Data Networking/Fall 2016/BATA
Group Members
Aashish Anand
Ayush Shah
Bala Prasanth Sankaran
Tarun Sharma
Purpose
To design a network that meets the basic requirements of a company located in Boston, and in the process to apply the concepts of Data Networking.
Protocols (Requirements)
Dynamic Host Configuration Protocol (DHCP)
DHCP stands for Dynamic Host Configuration Protocol. It assigns IP addresses to network hosts dynamically from a configured pool. An assignment is valid for a time interval set by the lease parameter; before the lease expires the client must renew it to keep the same address. Allocation is a four-step exchange (often called DORA):
1) DHCP discover
2) DHCP offer
3) DHCP request
4) DHCP acknowledge
Domain Name System (DNS)
DNS is the Domain Name System. A DNS server is the first point of contact for resolving host names to IP addresses and vice versa. It keeps separate zones for the two directions: name-to-address records (forward lookup) and address-to-name PTR records (reverse lookup).
A DNS lookup is recursive from the client's point of view and iterative from the resolver's. The client's stub resolver sends a recursive query to its local DNS server; if the answer is not cached, the local server queries a root server, which refers it to the TLD server, which in turn refers it to the authoritative server for the domain. The local server returns the final answer to the client, which can then connect to the requested URL.
Web Server & Firewall
A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to requests forwarded by their computers' HTTP clients. The process is an example of the client/server model. The term "Web server" often refers only to the HTTP server software on the machine, which provides the Web site functionality. HTTP is the protocol of the Web, and HTTP server software such as Microsoft's IIS and the open-source Apache server accepts requests from the user's browser and responds by sending back HTML documents (Web pages) and files. It also executes scripts that reside on the server (CGI scripts, JSPs, ASPs, etc.).
A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. The firewall in our project performs IP filtering, protocol filtering, etc., and is used to restrict particular incoming or outgoing connections. For example, we can block a client with a particular IP address from reaching the web server.
Back-up
A dedicated server that stores the configuration files (and web content) sent from each attached server, so that they can be restored as a disaster-recovery measure.
Add-on(s)
ARP cache poisoning
Any node that talks to other hosts on the network qualifies as a client. The client is always the connection initiator: it makes the first move, and once the connection is established it exchanges data with the server.
A malicious client is one with malicious intent that attacks the network by various means, from simple packet sniffing to a denial-of-service attack. In our scenario the malicious client poisons the ARP caches of the target and of the web server, so that each maps the other's IP address to the attacker's MAC address and their traffic flows through the attacker. Because the attacker wants to redirect the requested web page from the genuine web server to its own, it also adds an iptables NAT rule that rewrites the destination IP address of the intercepted HTTP requests to its own address. This completes the attack: the victim's web requests land on whatever server the attacker chooses, while the victim believes it is talking to the genuine one.
This attack can be mitigated with DHCP snooping and Dynamic ARP Inspection (DAI). The switch records the IP-to-MAC bindings it sees in DHCP leases in a binding table, and DAI drops any ARP packet arriving on an untrusted port whose sender IP/MAC pair does not match the table.
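The switch-side check just described, as an added example written for this page (it is not part of the original project): a toy Dynamic ARP Inspection that validates ARP packets against a DHCP-snooping binding table, next to the host-side symptom of the attack (an IP address whose MAC suddenly changes, which arpwatch-style monitoring alerts on). The MAC addresses, switch port names and ARP packets are constructed; only the IP addresses come from the project.

```python
"""Dynamic ARP Inspection (DAI) in miniature, plus the host-side symptom an ARP
poisoner leaves behind. Added example, not part of the original project. The IP
addresses are the project's own; the MAC addresses, switch ports and ARP
packets are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    port: str          # switch port the frame arrived on


# Binding table as DHCP snooping builds it from DHCPACKs seen on untrusted
# ports: ip -> (mac, port). A static host (the web server) is added by hand.
BINDINGS = {
    "192.168.240.12": ("00:0c:29:aa:bb:01", "Gi0/1"),   # web server (constructed MAC)
    "192.168.240.20": ("00:0c:29:aa:bb:02", "Gi0/2"),   # victim client
    "192.168.240.21": ("00:0c:29:aa:bb:03", "Gi0/3"),   # attacker's own lease
}
TRUSTED_PORTS = {"Gi0/24"}    # uplink towards router/DHCP server: not inspected


def inspect(pkt, bindings=BINDINGS):
    """DAI verdict for one ARP packet: (allowed, reason)."""
    if pkt.port in TRUSTED_PORTS:
        return True, "trusted port"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return False, f"no binding for {pkt.sender_ip}"
    mac, port = binding
    if pkt.sender_mac.lower() != mac:
        return False, f"{pkt.sender_ip} is bound to {mac}, not {pkt.sender_mac}"
    if pkt.port != port:
        return False, f"{pkt.sender_ip} was learned on {port}, frame came in on {pkt.port}"
    return True, "matches binding"


class ArpCache:
    """A host's ARP cache. It records every change of MAC for an IP it already
    knows; that flip is what the victim sees when no switch does DAI."""

    def __init__(self):
        self.table, self.flips = {}, []

    def learn(self, pkt):
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.flips.append((pkt.sender_ip, old, pkt.sender_mac))
        self.table[pkt.sender_ip] = pkt.sender_mac


def poison(attacker_mac, victim_ip, victim_mac, server_ip, server_mac, port):
    """The pair of unsolicited replies a poisoner sends, one towards each side,
    each claiming the other side's IP for the attacker's MAC."""
    return [
        Arp("reply", attacker_mac, server_ip, victim_mac, victim_ip, port),
        Arp("reply", attacker_mac, victim_ip, server_mac, server_ip, port),
    ]


def run_demo():
    victim_cache = ArpCache()
    genuine = Arp("reply", "00:0c:29:aa:bb:01", "192.168.240.12",
                  "00:0c:29:aa:bb:02", "192.168.240.20", "Gi0/1")
    forged = poison("00:0c:29:aa:bb:03", "192.168.240.20", "00:0c:29:aa:bb:02",
                    "192.168.240.12", "00:0c:29:aa:bb:01", "Gi0/3")
    # Without DAI every reply reaches the victim and its cache flips to the attacker.
    for pkt in (genuine, forged[0]):
        victim_cache.learn(pkt)
    # With DAI the switch drops the forged replies before any host sees them.
    verdicts = {"genuine": inspect(genuine)[0],
                "to_victim": inspect(forged[0])[0],
                "to_server": inspect(forged[1])[0]}
    return victim_cache.flips, verdicts


if __name__ == "__main__":
    print(run_demo())
```

The two defences are complementary: DAI stops the forged replies at the access port, while the cache-flip check is what you are left with on a network whose switches cannot do it.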
Network File System (NFS)
NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. Some of the most notable benefits that NFS can provide are:
1. Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
2. There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
3. Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.
IPsec VPN
Virtual private network technology is based on tunneling. VPN tunneling involves establishing and maintaining a logical network connection (which may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between VPN client and server, and de-encapsulated on the receiving side.
For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
Installation & Configuration
We logged in as root with the "sudo su" command and configured the entire project as root on all systems.
DHCP IP version 4
Installation
Commands:
apt-get update
apt-get install isc-dhcp-server
Configurations
To bind the server to the Ethernet interface:
nano /etc/default/isc-dhcp-server
Commands:
INTERFACES="ens33"
To assign a static IP to the DHCP server:
Commands:
nano /etc/network/interfaces
auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
        address 192.168.240.5
        netmask 255.255.255.0
        gateway 192.168.240.1
        broadcast 192.168.240.255
        network 192.168.240.0
To configure the DHCP server:
nano /etc/dhcp/dhcpd.conf
Commands:
# A slightly different configuration for an internal subnet.
subnet 192.168.240.0 netmask 255.255.255.0 {
        range 192.168.240.20 192.168.240.100;
        option domain-name-servers 192.168.240.2;
        option subnet-mask 255.255.255.0;
        option routers 192.168.240.1;
        option broadcast-address 192.168.240.255;
        default-lease-time 600;
        max-lease-time 7200;
}
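The four-step exchange from the Protocols section and the consistency between this subnet block and the interface address, together as an added example written for this page (not code from the project): a small Python model of the lease logic behind dhcpd.conf. It first validates the settings dhcpd reads (the interface address from /etc/network/interfaces must sit in the declared subnet, the range must lie inside it and must not swallow the server, router or DNS address), then plays DISCOVER/OFFER/REQUEST/ACK for two clients, a renewal capped at max-lease-time, a rejected REQUEST for an address leased to someone else, and re-use of an address after its lease expires. It does not speak DHCP on the wire. The MAC addresses are constructed; the addresses and lease times are the ones configured above.

```python
"""Miniature DHCP server: the four-step DISCOVER/OFFER/REQUEST/ACK exchange and
the configuration check for an interface address or range outside the declared
subnet. Added example, not code from the original project; it models the lease
logic only and does not speak DHCP on the wire. Option names follow dhcpd.conf;
the addresses are the project's own subnet; the MAC addresses are constructed."""
import ipaddress
import time

# The subnet block from dhcpd.conf above, as a dictionary.
CONFIG = {
    "subnet": "192.168.240.0",
    "netmask": "255.255.255.0",
    "range": ("192.168.240.20", "192.168.240.100"),
    "routers": "192.168.240.1",
    "domain-name-servers": "192.168.240.2",
    "broadcast-address": "192.168.240.255",
    "default-lease-time": 600,
    "max-lease-time": 7200,
}


def check_config(interface_addr, cfg):
    """Return the problems dhcpd would refuse to start with, or that bite later.
    interface_addr is the server's own address with prefix length, as set in
    /etc/network/interfaces (e.g. "192.168.240.5/24")."""
    problems = []
    subnet = ipaddress.ip_network(f"{cfg['subnet']}/{cfg['netmask']}", strict=False)
    iface = ipaddress.ip_interface(interface_addr)
    lo, hi = (ipaddress.ip_address(a) for a in cfg["range"])
    if iface.network != subnet:
        problems.append(f"interface {iface} is not in declared subnet {subnet}")
    if lo > hi or lo not in subnet or hi not in subnet:
        problems.append(f"range {lo}-{hi} is not inside {subnet}")
    for label, addr in (("server", iface.ip), ("routers", cfg["routers"]),
                        ("domain-name-servers", cfg["domain-name-servers"])):
        if lo <= ipaddress.ip_address(str(addr)) <= hi:
            problems.append(f"{label} address {addr} lies inside the dynamic range")
    if cfg["default-lease-time"] > cfg["max-lease-time"]:
        problems.append("default-lease-time exceeds max-lease-time")
    return problems


class DhcpServer:
    """Lease allocator behind the four messages. `now` is injectable so lease
    expiry can be exercised without waiting."""

    def __init__(self, cfg, now=time.time):
        self.cfg, self.now = cfg, now
        lo, hi = (int(ipaddress.ip_address(a)) for a in cfg["range"])
        self.pool = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        self.leases = {}    # ip -> (mac, expiry time)
        self.offers = {}    # mac -> ip offered but not yet acknowledged

    def _options(self):
        return {"subnet-mask": self.cfg["netmask"],
                **{k: self.cfg[k] for k in ("routers", "domain-name-servers", "broadcast-address")}}

    def _pick(self, mac):
        """Prefer the client's existing lease (RFC 2131 4.3.1), else the first
        address that is unleased or whose lease has expired."""
        for ip, (holder, _) in self.leases.items():
            if holder == mac:
                return ip
        for ip in self.pool:
            lease = self.leases.get(ip)
            if lease is None or lease[1] <= self.now():
                return ip
        return None

    def discover(self, mac):
        """Steps 1-2: DHCPDISCOVER in, DHCPOFFER out (None when the pool is exhausted)."""
        ip = self._pick(mac)
        if ip is None:
            return None
        self.offers[mac] = ip
        return {"type": "OFFER", "yiaddr": str(ip), "options": self._options()}

    def request(self, mac, requested_ip, lease_secs=None):
        """Steps 3-4: DHCPREQUEST in, DHCPACK or DHCPNAK out. A REQUEST for an
        address the client already holds, without a fresh OFFER, is a renewal."""
        ip = ipaddress.ip_address(requested_ip)
        holder = self.leases.get(ip)
        renewing = holder is not None and holder[0] == mac and holder[1] > self.now()
        if self.offers.get(mac) != ip and not renewing:
            return {"type": "NAK"}
        wanted = self.cfg["default-lease-time"] if lease_secs is None else lease_secs
        granted = min(wanted, self.cfg["max-lease-time"])   # dhcpd caps at max-lease-time
        self.leases[ip] = (mac, self.now() + granted)
        self.offers.pop(mac, None)
        return {"type": "ACK", "yiaddr": str(ip), "lease-time": granted,
                "options": self._options()}


def run_demo():
    """Two clients, a renewal, a rejected hijack and re-use after expiry."""
    clock = [1000.0]
    srv = DhcpServer(CONFIG, now=lambda: clock[0])
    a, b, c = "00:0c:29:11:11:11", "00:0c:29:22:22:22", "00:0c:29:33:33:33"  # constructed
    log = []
    for name, mac in (("A", a), ("B", b)):
        offer = srv.discover(mac)
        log.append((name, srv.request(mac, offer["yiaddr"])["yiaddr"]))
    log.append(("B renews, asks 86400", srv.request(b, "192.168.240.21", 86400)["lease-time"]))
    log.append(("C requests A's address", srv.request(c, "192.168.240.20")["type"]))
    clock[0] += CONFIG["max-lease-time"] + 1        # every lease has now expired
    log.append(("C after expiry", srv.discover(c)["yiaddr"]))
    return log
```

check_config("192.168.241.5/24", CONFIG) reproduces the failure described under Challenges: the server's interface sits in a different /24 from the subnet declaration, and the real dhcpd refuses to start for the same reason.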
DHCP IP version 6
For IPv6 we use radvd for router advertisements and the isc-dhcp-server6 service for stateful DHCPv6 address assignment.
DNS
Installation
To build the DNS server we first install bind9 on it.
command:
sudo apt-get install bind9
Configuration
DNS master server:
Commands:
cd /etc/bind/
mkdir zones
cd /etc/bind/zones/
For the forward zone: nano db.linux.abc
For the reverse zones: nano db.192
Configuration in db.linux.abc:
Configuration (the SOA record must be the first record in the zone):
;
; BIND data file for linux.abc
;
$TTL    604800
@       IN      SOA     linux.abc. bala.linux.abc. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.linux.abc.
@       IN      NS      ns1.linux.abc.
@       IN      AAAA    2001:aaaa:1000::7
ns.linux.abc.       IN      AAAA    2001:aaaa:1000::7
ns.linux.abc.       IN      A       192.168.240.10
ns1.linux.abc.      IN      A       192.168.240.8
itworks.linux.abc.  IN      A       192.168.240.12
; macbook           IN      CNAME   itworks.linux.abc.
www                 IN      A       192.168.240.12
Configuration in db.192:
;
; BIND reverse data file for 192.168.240.0/24
;
$TTL    604800
@       IN      SOA     linux.abc. admin.linux.abc. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      linux.abc.
@       IN      NS      ns.linux.abc.
8       IN      PTR     ns1.linux.abc.
10      IN      PTR     ns.linux.abc.
12      IN      PTR     www.linux.abc.
; IPv6 PTR: only meaningful when this file is loaded as the ip6.arpa zone (see named.conf.local)
7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.linux.abc.
Command:
nano /etc/bind/named.conf.options
forwarders {
        192.168.240.1;
        8.8.8.8;
        8.8.4.4;
};
Command:
nano /etc/bind/named.conf.local
# Forward zone
zone "linux.abc" {
        type master;
        allow-transfer { 192.168.240.114; };
        file "/etc/bind/zones/db.linux.abc";
};
# Reverse zone (IPv4)
zone "240.168.192.in-addr.arpa" {
        type master;
        allow-transfer { 192.168.240.114; };
        file "/etc/bind/zones/db.192";
};
# Reverse zone (IPv6)
zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
        type master;
        allow-transfer { 192.168.240.114; };
        file "/etc/bind/zones/db.192";
};
allow-transfer restricts zone transfers (AXFR) to the slave's address; without it any host could dump the whole zone.
Command:
nano /etc/hosts
127.0.0.1       localhost
#127.0.1.1      ubuntu
192.168.240.2   ubuntu.linux.abc ubuntu
2001:aaaa:1000::7 ubuntu.linux.abc

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Command:
nano /etc/resolv.conf
nameserver 192.168.240.2
nameserver 192.168.240.114
nameserver 2001:aaaa:1000::7
On Ubuntu, /etc/resolv.conf is regenerated by resolvconf, so a hand edit is lost on reboot; the permanent place for these entries is the dns-nameservers line of the interface in /etc/network/interfaces.
DNS slave:
Command:
nano /etc/bind/named.conf.local
zone "linux.abc" {
        type slave;
        notify no;
        file "/var/lib/bind/db.linux.abc";
        masters { 192.168.240.2; };
        masterfile-format text;
};
zone "240.168.192.in-addr.arpa" {
        type slave;
        notify no;
        file "/var/lib/bind/db.192";
        masters { 192.168.240.2; };
        masterfile-format text;
};
zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
        type slave;
        notify no;
        file "/var/lib/bind/db.ipv6";
        masters { 192.168.240.2; };
        masterfile-format text;
};
Command:
nano /etc/bind/named.conf.options
forwarders {
        192.168.240.1;
        8.8.8.8;
        8.8.4.4;
};
Command:
nano /etc/resolv.conf
nameserver 192.168.240.114
nameserver 192.168.240.2
nameserver 2001:aaaa:1000::7
Command:
nano /etc/hosts
127.0.0.1       localhost
127.0.1.1       ubuntu
192.168.240.2   ubuntu.linux.abc ubuntu
2001:aaaa:1000::7 ns.linux.abc
Run service bind9 restart after the configuration so the changes take effect (named-checkconf and named-checkzone report syntax errors in the config and zone files before you restart). Then test that master and slave work by running nslookup for each record we defined: first against both servers while both are up, then with bind9 stopped on the master, when the slave must still answer on its own from the transferred copy of the zones.
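The nslookup test above checks one record at a time; a check that the forward and reverse zones agree with each other catches the mismatches at once. The following is an added example written for this page, not part of the original project: a parser for the zone-file subset used here (@, relative names, $TTL, a parenthesised SOA, ; comments) and a cross-check that every A/AAAA has a PTR naming the same host and every PTR points at a name that really has that address. The zone text is the project's own records, embedded as constructed input; run against them it reports that 192.168.240.12 carries two names but its PTR names only www, and that the apex AAAA for linux.abc has no PTR (the ::7 PTR names ns).

```python
"""Consistency check between the master's forward zone and its reverse zones.
Added example, not part of the original project. The parser covers only the
zone-file features the project's files use; the zone text is the project's
own records, embedded here as constructed input."""
import ipaddress

FORWARD_ZONE = """\
$TTL 604800
@       IN SOA  linux.abc. bala.linux.abc. (
                2 604800 86400        ; serial refresh retry
                2419200 604800 )      ; expire minimum
        IN NS   ns.linux.abc.
        IN NS   ns1.linux.abc.
@       IN AAAA 2001:aaaa:1000::7
ns      IN A    192.168.240.10
ns      IN AAAA 2001:aaaa:1000::7
ns1     IN A    192.168.240.8
itworks IN A    192.168.240.12
www     IN A    192.168.240.12
"""
REVERSE_V4 = """\
$TTL 604800
@   IN SOA linux.abc. admin.linux.abc. ( 2 604800 86400 2419200 604800 )
@   IN NS  ns.linux.abc.
8   IN PTR ns1.linux.abc.
10  IN PTR ns.linux.abc.
12  IN PTR www.linux.abc.
"""
REVERSE_V6 = """\
$TTL 604800
@   IN SOA linux.abc. admin.linux.abc. ( 2 604800 86400 2419200 604800 )
@   IN NS  ns.linux.abc.
7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.linux.abc.
"""


def absolutize(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata)] with absolute owner names. Parenthesised
    records are joined into one logical line; a blank owner repeats the last."""
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        buf = f"{buf} {line.strip()}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    records, owner = [], origin
    for line in logical:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                       # $TTL and friends
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = absolutize(tokens.pop(0), origin)
        if tokens[0].isdigit():                        # optional TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":                  # optional class
            tokens.pop(0)
        rtype, rdata = tokens.pop(0).upper(), " ".join(tokens)
        if rtype in ("A", "AAAA"):
            rdata = str(ipaddress.ip_address(rdata))   # canonical form for comparison
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = absolutize(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def ptr_owner_to_ip(owner):
    """Invert a PTR owner: 12.240.168.192.in-addr.arpa. -> 192.168.240.12."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return str(ipaddress.ip_address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        return str(ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    raise ValueError(f"not a reverse name: {owner}")


def cross_check(forward, reverse):
    """(A/AAAA records without a matching PTR, PTRs whose target lacks the address)."""
    addrs = {(o, r) for o, t, r in forward if t in ("A", "AAAA")}
    ptrs = {(o, r) for o, t, r in reverse if t == "PTR"}
    no_ptr = sorted(f"{name} {ip}" for name, ip in addrs
                    if (ipaddress.ip_address(ip).reverse_pointer + ".", name) not in ptrs)
    dangling = sorted(f"{owner} -> {target}" for owner, target in ptrs
                      if (target, ptr_owner_to_ip(owner)) not in addrs)
    return no_ptr, dangling


def run_check():
    fwd = parse_zone(FORWARD_ZONE, "linux.abc.")
    rev = (parse_zone(REVERSE_V4, "240.168.192.in-addr.arpa.")
           + parse_zone(REVERSE_V6, "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa."))
    return cross_check(fwd, rev)
```

A name with no PTR is usually harmless for a web server, but anything that does reverse-lookup checks (mail, some SSH and NFS setups) will treat the mismatch as a failure, so it is worth knowing about before the server goes live.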
Web Server
Installation
We need to install apache2 on our web server.
Command:
apt-get install apache2
In the CLI:
netstat -a | more
This is used to check that the web server is listening on port 80.
Restart the web server:
/etc/init.d/apache2 stop
/etc/init.d/apache2 start
Develop the web page for the server:
cd /var/www/html
nano index.html
Here, we edit the basic webpage with the contents that we want our webpage to display.
Firewall
The firewall lets the administrator manage iptables rules. Here we block ping (ICMP echo request) from other systems to the web server while still letting the web server ping others, and we allow HTTP on TCP port 80 so that the web page remains reachable from other systems.
To install uncomplicated firewall package:
Commands:
apt-get update
apt-get install ufw
After this, we edit the before.rules file.
Command:
nano /etc/ufw/before.rules
In the block headed "# ok icmp codes for INPUT":
Change the target of the icmp echo-request rule from ACCEPT to DROP. Leave the other ICMP types (destination-unreachable, time-exceeded, parameter-problem) accepted; they carry error reports and path MTU discovery, and blocking them breaks connections in hard-to-diagnose ways.
Disable and enable firewall:
ufw disable
ufw enable
This blocks other hosts from pinging the web server. The web server can still ping others because ufw's default rules accept replies to traffic the server itself initiated (RELATED,ESTABLISHED), so the echo replies coming back are not affected.
Next, if we would like to allow any application to be accessible by the other systems, we could allow that. For example, if we would like the web server to allow http to be run by other systems:
Command on CLI:
ufw allow 80/tcp
Then reload ufw. Other systems can now load the web page in their browsers. The same procedure allows or denies any other application or port.
Back-up
1) We create a backup of the web server and store the backup files on the backup server.
2) Our web server has the IP 192.168.240.112. The IP of our backup server is 192.168.240.111.
The user name on the backup server is p.
3) Key exchange. We first update the package lists.
Command:
apt-get update
4) Install SSH on both the web server and the backup server.
Command:
apt-get install ssh
5) Check the status of the service.
Command:
service ssh status
It should be active and running.
6) Now try to ssh from the web server to the backup server.
Command:
ssh p@192.168.240.111
It will prompt for a password. Enter it and complete this first ssh login, which also records the backup server's host key in known_hosts. Once logged in, exit.
7) Now we exchange keys between the servers so that ssh logs in without a password prompt.
Command:
ssh-keygen -t rsa
8) A key pair is generated; accept the default file name and leave the passphrase empty both times it is asked. The keys are stored under the root user's home directory (~/.ssh). The passphrase-less private key is what lets cron run unattended, but it also means that anyone who gains root on the web server can reach the backup server as user p, so keep that account unprivileged. Next, install the public key on the backup server.
Command:
ssh-copy-id p@192.168.240.111
9) Accept all prompts. The public key is now stored in p's authorized_keys on the backup server. The tool asks us to log in once more to confirm that the login now happens without a password; try it, and the login should succeed automatically.
Once ssh works without a password prompt, we can proceed with the backup itself.
On the web server, create a folder B on the Desktop and give it full permissions. On the backup server, create a folder named Backup; all backup files will be stored there.
For the backup we first write a shell script that archives the web root and copies the archive to the backup server over ssh. Then we schedule it with crontab to automate the process.
10) The script file is BackupFinal.sh.
Contents:
#!/bin/bash
# Purpose = Backup of Important Data
# Created on 27-11-2016
# Author  = Bala Prasanth S
# Version 1.0
#START
set -euo pipefail                        # stop on the first failing command
TIME=$(date +%Y-%m-%d-%H-%M-%S)          # 24-hour timestamp that sorts correctly (%I would repeat every 12 hours)
FILENAME="backup-$TIME.tar.gz"           # backup file name format
SRCDIR=/var/www/html                     # source of the backup: the web root
DESDIR=/home/bpsa/Desktop/B              # where the archive is written first
ARCHIVEDIR=/home/BACKUP                  # local copy kept after the upload
BACKUPHOST=p@192.168.240.111
REMOTEDIR=/home/p/Desktop/Backup/
mkdir -p "$DESDIR" "$ARCHIVEDIR"         # both directories must exist or tar/mv fail
tar -cvzf "$DESDIR/$FILENAME" "$SRCDIR"
rsync -avz -e ssh "$DESDIR"/backup* "$BACKUPHOST:$REMOTEDIR"
mv "$DESDIR"/backup* "$ARCHIVEDIR"/
#END
11) After this, run crontab -e as root on the web server (select option 2 when asked for an editor) and add the line below. The script must be executable (chmod +x).
Command:
10 00 */2 * * /home/bpsa/Desktop/BackupFinal.sh
This runs the backup script at 00:10 on every second day of the month (the 1st, 3rd, 5th, ...); because the day step restarts each month it is not exactly every 48 hours.
12) Thus the backup is automated.
NFS
For the NFS server:
We first install the NFS server package.
Command:
apt-get install nfs-kernel-server
We make the directory to be shared:
Command:
mkdir /aash
To configure the NFS server:
Command:
nano /etc/exports
Configuration:
/aash 192.168.240.0/24(rw,sync,no_root_squash,no_subtree_check)
There must be no space between the client (192.168.240.0/24) and the option list. With a space, exportfs reads two entries: the subnet with the default options (ro, root_squash) and an anonymous client, meaning every host, with rw and no_root_squash. no_root_squash itself lets root on any client act as root on the shared directory; drop it unless a client really needs it.
To export the directory and check what is being shared:
Commands:
exportfs -a
exportfs -v
Restart the server:
Command:
/etc/init.d/nfs-kernel-server restart
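The exports line is easy to get subtly wrong, so here is an added example written for this page (not part of the project) that splits /etc/exports the way exportfs does and reports the findings that matter: an option list separated from its client by a space, which exports(5) treats as a separate wildcard client; a client that consequently gets only the read-only defaults; and rw combined with no_root_squash, which lets root on the client write as root on the server. The sample text is constructed from the project's own line, its corrected form and a hardened form.

```python
"""Audit /etc/exports for the mistakes that matter on the NFS server above.
Added example, not part of the original project. The sample exports text is
constructed from the project's own line, its corrected form and a hardened
form; option semantics follow exports(5)."""

DEFAULTS = {"ro", "sync", "root_squash", "subtree_check"}
NEGATES = {"rw": "ro", "ro": "rw", "async": "sync", "sync": "async",
           "no_root_squash": "root_squash", "root_squash": "no_root_squash",
           "no_subtree_check": "subtree_check", "subtree_check": "no_subtree_check"}

SAMPLE = """\
# as written in the project (note the space before the parenthesis)
/aash 192.168.240.0/24 (rw,sync,no_root_squash,no_subtree_check)
# corrected: the options now attach to the subnet
/aash 192.168.240.0/24(rw,sync,no_root_squash,no_subtree_check)
# hardened: root on the clients is mapped to nobody
/aash 192.168.240.0/24(rw,sync,no_subtree_check)
"""


def parse_exports(text):
    """Return [(lineno, path, client, options)] the way exportfs splits the file.
    An empty client means the option list stood alone, which exports(5) treats
    as the wildcard client '*'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            entries.append((lineno, path, client, options))
    return entries


def effective_options(options):
    """Apply the given options on top of the exportfs defaults."""
    result = set(DEFAULTS)
    for opt in options:
        result.discard(NEGATES.get(opt, ""))
        result.add(opt)
    return result


def audit(text):
    """Return findings as (code, lineno, client) tuples, in file order."""
    findings = []
    for lineno, path, client, options in parse_exports(text):
        shown = client or "*"
        if client == "":
            findings.append(("ANONYMOUS_CLIENT", lineno, shown))   # options apply to everyone
        if not options:
            findings.append(("DEFAULTS_ONLY", lineno, shown))      # ro,root_squash: not what was meant
        eff = effective_options(options)
        if "rw" in eff and "no_root_squash" in eff:
            findings.append(("ROOT_RW", lineno, shown))            # client root writes as server root
    return findings


if __name__ == "__main__":
    for code, lineno, client in audit(SAMPLE):
        print(f"line {lineno}: {code} for client {client}")
```

On the project's original line the audit reports all three findings at once: the subnet is exported read-only with defaults, and the rw/no_root_squash options went to "*". The corrected line still carries ROOT_RW for the whole subnet, and only the hardened line is clean.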
For the NFS client:
Install the client package first:
Command:
apt-get install nfs-common
Make a mount point:
Command:
mkdir /ayush
Mounting:
Command:
mount 192.168.240.12:/aash /ayush
To check that the mount is in place:
Command:
df -h
Files written to /ayush on the client now appear in /aash on the server, and vice versa.
IPSec VPN
RED server
1) Install strongSwan.
Command:
apt-get install ipsec-tools strongswan-starter
2) Edit /etc/ipsec.conf.
Command:
nano /etc/ipsec.conf
Configuration:
conn red-to-blue
        authby=secret
        auto=route
        keyexchange=ike
        left=192.168.240.5
        right=192.168.240.12
        type=tunnel
        esp=aes128gcm16!
3) Edit /etc/ipsec.secrets.
Command:
nano /etc/ipsec.secrets
Configuration:
192.168.240.5 192.168.240.12 : PSK "Dab"
A three-character PSK is fine for a lab but not for production: IKE pre-shared keys must be long and random, and /etc/ipsec.secrets must be readable by root only.
4) Restart the ipsec service.
Command:
ipsec restart
BLUE server
Everything is the same except that the left and right IP addresses are swapped.
To check that the IPsec VPN works:
On the RED server, ping BLUE. With auto=route the security association is negotiated on demand, so the first ping may be lost while IKE completes.
Command:
ping 192.168.240.12
On the BLUE server, capture ESP packets; with the tunnel up the pings appear as ESP rather than plain ICMP.
Command:
tcpdump esp
Future Improvements
Backup -- There are many ways to back up our web server. In the future we could consider a more efficient and convenient backup method.
Mail server -- Most companies need a mail server, so in the future we could add one for this company.
IPv6 -- In the future we could assign IPv6 addresses to all of our servers and clients.
Challenges
DNS Server
During the process of configuring the DNS server, I found that a computer does not work the way a human does; we have to use the computer's language to talk to it. There are a lot of format requirements on the Ubuntu machine.
Besides, adding the IPv6 address was somewhat annoying, since I thought IPv6 had the same format as IPv4, and it did not work.
After going through many videos on YouTube, we finally configured everything.
DHCP Server
First, the most important thing to pay attention to when configuring the DHCP server is that the IP address of the DHCP server's interface and the subnet of the DHCP range must be consistent. These two things are edited in two different files, so it is easy to make a mistake. If they are not consistent, the DHCP server will not start. This was a big issue during our DHCP configuration: after we had finished everything, the DHCP server kept failing. We did not know what was wrong at the time, and we tried almost every possible fix, even reinstalling Ubuntu. Finally, we decided to check all the configurations again and found this problem.
Second, there are two ways to start/restart the DHCP server: "sudo service isc-dhcp-server start" and "sudo /etc/init.d/isc-dhcp-server restart". We use the second one because we found that the first one may "cheat" us: sometimes it reports a successful start when the server did not actually start. Hence the most reliable way to start/restart the DHCP server is through the init.d script.
Third, you should be really careful when editing the dhcpd.conf file. The format of the file is very strict; if you do not follow it, the file will not work. This kind of fault is easy to spot because the second command mentioned above shows you where the error is in the file.
Citations
1) https://www.vpn-accounts.com/blog/vpn-tunneling-a-must-for-privacy/
2) http://searchmidmarketsecurity.techtarget.com/definition/IPsec
3) https://technet.microsoft.com/en-us/library/bb531150.aspx
4) http://searchsecurity.techtarget.com/definition/firewall
5) https://help.ubuntu.com/lts/serverguide/network-file-system.html
6) http://www.mygreatname.com/how-dns-works/e-04-how-dns-works.htm
7) http://www.karlrupp.net/en/computer/nat_tutorial