Data Networking/Fall 2015/DKNR
Objective of the Project
To design and implement a robust, secure, dynamic and intelligent network that supports Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), a web server, a firewall and a backup system on the Linux operating system.
Project Team
- Deepika Venugopalsamy Ranganathan
- Kavya Ramaraju
- Neha Inampudi
- Rashmi Reddy
Elements of the Network
The main elements in the network are:
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name System (DNS)
- Webserver and Firewall
- Backup
Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol allows a host on a network to receive configuration parameters, including an IP address, at boot time so that it can communicate. It can provide a complete set of TCP/IP configuration parameters and allows the dynamic assignment of IP addresses for a fixed lease. DHCP offers a network administrator the following advantages:
- An IP address can be assigned to a client for only as long as the client remains connected to the network.
- It allows a limited pool of IP addresses to be shared among a number of clients that do not require permanent IP addresses.
- Addresses become automatically available again at the expiration of a period of time, without requiring you to take any action.
Behavior of the protocol
DHCP is an application layer protocol that uses the services of UDP to dynamically allocate IP addresses to hosts. The DHCP server listens on UDP port 67.
Signalling
- When a client enters the network, it broadcasts a DHCPDISCOVER message to all the DHCP servers.
- The DHCP server, on receiving the discover message, unicasts a DHCPOFFER message to the client.
- The client accepts the offer and responds with a DHCPREQUEST message for the offered IP address.
- The server responds with a DHCPACK acknowledgement message.
Steps to configure DHCP server
IPv4:
Step 1: Update all packages
sudo apt-get update
sudo apt-get install isc-dhcp-server
sudo apt-get install radvd
Step 2: Configure DHCP
sudo nano /etc/dhcp/dhcpd.conf
Step 3: Modify the interfaces file
sudo nano -w /etc/network/interfaces
Step 4: Modify the DHCP server defaults file (set the interface the server listens on)
sudo nano -w /etc/default/isc-dhcp-server
Similar to the IPv4 configuration, the IPv6 configuration is done as given below:
IPv6:
Step 1:
sudo nano /etc/dhcp/dhcpd6.conf
Step 2:
sudo nano -w /etc/network/interfaces
Step 3:
sudo nano -w /etc/dhcp/radvd.conf
Step 4:
sudo nano -w /etc/sysctl.conf
Client:
sudo nano -w /etc/network/interfaces
After configuring and saving the DHCP files, the DHCP server service has to be started.
Testing
DHCP is tested successfully by checking that the DHCP server assigns an IP address from the configured range to a client connected to the network. In our output the client receives the IPv4 address 192.168.1.168, which lies in the range 192.168.1.110 to 192.168.1.200 given in dhcpd.conf, and similarly the IPv6 address 2003:db8:0:2:a12b:8f4c:b6d9:8863/64 from the range given in dhcpd6.conf.
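As an added example (not part of the original project), a POSIX shell script that automates the check described above: it reads the pool bounds out of a dhcpd.conf subnet block and reports any lease that falls outside the pool. The config fragment and the lease entries are constructed for the example; the option values are assumptions, since the page does not show its own dhcpd.conf.

```shell
#!/bin/sh
# Constructed dhcpd.conf fragment using the range from the Testing section.
# The option lines are assumptions for this example.
DHCPD_CONF='subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.110 192.168.1.200;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.10;
  default-lease-time 600;
  max-lease-time 7200;
}'

# Constructed dhcpd.leases entries: one inside the pool, one outside it.
LEASES='lease 192.168.1.168 { binding state active; hardware ethernet 00:11:22:33:44:55; }
lease 192.168.1.205 { binding state active; hardware ethernet 66:77:88:99:aa:bb; }'

# Convert a dotted quad to an integer so addresses can be compared numerically.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Extract the pool bounds ("low high") from the range statement in the config.
dhcp_range() {
  printf '%s\n' "$DHCPD_CONF" | awk '$1 == "range" { sub(/;$/, "", $3); print $2, $3 }'
}

# Return 0 if the address in $1 lies inside the configured pool, 1 otherwise.
lease_in_range() {
  set -- "$1" $(dhcp_range)
  ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Walk the lease file and flag every address the server should never have handed out.
audit_leases() {
  printf '%s\n' "$LEASES" | awk '$1 == "lease" { print $2 }' | while read -r ip; do
    if lease_in_range "$ip"; then echo "$ip ok"; else echo "$ip OUTSIDE pool"; fi
  done
}

audit_leases
```

On a real server replace the two constructed strings with the contents of /etc/dhcp/dhcpd.conf and /var/lib/dhcp/dhcpd.leases.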
Domain Name System (DNS)
The Domain Name System (DNS) is a service of the internet that translates hostnames into the corresponding IP addresses. DNS serves as the phonebook for the internet. It is a distributed database that is implemented in a hierarchy of DNS servers. It is an application layer protocol that allows hosts to query the distributed database. The DNS protocol runs over UDP and uses port 53.
Behavior of the protocol
When a host requests a particular URL, the browser extracts the hostname from the URL and passes it to the client side of the DNS application. The DNS client sends a query containing the hostname to the DNS server. The client eventually receives a reply that contains the IP address for the requested hostname. Thus, the hostname to IP address mapping is done by DNS.
DNS Server
The DNS servers form a distributed database with a hierarchy of servers: the root DNS servers, the top-level domain (TLD) servers and the authoritative servers. The records of the authoritative servers are entered into DNS by registrars accredited by the Internet Corporation for Assigned Names and Numbers (ICANN).
Signalling
1. The client first contacts the local DNS server with a DNS query containing the hostname.
2. The local DNS server forwards the query to the root DNS server. The root DNS server sends a reply to the local DNS with a list of the possible TLD servers.
3. The local DNS server sends its query message to one of the TLD servers.
4. The TLD server responds back with the IP address of the authoritative name server to the local DNS server.
5. The local DNS server then sends its query to the authoritative DNS server which responds back with the IP address for the queried hostname.
Configuration of DNS
DNS can be configured using various software packages, namely:
- BIND
- Posadis
- PowerDNS
For configuring the DNS server we use BIND (Berkeley Internet Name Domain) version 9, as it provides a robust architecture and is used by a large number of name servers on the internet. BIND also supports important features such as DNS security and multiprocessor support.
Steps to configure DNS
Step 1: Update the repositories
sudo apt-get update
Step 2: Install bind9
sudo apt-get install bind9
Step 3: Assign a static IP address
sudo gedit /etc/network/interfaces
Step 4: Edit the hosts file
sudo gedit /etc/hosts
Step 5: Edit the hostname file
sudo gedit /etc/hostname
Step 6: Manage name server information
sudo gedit /etc/resolvconf/resolv.conf.d/head
Step 7: Define forward and reverse lookup zones
sudo gedit /etc/bind/named.conf.local
Step 8: Caching nameserver
sudo gedit /etc/bind/named.conf.options
Step 9: Edit the forward lookup file
sudo gedit /etc/bind/db.dknr.com
Step 10: Edit the reverse lookup file
sudo gedit /etc/bind/db.192
Once the master is configured, the slave is configured on a different virtual machine, and its own forward and reverse lookup zones are defined.
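As an added example (not part of the original project), a POSIX shell script that generates the forward lookup file (db.dknr.com) and the matching reverse lookup file (db.192) of steps 9 and 10 from a single host list, so the A and PTR records cannot drift apart, and checks that every A record has its PTR. The host names and addresses are assumptions for this example.

```shell
#!/bin/sh
# Constructed host list for dknr.com; the names and addresses are assumptions.
HOSTS='ns1 192.168.1.10
www 192.168.1.10
dhcp 192.168.1.11
backup 192.168.1.15'
ZONE=dknr.com
SERIAL=2015120101   # YYYYMMDDnn: bump on every edit or the slave will not transfer the zone

# SOA and NS records shared by the forward and reverse zone files.
zone_header() {
  printf '$TTL 604800\n'
  printf '@ IN SOA ns1.%s. admin.%s. ( %s 604800 86400 2419200 604800 )\n' \
    "$ZONE" "$ZONE" "$SERIAL"
  printf '@ IN NS ns1.%s.\n' "$ZONE"
}

# Forward zone (db.dknr.com): one A record per host line.
forward_zone() {
  zone_header
  printf '%s\n' "$HOSTS" | awk '{ printf "%s IN A %s\n", $1, $2 }'
}

# Reverse zone (db.192, origin 1.168.192.in-addr.arpa): the last octet is the
# record name. An address listed under several names gets one PTR, for its first name.
reverse_zone() {
  zone_header
  printf '%s\n' "$HOSTS" | awk -v zone="$ZONE" '
    { split($2, o, ".")
      if (!(o[4] in seen)) { seen[o[4]] = 1; printf "%s IN PTR %s.%s.\n", o[4], $1, zone } }'
}

# Every A record in the forward zone must have a PTR in the reverse zone; this is
# exactly what the reverse nslookup in the Testing section exercises.
check_consistency() {
  fwd=$(forward_zone); rev=$(reverse_zone)
  printf '%s\n' "$fwd" | awk '$3 == "A" { print $4 }' | sort -u | while read -r ip; do
    printf '%s\n' "$rev" | grep -q "^${ip##*.} IN PTR " \
      || { echo "missing PTR for $ip" >&2; exit 1; }
  done
}

# Write both files into the directory given as $1 (use /etc/bind on the server).
write_zone_files() {
  forward_zone > "$1/db.$ZONE" && reverse_zone > "$1/db.192"
}
```

After writing the files, reload BIND so the new serial is picked up by the slave.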
Testing
We mainly use the nslookup command to test DNS. Run nslookup <hostname> from every PC in the network; it should show the translated IP address. Also test the reverse lookup. Apart from nslookup, the dig and host commands can also be used to test DNS.
Webserver, Firewall and Backup
Webserver
A web server stores data and retrieves it when required. When a client sends a request to the web server's IP address, the web server fetches the requested information and returns the corresponding HTML page. Since requests can arrive at any time, the server is kept always on so that clients can communicate with it at any time.
Behavior of the protocol
The client uses the HTTP protocol to access web content. HTTP is an application layer protocol served on port 80 using the reliable transport of TCP (RFC 2616). Before requesting a web page, the client initiates a TCP connection with the web server using the three-way handshake. Once the connection is established, the client requests the web page. The server then fetches the HTML page and replies to the client over TCP. A persistent or non-persistent TCP connection may be used between the client and the server.
Configuration of webserver
The web server can be configured using one of the following:
- Apache2 HTTP server
- NGINX
- Windows webserver
In the given scenario, since only a small number of websites need to be hosted for a small network and speed is not a major concern, Apache 2 is configured and implemented. The Apache web server is the most widely used way of serving web content; it serves more than half of all active sites on the web and is highly capable and flexible. The fundamental unit that describes an individual site or domain is called a virtual host.
Signalling
The client initiates a TCP connection to the IP address of the web server. The connection uses the three-way handshake. First, the client sends a SYN segment requesting a TCP connection to the server on port 80. The server responds with a SYN-ACK, acknowledging the request and asking the client to open a port on which the server can send information. The client responds with an ACK and also sends the request for the HTML page.
Steps to configure webserver
Step 1: Install Apache2 on the server.
sudo apt-get update
sudo apt-get install apache2
Step 2: Creating the directory structure
sudo mkdir -p /var/www/dknr.com/public_html
Step 3: To grant permissions
sudo chown -R $USER:$USER /var/www/dknr.com/public_html
Step 4: To modify permissions
sudo chmod -R 755 /var/www
Step 5: Creating demo page on virtual host. The page is created to test the virtual host configuration.
nano /var/www/dknr.com/public_html/index.html
Step 6: Creating new virtual host files
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/dknr.com.conf
Further steps in opening new file with root privileges:
sudo nano /etc/apache2/sites-available/dknr.com.conf
The file looks like below:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
We customize a few of these directives and add a few more so that this virtual host section matches any request made on port 80 (the default HTTP port):
- ServerAdmin is changed to admin@dknr.com
- 'ServerName dknr.com' is added, as it establishes the base domain that the virtual host definition matches
- 'ServerAlias www.dknr.com' is added, which defines further names that should match as if they were the base name
- DocumentRoot is changed to /var/www/dknr.com/public_html (the location of the document root for this domain)
Finally the virtual host file after modification should be:
<VirtualHost *:80>
    ServerAdmin admin@dknr.com
    ServerName dknr.com
    ServerAlias www.dknr.com
    DocumentRoot /var/www/dknr.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Step 7: Enabling the new virtual host file
sudo a2ensite dknr.com.conf
After executing the command restart Apache for the changes made to take effect:
sudo service apache2 restart
Step 8: Setting up local hosts file
sudo nano /etc/hosts
We add the IP address of the web server and its domain name. The file then looks like:
127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.1.10 dknr.com
192.168.1.10 www.dknr.com
This directs requests for dknr.com made on this system to the server at 192.168.1.10. Save and close the file.
Testing
- Before configuring the web page, opening the browser and typing localhost, 127.0.0.1 or the IP address of the web server in the address bar displays the default Apache web page.
- After configuration, to test the result, type the IP address of the web server or localhost in the web browser; the configured web page is displayed.
- If the HTML page is created in a different directory and localhost is entered in the browser's address bar, the browser shows "FORBIDDEN | Cannot view the contents of the page".
- If the HTML page is created in a different directory and that path is defined in /var/apache2/sites-enabled/000-default.conf, the configured web page is displayed.
Firewall
A firewall is a system used to prevent unauthorized access to or from a network. It can be either hardware or software. A firewall protects a (private) network from other networks or unintended users. The function of the firewall is to block and filter the packets entering the network. A firewall can protect a whole network, or even a specific server holding databases or confidential data, from unauthorized users inside or outside the network.
The firewall commands are configured on any Linux machine (web server, DNS server or DHCP server) and a set of rules is applied so that the machine drops certain packets and permits the rest.
Packages used
iptables is used to modify the set of rules that restrict or allow packets.
Steps to configure firewall
Step 1: Install or update the iptables package
sudo apt-get install iptables
Step 2: Enable telnet
sudo apt-get install telnetd
Step 3: Enable ssh login
sudo apt-get install openssh-server
Step 4: Policy Chain Default Behavior
iptables -L | grep policy
Step 5: Change the behavior of the chain
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
Step 6: Allowing and blocking specific connections
iptables -A INPUT -s 192.168.1.110 -j DROP
Step 7: Allowing and blocking SSH connections
iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -j DROP
Step 8: Connection States
iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 192.168.1.110 -m state --state ESTABLISHED -j ACCEPT
Step 9: Block ICMP
sudo iptables -A INPUT -s 192.168.1.110 -p icmp --icmp-type echo-request -j DROP
Step 10: Block FTP
sudo iptables -A INPUT -p tcp --destination-port 21 -j DROP
Step 11: Block Telnet
sudo iptables -A INPUT -p tcp -s 192.168.1.110 --dport telnet -j DROP
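Because -A appends, the order in which steps 6 to 11 are entered decides what a packet hits first: iptables applies the first matching rule and the chain policy only when nothing matches. As an added example (not part of the original project), a small POSIX shell model of that first-match walk, run over the page's rules and over a reordering with a DROP policy; the rule and packet lists are constructed for the example and the model ignores connection state.

```shell
#!/bin/sh
# Simplified first-match model of an iptables INPUT chain. Each rule is
# "<source|any> <dport|any> <target>". The first rule matching a packet decides;
# the chain policy applies when no rule matches (connection state is ignored).
evaluate() {
  policy=$1; rules=$2; packets=$3
  printf '%s\n' "$packets" | while read -r src dport; do
    verdict=$(printf '%s\n' "$rules" | awk -v s="$src" -v p="$dport" -v pol="$policy" '
      ($1 == "any" || $1 == s) && ($2 == "any" || $2 == p) { print $3; found = 1; exit }
      END { if (!found) print pol }')
    echo "$src:$dport -> $verdict"
  done
}

# Verdict for one packet (source, destination port), for use in scripted checks.
verdict_for() { evaluate "$1" "$2" "$3 $4" | sed 's/.* -> //'; }

# Steps 6 to 11 of the page in the order -A appends them, under the ACCEPT policy
# of step 5. Step 6 already drops everything from 192.168.1.110, so the ssh ACCEPT
# of step 8 is never reached for that host.
PAGE_RULES='192.168.1.110 any DROP
192.168.1.110 22 DROP
192.168.1.110 22 ACCEPT
any 21 DROP
192.168.1.110 23 DROP'

# Alternative ordering: explicit allows first, then the host-wide drop, with a DROP
# policy so that anything not listed (for example ssh from other hosts) is refused.
REORDERED='192.168.1.110 22 ACCEPT
192.168.1.110 any DROP
any 80 ACCEPT
any 21 DROP'

# Constructed sample traffic: source address and destination port.
PACKETS='192.168.1.110 22
192.168.1.110 80
192.168.1.120 80
192.168.1.120 22'

# Run both rule sets over the same packets to see how order and policy change the result.
compare() {
  echo "page order, policy ACCEPT:"; evaluate ACCEPT "$PAGE_RULES" "$PACKETS"
  echo "reordered, policy DROP:";    evaluate DROP "$REORDERED" "$PACKETS"
}

compare
```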
Saving the configuration of IP tables
To save all the changes we made to the configuration:
sudo /sbin/iptables-save
Testing
To list all the rules configured in the firewall:
sudo iptables -L
- After configuring the firewall rules, restart the server.
- Before configuration, a client in the network should be able to ping, telnet and access the web page on the web server.
- After configuring the firewall, no client is able to ping or telnet to the web server, and the client with IP address 192.168.1.110 is not able to access the web page.
Backup
Backup is the process of saving data in another location from which it can be recovered in case of data loss. If the web server loses its data, or is under extra load, this backup copy can be used to retrieve the information. We synchronize the data with another server that keeps track of the contents of the directory, so the update is incremental: only files that have been modified are copied. For this we use Remote Sync (rsync) on Ubuntu. In this project a backup of the web server is made on the DNS server and is scheduled every hour, which means the web server's data is copied to the backup location every hour. In case of any failure a copy of the data is available at the designated location.
Steps to configure backup
Since we are taking the backup on the DNS server, we run Apache on both machines, which makes the second Linux machine act like a web server as well. After installing the Apache server on both machines we follow these steps to set up the backup.
Step 1: Installing Apache in backup server
sudo apt-get install apache2
Step 2: Install Rsync in both the webserver and backup server
sudo apt-get install rsync
Step 3: Backup within another directory
sudo rsync -avz --progress /var/www/ /path/of/backup/directory/
Step 4: Install the SSH Rsync (In webserver and backup server)
sudo apt-get install ssh rsync
Step 5: To put backup in another server (Executed in backup server)
sudo rsync -avz --progress -e ssh admin@192.168.1.15:/var/www/ /path/of/backup/directory/
Step 6: Schedule backup every 5 minutes
sudo crontab -e
0 * * * * rsync -avz --progress -e ssh admin@192.168.1.15:/var/www/ /path/of/backup/directory/
Testing
After executing the commands on the backup server, the copy of the web server's file was successfully transferred to the path specified on the backup server. When a change was made to the file and the scheduled command ran on the backup server, we noted that the new version of the file was transferred to the specified backup location.
Algorithm
1. Client attempts to join the network: dknr
- If the client is valid
- Successfully connect to dknr
- Else
- Restart connection or contact network administrator for troubleshooting
2. Client needs to acquire IP address from the DHCP server
- Check if the wlan interface is set to static or to automatic (DHCP)
- If static
- Change to automatic (DHCP)
- Else (DHCP discover)
- Contact DHCP server to get the IP address, gateway IP address, DHCP server details, DNS server details.
- If DHCP allocation is successful
- Server replies with an IP address to be allocated
- Else
- DHCP server replies with a request failed response
- Then
- Restart the connection or contact the network administrator for troubleshooting
3. After DHCP request is successful, the client attempts to connect to the network and access www.dknr.com via web browser
4. If DNS request was successfully resolved, the client requests the web page from the web server
- Client sends HTTP request to server
- If HTTP request is successful
- Webpage is displayed
- Else
- Webpage is not loaded
Add-ons Implemented (Additional Features)
VPN Configuration
A VPN is a service that extends a private network over a public network, i.e. it allows us to access a private network from outside. A client from outside can access the private network with the same rights as are given to a user inside the private network. The VPN is set up when the remote client enters the SSID and the password of the access network. In this way, we can say that the VPN is accessed over a secured connection.
Steps to configure VPN
Step 1: Install the package to configure the VPN
sudo apt-get install pptpd
Step 2: Edit the files
sudo nano /etc/pptpd.conf
localip 192.168.1.11   (IP address of the VPN server)
remoteip 192.168.1.15-30   (addresses handed to VPN clients)
Step 3: Edit the /etc/ppp/pptpd-options file
sudo nano /etc/ppp/pptpd-options
ms-dns 192.168.1.254
Step 4: Create userid and password
sudo nano /etc/ppp/chap-secrets
user pptpd password *
Step 5: Restart the pptpd server
sudo /etc/init.d/pptpd restart
Mail Server
A mail server is a program, and by extension the computer on which it runs, that is responsible for receiving, sorting and delivering electronic mail from one computer to another. It is distinct from the mail client (mail user agent) that the end user runs on their own machine.
The default mail transfer agent in Ubuntu is Postfix, and the corresponding process on Linux is called the mailer daemon.
Steps to configure Mail Server
Step 1: Install postfix
sudo apt-get install postfix
Step 2: Configuring postfix
sudo dpkg-reconfigure postfix
Step 3: Configuration of mailbox format for Maildir
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
Step 4: Configure Postfix for SMTP AUTH using SASL
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Certificates are generated to be used for TLS encryption and/or certificate authentication.
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt   # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650   # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Step 5: Configure Postfix to use TLS encryption for incoming and outgoing mail.
sudo postconf -e 'smtp_tls_security_level = may'
Step 6: Restart postfix daemon
sudo /etc/init.d/postfix restart
Network File System(NFS)
NFS allows a directory located on one device in a network to be shared with other devices in the same network, much like accessing local storage. The server is the device on which the directory is located, and the clients are the devices connecting to this server. A client must mount the shared directory to make it part of its own directory tree.
Steps to configure NFS Server
Step 1: Update the repository
sudo apt-get update
Step 2: Install the NFS package
sudo apt-get install nfs-kernel-server
Step 3: Create directory to share
sudo mkdir /shome
Step 4: Configuring /etc/exports for NFS
sudo nano /etc/exports
/shome 192.168.1.0/24(rw,sync,no_root_squash)
(No space between the client specification and the options: with a space, the options would apply to every host and the 192.168.1.0/24 entry would get the defaults.)
Step 5: Start the service
sudo /etc/init.d/nfs-kernel-server start
Step 6: Check the status of the NFS share status
sudo exportfs -v
Step 7: Restart the server
sudo service nfs-kernel-server restart
Steps to configure NFS Client
Step 1: Install NFS for the client and its dependencies
sudo apt-get update
sudo apt-get install nfs-common rpcbind
Step 2: Create a directory
sudo mkdir /rhome
Step 3: Mounting the remote share /shome on local directory /rhome
sudo mount 192.168.1.42:/shome /rhome
192.168.1.42:/shome /rhome nfs rw,sync,hard,intr 0 0   # add this line to /etc/fstab for a permanent mount
Step 4: Checking the mounted share directory using mount command
mount
Future Improvements
- Adding more rules to the firewall to improve protection against malicious attacks.
- Increase the number of DNS servers for purposes of backup, load distribution and decentralization.
- IPv6 and IPv4 should be supported simultaneously
- Extend the server's capabilities to accommodate many more simultaneous users.
- Add security to the mail server (confidentiality, integrity and more authentication options) using techniques such as RSA, DES, MD5, certificates and so on.