
Data Networking/Fall 2013/Group8

From Wikiversity

Group Members

  • Hang Chen
  • Jatin Verma
  • Sunan Jiang
  • Phum Auacherdkul

Understanding the Protocol


Client–Server Architecture


The client–server characteristic describes the relationship between cooperating programs in an application. The server component provides a function or service to one or many clients, which initiate requests for such services. The model assigns one of two roles to the computers in a network: client or server. A server is a computer system that selectively shares its resources; a client is a computer or computer program that initiates contact with a server in order to make use of a resource. Data, CPUs, printers, and data storage devices are some examples of resources.

Dynamic Host Configuration Protocol


Dynamic Host Configuration Protocol (DHCP) is a standardized networking protocol used on IP networks that dynamically configures IP addresses and other information needed for Internet communication. DHCP allows computers and other devices to receive an IP address automatically from a central DHCP server, so that a network administrator or user does not have to configure these settings manually. DHCP uses the concept of a "lease", the amount of time for which a given IP address is valid for a computer. The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location. It is especially useful in education and other environments where users change frequently. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses. The protocol also supports static addresses for computers that need a permanent IP address, such as web servers. DHCP is used for Internet Protocol version 4 (IPv4) as well as IPv6. While both versions serve the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they may be considered separate protocols. IPv6 devices may alternatively use stateless address autoconfiguration. IPv4 hosts may use link-local addressing to achieve limited local connectivity.

DHCP Procedure

  1. DHCP discovery
  2. DHCP offer
  3. DHCP request
  4. DHCP acknowledgement


Domain Name Server


Domain Name System (DNS) translates Internet domain and host names to IP addresses. DNS automatically converts the names we type in our Web browser address bar to the IP addresses of Web servers hosting those sites. DNS implements a distributed database to store this name and address information for all public hosts on the Internet. DNS assumes IP addresses do not change (are statically assigned rather than dynamically assigned).

Firewall


A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through, based on an applied rule set. Firewalls can be defined in many ways according to one's level of understanding. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

Backup


A backup, or the process of backing up, refers to the copying and archiving of computer data so that it may be used to restore the original after a data loss event. The verb form is "to back up", in two words, whereas the noun is "backup". Backups have two distinct purposes. The primary purpose is to recover data after its loss, whether by deletion or corruption; data loss is a common experience of computer users. The secondary purpose is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application, which specifies how long copies of data are kept. Though backups popularly represent a simple form of disaster recovery, and should be part of a disaster recovery plan, backups alone should not be considered disaster recovery.

The Requirements


Scope of IP

Network:     192.168.10.0/28       11000000.10101000.00001010.0000 0000 (Class C)
Netmask:     255.255.255.240 = 28  11111111.11111111.11111111.1111 0000
Wildcard:    0.0.0.15              00000000.00000000.00000000.0000 1111
Broadcast:   192.168.10.15         11000000.10101000.00001010.0000 1111
HostMin:     192.168.10.1          11000000.10101000.00001010.0000 0001
HostMax:     192.168.10.14         11000000.10101000.00001010.0000 1110
Hosts/Net:   14                    (Private Internet)

Address pool

Pool range :   192.168.10.5-192.168.10.14
Reservation :  192.168.10.2 (Webserver)
               192.168.10.3 (DHCP)
               192.168.10.4 (DNS)
Lease :        600 - 7200 sec

The site http://www.sudotic.com is served over both IPv4 and IPv6.

Webserver


In our project we use Apache 2.

Apache


Apache web server is the most widely utilized web server in the world and most of the world's websites are served on Apache web servers. Apache development is run by the Apache Software Foundation, which is a community of software developers. Apache is released with an open-source software license. There are releases of Apache that can run on most operating systems including Unix, Linux, Windows and Apple to name a few. Most often Apache is run on Linux web servers. The danscourses.com website is hosted on an Apache webserver, using shared webhosting. Shared webhosting utilizes Apache's ability to host multiple websites on one web server, called virtual hosts.

Firewall

Secure the server as thoroughly as possible.

Backup server

Our group uses rsync (driven by a shell script) as the backup tool and crontab to run the backup automatically.

Rsync


Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.

Cron is a system daemon used to execute desired tasks (in the background) at designated times.

A crontab is a simple text file with a list of commands meant to be run at specified times. It is edited with a command-line utility. These commands (and their run times) are then controlled by the cron daemon, which executes them in the system background. Each user has a crontab file which specifies the actions and the times at which they should be executed; these jobs run regardless of whether the user is actually logged into the system. There is also a root crontab for tasks requiring administrative privileges. This system crontab allows scheduling of system-wide tasks.

Passwordless ssh

Because OpenSSH allows you to run commands on remote systems, showing you the results directly, as well as simply logging in to systems, it is ideal for automating common tasks with shell scripts and cron jobs. One thing you probably won't want to do, though, is store the remote system's password in the script. Instead you will want to set up SSH so that you can log in securely without having to give a password.

Thankfully this is very straightforward, with the use of public keys.

To enable the remote login you create a pair of keys, one of which you simply append to a file on the remote system. When this is done you will be able to log in without being prompted for a password, and this also covers any cron jobs you have set up to run.

If you don't already have a keypair generated you'll first of all need to create one.

The zip program is useful for packaging a set of files for distribution, for archiving files, and for saving disk space by temporarily compressing unused files or directories.

The zip program puts one or more compressed files into a single zip archive, along with information about the files (name, path, date, time of last modification, protection, and check information to verify file integrity). An entire directory structure can be packed into a zip archive with a single command. Compression ratios of 2:1 to 3:1 are common for text files. zip has one compression method (deflation) and can also store files without compression. zip automatically chooses the better of the two for each file to be compressed.

Steps to perform the setup / installation

Installation

First, we need to configure each server in the network separately.

Install the isc-dhcp-server package and edit its configuration file, /etc/dhcp/dhcpd.conf, with the following values:

          Subnet mask: 255.255.255.240
          Network:     192.168.10.0
          Router:      192.168.10.1
          IP range:    192.168.10.5 - 192.168.10.14
          Reserved IP addresses: 192.168.10.2 ------- Web server
                                 192.168.10.3 ------- DHCP server
                                 192.168.10.4 ------- DNS server

Then restart the isc-dhcp-server service.

In this dhcpd configuration we have already fixed the IPv4 addresses of the web server and the DNS server. Each host has two MAC (hardware) addresses, one for wireless and one for wired. In this project we used the wired MAC address to assign the fixed IPv4 address (RARP).

Finally, the web server and the DNS server obtain the fixed IPv4 addresses 192.168.10.2 and 192.168.10.4, and the clients obtain dynamic IPv4 addresses from the configured range.
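The addressing plan can be checked mechanically rather than by hand. The following shell script is an added example, not the project's own code: it derives the subnet fields shown in the Scope of IP table from a CIDR prefix (for any prefix length, not only /28) and then verifies that a dhcpd.conf fragment keeps every fixed reservation inside the declared subnet and outside the dynamic range, the overlap that otherwise produces duplicate-address problems. The dhcpd.conf text and the MAC addresses in it are constructed for the example.

```shell
#!/bin/bash
# Added example, not the project's own code: subnet arithmetic for the
# addressing plan on this page plus a consistency check for dhcpd.conf
# reservations. The dhcpd.conf text and MAC addresses below are constructed.

ip2int() {
    # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {
    # prefix length -> mask as an integer, e.g. 28 -> 0xFFFFFFF0
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

subnet_info() {
    # "a.b.c.d/N" -> the same fields as the 'Scope of IP' table on this page
    local addr=${1%/*} plen=${1#*/} mask net bcast
    mask=$(prefix_mask "$plen")
    net=$(( $(ip2int "$addr") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "Network:   $(int2ip "$net")/$plen"
    echo "Netmask:   $(int2ip "$mask")"
    echo "Wildcard:  $(int2ip "$(( ~mask & 0xFFFFFFFF ))")"
    echo "Broadcast: $(int2ip "$bcast")"
    echo "HostMin:   $(int2ip "$(( net + 1 ))")"
    echo "HostMax:   $(int2ip "$(( bcast - 1 ))")"
    echo "Hosts/Net: $(( bcast - net - 1 ))"
}

# Constructed dhcpd.conf fragment mirroring the address pool on this page.
DHCPD_CONF_SAMPLE='subnet 192.168.10.0 netmask 255.255.255.240 {
  option routers 192.168.10.1;
  option domain-name-servers 192.168.10.4;
  range 192.168.10.5 192.168.10.14;
  default-lease-time 600;
  max-lease-time 7200;
}
host webserver { hardware ethernet 00:00:00:00:00:02; fixed-address 192.168.10.2; }
host dnsserver { hardware ethernet 00:00:00:00:00:04; fixed-address 192.168.10.4; }'

# The same fragment with one reservation placed inside the dynamic pool (a mistake).
DHCPD_CONF_BAD=$(printf '%s\n' "$DHCPD_CONF_SAMPLE" | sed 's/fixed-address 192.168.10.4;/fixed-address 192.168.10.6;/')

check_dhcpd_conf() {
    # $1 = dhcpd.conf text. Returns 0 when every fixed-address lies inside the
    # declared subnet and outside the dynamic range; otherwise reports and returns 1.
    local conf=$1 net mask lo hi ip n rc=0
    set -- $(printf '%s\n' "$conf" | sed -n 's/^ *subnet \([0-9.]*\) netmask \([0-9.]*\).*/\1 \2/p')
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    set -- $(printf '%s\n' "$conf" | sed -n 's/^ *range \([0-9.]*\) \([0-9.]*\);.*/\1 \2/p')
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    for ip in $(printf '%s\n' "$conf" | sed -n 's/.*fixed-address \([0-9.]*\);.*/\1/p'); do
        n=$(ip2int "$ip")
        if [ $(( n & mask )) -ne "$net" ]; then
            echo "reservation $ip is outside the subnet" >&2; rc=1
        elif [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "reservation $ip overlaps the dynamic range $(int2ip "$lo")-$(int2ip "$hi")" >&2; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    subnet_info 192.168.10.0/28
    check_dhcpd_conf "$DHCPD_CONF_SAMPLE" && echo "dhcpd.conf sample: OK"
fi
```

Run with `sh check.sh demo` to print the table and the check result; the same `check_dhcpd_conf` function can be fed the contents of the real /etc/dhcp/dhcpd.conf before the service is restarted.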

Now for the IPv6 configuration. Since dhcpd cannot give out both IPv4 and IPv6 addresses at the same time, and we already have a working IPv4 setup, we need to configure dhcpd6, reusing much of the dhcpd configuration. First, we configured the /etc/dhcp/dhcpd6.conf file.

Since we cannot use MAC addresses to fix the IPv6 addresses of the web server and the DNS server, we must use the client ID of each host to fix its IPv6 address.

The problem is that we do not know the client ID of each host, so we cannot fix the IPv6 addresses. We can find it out by examining the process log and the files written during the IPv6 process, step by step.

The client ID can be found in /var/lib/dhcp/. You will find a dhcpclient……….lease file that has the client ID inside; every *.lease file holds the same client ID.
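Extracting the client ID from the lease file and turning it into a reservation can be scripted. The following is an added shell example, not the project's code: it reads the dhcp6.client-id (the DUID) out of lease text in the dhclient6 leases format and prints the dhcpd6.conf host stanza that pins that DUID to a fixed IPv6 address. The lease excerpt, the DUID and the addresses are constructed placeholders.

```shell
#!/bin/bash
# Added example, not the project's own code: read the DHCPv6 client ID (DUID)
# from a dhclient lease file and print the dhcpd6.conf reservation that pins
# it to a fixed IPv6 address. The lease excerpt, DUID and addresses below
# are constructed placeholders.

# Constructed excerpt in the format of the dhclient6 lease files under /var/lib/dhcp/
LEASE_SAMPLE='lease6 {
  interface "eth0";
  ia-na 00:11:22:33 {
    starts 1385856000;
    renew 300;
    rebind 480;
    iaaddr 1988:1990:1991:888::9 {
      starts 1385856000;
      preferred-life 600;
      max-life 7200;
    }
  }
  option dhcp6.client-id 0:1:0:1:1a:2b:3c:4d:0:11:22:33:44:55;
  option dhcp6.server-id 0:1:0:1:1a:2b:3c:4e:0:11:22:33:44:66;
}'

client_duid() {
    # Print the dhcp6.client-id value (the DUID) from lease text on stdin.
    # Every lease6 block for a host carries the same DUID, so the first
    # match is enough.
    sed -n 's/^[[:space:]]*option dhcp6\.client-id[[:space:]]*\([0-9a-fA-F:]*\);.*/\1/p' | head -n 1
}

dhcpd6_host_stanza() {
    # $1 = host name, $2 = DUID, $3 = fixed IPv6 address.
    # dhcpd6 matches a host on its DUID rather than its MAC address, which is
    # why the 'hardware ethernet' reservation used for IPv4 does not carry over.
    printf 'host %s {\n    host-identifier option dhcp6.client-id %s;\n    fixed-address6 %s;\n}\n' "$1" "$2" "$3"
}

if [ "${1:-}" = "demo" ]; then
    duid=$(printf '%s\n' "$LEASE_SAMPLE" | client_duid)
    dhcpd6_host_stanza webserver "$duid" 1988:1990:1991:888::2
fi
```

Run with `sh duid.sh demo` to see the stanza; on the real client, pipe its lease file from /var/lib/dhcp/ into `client_duid` instead of the constructed sample, and paste the resulting stanza into dhcpd6.conf on the DHCP host.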

The radvd package (router advertisement daemon) is required for IPv6 stateless autoconfiguration. If we want DHCPv6 to hand out IPv6 addresses, we must have a correct radvd configuration. First, we need to install the "radvd" package; then enable IPv6 in the /etc/sysctl.conf file.

The problem we faced is that the radvd.conf and dhcpd6.conf configurations were not suitable for our project; every condition in our configuration needs to be considered.

Configure the IPv4 DNS server: installing a DNS server

1. Our domain name is sudotic.com. First we need to get the Bind 9 package, which provides the configuration directories. Installing bind9 installs the package and the required directories.

2. Create a file for the forward zone of the domain name, in the same format as the file db.local.

Note: www is the web server, and AAAA is the record type for an IPv6 address.

3. Create a file for the reverse zone, in the same format as the file db.127. The last 5 lines begin with numbers which represent the last digit of an IP address in our network, and each item in this file should have a counterpart in the forward file. For example, "6" is the last digit of the IP address of our web server, and www is shown in the forward file with the IP address 192.168.10.6.

4. Then we need to add our forward file and reverse file as local zones. The forward zone is straightforward, but in the reverse zone the name of the zone acts as a prefix which, combined with the digit in the reverse file, forms the whole reversed IP address. We also set every zone as a primary server, so we add the line "type master" in every zone.

Add the IPv6 configuration to the DNS server: as the first picture shows, we can add an IPv6 address in the forward file using an AAAA record. What we should do next is add a reverse file for the IPv6 address.

1. The reverse file for IPv6 has the same format as db.127. The address which maps to www.sudotic.com should be the reversed form of the last 16 hex digits of the IPv6 address. In our case the IPv6 address is 1988:1990:1991:888::2, so the last 16 digits in reversed order are 2000000000000000, with a dot between each digit. Then save.

2. Then we need to add a zone for the IPv6 address. The syntax is the same as for IPv4, but the reverse zone name should be the first 16 hex digits of the IPv6 address in reversed order. In our case they are 1988199019910888, again with a dot between each digit, as follows:
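The reversal rules in steps 1 and 2 above (and for the IPv4 reverse zone earlier) can be automated, which also avoids the ipv6.arpa/ip6.arpa slip described later under Testing. The following is an added shell example, not the project's zone files: it expands an IPv6 address to its 32 hex nibbles and splits the reversed form into the ip6.arpa zone name (the first 16 nibbles for a /64) and the PTR owner label (the remaining nibbles), and does the same for an IPv4 in-addr.arpa zone. The addresses and hostname in the demo are the ones on this page; the prefix lengths are assumptions (a /64 for IPv6, and a /24 for the IPv4 zone, which a db.127-style file with single-digit labels implies).

```shell
#!/bin/bash
# Added example, not the project's own code: derive the reverse-zone names
# and PTR labels used in the BIND zone files described above, for IPv4
# (in-addr.arpa) and IPv6 (ip6.arpa). Prefix lengths are assumptions.

expand_ipv6() {
    # Expand an IPv6 address to its 32 hex nibbles without colons,
    # e.g. 1988:1990:1991:888::2 -> 19881990199108880000000000000002
    local addr=$1 head tail n g out=""
    case $addr in
        *::*) head=${addr%%::*}; tail=${addr#*::} ;;
        *)    head=$addr; tail="" ;;
    esac
    local IFS=:
    set -- $head
    n=$#
    for g; do out=$out$(printf '%04x' "$(( 0x$g ))"); done
    set -- $tail
    n=$(( 8 - n - $# ))                  # zero groups elided by '::'
    while [ "$n" -gt 0 ]; do out=${out}0000; n=$(( n - 1 )); done
    for g; do out=$out$(printf '%04x' "$(( 0x$g ))"); done
    echo "$out"
}

reverse_nibbles() {
    # "abcd" -> "d.c.b.a"
    local s=$1 out="" c
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        out=$c${out:+.$out}
    done
    echo "$out"
}

ip6_arpa_zone() {
    # $1 = IPv6 address, $2 = prefix length (multiple of 4): the zone holding
    # its PTR record, e.g. .../64 -> 8.8.8.0.1.9.9.1.0.9.9.1.8.8.9.1.ip6.arpa
    local hex n; hex=$(expand_ipv6 "$1"); n=$(( $2 / 4 ))
    echo "$(reverse_nibbles "$(printf '%s' "$hex" | cut -c1-"$n")").ip6.arpa"
}

ip6_ptr_label() {
    # The PTR owner label inside that zone: the remaining nibbles, reversed,
    # e.g. 1988:1990:1991:888::2 in a /64 -> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
    local hex n; hex=$(expand_ipv6 "$1"); n=$(( $2 / 4 ))
    reverse_nibbles "$(printf '%s' "$hex" | cut -c$(( n + 1 ))-)"
}

in_addr_arpa_zone() {
    # $1 = IPv4 network, $2 = prefix length (8, 16 or 24),
    # e.g. 192.168.10.0 24 -> 10.168.192.in-addr.arpa
    local n=$(( $2 / 8 )) i=0 out="" o
    local IFS=.
    set -- $1
    for o; do
        i=$(( i + 1 ))
        if [ "$i" -le "$n" ]; then out=$o${out:+.$out}; fi
    done
    echo "$out.in-addr.arpa"
}

in_addr_arpa_label() {
    # The PTR owner label for a host in that zone, e.g. 192.168.10.2 24 -> 2
    local n=$(( $2 / 8 )) i=0 out="" o
    local IFS=.
    set -- $1
    for o; do
        i=$(( i + 1 ))
        if [ "$i" -gt "$n" ]; then out=$o${out:+.$out}; fi
    done
    echo "$out"
}

ptr_record() {
    # $1 = owner label, $2 = FQDN; one zone-file line in BIND syntax
    printf '%s\tIN\tPTR\t%s.\n' "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    echo "zone \"$(in_addr_arpa_zone 192.168.10.0 24)\""
    ptr_record "$(in_addr_arpa_label 192.168.10.2 24)" www.sudotic.com
    echo "zone \"$(ip6_arpa_zone 1988:1990:1991:888::2 64)\""
    ptr_record "$(ip6_ptr_label 1988:1990:1991:888::2 64)" www.sudotic.com
fi
```

Run with `sh revdns.sh demo`; the first echoed zone name goes into the `zone "..." { type master; ... }` stanza of named.conf.local and the PTR line into the matching db file. Note that the suffix is ip6.arpa, never ipv6.arpa.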

Web server

Install the apache2 package.

1) To check that Apache is running, open Firefox and type 127.0.0.1; it will show the message "It works!".
2) Go to the Apache web directory and look for the index.html file to edit it.

Backup server

The requirement is an automatic backup to a zip file every day at 12 am.

1) What we need

a) ssh (installed by default) and rsync ("sudo apt-get install rsync" if you don't already have it).
b) Users on both machines (the source machine and the destination machine), ideally with the same username
    (so: if user "tic" exists on the source machine, user "" should also exist on the destination machine).
c) ssh and rsync installed on both machines.

2) Passwordless login

a) Generate a public and private key pair on the web server.
b) Copy the public key to the backup server. In this case, we use the DHCP host as the backup server.
c) Try to log in to the backup server over ssh. It will ask for the passphrase the first time; after that we don't need to enter any password.

3) Write a script that includes the zip and rsync commands.

a) Create the script file anywhere.
b) Put the zip and rsync command lines in it. Also write a log file after the process finishes, for checking errors. Tip: specify the full path of every command used from crontab.

4) Configure crontab

a) This step specifies the time at which the program runs.
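The following backup script and crontab entry are an added example, not the project's own backup.sh: they show how steps 2 to 4 fit together when the job is run by cron, whose PATH is much shorter than a login shell's (the cause of the rsync failure reported later under Testing). Every external command is resolved to an absolute path first, ssh is run in batch mode so a missing or rejected key fails immediately rather than waiting for a password, and every outcome is appended to a log file. SRC_DIR, BACKUP_USER, BACKUP_HOST, DEST_DIR, STAGE_DIR and LOG_FILE are placeholders chosen for this example; the key pair itself is created beforehand with ssh-keygen and installed on the backup host with ssh-copy-id, as in step 2.

```shell
#!/bin/bash
# Added example, not the project's own backup.sh: nightly zip + rsync backup
# meant to be started by cron. cron runs jobs with a minimal PATH, so every
# external command is resolved to an absolute path first and every outcome
# is logged. SRC_DIR, BACKUP_USER, BACKUP_HOST, DEST_DIR, STAGE_DIR and
# LOG_FILE are placeholders for this example; override them from the environment.

SRC_DIR=${SRC_DIR:-/var/www}                 # what to back up (the web root)
STAGE_DIR=${STAGE_DIR:-/var/backups/www}     # where the zip is built locally
BACKUP_USER=${BACKUP_USER:-tic}              # same username on both hosts, as the page advises
BACKUP_HOST=${BACKUP_HOST:-192.168.10.3}     # the DHCP host, which this project uses as backup server
DEST_DIR=${DEST_DIR:-/home/tic/backup}       # target directory on the backup host
LOG_FILE=${LOG_FILE:-/var/log/backup.log}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG_FILE"; }

resolve_cmd() {
    # Print the absolute path of a command, or fail with a clear message.
    # This turns "rsync: command not found" under cron into a readable log line.
    local p
    p=$(command -v "$1") || { echo "missing command: $1" >&2; return 1; }
    case $p in
        /*) printf '%s\n' "$p" ;;
        *)  echo "$1 resolves to '$p', not an absolute path" >&2; return 1 ;;
    esac
}

archive_name() {
    # Archive file name for a date given as YYYY-MM-DD, e.g. www-2013-12-01.zip
    printf 'www-%s.zip\n' "$1"
}

backup_run() {
    local zip rsync ssh archive
    zip=$(resolve_cmd zip) && rsync=$(resolve_cmd rsync) && ssh=$(resolve_cmd ssh) \
        || { log "aborting: a required command is missing"; return 1; }
    mkdir -p "$STAGE_DIR"
    archive=$STAGE_DIR/$(archive_name "$(date +%F)")
    # -r recurses into directories (as tested on this page); -q keeps the log short.
    if ! "$zip" -rq "$archive" "$SRC_DIR" >> "$LOG_FILE" 2>&1; then
        log "zip failed for $SRC_DIR"; return 1
    fi
    # Key-based login set up earlier with ssh-copy-id. BatchMode=yes makes a
    # missing or rejected key fail at once instead of hanging on a password
    # prompt that nobody can answer under cron.
    if ! "$rsync" -az -e "$ssh -o BatchMode=yes" "$archive" \
            "$BACKUP_USER@$BACKUP_HOST:$DEST_DIR/" >> "$LOG_FILE" 2>&1; then
        log "rsync to $BACKUP_HOST failed for $archive"; return 1
    fi
    log "backup OK: $archive -> $BACKUP_USER@$BACKUP_HOST:$DEST_DIR/"
}

crontab_line() {
    # Crontab entry that runs this script daily at 00:00; $1 is its absolute path.
    printf '0 0 * * * %s run >> %s 2>&1\n' "$1" "$LOG_FILE"
}

case ${1:-} in
    run)  backup_run ;;
    cron) crontab_line "$(readlink -f "$0")" ;;   # paste the output into 'crontab -e'
esac
```

Test it first by hand with `./backup.sh run` and then from cron by pasting the output of `./backup.sh cron` into `crontab -e`; if the two behave differently, the log file shows which command or key was not found in the cron environment.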

Firewall

Install ufw

  1. Specify which services the firewall allows. In our case, we allowed HTTP and SSH.
  2. Enable the firewall; you can also check its status.

Configure the sysctl file

  1. IP spoofing protection
  2. Ignore ICMP broadcast requests
  3. Disable source packet routing
  4. Do not send redirects
  5. Block SYN attacks
  6. Ignore ICMP redirects
  7. Ignore directed pings

Restrict Apache information

  1. Edit the Apache 2 security configuration file
  2. Disable the Apache signature and/or Apache banner, and TRACE HTTP requests
  3. Restart Apache
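The three hardening steps above, as an added shell example rather than the project's own configuration: the functions emit the ufw commands, the sysctl.conf lines for items 1 to 7 and the Apache directives, and an audit function re-reads a sysctl file to confirm that each key is actually set, so the result is verified instead of assumed. The sysctl keys are the standard Linux ones for each item; SYSCTL_CONF and APACHE_SECURITY_CONF are assumed default paths (the Apache snippet lives in conf.d/security on Apache 2.2 and conf-available/security.conf on 2.4) and can be overridden from the environment.

```shell
#!/bin/bash
# Added example, not the project's own configuration: ufw rules, sysctl
# settings and Apache directives for the three hardening steps above, plus
# an audit of the resulting sysctl file. SYSCTL_CONF and APACHE_SECURITY_CONF
# are assumed default paths; override them from the environment if they differ.

SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
APACHE_SECURITY_CONF=${APACHE_SECURITY_CONF:-/etc/apache2/conf.d/security}

firewall_rules() {
    # Default-deny inbound, allow only the two services this project exposes.
    # Outbound stays open, so the web server can still ssh to the backup host.
    printf '%s\n' \
        'ufw default deny incoming' \
        'ufw default allow outgoing' \
        'ufw allow ssh' \
        'ufw allow http' \
        'ufw --force enable' \
        'ufw status verbose'
}

sysctl_hardening() {
    # sysctl.conf lines for items 1-7 above, one comment per item.
    cat <<'EOF'
# 1. IP spoofing protection: drop packets whose source is not routable back via the receiving interface
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 2. Ignore ICMP echo requests sent to a broadcast address (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 3. Disable source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# 4. Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 5. SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# 6. Ignore ICMP redirects (they could rewrite the routing table)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# 7. Ignore directed pings
net.ipv4.icmp_echo_ignore_all = 1
EOF
}

audit_sysctl_file() {
    # $1 = a sysctl.conf file. Returns 0 when every key=value emitted by
    # sysctl_hardening is present in it, else reports the gaps and returns 1.
    local rc=0 key val key_re
    while IFS=' =' read -r key val; do
        [ -n "$key" ] || continue
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$1"; then
            echo "missing or different: $key = $val" >&2
            rc=1
        fi
    done <<EOF
$(sysctl_hardening | grep -v '^#')
EOF
    return $rc
}

apache_hardening() {
    # Directives for the Apache security snippet: hide version details,
    # drop the signature footer and refuse the TRACE method.
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF
}

case ${1:-} in
    apply)   # run as root, once; both appends are cumulative
        firewall_rules | while read -r cmd; do $cmd; done
        sysctl_hardening >> "$SYSCTL_CONF" && sysctl -p "$SYSCTL_CONF"
        apache_hardening >> "$APACHE_SECURITY_CONF" && service apache2 restart
        ;;
    audit)   audit_sysctl_file "$SYSCTL_CONF" && echo "sysctl: all hardening keys present" ;;
esac
```

`sh harden.sh audit` is the check to run after the apply step (and after any later edit of sysctl.conf); item 7 is also what makes the ping test in the Integration section fail as expected, so a successful ping to the web server means the audit is worth re-running.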

DNS server

  1. First we need to install a Bind DNS server.

Putting a DNS server on a network allows the IP addresses of individual machines to be replaced by names. As a result, it is even possible to associate multiple names with the same machine to address its different services. For example, www.example.com and pop.example.com could both point to the primary server where the mail server and the business intranet reside, and the domain could be example.com. It is easy to remember that these two services run on the same machine whose IP address is 192.168.0.1.

Command: sudo apt-get install bind9

Configuration

Second, check that DNS is working.

Third, check that DHCP is working.

  1. Establish a wlan from the computer which is set up as the DHCP server.
  2. Revise the wlan setup: set the IP address to 192.168.10.2 and the subnet mask, then reconnect to this wlan.
  3. Use another computer to connect to this new wlan, type "ifconfig", and check that its IP address is in the pool defined in the DHCP server file.

Fourth, check that the web server is working. (Because we can visit the web server by IP address without the DNS server, this is easy to check.)

  1. Make sure the web server and the host are in the same wlan created by the DHCP server and have both been assigned IP addresses.
  2. Try to use Firefox to connect to 192.168.10.3 directly, and see if it works.

Fifth, check that the firewall is working.

Sixth, add all the requirements in this part, especially DNS. Try to figure out how to deal with IPv6 addresses.

Testing

  • Check each machine's IP:
    ◦ Create an ad-hoc network and connect the web server, DNS server and client to it.
    ◦ Run ifconfig on each machine and check that the DNS server and web server were assigned the specific IPv4 and IPv6 addresses fixed in the DHCP server, and that the client's IP is assigned from within the IP pool.
  • Check that each service provided by the DHCP server starts successfully:
    ◦ $ sudo service radvd restart
    ◦ $ sudo service isc-dhcp-server restart
    ◦ $ sudo service isc-dhcp-server6 restart
    ◦ If a service still fails, revise the *.conf file of that service.
  • Run nslookup and check that IPv4 resolution works: the IPv4 DNS server should answer and every domain name should map to its IP address properly.

Problems we met:
  1. IPv6 was not working after configuration.
     Solution: we first followed the syntax in the project paper, ipv6.arpa, but that turned out to be wrong; changing ipv6 to ip6 made it usable.
  2. The IP address did not come out properly.
     Solution: we need to query the DNS server from inside our own network, otherwise the query is forwarded to our root DNS server.
  3. DNS was not working at all.
     Solution: add our nameserver into resolv.conf, with both the IPv4 and the IPv6 address of the DNS server.

Webserver

  • To check that Apache is running, open Firefox and type in the following web address: http://localhost (or the loopback address). You will see the message "It Works!". This is the Apache homepage, the index.html file, and it means the server has installed correctly and is currently running.
  • If you don't see "It Works!", try starting the server. The commands to start, stop and restart Apache are:
    $ sudo /etc/init.d/apache2 start
    $ sudo /etc/init.d/apache2 stop
    $ sudo /etc/init.d/apache2 restart


Backup

The biggest problem we faced in this part is "SSH: Permission denied (publickey,password)", so we assume the problem is the public key.

Generating the key for passwordless login

We faced a problem here in that there is more than one way to copy the public key to the backup server, so we tried every way for testing.

  • The first way is to use the scp command to copy the public key to the backup server, create authorized_keys, and then copy the content of the public key into authorized_keys. Sometimes it worked and sometimes it did not.

  • The second way is to use the ssh-copy-id command, which creates the file and copies the content of the public key to the backup server in one step. This is the best way.

  • I also tested logging in to the backup server over ssh to confirm that passwordless login works correctly.

Script

The problem here is that rsync, ssh and cron impose conditions when used together.

  • First, testing the zip file: it works correctly with -r, which means all files and directories are included in the zip file.

  • Second, testing rsync, first by transferring a file within the same machine, then to the backup machine. The problem here was that I could not write files to the user on the backup machine, so I recreated the user on the backup machine in the appropriate way.

  • Third, combine the commands in a script and run it with

$ ./backup.sh

It works correctly, as confirmed by checking the timestamp of the backup file on the backup server.

The first time I combined the commands without specifying the full paths, the script worked correctly by itself but not from crontab, so I fixed it appropriately.

Crontab

The problem here is that crontab does not know where the rsync command is. I found this out from cron.env, which does not have the path for rsync and ssh.

  • The first test was specifying the time and looking for the timestamp on the backup server. Only the zip command worked: I could check the timestamp of the zip file, but rsync did not work because I had put the command like

$ rsync -az ssh -e …

I solved this problem by specifying the full paths of rsync and ssh in the crontab. Everything was solved by examining the errors in the log file, which is very useful.

Firewall

  • Ping testing: try to ping the web server from the client and try to access the website via a browser.

  • Firewall rules testing: try telnet, ssh and ftp from the client to the web server. The connections are denied by the web server. One specific rule is that the web server can still ssh to the backup server.

Integration

Integration steps:
  1. Set up a private wireless network from the DHCP host and assign it its own IPv4 and IPv6 addresses. Start isc-dhcp-server, isc-dhcp-server6 and radvd, then reconnect to that network.
  2. Connect the web server, DNS server and client to this network. Check that the DNS server and web server get their fixed addresses (both IPv4 and IPv6) from DHCP.
  3. First visit the web server by its IPv4 address and see whether it is reachable from the client.
  4. Visit the web server by its domain name to see whether the DNS server works well.
  5. Try to back up a file from the web server to a remote host automatically. Set the time in the crontab and check whether a new file appears in the target directory.
  6. Because ICMP messages are blocked, ping the web server's IP address to confirm that the firewall is working.

Problems we met:
  1. The web server and DNS server were not able to connect to the network.
     Solution: isc-dhcp-server did not run automatically; we need to run sudo service isc-dhcp-server start, sudo service isc-dhcp-server6 start and sudo service radvd start before we set up the network.
  2. The client could not get a proper IPv6 address from the range set by the DHCP server.
     Solution: revise radvd.conf and turn "AdvAutonomous" off on the DHCP server, restart radvd and reconnect to the network.
  3. The client could not visit the web server by domain name, while the DNS server could.
     Solution: hosts other than the DNS server don't know the IP address of the DNS server, so we need to enable "option domain-name-servers" and set it to 192.168.10.2 in dhcpd.conf.
  4. The domain name of our web server is already used on the Internet. If the client host had visited that web page once, it could not reach the right page in our network.
     Solution: we tried two solutions. The first is to fix the DNS server so that the client cannot reach any domain server other than ours, but then the client is not able to surf the Internet. The second is to change our domain name. We tried both and decided to change our domain name from tic.com to sudotic.com, which is easier and causes no confusion.
  5. The backup file could not be transferred automatically.
     Solution: first, we tried to transfer the file manually and it succeeded, but it still could not be done automatically. So, second, we searched the Internet and found the log file where all the error information is available, and checked it every time the transfer failed. There we found that something was wrong with the public key, which was denied by the remote host. Third, we found another way to give the public key to the remote host, using ssh-copy-id -i ~/.ssh/id_rsa.pub usr@backupserverIP

Add-on

  • NIS - Network Information Service
  • NFS - Network File System
  • VPN - Virtual Private Network

Future improvement

DHCP, DNS, web server, backup and firewall:
  - support more languages such as PHP and MySQL
  - a mail server will be provided
  - encrypted backup files and more options for transferring files
  - a more efficient script
  - improvements in security
  - close all the holes
  - improvements in the database are important
  - SAMBA / CIFS
  - network printer

Citations


http://ubuntuforums.org/
https://help.ubuntu.com/community/
http://www.ietf.org/
https://en.wikipedia.org