Data Networking/Fall 2016/SAPS
Team Members
edit1. Akshay Mahajan
2. Praveen Prakash
3. Sagar Raikar
4. Siddesh Shenoy
Objective
editTo create a secure, reliable and dynamic network that can support multiple hosts.
Behaviour of Protocols
editDomain Name System
editDNS(Domain name system) server also called as name server, which implements network services for providing responses to queries against directory services i.e. It translates user supplied host name (web site) to IP addresses and vice versa and which contains a databases of network names and IP address.
DNS process flow:
DNS client running on the user host, request a server page, at first it needs a IP address of that web server which is processed by the DNS Server.
1)First the client sends a query with the given hostname to the DNS server
2)The DNS server receives the query from the client and maps it with the IP address
3)The DNS server sends the IP address to the DNS client operating at the user machine
4)Once the Host user receives the IP address, it can access the web server.
Dynamic Host Configuration Protocol
editDHCP referred to as Dynamic host configuration protocol. It is a client server protocol which assigns host with an IP address through a DHCP server. In general, DHCP automatically assigns IP address to new devices or to devices when moved from one subnet to another. DHCP server has as a pool of IP address and leases an address when it start up in the network and also has TCP/IP configuration parameters for all hosts on the network,that received IP address
Assigning IP addresses to the networking component can be done in the following ways.
Types of DHCP Allocation:
1) Automatic allocation - DHCP server assign permanent IP address to the client.
2) Dynamic allocation -DHCP server assigns IP address to the client only for a limited period of time. Automatic reuse of IP address is allowed.
3) Manual allocation -IP address Assigned by the network administrator and DHCP is used simply to convey the messages to the client.
Webserver & Firewall
editA Web server is a software responsible for accepting HTTP request from the client, which are know as web browser and serving them the HTTP responses
We are using apache 2 webserver to host our website, we are using a firewall for providing security to the website.
Algorithm of web server.
1) Client obtain server IP address from the DNS Server.
2) Client initiate a TCP connection to the server on port 80.
3) Server responds with the SYN-ACK message , thereby opening the port to request information.
4) Client sends an ACK message and request for HTML page.
Backup
editBackup is done to the webserver file to add redundancy to the fle and make it robust .
All the files in the webserver are sent to the backup in a zipped format at a scheduled time
Backup for the webserver data is achieved by using rsync and ssh protocols.
Rsync is used to synchronize files between the webserver and the backup. Therefore whenever changes are made at the webserver the backup gets updated at the scheduled time.
Ssh provides a secure channel to send and receive files by using end to end encryption and decryption. .
Installation Steps
editDNS
editStep 1: Update the package list(
Command:
sudo apt-get update
Step 2: Install Bind9 for DNS server configuration
Command:
sudo apt-get install bind9
Step 3: Make virtual machine interface as static
Command:
sudo nano /etc/network/interfaces
Add
For IPv4 configuraiton
auto eth0
iface eth0 inet static
address 192.168.77.5
netmask 255.255.255.0
broadcast 192.168.77.255
gateway 192.168.77.1
dns-nameservers 192.168.77.5
dns-nameservers 192.168.77.6
For IPv6 configuration
face eth0 inet6 static
address 2001:aaaa:1000:0000:0000:0000:0000:0007
netmask 64
gateway 2001:aaaa:1000:0000:0000:0000:0000:0001
dns-nameservers 2001:aaaa:1000:0000:0000:0000:0000:0007
dns-nameservers 2001:aaaa:1000:0000:0000:0000:0000:0008
Step 4: Configuring the forwarding addresses
Command:
sudo nano /etc/bind/named.conf.options
Add
forwarders {
# Local DNS and Google DNS
192.168.77.5
192.168.77.6
2001:aaaa:1000:0000:0000:0000:0000:0007
2001:aaaa:1000:0000:0000:0000:0000:0008
8.8.8.8;
8.8.4.4;
};
Step 5: Add ZONES TO THE ROOT FILES OF bind9
Command:
sudo nano /etc/bind/named.conf.local
Step 6: Creating DNS forward Zone file
Command:
sudo nano /etc/bind/db.siddesh.lanr
Step 7: Creating DNS reverse zone file
Command:
sudo nano /etc/bind/db.192
Step 8: Adding name server in resolv.conf file
Command:
sudo nano /etc/resolv.conf
Step 9: Adding server addresses in hosts file
Command:
sudo nano /etc/hosts
Step 10: Commands to start/ restart/stop the DNS server
Command:
Start:
sudo /etc/init.d/bind9 start
Restart:
sudo /etc/init.d/bind9 restart
Stop:
sudo /etc/init.d/bind9 stop
Step 11: Configuring named.conf.local file on slave
Command:
sudo nano /etc/bind/named.conf.options
Step 12: Adding server addresses in hosts file for slave
Command:
sudo nano /etc/hosts
DHCP
editStep1: Install ISC-DHCP server for DHCP configuration
Command:
sudo apt-get install isc-dhcp-server
Step2: Configuring static address for IPv4 DHCP
Command:
sudo nano /etc/network/interfaces
Step3: Setting range for IPv4
Command:
sudo nano /etc/dhcp/dhcpd.conf
Step4: Setting up the interface
Command:
sudo nano /etc/default/isc-dhcp-server
Step4: Restart to set the configuration
Command:
sudo service networking restart
sudo service isc-dhcp-server restart
sudo ifdown eth0
sudo ifup eth0
Step5: Setting static IP address for IPv6
Command:
sudo nano /etc/network/interfaces
Step6: Setting range for IPv6 address
Command:
sudo nano /etc/dhcp/dhcpd6.conf
Step7: Creating empty dhcpd6.lease file
Command:
sudo nano/var/lib/dhcp/dhcpd6.leases
Step8: Verifying the configuration
Command:
/usr/sbin/dhcpd -6 –d –cf /etc/dhcp/dhcpd6.conf eth0
Step9: Restarting to set the configuration
Command:
sudo service networking restart
sudo service isc-dhcp-server restart
sudo ifdown eth0
sudo ifup eth0
Webserver
editStep 1: Install Apache2 Webserver
Command:
sudo apt-get install apache2
Step 2: To create a HTML page for the Web server
Command:
sudo chmod 755 /var/www/
Sudo chown -R $ user:$user /var/www/html/
Sudo nano /var/www/html/index.html
Step 3: Restart the web server
Command:
sudo /etc/init.d/apache2 restart
Step 4: To test web server
Command:
http://localhost
Firewall
editStep 1: Install firewall:
Command:
sudo apt-get install ufw
Step 2Enabiling the firewall:
Command:
Ufw enable
Step 3Checking the status
Command:
Ufw status
Step 4To allow and deny or deny specific port.
Command:
ufw deny proto tcp from 192.168.77.13 to any port 80
ufw allow 80
ufw allow 22
Backup
editStep 1: Install rsync on both web server and backup machine
Command:
sudo apt-get install rsync
Step 2: Copy files from webserver to backup machine
Command:
rsync -avzhe ssh @:/var/www
Step 3: Generate a public and a private key for security
Command:
ssh-keygen -trsa
Step 4: Share the private and public key with the backup machine
Command:
ssh-copy-id -l /root/.ssh/id_rsa.pub vm3@192.168.77.135
Step 5: Zipping the .HTML file and sending the file automatically using crontab
Command:
crontab –e
***** sudo tar –cvpzf /home/dnspraveen/finalbackup1234.tar.gz /var/www/html/index.html
***** rsync –azvp --delete –e ssh /home/dnspraveen/finalbackup1234.tar.gz /vm3@192.168.77.135:/home/vm3/finalb/
Add-ons
editVPN configuration
editStep 1: Install Strongswan on both the machines
Command:
sudo apt-get install ipsec-tools strongswan-starter
Step 2: Configure ipsec.conf file in Machine 1
Command:
sudo nano /etc/ipsec.conf
1. authby=secret
this specifies authentication by accepting values secret
2. auto=route
this specifies that automatically at startup "route" is lodaded into the between left and right ip addresses and connection is established
3. keyexchange=ike
this specifies th the method of keyexchange and which protocol should be used to iniitalise the conection. ike reates to accepting both protocol ikev1 and ikev2
left=192.168.77.5
right=192.168.77.1
these are the end parameters specifing the ip address of the two endpoints for a VPN connection
4. type=transport
this specifies the type of connection to be done. the type "transport" specifies that a transport mode is host-to-host
5. esp=aes128gcm16!
esp aloright is defined and exclimation mark(!) at the end spcifies that responder to accept a specific cipher suite only
Step 3: Configure ipsec.secrets file in Machine 1
Command:
sudo nano /etc/ipsec.secrets
Step 4: Restart IPsec
Command:
ipsec restart
Step 5: Checking IPsec status
Command:
ipsec statusall
This specifies a tunnel is established.
Step 6: Configure ipsec.conf file in Machine 2
Command:
sudo nano /etc/ipsec.conf
Step 7: Configure ipsec.secrets file in Machine 2
Command:
sudo nano /etc/ipsec.secrets
Step 8: Checking IPsec status on Machine 2
Command:
watch ipsec statusall
Step 9: Testing the Tunnel
Command:
ping -s 4048 192.168.7.1
Since we are able to observe ESP packets above going from 192.168.77.5 interface we can conclude that IPsec has been applied and VPN tunnel is established
NFS
editServer Side (192.168.77.135):
Step 1: Install nfs for server:
Command:
sudo apt-get install nfs-kernel-server
Step 2: Create a directory path
Command:
sudo mkdir /export/project
Step 3: Add in details in /etc/exports
Command:
sudo nano /etc/exports
Step 4: Provide the permission
Command:
sudo chown nobody:nogroup /export/project
Step 5: Export the Directory
Command:
sudo exportfs -a
Step 6: Restarting
Command:
sudo /etc/init.d/nfs-kernel-server start
Receiver Side (192.168.77.30):
Step 1: Install nfs for client
Command:
sudo apt-get update
sudo apt-get install nfs-common
Step 2: Create a directory path to access the file from server
Command:
mkdir –p /mnt/nfs/export/project
Step 3: Execute the mount command
Command:
sudo mount 192.168.77.135:/export/project /mnt/nfs/export/project/
Step 4: Verify by using df -h
Command:
df -h
ARP
editScapy is a python script used to get the MAC address of the victim and the gateway it performs ARP spoofing followed by ARP poisoning.
It the allows a malicious attacker to construct a man in the middle attack.
Test Plan
editDNS Test
editDNS can be tested using the following commands
nslookup
nslookup is used to query DNS server.
DHCP Test
editA device entering a network gets an IP address, which is allocated by the DHCP server. IP address can be verified using .
/var/lib/dhcp/dhcpd.leases - This command is used to view the lease provided by the DHCP server to a particular device
=== Webserver Test ===
Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.
Firewall Test
editA client Can try to ping the servers which are blocked. If the response is request timed-out then, the firewall has blocked the client and it is working properly.
The client won't gain access to the webpage because it is forbidden.
Future Improvement
editi. In this project WEB server can be made more secured by implimentng ssh security against DDOS attacks ii. The concept of Dynamic DNS can be implemented. iii. Provision of Multiple and automatic back-up for DNS , DHCP.
Conclusion
editWe have created a secure, reliable and dynamic network which can support multiple hosts, Provides DHCP and DNS functionalities and a back-up server for a secured web server.
References
edita. https://en.wikipedia.org/wiki/Name_server
b. http://mixeduperic.com/ubuntu/seven-easy-steps-to-setting-up-an-interal-dns-server-on-ubuntu.html
c. http://www.thegeekstuff.com/2014/01/install-dns-server/
d. https://help.ubuntu.com/lts/serverguide/web-servers.html
e. https://www.gypthecat.com/ipsec-vpn-host-to-host-on-ubuntu-14-04-with-strongswan
f. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nfs-mount-on-ubuntu-14-04
g. http://null-byte.wonderhowto.com/how-to/build-man-middle-tool-with-scapy-and-python-0163525/
h. https://www.arppoisoning.com/demonstrating-an-arp-poisoning-attack-2/
i. https://dangertux.wordpress.com/2011/11/24/detecting-arp-poisoning-on-ubuntu-with-wireshark/
j. Refernece:https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
k. https://likegeeks.com/linux-dns-server/