Important services provided by DHCP server to DHCP clients are:
1. IP address and netmask
2. IP address of the default-gateway to use
3. IP addresses of the DNS servers to use

The advantage of using DHCP is that changes common to all hosts on the network need to be made only at the DHCP server, and all network hosts are reconfigured from there. It is also easier to add new computers to the network, as there is no need to check whether an IP address is free.

A DHCP server can assign configuration to clients in the following ways:
1. Manual allocation (MAC address)
2. Dynamic allocation (address pool)
3. Automatic allocation

Webserver

A web server is a computer system dedicated to accepting HTTP requests from clients' web browsers (applications such as Firefox, Chrome, Internet Explorer, Safari, etc.) and serving them HTTP responses carrying web pages and objects. We implemented Apache2. Apache is a popular web server used on Linux systems.

Firewall

A firewall is a security feature that filters incoming and outgoing traffic on the network. iptables is an extremely useful firewall utility built for Linux. With iptables we can control network traffic by configuring chains and rules, including connection-specific responses.

Backup

The tools used for backup are rsync and ssh. rsync synchronizes files in Ubuntu; it transfers only the data that is not yet present in the backup copy. The ssh protocol provides a secure channel for sending and receiving files between Unix machines; the traffic is encrypted and decrypted at the two endpoints. crontab is used for scheduling the backups.

Requirements

Operating system: Ubuntu 14.04
DNS: BIND (Berkeley Internet Name Domain)
DHCP: dhcpd (dynamic host configuration protocol daemon)
Webserver: Apache2

Steps and Commands used

DNS Master Server

Step 1: Install Bind9
Command:

               sudo apt-get install bind9

Step 2: Restart the networking daemon
Command:

               sudo /etc/init.d/networking restart

Step 3: Add the DNS zones to BIND9
Edit /etc/bind/named.conf.local and add the forward zone, the IPv4 reverse zone and the IPv6 reverse zone. allow-transfer limits zone transfers to the secondary server at 192.168.1.90, and also-notify tells that server when the zone changes:

               # Forward zone
               zone "home.zzz" {
                   type master;
                   file "/etc/bind/db.home.zzz";
                   allow-transfer { 192.168.1.90; };
                   also-notify { 192.168.1.90; };
               };
               # Reverse zone
               zone "1.168.192.in-addr.arpa" {
                   type master;
                   file "/etc/bind/rdb.home.zzz";
                   allow-transfer { 192.168.1.90; };
                   also-notify { 192.168.1.90; };
               };
               # IPv6 reverse zone
               zone "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa" {
                   type master;
                   notify no;
                   file "/etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa";
               };

Step 4: Use an existing zone file as a template to create the /etc/bind/db.home.zzz file
Command:

               sudo cp /etc/bind/db.local /etc/bind/db.home.zzz

Edit the db.home.zzz file as follows (the Serial must be increased every time the file changes, otherwise the secondary server will not pick up the new version):

               $TTL    604800
               home.zzz.       IN      SOA     ns1.home.zzz. server.home.zzz. (
                                    12         ; Serial
                                604800         ; Refresh
                                 86400         ; Retry
                               2419200         ; Expire
                                604800 )       ; Negative Cache TTL
               home.zzz.       IN      NS      ns1.home.zzz.
               home.zzz.       IN      NS      ns2.home.zzz.
               ns1.home.zzz.   IN      A       192.168.1.89
                               IN      AAAA    2000:2001:2002:2003::89
               ns2.home.zzz.   IN      A       192.168.1.90
                               IN      AAAA    2000:2001:2002:2003::90
               example         IN      A       192.168.1.89
               example         IN      AAAA    2000:2001:2002:2003::89
               www.example     IN      CNAME   example.home.zzz.
               bostonbeast     IN      CNAME   example
               test            IN      A       192.168.1.89
               test            IN      AAAA    2000:2001:2002:2003::89
               www.test        IN      CNAME   test.home.zzz.
               bostonbaba      IN      CNAME   test.home.zzz.
               dn              IN      A       192.168.1.20
               dn              IN      AAAA    2000:2001:2002:2003::20

Now restart BIND9:

                    sudo service bind9 restart

Step 5: Set up the reverse zone
Command:

                   sudo cp /etc/bind/db.127 /etc/bind/rdb.home.zzz

Now edit the rdb.home.zzz file as follows:

  $TTL    604800
  @       IN      SOA     home.zzz. server.home.zzz. (
                       10              ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  ;
  @       IN      NS      ns1.home.zzz.
  @       IN      NS      ns2.home.zzz.
  89      IN      PTR     ns1.home.zzz.
  90      IN      PTR     ns2.home.zzz.
  89      IN      PTR     example.home.zzz.
  89      IN      PTR     test.home.zzz.
  20      IN      PTR     dn.home.zzz.

Now restart BIND9

                      sudo service bind9 restart

Now create the IPv6 reverse zone file /etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa as follows (the owner labels are the remaining nibbles of each address, written in reverse, under the $ORIGIN):

  $ORIGIN 2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa.
  ;
  $TTL    604800
  @       IN      SOA     home.zzz. server.home.zzz. (
                       5               ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  ;
  @       IN      NS      ns1.home.zzz.
  @       IN      NS      ns2.home.zzz.
  9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     ns1.home.zzz.
  0.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     ns2.home.zzz.
  9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     example.home.zzz.
  9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     test.home.zzz.
  0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     dn.home.zzz.
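
Because the three zone files must agree (every A and AAAA record needs a matching PTR under the right $ORIGIN, and the reversed IPv6 nibble labels are easy to get wrong by hand), here is an added Python check, not part of the project, that recomputes the PTR owner names from the forward records above and compares them with the reverse zones. The record tables are constructed from the files shown on this page.

```python
import ipaddress

# Constructed sample data mirroring the forward zone (db.home.zzz) above:
# owner name -> addresses from its A and AAAA records.
FORWARD = {
    "ns1.home.zzz.":     ["192.168.1.89", "2000:2001:2002:2003::89"],
    "ns2.home.zzz.":     ["192.168.1.90", "2000:2001:2002:2003::90"],
    "example.home.zzz.": ["192.168.1.89", "2000:2001:2002:2003::89"],
    "test.home.zzz.":    ["192.168.1.89", "2000:2001:2002:2003::89"],
    "dn.home.zzz.":      ["192.168.1.20", "2000:2001:2002:2003::20"],
}

# PTR records as written in the two reverse zone files, keyed by $ORIGIN.
REVERSE = {
    "1.168.192.in-addr.arpa.": {
        ("89", "ns1.home.zzz."), ("90", "ns2.home.zzz."),
        ("89", "example.home.zzz."), ("89", "test.home.zzz."),
        ("20", "dn.home.zzz."),
    },
    "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa.": {
        ("9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2", "ns1.home.zzz."),
        ("0.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2", "ns2.home.zzz."),
        ("9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2", "example.home.zzz."),
        ("9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2", "test.home.zzz."),
        ("0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2", "dn.home.zzz."),
    },
}


def ptr_owner(ip, origin):
    """Owner name of the PTR record for ip, relative to the zone's $ORIGIN.

    ipaddress builds the full reverse name (octets reversed for IPv4, all 32
    nibbles reversed for IPv6); stripping the origin leaves exactly what is
    written in the zone file ("89" or the 20-nibble label). Raises ValueError
    when the address is not covered by that origin.
    """
    full = ipaddress.ip_address(ip).reverse_pointer + "."
    if not full.endswith("." + origin):
        raise ValueError(f"{ip} is not inside {origin}")
    return full[: -(len(origin) + 1)]


def check_reverse(forward, reverse):
    """Return (name, ip, reason) for every address whose PTR is missing or wrong."""
    problems = []
    for name, addrs in forward.items():
        for ip in addrs:
            for origin, records in reverse.items():
                try:
                    owner = ptr_owner(ip, origin)
                except ValueError:
                    continue  # this reverse zone does not cover the address
                if (owner, name) not in records:
                    problems.append((name, ip, f"no PTR {owner} -> {name} in {origin}"))
                break
            else:
                problems.append((name, ip, "no reverse zone covers this address"))
    return problems
```

For the zone files on this page check_reverse returns an empty list; change any address in FORWARD and it reports the PTR that is now missing.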

Slave DNS Server

Edit /etc/bind/named.conf.local on the secondary server. The zone names and the masters address must match what the master actually serves (home.zzz on ns1, 192.168.1.89, in the steps above), and the master's allow-transfer must list this server; the file as used in the project is:

            # Forward zone
            zone "linux.abc" {
                type slave;
                file "/var/cache/bind/db.linux.abc";
                masters { 192.168.1.10; };
            };
            # Reverse zone
            zone "1.168.192.in-addr.arpa" {
                type slave;
                file "/var/cache/bind/db.192";
                masters { 192.168.1.10; };
            };

Now restart BIND9

                      sudo service bind9 restart

DHCP

1. Install DHCP Server

   sudo apt-get install isc-dhcp-server

2. Install the radvd package

   sudo apt-get install radvd

3. Set the static IP address of the DHCP server (the resolvconf options are dns-nameservers and dns-search)

   sudo nano /etc/network/interfaces
   auto lo
   iface lo inet loopback
   auto eth0
   iface eth0 inet static
   address 192.168.1.91
   netmask 255.255.255.0
   gateway 192.168.1.1
   network 192.168.1.0
   broadcast 192.168.1.255
   dns-nameservers 192.168.1.89
   dns-search home.zzz
   iface eth0 inet6 static
   address 2000:2001:2002:2003::91
   netmask 64
   gateway 2000:2001:2002:2003::1

4. Configure the IPv6 and IPv4 forwarding

    nano /etc/sysctl.conf
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1

5. Make eth0 as the default interface

   nano /etc/default/isc-dhcp-server
   INTERFACES="eth0"

6. Configure the DHCP server for IPv4

    nano /etc/dhcp/dhcpd.conf
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.150;
        option domain-name-servers 192.168.1.89, 192.168.1.90;
        option domain-name "home.zzz";
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

7. Edit the resolv.conf file (on Ubuntu 14.04 this file is regenerated by resolvconf from the dns-nameservers line in /etc/network/interfaces, so it should already contain this entry)

    sudo nano /etc/resolv.conf
    nameserver 192.168.1.89

8. Configure the DHCP server for IPv6 (one subnet6 block for the project's prefix, with both address ranges inside it)

    nano /etc/dhcp/dhcpd6.conf

    default-lease-time 600;
    max-lease-time 7200;
    log-facility local7;
    subnet6 2000:2001:2002:2003::/64 {
        # Range for clients
        range6 2000:2001:2002:2003::100 2000:2001:2002:2003::150;
        # Range for clients requesting a temporary address
        range6 2000:2001:2002:2003::/64 temporary;
    }

9. Configure the radvd daemon

   nano /etc/radvd.conf
   interface eth0 {
       AdvSendAdvert on;
       MinRtrAdvInterval 3;
       MaxRtrAdvInterval 10;
       prefix 2000:2001:2002:2003::/64 {
           AdvOnLink on;
           AdvAutonomous on;
           AdvRouterAddr on;
       };
   };

10. Reboot the system

    sudo init 6

11. Start the DHCP server

    sudo service isc-dhcp-server start

12. Restart the networking service

    sudo service networking restart

Webserver

1. Install apache2

   sudo apt-get install apache2

2. Make directories

   sudo mkdir -p /var/www/example.home.zzz/public_html
   sudo mkdir -p /var/www/test.home.zzz/public_html

3. Create Webpages for Each Host: open up an index.html

   nano /var/www/example.home.zzz/public_html/index.html

4. Create an HTML document that indicates which site it belongs to.
Save and close the file when you are finished.
5. Do the same for test.home.zzz.
6. Create New Virtual Host Files.
Create the First Virtual Host File
Start by copying the default configuration file for the first domain:

    sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.home.zzz.conf

Open the new file in the nano editor with root privileges:

    sudo nano /etc/apache2/sites-available/example.home.zzz.conf

The virtual host file should look like this:

   <VirtualHost *:80>
       ServerAdmin admin@example.home.zzz
       ServerName example.home.zzz
       ServerAlias www.example.home.zzz
       DocumentRoot /var/www/example.home.zzz/public_html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
   </VirtualHost>

Save and close the file.

Copy First Virtual Host and Customize for Second Domain

      sudo cp /etc/apache2/sites-available/example.home.zzz.conf /etc/apache2/sites-available/test.home.zzz.conf

Open the new file in nano editor with root privileges:

      sudo nano /etc/apache2/sites-available/test.home.zzz.conf

It should look like this:

      <VirtualHost *:80>
          ServerAdmin admin@test.home.zzz
          ServerName test.home.zzz
          ServerAlias www.test.home.zzz
          DocumentRoot /var/www/test.home.zzz/public_html
          ErrorLog ${APACHE_LOG_DIR}/error.log
          CustomLog ${APACHE_LOG_DIR}/access.log combined
      </VirtualHost>

Save and close the file when you are finished.

7. Enable the New Virtual Host Files

      sudo a2ensite example.home.zzz.conf
      sudo a2ensite test.home.zzz.conf

8. Restart Apache to make these changes take effect:

      sudo service apache2 restart

9. Set Up Local Hosts File (Optional)

      sudo nano /etc/hosts

It should look like this:

      127.0.0.1   localhost
      127.0.1.1   ubuntu
      192.168.1.89 example.home.zzz
      192.168.1.89 test.home.zzz

Save and close the file.

10. Test your Results In web-browser:

      http://example.home.zzz
      http://test.home.zzz

Firewall

1. Only 192.168.1.90 is allowed to telnet to the web server. The rule is inserted at position 1 of the INPUT chain, so it is evaluated before the REJECT rules appended below; with the order reversed the REJECT would win, because the first matching ACCEPT or REJECT decides the packet's fate.

     iptables -I INPUT 1 -s 192.168.1.90 -p tcp -m tcp --dport 23 -j ACCEPT

2. The command below rejects all other telnet access arriving on eth0.

     iptables -A INPUT -p tcp -m tcp --dport 23 -i eth0 -j REJECT

3. The commands below block FTP (control port 21 and data port 20).

     iptables -A INPUT -p tcp -m tcp --dport 21 -i eth0 -j REJECT
     iptables -A INPUT -p tcp -m tcp --dport 20 -i eth0 -j REJECT

4. To keep the rules across reboots, install iptables-persistent and save the current rule set:

     sudo apt-get install iptables-persistent
     sudo invoke-rc.d iptables-persistent save

Backup

1. Install ssh server

   sudo apt-get install openssh-server

2. Install ssh client on another VM

   sudo apt-get install openssh-client

3. Generate a public/private key pair on the client. Run with sudo, the key pair is created for root in /root/.ssh, which is the account whose crontab is used in step 6

   sudo ssh-keygen -t rsa

4. Copy the public key to the ssh server (192.168.1.90 is the backup server). ssh-copy-id appends the key to ~/.ssh/authorized_keys of user akshay on that host, so it must run as the same account that generated the key

   sudo ssh-copy-id akshay@192.168.1.90

5. Create a compressed tar archive of the two web roots and send it securely to the backup server

   tar -P -cjvf /home/tandel/backup/`date '+%H%h%m%d%y'`backup.tbz /var/www/example.home.zzz /var/www/test.home.zzz
   scp /home/tandel/backup/`date '+%H%h%m%d%y'`backup.tbz akshay@192.168.1.90:/home/akshay/backup/backups/

6. Run the backup automatically every day at 12:00 from root's crontab. Inside a crontab entry every % must be escaped as \%, because cron otherwise turns % into a newline and the date command never runs

   sudo crontab -e
   0 12 * * * /bin/tar -P -cjvf /home/tandel/backup/`date '+\%H\%h\%m\%d\%y'`backup.tbz /var/www/example.home.zzz /var/www/test.home.zzz; scp /home/tandel/backup/`date '+\%H\%h\%m\%d\%y'`backup.tbz akshay@192.168.1.90:/home/akshay/backup/backups/

Add-ons

ARP cache poisoning

ARP, the Address Resolution Protocol, is a protocol used to resolve Internet-layer addresses into link-layer addresses, a critical function in computer networks. Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc. We created a Python script using Scapy for poisoning the ARP cache of a client system.
Step: We have three different systems in our network: 1. Attacker, 2. Victim, 3. Web Server. The web server hosts the web page and the victim can view it. We then executed a Scapy script that floods the victim's ARP cache with the attacker's own MAC address. As a result, whenever the client sends a request to port 80 it sees the HACKED web page hosted by the attacker.
Command: Python commands
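
As a defender's counterpart to the attack described above, here is an added Python example (not one of the project's scripts) that applies the usual detection logic to a constructed list of ARP replies: it flags any IP whose MAC binding changes and any MAC that answers for several IPs, which is how the flood looks from the victim's side of the segment. The MAC addresses are made up.

```python
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs from ARP replies, in the order
# a sniffer on the victim's segment would see them. MAC values are invented.
WEBSERVER_MAC = "02:00:00:00:00:89"
ATTACKER_MAC = "02:00:00:00:00:aa"
SAMPLE_REPLIES = [
    ("192.168.1.89", WEBSERVER_MAC),        # genuine reply from the web server
    ("192.168.1.1", "02:00:00:00:00:01"),   # genuine reply from the gateway
    ("192.168.1.89", ATTACKER_MAC),         # start of the poisoning flood
    ("192.168.1.89", ATTACKER_MAC),
    ("192.168.1.1", ATTACKER_MAC),          # the same MAC now also claims the gateway
]


def detect_arp_poisoning(replies, trusted=None):
    """Return (alerts, table).

    alerts: one (ip, expected_mac, seen_mac) tuple for every reply whose MAC differs
    from the binding already recorded for that IP. The reference binding is a static
    entry from `trusted` (IP -> MAC) or, failing that, the first reply seen.
    table: the final IP -> MAC view; trusted and first-seen entries are never
    overwritten, so a later flood cannot silently replace them.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))
    return alerts, table


def macs_claiming_many_ips(replies, threshold=2):
    """MACs that answered for at least `threshold` distinct IPs.

    One MAC speaking for both the web server and the gateway is the classic
    signature of a host impersonating its neighbours.
    """
    ips = defaultdict(set)
    for ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: sorted(s) for mac, s in ips.items() if len(s) >= threshold}
```

The first-seen heuristic is only as good as the first reply, so for hosts that matter (gateway, name servers, web server) pass their real MACs as `trusted` rather than learning them from the wire.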

IPsec VPN tunnels

IPsec works at the network layer. We implemented IPsec to protect data in transit. IPsec provides data security by encrypting and authenticating data, and protects against masquerading and manipulation. When two machines want to make a VPN connection between them, they agree on certain settings and parameters, e.g. what type of authentication and encryption will be used within the VPN tunnel. This is generally called VPN negotiation. We created a transport-mode IPsec VPN between two different systems.
Step: Two independent virtual machines can communicate over an encrypted channel. We used strongSwan to set this up.
Command:

1. apt-get install ipsec-tools strongswan-starter
2. nano /etc/ipsec.conf
3. Add the connection:

   conn red-to-blue
       authby=secret
       auto=route
       keyexchange=ike
       left=<Left IP>
       right=<Right IP>
       type=transport
       esp=aes128gcm16!

4. nano /etc/ipsec.secrets (this file holds the pre-shared key, so it must be readable by root only)
5. Add the PSK line:

   <Left IP> <Right IP> : PSK "Your password here!"

6. ipsec restart
7. ipsec statusall

The same configuration needs to be done on the other system, with left and right swapped as appropriate. Then the tunnel can be checked by running ping from one side and confirming on the other that the traffic appears as ESP packets in tcpdump esp.

Network File System (NFS)

The Network File System allows a system to share directories and files with others over a network. Using NFS, users and programs can access files on remote systems almost as if they were local files. Commonly used data can be stored on a single machine and accessed by the other machines on the network. Home directories can be kept on the NFS server and mounted on every machine on the network, and storage devices attached to one machine can be used by the others, which may reduce the number of removable media drives throughout the network.
Step 1: Configuring the NFS host
Command:

            sudo apt-get install nfs-kernel-server 

Create the Share Directory on the Host Server

            sudo mkdir /var/nfs

Configure the NFS Exports on the Host Server

            sudo nano /etc/exports

Append the following on the last line (no_root_squash lets root on the client act as root inside the exported /home, so the client address must be exactly the intended host):

            /home       <IP address of client>(rw,sync,no_root_squash,no_subtree_check)
            /var/nfs    <IP address of client>(rw,sync,no_subtree_check)

Create the NFS table that holds the exported shares

            sudo exportfs -a

Start NFS service

             sudo service nfs-kernel-server start

Step 2: Configuring the NFS client
Install the nfs-common package on the NFS client

             sudo apt-get install nfs-common

Create the mount points on the client
Create each directory together with the necessary parent directories

             sudo mkdir -p /mnt/nfs/home
             sudo mkdir -p /mnt/nfs/var/nfs

Mount the remote shares on the NFS client (1.2.3.4 stands for the address of the NFS host)

              sudo mount 1.2.3.4:/home /mnt/nfs/home
              sudo mount 1.2.3.4:/var/nfs /mnt/nfs/var/nfs
