Data Networking/Spring 2017/RADAR
LINUX PROJECT
editTHE TEAM
edit1. RISHABH AGARWAL
2. ARIF JAN ASHRAF JAN
3. DIVYA SHARMA
4. ABHISHEK RAO JANARDHAN RAO
MOTIVATION
editThis project helps us build a deeper understanding of the basic networking fundamentals with the practical implementation of a Dynamic Host Configuration Protocol (DHCP) Server, Domain Name System (DNS) Server, Web Server, Firewall and Backup Server.
The main purpose of this project is to create a complete network environment in which the servers and clients will be able to dynamically get IP addresses from the DHCP server created, after which with the help of the DNS server created, the users in the created network would be able to successfully fetch and ping www.radar.com which is the webserver hosted by us.
Configuration of components such as backup server, firewall, Network File System(NFS) and IPSec VPN tunnels to create a very complex, intricate, robust and secure inter-networking system which can be implemented and used by organizations and companies.
BEHAVIOR OF THE PROTOCOL
editDynamic Host Configuration Protocol
editDynamic Host Configuration Protocol (DHCP) is an internet protocol that allows the server to assign IP addresses to the systems(client) in the network it’s a part of, also it can be configured to assign IP addresses from a selected range of IP’s provided by the person that constructed and configured the server. The DHCP server can lease IP addresses to the cliest which are enabled to get IP’s assigned by the DHCP server. The IP addresses which are no longer used by the clients are returned back to the pool for reallocation. Both IPV4 and IPV6 addresses can be assigned using DHCP server.
DHCP assigns IP’s in the following manner.
- Automatic allocation: DHCP assigns IP address to a client when it gets the IP request packet.
- Dynamic allocation:DHCP assigns IP addresses to clients for a particular time limit(or till the client is no longer using it) which is basically leasing of the IP’s. When the lease period is completed, the client will request an extension on the lease or request for a new IP to be assigned.
- Manual allocation:Another not so commonly used method of allocation is manual allocation in which the client is assigned the same IP address using the MAC address of the system as a label or tag.
Domain Name System
editDNS is an application layer protocol with the ability to translate domain names to IP addresses and vice versa. The basic job of the DNS is to provide simplicity for the application user; i.e. it provides an easier way that will translate the user-friendly domain name to a machine understanding IP address which is then used to fetch and forward data. With the explosion in the use of internet and World Wide Web in commercial, security, social markets among many others, it is not possible for a user to remember the logical IP addresses of the sites. This is where DNS steps in and makes it possible such that the user just needs to remember the user-friendly domain name like www.google.com from which the DNS will translate it into an IP address as 8.8.8.8.
Jumping further into the behavior of the protocol, the DNS stores DNS records for a domain name with corresponding IP addresses and it will respond to queries from the user with answers from its database.
DNS Records are nothing but the database files from which the mappings are fetched. Some of the commonly used DNS records are A, CNAME, MX, PTR, NS.
| RECORD TYPE | EXAMPLE NAME | MAPPED DATA | DESCRIPTION |
|---|---|---|---|
| NS | radar.com | Ns1.radar.com Ns2.radar.com |
This record indicates the host/user about the authoritative servers and also provides with information about the Master and Slave servers of the zone. |
| A | Ns1.radar.com Ns2.radar.com |
192.168.27.8 192.168.27.10 |
This is the most basic type of DNS Record which indicates the 32 bit IPv4 address of the domain, i.e. mapping the FQDN to an IP address. |
| CNAME | radar.com | a.radar.com | This record maps to the canonical name (CNAME) details for the alias that is mentioned in the FQDN. |
| AAAA | 192.168.27.8 192.168.27.10 |
www.radar.com | EThis record is used for the mapping of mail exchange server information to a specific domain name. |
| PTR | 192.168.27.8 | ns1.radar.com | This is an interesting record type where the user actually has the IP address of the domain from which he can map it to a CNAME, these mappings are stored in this record type. |
Webserver & Firewall
editA webserver should run on the Linux OS to host a website. Apache2 is the used webserver.A firewall is used to provide a layer of security to control the incoming and outgoing traffic in a network and to block and filter packets to go into the system. The firewall can for a system or even a specific server with bunches of databases or confidential data which is being shielded from unapproved clients in/outside the system.
STEPS AND COMMANDS
editDynamic Host configuration Protocol (DHCP) Server
editStep 1. Install DHCP Server
Command:
sudo apt-get install isc-dhcp-server
Step 2. Install radvd package
Command:
apt-get install radvd
Step 3. Set the static IP address of the DHCP server
Command:
sudo nano /etc/network/interfaces
IPv4 Configuration
auto lo
iface lo inet loopback
auto ens33
iface ens33 inet static
address 192.168.27.2
netmask 255.255.255.0
gateway 192.168.27.1
network 192.168.27.0
broadcast 192.168.27.255
dns-domain-nameserver 192.168.27.8
dns-domain-search radar.com
IPv6 Configuration
iface ens33 inet6 static
address 2001:720:40b:666::2
netmask 64
gateway 2001:720:40b:666::1
Step 4. Configure the IPv6 and IPv4 forwarding
Command:
nano /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Step 5. Make ens33 as the default interface
Command:
nano /etc/default/isc-dhcp-server
INTERFACES="ens33"
Step 6. Configure the DHCP server for ipv4
Command:
nano /etc/dhcp/dhcpd.conf
subnet 192.168.27.0 netmask 255.255.255.0 {
range 192.168.27.50 192.168.27.200;
option domain-name-servers 192.168.27.8;
option domain-name "radar.com";
option routers 192.168.27.1;
option broadcast-address 192.168.27.255;
default-lease-time 600;
max-lease-time 7200;
}
Step 7. Edit the resolv.conf file
Command:
sudo nano /etc/resolv.conf
nameserver 192.168.27.8
nameserver 192.168.27.10
search radar.com
Step 8. Configure the DHCP server for ipv6
Command:
nano /etc/dhcp/dhcpd6.conf
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet6 2001:720:40b:666::/64{
# Range for clients
range6 2001:720:40b:666::50 2001:720:40b:666::150;
}
Step 9. Configuration of the radvd module
Command:
nano /etc/radvd.conf
interface eth0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2001:720:40b:666::64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
Step 10. Reboot the System
Command:
sudo init 6
Step 11. Restart the DHCP server
Command:
sudo service network-manager restart
Domain Name System (DNS) Server
editDNS Master Server
editStep 1: Install Bind9
Command:
sudo apt-get install bind9
Step 2: Restart the networking daemon
Command:
sudo /etc/init.d/networking restart
Step 3: Add a DNS zone to BIND9
Command:
edit /etc/bind/named.conf.local
// Forward zone
zone "radar.com" {
type master;
file "/etc/bind/db.radar.com";
allow-transfer{192.168.27.10;};
also-notify{192.168.27.10;};
};
// Reverse zone
zone "27.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer{192.168.27.10;};
also-notify{192.168.27.10;};
};
zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.ipv6";
allow-transfer{192.168.27.10;};
Step 4: use an existing zone file as a template to create the /etc/bind/db.radar.com file
Command:
sudo cp /etc/bind/db.local /etc/bind/db.radar.com
/etc/bind/db.radar.com
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA ns1.radar.com. root.radar.com. (
6 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
radar.com. IN NS ns1.radar.com.
radar.com. IN NS ns2.radar.com.
ns1 IN A 192.168.27.8
ns2 IN A 192.168.27.10
www.radar.com IN AAAA 2001:720:40b:666::124
@ IN A 192.168.27.9
www.radar.com. IN A 192.168.27.9
dhcp.radar.com. IN A 192.168.27.2
Now restart the BIND9:
Command:
sudo service bind9 restart
Step 5: Setup reverse zone
Command:
sudo cp /etc/bind/db.127 /etc/bind/db.192
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA radar.com. root.radar.com. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.radar.com.
@ IN NS ns2.radar.com.
8 IN PTR ns1.radar.com.
10 IN PTR ns2.radar.com.
9 IN PTR www.radar.com.
Command:
sudo service bind9 restart
Zone for ipv6
/etc/bind/db.ipv6
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA radar.com. root.radar.com. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.radar.com.
@ IN NS ns2.radar.com.
4.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR www.radar.com.
Step 7 : Create Network Interface
Command:
/etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.27.8
netmask 255.255.255.0
gateway 192.168.27.1
network 192.168.27.0
broadcast 192.168.27.255
dns-nameservers 192.168.27.8
auto eth0
iface eth0 inet6 static
address 2001:720:40b:666::124
netmask 64
DNS Slave Server
edit /etc/bind/named.conf.local
//include "/etc/bind/zones.rfc1918";
zone "radar.com" {
type slave;
file "/var/chache/bind/db.radar.com";
masters { 192.168.27.8; };
};
zone "27.168.192.in-addr.arpa" {
type slave;
file "/var/chache/bind/db.192";
masters { 192.168.27.8; };
};
zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
type slave;
file "/var/chache/bind/db.ipv6";
masters { 192.168.27.8; };
};
Web Server
editDownload and update package list
Command:
sudo apt-get update
Install apache2 for Webserver
Command:
sudo apt-get install apache2
Make directories
Command:
sudo mkdir -p /var/www/radar.com/public.html
Assign owners and permission
Command:
sudo chown -R $USER:$USER var/www/radar.com/public.html
sudo chmod -R 755 /var/www
Creates webpage. index.html is an HTML document that contains code for the company webpage
Command:
sudo nano /var/www/radar.com/public.html/index.html
Make HTML page
Command:
cd /etc/apache2/sites-available
Create and copy virtual host file
Command:
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/radar.com.conf
Edit virtual host file radar.com.conf
Command:
sudo nano /etc/apache2/sites-available/radar.com.conf
<VirtualHost *:80>
ServerAdmin info@radar.com
ServerName radar.com
ServerAlias www.radar.com
DocumentRoot /var/www/radar.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo a2ensite radar.com.conf ----> enabling site radar.com
sudo a2dissite 000-default.conf ---> site 000-default disabled
Restart apache service to take effect
sudo service apache2 restart
Setup local host file
sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.27.9 radar.com
Firewall
editStep 1
Command:
: Install UFW package
sudo apt-get install ufw
Step 2: Check UFW status
Command:
sudo ufw status
Step 3: Set Up Default Policies
Command:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Step 4: Allow SSH,http,ftp,https Connections
Command:
sudo ufw allow from 192.168.27.0/24 to any port 443
sudo ufw allow from 192.168.27.0/24 to any port 80
sudo ufw allow from 192.168.27.0/24 to any port 21
sudo ufw allow from 192.168.27.0/24 to any port 22
Step 5: Disabling ping
Command:
sudo nano /etc/ufw/before.rules
//Comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Step 6: Enable UFW
Command:
sudo ufw enable
Backup Server
editStep 1: Install open-ssh on the linux server
Command:
sudo apt-get install open-ssh
Step 2: Install expect package
Command:
sudo apt-get install expect
Step 3: Create a new file and type the following script to create the backup script file.
Command:
#! /bin/bash
TIME=$(date=+%b-%d-%I-%M-%S)
FILENAME=backup-$TIME.tar.gz
SRCDIR=/var/www
DESDIR=/home/divya/backup
tar -cpzf $DESDIR/$FILENAME $SRCDIR
/usr/bin/expect <<EOD
spawn scp $DESDIR/$FILENAME divya@192.168.27.3:/home/divya/backup
expect "password:"
send "****"
send "\r"
expect "*\r"
expect"*\r"
EOD
The script zips the file that needs to be backed up and sends the file from the source directory to the destination directory and from the destination directory it gets transferred to the remote backup server. The same procedure is repeated for all webservers.
Step 4 : Crontab is used for scheduling the backup using a cronjob which includes the bash script to dump the file for every 5 mins.
Crontab -e
You can edit the frequency of the backup using crontab. The following screenshot shows the backup scheduling of the webserver.
ALGORITHM
edit1. Create a DHCP server and give IP Address range 192.168.27.50 – 192.168.27.200
2. Create a client, it fetches its IP Address from the DHCP in the range specified
3. Create a webserver and host a HTML page for “radar.com”
4. The client can access the webpage hosted and can ping it
5. The DNS server is created to resolve domain IP Address
6. Backup server is created for backing up and securing the cache created at a scheduled time by the webserver
7. To increase the security, IPSec tunnel is implemented which helps to ping two servers in a private network, on a public network using encryption
8. NFS is created to share files between two hosts
ADD-ONS
editAddress Resolution Protocol (ARP)
editARP poisoning has been implemented using Scapy. Here an attacker tries to intrude in the client's network. When the client requests the webserver page initially, he'll be able to view the webpage requested, but when the attacker uses the Scapy script he floods the ARP cache of the victim(client) with its own MAC address. Now when the client tries to request the webpage of the webserver instead of the original webpage, the hacked webpage hosted by the attacker is visible.
Network File System (NFS)
editStep 1:Configuring the NFS-server
Command:
sudo apt-get install nfs-kernel-server
sudo chmod 777 location
Edit the file
sudo nano /etc/exports
On the last line append below
/home/divya/mnt 192.168.27.0/255.255.255.0(rw,sync,root_squash,subtree_check)
Save and Exit Change the directory
cd /home/divya/mnt
touch new1
sudo nano new1
Create a sample fie named "new1"
Start the server
sudo service nfs-kernel-server start
Step 2:Configuring the NFS-client
To Install NFS client:
Command
sudo apt-get install nfs-common
Make directory in a location
sudo mount server 192.168.27.9:/home/divya/mnt /home/mnt
sudo mount -a
To verify whether it is mounted
df -h
IPSec VPN tunnel
editServer 1
/etc/ipsec.conf
conn server1-to-server2
authby=secret
auto=route
keyexchange=ike
left=192.168.27.8
right=192.168.27.10
type=tunnel
esp=aes128gcm16!
/etc/ipsec.secerts
192.168.27.8 192.168.27.10 : PSK "Password!"
Server 2
conn server2-to-server1
authby=secret
auto=route
keyexchange=ike
left=192.168.27.10
right=192.168.27.8
type=tunnel
esp=aes128gcm16!
TESTING
edit1. DHCP Dynamic IP Assigning to client
2. Client pinging to DNS Master
3. Client pinging to DNS Master
4. Client pinging the webserver
5. Checking if the webserver hosts the website
6. NFS testing
7. nslookup to check DNS capability
- The detailed screenshots are provided in the report
References
edithttps://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
https://en.wikipedia.org/wiki/Domain_Name_System