Data Networking/Spring 2017/RADAR

LINUX PROJECT

THE TEAM

1. RISHABH AGARWAL
2. ARIF JAN ASHRAF JAN
3. DIVYA SHARMA
4. ABHISHEK RAO JANARDHAN RAO

MOTIVATION

This project helps us build a deeper understanding of networking fundamentals through the practical implementation of a Dynamic Host Configuration Protocol (DHCP) server, a Domain Name System (DNS) server, a web server, a firewall and a backup server.
The main purpose of this project is to create a complete network environment in which servers and clients dynamically obtain IP addresses from the DHCP server we created. With the help of our DNS server, users in the network can then successfully fetch and ping www.radar.com, the web server hosted by us.
We also configure components such as a backup server, a firewall, a Network File System (NFS) and IPSec VPN tunnels to create a complex, robust and secure inter-networking system that can be implemented and used by organizations and companies.


BEHAVIOR OF THE PROTOCOL

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is an internet protocol that allows a server to assign IP addresses to the systems (clients) in the network it is a part of. It can also be configured to assign IP addresses from a selected range provided by the person who constructed and configured the server. The DHCP server leases IP addresses to the clients that are enabled to get addresses assigned by it. IP addresses that are no longer used by the clients are returned to the pool for reallocation. Both IPv4 and IPv6 addresses can be assigned using a DHCP server.

DHCP assigns IP addresses in the following ways:

  1. Automatic allocation: DHCP assigns an IP address to a client when it gets the IP request packet.
  2. Dynamic allocation: DHCP assigns IP addresses to clients for a particular time limit (or until the client is no longer using the address), which is essentially leasing the addresses. When the lease period is completed, the client requests an extension of the lease or requests a new IP address.
  3. Manual allocation: A less commonly used method in which the client is always assigned the same IP address, using the MAC address of the system as a label or tag.

Domain Name System

DNS is an application layer protocol that translates domain names to IP addresses and vice versa. The basic job of DNS is to provide simplicity for the application user: it translates the user-friendly domain name into a machine-readable IP address, which is then used to fetch and forward data. With the explosion in the use of the internet and the World Wide Web in commercial, security and social markets, among many others, it is not possible for a user to remember the logical IP addresses of sites. This is where DNS steps in: the user only needs to remember a user-friendly domain name like www.google.com, which DNS translates into an IP address such as 8.8.8.8.

Jumping further into the behavior of the protocol, the DNS stores DNS records for a domain name with corresponding IP addresses and it will respond to queries from the user with answers from its database.

DNS Records are nothing but the database files from which the mappings are fetched. Some of the commonly used DNS records are A, CNAME, MX, PTR, NS.

| RECORD TYPE | EXAMPLE NAME | MAPPED DATA | DESCRIPTION |
|---|---|---|---|
| NS | radar.com | ns1.radar.com, ns2.radar.com | This record indicates the host/user about the authoritative servers and also provides with information about the Master and Slave servers of the zone. |
| A | ns1.radar.com, ns2.radar.com | 192.168.27.8, 192.168.27.10 | This is the most basic type of DNS Record which indicates the 32 bit IPv4 address of the domain, i.e. mapping the FQDN to an IP address. |
| CNAME | radar.com | a.radar.com | This record maps to the canonical name (CNAME) details for the alias that is mentioned in the FQDN. |
| AAAA | 192.168.27.8, 192.168.27.10 | www.radar.com | This record is used for the mapping of mail exchange server information to a specific domain name. |
| PTR | 192.168.27.8 | ns1.radar.com | This is an interesting record type where the user actually has the IP address of the domain from which he can map it to a CNAME, these mappings are stored in this record type. |


Webserver & Firewall

A webserver should run on the Linux OS to host a website. Apache2 is the webserver used. A firewall provides a layer of security that controls the incoming and outgoing traffic in a network and blocks and filters packets going into the system. The firewall can protect a whole system or even a specific server holding databases or confidential data that is being shielded from unapproved clients inside or outside the system.

STEPS AND COMMANDS

Dynamic Host configuration Protocol (DHCP) Server

Step 1. Install DHCP Server
Command:

                       sudo apt-get install isc-dhcp-server

Step 2. Install radvd package
Command:

                        sudo apt-get install radvd

Step 3. Set the static IP address of the DHCP server
Command:

                        sudo nano /etc/network/interfaces

IPv4 Configuration

                         auto lo
                         iface lo inet loopback
                         auto ens33
                         iface ens33 inet static
                         address 192.168.27.2
                         netmask 255.255.255.0
                         gateway 192.168.27.1
                         network 192.168.27.0
                         broadcast 192.168.27.255
                         dns-nameservers 192.168.27.8
                         dns-search radar.com

IPv6 Configuration

                         iface ens33 inet6 static
                         address 2001:720:40b:666::2
                         netmask 64
                         gateway 2001:720:40b:666::1


Step 4. Configure the IPv6 and IPv4 forwarding
Command:

                         nano /etc/sysctl.conf
                         net.ipv4.conf.default.rp_filter=1
                         net.ipv4.ip_forward=1
                         net.ipv6.conf.all.forwarding=1


Step 5. Make ens33 as the default interface
Command:

                         nano /etc/default/isc-dhcp-server
                         INTERFACES="ens33"

Step 6. Configure the DHCP server for ipv4
Command:

                         nano /etc/dhcp/dhcpd.conf
                         subnet 192.168.27.0 netmask 255.255.255.0 {
                         range 192.168.27.50 192.168.27.200;
                         option domain-name-servers 192.168.27.8;
                         option domain-name "radar.com";
                         option routers 192.168.27.1;
                         option broadcast-address 192.168.27.255;
                         default-lease-time 600;
                         max-lease-time 7200;
                          }


Step 7. Edit the resolv.conf file
Command:

                         sudo nano /etc/resolv.conf
                         nameserver 192.168.27.8
                         nameserver 192.168.27.10
                         search radar.com


Step 8. Configure the DHCP server for ipv6
Command:

                         nano /etc/dhcp/dhcpd6.conf

                         default-lease-time 600;
                         max-lease-time 7200;
                         log-facility local7;
                         subnet6 2001:720:40b:666::/64{
                         # Range for clients
                         range6 2001:720:40b:666::50 2001:720:40b:666::150;
                         }

Step 9. Configuration of the radvd module
Command:

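                        sudo nano /etc/radvd.conf

                        # Advertise on the interface the DHCP server uses (ens33)
                        interface ens33 {
                            AdvSendAdvert on;
                            MinRtrAdvInterval 3;
                            MaxRtrAdvInterval 10;
                            # The prefix must carry its length (/64)
                            prefix 2001:720:40b:666::/64 {
                                AdvOnLink on;
                                AdvAutonomous on;
                                AdvRouterAddr on;
                            };
                        };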

Step 10. Reboot the System
Command:

                        sudo init 6


Step 11. Restart the DHCP server
Command:

                        sudo service network-manager restart
                        sudo service isc-dhcp-server restart

Domain Name System (DNS) Server

DNS Master Server

Step 1: Install Bind9
Command:

                        sudo apt-get install bind9

Step 2: Restart the networking daemon
Command:

                        sudo /etc/init.d/networking restart

Step 3: Add a DNS zone to BIND9
Command:

                         sudo nano /etc/bind/named.conf.local

                         // Forward zone
                         zone "radar.com" {
                             type master;
                             file "/etc/bind/db.radar.com";
                             allow-transfer { 192.168.27.10; };
                             also-notify { 192.168.27.10; };
                         };
                         // Reverse zone (IPv4)
                         zone "27.168.192.in-addr.arpa" {
                             type master;
                             file "/etc/bind/db.192";
                             allow-transfer { 192.168.27.10; };
                             also-notify { 192.168.27.10; };
                         };
                         // Reverse zone (IPv6)
                         zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
                             type master;
                             file "/etc/bind/db.ipv6";
                             allow-transfer { 192.168.27.10; };
                         };


Step 4: Use an existing zone file as a template to create the /etc/bind/db.radar.com file
Command:

                         sudo cp /etc/bind/db.local /etc/bind/db.radar.com
                         sudo nano /etc/bind/db.radar.com

                         ;
                         ; BIND data file for the radar.com forward zone
                         ;
                         $TTL    604800
                         @       IN      SOA     ns1.radar.com. root.radar.com. (
                                              6         ; Serial
                                         604800         ; Refresh
                                          86400         ; Retry
                                        2419200         ; Expire
                                         604800 )       ; Negative Cache TTL
                         ;
                         radar.com.      IN      NS      ns1.radar.com.
                         radar.com.      IN      NS      ns2.radar.com.
                         ns1             IN      A       192.168.27.8
                         ns2             IN      A       192.168.27.10
                         ; A fully qualified name needs the trailing dot
                         www.radar.com.  IN      AAAA    2001:720:40b:666::124
                         @               IN      A       192.168.27.9
                         www.radar.com.  IN      A       192.168.27.9
                         dhcp.radar.com. IN      A       192.168.27.2

Now restart BIND9:
Command:

                        sudo service bind9 restart

Step 5: Setup reverse zone
Command:

                         sudo cp /etc/bind/db.127 /etc/bind/db.192
                         sudo nano /etc/bind/db.192

                         ;
                         ; BIND reverse data file for 192.168.27.0/24
                         ;
                         $TTL    604800
                         @       IN      SOA     radar.com.  root.radar.com. (
                                              5         ; Serial
                                         604800         ; Refresh
                                          86400         ; Retry
                                        2419200         ; Expire
                                         604800 )       ; Negative Cache TTL
                         ;
                         @       IN      NS      ns1.radar.com.
                         @       IN      NS      ns2.radar.com.
                         8       IN      PTR     ns1.radar.com.
                         10      IN      PTR     ns2.radar.com.
                         9       IN      PTR     www.radar.com.


Command:

                     sudo service bind9 restart

Zone for ipv6

                         sudo nano /etc/bind/db.ipv6

                         ;
                         ; BIND reverse data file for 2001:720:40b:666::/64
                         ;
                         $TTL    604800
                         @       IN      SOA     radar.com.  root.radar.com. (
                                              5         ; Serial
                                         604800         ; Refresh
                                          86400         ; Retry
                                        2419200         ; Expire
                                         604800 )       ; Negative Cache TTL
                         ;
                         @       IN      NS      ns1.radar.com.
                         @       IN      NS      ns2.radar.com.
                         4.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0                 IN      PTR     www.radar.com.
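
The zone name and the PTR label in the IPv6 reverse zone are the address written nibble by nibble in reverse order. The script below is an added example, not part of the original project, that derives both from an address so a hand-typed record can be checked; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive ip6.arpa names for the reverse zone shown above.

# expand_ipv6 ADDR -> the address as 32 lower-case hex nibbles, no colons
expand_ipv6() {
    printf '%s\n' "$1" | awk '
    function pad(g) {
        if (length(g) < 1 || length(g) > 4) { bad = 1; return "" }
        return substr("0000", 1, 4 - length(g)) g
    }
    {
        addr = tolower($0)
        if (addr !~ /^[0-9a-f:]+$/) exit 1
        n = split(addr, halves, "::")          # at most one "::" is legal
        if (n > 2) exit 1
        nl = (halves[1] == "") ? 0 : split(halves[1], left, ":")
        nr = (n < 2 || halves[2] == "") ? 0 : split(halves[2], right, ":")
        if (n == 1 && nl != 8) exit 1
        if (n == 2 && nl + nr > 7) exit 1
        out = ""
        for (i = 1; i <= nl; i++) out = out pad(left[i])
        for (i = nl + nr; i < 8; i++) out = out "0000"   # groups hidden by "::"
        for (i = 1; i <= nr; i++) out = out pad(right[i])
        if (bad || length(out) != 32) exit 1
        print out
    }'
}

# ip6_arpa ADDR -> full reverse name, e.g. 4.2.1.0. ... .ip6.arpa
ip6_arpa() {
    hex=$(expand_ipv6 "$1") || return 1
    printf '%s\n' "$hex" | awk '{
        out = ""
        for (i = length($0); i >= 1; i--) out = out substr($0, i, 1) "."
        print out "ip6.arpa"
    }'
}

# ptr_label ADDR ZONE -> owner label to write inside ZONE's zone file;
# fails when ADDR does not belong to ZONE
ptr_label() {
    full=$(ip6_arpa "$1") || return 1
    zone=${2%.}                                # tolerate a trailing dot
    case $full in
        *".$zone") printf '%s\n' "${full%".$zone"}" ;;
        *) echo "$1 is not inside zone $zone" >&2; return 1 ;;
    esac
}

# The web server address and zone name used on this page
ptr_label 2001:720:40b:666::124 6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa
```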


Step 7 : Create Network Interface

Command:

                    sudo nano /etc/network/interfaces
                    # interfaces(5) file used by ifup(8) and ifdown(8)
                    auto lo
                    iface lo inet loopback
                    auto eth0
                    iface eth0 inet static
                    address 192.168.27.8
                    netmask 255.255.255.0
                    gateway 192.168.27.1
                    network 192.168.27.0
                    broadcast 192.168.27.255
                    dns-nameservers 192.168.27.8
                    auto eth0
                    iface eth0 inet6 static
                    address 2001:720:40b:666::124
                    netmask 64


DNS Slave Server

                    sudo nano /etc/bind/named.conf.local

                    //include "/etc/bind/zones.rfc1918";
                    zone "radar.com" {
                        type slave;
                        file "/var/cache/bind/db.radar.com";
                        masters { 192.168.27.8; };
                    };
                    zone "27.168.192.in-addr.arpa" {
                        type slave;
                        file "/var/cache/bind/db.192";
                        masters { 192.168.27.8; };
                    };
                    zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
                        type slave;
                        file "/var/cache/bind/db.ipv6";
                        masters { 192.168.27.8; };
                    };


Web Server

Download and update package list
Command:

                        sudo apt-get update

Install apache2 for Webserver
Command:

                        sudo apt-get install apache2

Make directories
Command:

                        sudo mkdir -p /var/www/radar.com/public_html

Assign owners and permission
Command:

                        sudo chown -R $USER:$USER /var/www/radar.com/public_html
                        sudo chmod -R 755 /var/www

Create the webpage. index.html is an HTML document that contains the code for the company webpage
Command:

                        sudo nano /var/www/radar.com/public_html/index.html

Change to the directory that holds the virtual host files
Command:

                         cd /etc/apache2/sites-available

Create and copy virtual host file
Command:

   sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/radar.com.conf

Edit virtual host file radar.com.conf
Command:

                         sudo nano /etc/apache2/sites-available/radar.com.conf

                         <VirtualHost *:80>
                             ServerAdmin info@radar.com
                             ServerName radar.com
                             ServerAlias www.radar.com
                             DocumentRoot /var/www/radar.com/public_html
                             ErrorLog ${APACHE_LOG_DIR}/error.log
                             CustomLog ${APACHE_LOG_DIR}/access.log combined
                         </VirtualHost>

Enable the radar.com site, disable the default site, and restart the apache service for the changes to take effect
Command:

                         sudo a2ensite radar.com.conf      # enable site radar.com
                         sudo a2dissite 000-default.conf   # disable site 000-default
                         sudo service apache2 restart
         

Setup local host file

                         sudo nano /etc/hosts
                         127.0.0.1    localhost
                         127.0.1.1    ubuntu
                         192.168.27.9 radar.com
                           

Firewall

Step 1: Install UFW package
Command:

                           sudo apt-get install ufw

Step 2: Check UFW status
Command:

                          sudo ufw status

Step 3: Set Up Default Policies

Command:

                           sudo ufw default deny incoming
                           sudo ufw default allow outgoing

Step 4: Allow SSH, HTTP, FTP and HTTPS connections

Command:

                           sudo ufw allow from 192.168.27.0/24 to any port 443
                           sudo ufw allow from 192.168.27.0/24 to any port 80
                           sudo ufw allow from 192.168.27.0/24 to any port 21
                           sudo ufw allow from 192.168.27.0/24 to any port 22

Step 5: Disabling ping

Command:

                           sudo nano /etc/ufw/before.rules 

Comment out this line:

                          -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Step 6: Enable UFW

Command:

                           sudo ufw enable

Backup Server

Step 1: Install OpenSSH on the Linux server
Command:

                           sudo apt-get install openssh-server

Step 2: Install expect package
Command:

                           sudo apt-get install expect 

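Step 3: Create a new file and type the following to create the backup script.
Command:

                            #!/bin/bash
                            # Timestamp used in the archive name
                            TIME=$(date +%b-%d-%I-%M-%S)
                            FILENAME=backup-$TIME.tar.gz
                            SRCDIR=/var/www
                            DESDIR=/home/divya/backup
                            # Archive the web root, preserving permissions
                            tar -cpzf "$DESDIR/$FILENAME" "$SRCDIR"
                            # Copy the archive to the backup server; expect types the scp password.
                            # The password sits in this script in clear text, so keep the file
                            # readable by its owner only (chmod 700).
                            /usr/bin/expect <<EOD
                            spawn scp $DESDIR/$FILENAME divya@192.168.27.3:/home/divya/backup
                            expect "password:"
                            send "****"
                            send "\r"
                            expect "*\r"
                            expect "*\r"
                            EOD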


The script zips the file that needs to be backed up and sends the file from the source directory to the destination directory and from the destination directory it gets transferred to the remote backup server. The same procedure is repeated for all webservers.
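
A variant of the backup step that keeps no password in the script by authenticating scp with an SSH key; this is an added example, not the project's own script. The key path `$HOME/.ssh/backup_key` and the 24-hour timestamp format are assumptions.

```shell
#!/bin/sh
# Added example: backup with key-based scp instead of expect.
# Assumed (not from the page): the key file path and the timestamp format.

# make_backup SRCDIR DESDIR -> prints the path of the archive it created
make_backup() {
    src=$1
    des=$2
    [ -d "$src" ] || { echo "source $src missing" >&2; return 1; }
    mkdir -p "$des" || return 1
    chmod 700 "$des"
    # 24-hour timestamp so morning and evening runs never share a name
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$des/backup-$stamp.tar.gz"
    # umask 077: the archive is readable by its owner only
    ( umask 077 && tar -cpzf "$archive" \
        -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    # Refuse to ship an archive that cannot be read back
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# push_backup ARCHIVE KEYFILE REMOTE
push_backup() {
    # BatchMode: never fall back to a password prompt, fail instead
    # StrictHostKeyChecking: refuse a backup server whose host key is unknown
    scp -i "$2" -o BatchMode=yes -o StrictHostKeyChecking=yes "$1" "$3"
}

# Run the backup only when invoked as: backup.sh run
if [ "${1:-}" = "run" ]; then
    archive=$(make_backup /var/www /home/divya/backup) || exit 1
    push_backup "$archive" "$HOME/.ssh/backup_key" \
        divya@192.168.27.3:/home/divya/backup
fi
```

Create the key once with ssh-keygen and install it on the backup server with ssh-copy-id before scheduling the script.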


Step 4: Crontab is used to schedule the backup with a cron job that runs the bash script and dumps the file every 5 minutes.

                             crontab -e

You can edit the frequency of the backup using crontab. The following screenshot shows the backup scheduling of the webserver.


ALGORITHM

1. Create a DHCP server and give it the IP address range 192.168.27.50 – 192.168.27.200

2. Create a client; it fetches its IP address from the DHCP server in the range specified

3. Create a webserver and host an HTML page for “radar.com”

4. The client can access the hosted webpage and can ping it

5. The DNS server is created to resolve the domain's IP address

6. A backup server is created to back up and secure, at a scheduled time, the cache created by the webserver

7. To increase security, an IPSec tunnel is implemented, which lets two servers in a private network ping each other over a public network using encryption

8. NFS is set up to share files between two hosts


ADD-ONS

Address Resolution Protocol (ARP)

ARP poisoning has been implemented using Scapy. Here an attacker tries to intrude into the client's network. When the client initially requests the webserver page, it is able to view the requested webpage. When the attacker runs the Scapy script, it floods the ARP cache of the victim (client) with the attacker's own MAC address. Now, when the client requests the webpage of the webserver, the hacked webpage hosted by the attacker is shown instead of the original one.


Network File System (NFS)

Step 1: Configuring the NFS server
Command:

                           sudo apt-get install nfs-kernel-server
                           sudo chmod 777 location

Edit the file

                           sudo nano /etc/exports

Append the line below as the last line

                           /home/divya/mnt 192.168.27.0/255.255.255.0(rw,sync,root_squash,subtree_check)

Save and exit. Change the directory and create a sample file named "new1"

                           cd /home/divya/mnt
                           touch new1
                           sudo nano new1

Start the server

                           sudo service nfs-kernel-server start

Step 2: Configuring the NFS client
To install the NFS client: Command

                           sudo apt-get install nfs-common

Make a directory in a location and mount the share on it

                           sudo mkdir -p /home/mnt
                           sudo mount 192.168.27.9:/home/divya/mnt /home/mnt
                           sudo mount -a

To verify whether it is mounted

                            df -h


IPSec VPN tunnel

Server 1

                           # /etc/ipsec.conf
                           conn server1-to-server2
                               authby=secret
                               auto=route
                               keyexchange=ike
                               left=192.168.27.8
                               right=192.168.27.10
                               type=tunnel
                               esp=aes128gcm16!

                           # /etc/ipsec.secrets
                           192.168.27.8    192.168.27.10  : PSK "Password!"

Server 2

                           conn server2-to-server1
                               authby=secret
                               auto=route
                               keyexchange=ike
                               left=192.168.27.10
                               right=192.168.27.8
                               type=tunnel
                               esp=aes128gcm16!


TESTING

1. DHCP Dynamic IP Assigning to client

2. Client pinging to DNS Master

3. Client pinging to DNS Master

4. Client pinging the webserver

5. Checking if the webserver hosts the website

6. NFS testing

7. nslookup to check DNS capability

  • The detailed screenshots are provided in the report

