Data Networking/Fall 2015/MJH

To build a robust, secure, dynamic and intelligent network consisting of a DHCP server, DNS server, Web server with firewall and a client for a start-up company.

Manan Mehta

Jagruti Belani

Harsh Chheda

Implemented demo network consists of following elements:

• DHCP (Dynamic Host Configuration Protocol)
• DNS (Domain Name System)
• WEB SERVER, FIREWALL and BACKUP
• Client

DHCP is a client/server protocol which dynamically assigns IP addresses to clients connected to the network along with other network information such as DNS IP address, default gateway etc. It lets network administrator to centrally manage and allocate IP addresses within the network.

It is a client-server protocol; which uses UDP at port 67. The server dynamically assigns IP addresses, subnet mask and gateways to clients from a pool of IP addresses given to it.

Following steps taken place in a DHCP scenario:

1. First, all newly entered host have to locate DHCP server. For that, client sends a discovery request with client id 0.0.0.0 and destination address of 255.255.255.255
2. When DHCP server receives a discovery request from client it sends DHCP offer message with valid subnet IP addresses in response.
3. Newly arrived client will choose one offer from a number of available offers from different DHCP servers and send request to that particular server.
4. That DHCP server will assign the IP address to the client and send an acknowledgement to the client.

Most widely used DHCP servers are

• Windows DHCP server
• ISC-DHCP server

We have used ISC-DHCP as it is open source software; which can be freely run on Linux machine and it’s mostly matches its performance environment. Following commands are used to implement DHCP server on ubuntu Linux machine.

1. Update package list

  sudo apt-get update

2. Install DHCP server

  sudo apt-get install isc-dhcp-server -y

3. Make changes into DHCP configuration file

  sudo nano /etc/dhcp/dhcpd.conf

Following changes are made in DHCP file:

• While inspecting the dhcpd.conf file locate simple subnet configuration
• Here, mention Subnet mask, Gateway router, leasing address range for subnet, broadcast address and Default and Max lease time as per your network need

4. Configure static IP addresses for Web server and DNS server (as we don’t want DHCP to allocate dynamic IP addresses to these everytime)

  sudo nano /etc/dhcp/dhcpd.conf

After doing all changes the DHCP configuration file will look like this.

5. Restart DHCP server to apply the changes.

  sudo service isc-dhcp-server restart

After entering this command in terminal; the server must be in ok/started state, otherwise recheck the dhcpd.conf file.

1. DHCP leasing: - the leases on the DHCP server and the IP addresses that has been leased to the client can be verified by using the following command.

  sudo tail /var/lib/dhcp/dhcpd.leases

2. DHCP LOG: - the log output of DHCP can be verified using this command.

  sudo tail –f /var/log/syslog

The Domain Name System is a hierarchical database, its responsibility is to provide name against each public domain IP address and vice –versa for websites on Internet. It is an overhead application layer protocol. It is defined by RFC 1034 & RFC 1035.

DNS is a client-server type application layer protocol which uses UDP port 53. DNS client requests host mapping with a DNS request packet and the DNS server fetches the corresponding record, encapsulates it in a reply packet and sends it over UDP.

The authoritative name server of a company holds the records for its web servers, mail servers and canonical names of the servers. These records are configured in the DNS server by registrars certified by Internet Corporation for Assigned Names and Numbers (ICANN).

Following steps are performed in DNS request-reply cycle:

1. The client sends a DNS query to the LOCAL DNS.

2. The LOCAL DNS forwards query to the ROOT server and reply will be sent to LOCAL DNS containing NS and A records of corresponding TLD server.

3. The reply will be sent to ROOT DNS server containing NS and A records of corresponding AUTHORATIVE Name Server.

4. The ROOT server will then send a query to the AUTHORITATIVE server & will forward the reply to the LOCAL server.

The DNS Master server is given a static IP address.

The DNS Slave server is given a static IP address.

Some of the DNS software packages available are BIND, Power DNS and Posadis. Among all BIND is widely used and it fulfils all native requirement of DNS functionality like recursive, authoritative, cacheing name-server and it also contains a resolver client library. Whereas, Power DNS contains two different packages namely “PowerDNS Authoritative Server” & “PowerDNS Recursor”. The later package is more vulnerable (resolved as of now but still not recommended by network administrators). Posadis ,an open source DNS package, but it’s not maintained by any community and hence not preferable.

We have used BIND software. The latest version is Bind9.4 which supports a compile-time option for zone strategy in a variety of database formats. Moreover Bind9 also overcomes some serious security issues which were present in Bind 4 and Bind 8. Thus, Bind9 provides a robust architecture for our DNS server. Following steps are used to implement DNS server.

1.Update the package list.

   sudo apt-get update 

2.Install bind9.

  sudo apt-get install bind9

3. Create a forward zone file.

  sudo cp /etc/bind/db.local /etc/bind/zones/db.example.com

4. Open file /etc/bind/zones/db.example.com and edit it. After edition the file will look like below.

5. Create reverse zone file

  sudo cp /etc/bind/db.127 /etc/bind/zones/db.192

6. Open file /etc/bind/zones/db.192 & edit it as below.

7. Open /etc/bind/named.conf.local file & add forward and reverse zones.

8. Change nameserver.

  sudo nano /etc/resolv.conf

9. Restart Bind.

  sudo service bind9 restart

Web server Web server is an Information Technology tool which processes HTTP requests and distributes information in World Wide Web. The primary function of a web server is to store, process and deliver web pages to clients. Web server not necessarily always means to be an Internet server, large organizations have their own web servers which are used for their own Local Area Network to connect various devices within company premises. (e.g. printers, PCs, routers etc.) In any case, a server is an always ON machine & hence it must be kept at proper temperature to avoid breakdown due to overheating. A server is a heart of any network. If a server fails whole network will break down. Hence, organizations normally use a backup server in case of emergency (hot-standby configuration).

Hypertext Transfer Protocol (HTTP) is an Application Layer protocol most widely used in today’s Internet. It is defined in RFC 2616 (HTTP/1.1) which was modified into RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234 & RFC 7235. HTTP/2 is currently under development. Default port for HTTP is 80. In a typical HTTP communication, the client sends a request a page & establishes a TCP connection between itself & server via three-way handshake process. After the connection is establishes, client requests a web page. Server sends requested HTTP page over the TCP connection. The connection is either closed or kept open after the transfer depending upon the type of connection (i.e. persistent or non-persistent).

1. The client obtains server IP address from DNS server. 2. Client initiates TCP connection by sending SYN message on port 80 of the server. 3. Server responds with SYN-ACK message thereby opening the port for the client to request the information. 4. Client completes three-way handshake process by sending ACK message. It also requests for basic HTML page along with this.

We have used Apache2 Web Server. The main reason behind choosing Apache is that it provides more compatibility with add-on modules as well as speed and flexibility in small network like the one we have created. Following commands are used to install Web Server on Linux machine. 1. Install updates

sudo apt-get update

2. Install Web server Apache2

sudo apt-get install apache2

3. Make a directory

sudo mkdir /var/www/html

4. Create and edit html page

sudo nano index.html

5. Configuring 000-default.conf in Apache2. Add website folder in configuration file i.e. apache2 Edit the following file to make the web page accessible

sudo nano /etc/apache2/sites-available/000-default.conf

Add these commands in the file.

ServerAdmin  webmaster@localhost
ServerName example.com
DocumentRoot /var/www/html/

Secure your Apache server using ssl Install opensssl

sudo apt-get install openssl

Edit /etc/httpd/conf/ssl.conf

Create self-signed certificate Query server.example.com with “https” secured http using SSL Testing 1. Open the web browser and type web server IP address in the URL bar. Upon pressing ‘Enter’ you will get the web page of the project. 2. Do the above procedure; but this time type website name i.e. ‘example.com’. If you are getting the same web page that means your web server is working properly.

A firewall is a network security system, either hardware or software based, that controls incoming and outgoing network traffic based on set of rules. We can block certain packets by configuring our firewall to certain rules. Packages used We have used iptables package to modify the set of rules for our Firewall. Configuration IPTABLES: - a set of rules configured on Linux machine terminal. It has some built-in chains. 1. INPUT chain: - for packets coming into the machine 2. OUTPUT chain: - for packets generated inside and going outside of the machine. 3. FORWARD: - for packets routed through the local host Following commands are used to configure Firewall. 1. Rejects ping from any host to the server.

sudo iptables -A INPUT -p icmp -j REJECT

2. Reject telnet request from a particular host to the server.

sudo iptables -A INPUT -p tcp --dport 23 -j REJECT

3. Reject FTP request from any particular host to the server.

sudo iptables -A INPUT -d 192.168.100.63 -p tcp --dport 20 -j DROP 
sudo iptables -A INPUT -d 192.168.100.63 -p tcp --dport 21 -j DROP

4. Accept HTTP request from a particular network

sudo ufw allow from 192.168.100.0 port 80

5. Reject HTTP request from a particular host.

sudo iptables -A INPUT -p tcp -s 192.168.100.63 --dport 80 -j REJECT

6. Enable Firewall by following command

sudo ufw enable

7. After configuring Firewall rules, restart the web server in order to apply Firewall. Testing 1. To list all rules configured in firewall.

	sudo iptables -L

2. To flush/remove the rule from iptable.

To add redundancy to our network and make it robust, we have to implement a backup to our web server. So that if our server fails, whole network will automatically route to the backup server & hence there will be no black out. Configuration backup 1. Generate public and private key

	 ssh-keygen 

2. Share public and private keys with main server

	 ssh-copy-id –i ~/.ssh/id_rsa.pub @192.168.100.120

3. Install ‘Rsync’ in server yum install rsync 4. Schedule cronjob for backup using rsync

• /1 * * * * rsync –avz –e tar –zcvf /var/www/backup.tar.gz /var/www/html
• /2 * * * * rsync –avz –e ssh /var/www/html/index.html root@192.168.100.120:/backup

      5.    service crond restart

Testing

Archive and gzip /var/www/html directory Schedule cronjob on web server.

Backup server: backup.tar.gz  

Algorithm 1. A client tries to connect to the network. 2. Once the client gets connected to the network, he will send an IP address request to DHCP server. 3. If DHCP request is successful, DHCP server will reply with an IP address Else DHCP will reply with ‘request fail.’ In this case, re-connect or contact network administrator for help. 4. Client wants to access the web page. if domain name is correct, a request will be sent to DNS for IP address of the domain. DNS will reply with IP address of the website. else if DNS reply fails An error message will be displayed saying, ‘server not found.’ else if URL entered is wrong An error message will be displayed saying, ‘webpage unavailable.’ Retry 5. Client accessed the web server. Now he sends HTTP request to the server. if the request is successful, Web page will be displayed else Error message like ‘no data received’ will be displayed. Retry sudo iptables –F

It is a file distribution system protocol. NFS allows a client to share its content with other users on the network. In order to access the file, all clients have to mount the shared directory to make it their own directory. Configuration Following commands are used to install and configure NFS server as well as client. 1. #yum install nfs* -y 2. Create nfs partition on nfs server and name it as /nfs_partition 3. Edit /etc/exports file as follows: 4. Give full permission to /nfs_partition and start rpcbind and nfs service Testing Check exported directory as follows:

NFS Client configuration: 1. Mount nfs_partition on client machine.

2. Access the nfs partition of nfs server.

FTP is used to transfer files from one computer to another over TCP connection. It is a client-server based protocol and uses separate connection for control and data signals. Configuration Following commands are used to implement FTP. 1. Update & install FTP package.

yum install vsftpd

2. Open file /etc/vsftpd.conf file & make following changes. Remove ‘#’ sign. vi /etc/vsftpd.conf

 write_enable=yes
 anonymous=yes

3. Restart vsftp.

 Service vsftpd restart

4. Create some files. FTP Server-

Testing Write following command on client to see shared files. Enter ‘username’ and ‘password’ to log in. Once accessed, client can make changes into the file also.

 ftp 192.168.100.2

A virtual private network extends your private network to public network like Internet. It lets the client connect to the private network and behave as if it is connected to a public network, while retaining features of private network such as functionality, security and management policies. Resources are accessed in same way as in a private network. Configuration 1. Install packet ‘pptpd’ yum install pptpd 2. Edit file /etc/pptpd.conf as follows

 vi /etc/pptpd.conf
 localip <VPN server IP>
 localip 192.168.100.2  

remoteip <Range of IPs of VPN clients> remoteip 192.168.100.5-25 3. Edit /etc/ppp/pptpd/options file.

 vi /etc/ppp/pptpd.options
 ms-dns 192.168.100.2

4. Set ‘user-id’ and ‘password’

 vi /etc/ppp/chap-secrets
 user1 pptpd redhat *

This is a client-server protocol which is used to exchange system configuration data between users on a computer network. NIS contains a central directory of user & group information along with other useful data. Configuration Step 1. Assign 192.168.100.2 to NIS server and 192.168.100.120 to NIS client.

Step 2.  Yum install yp* -y
Step 3. Edit /etc/sysconfig/network file to set your NIS domain name. This will take effect when you reboot your machine.
              NETWORKING =yes
              HOSTNAME=server.example.com
              NISDOMAIN=nisdomain
Step 4. To set NIS domain name without rebooting the machine run the command given below
              # domainname  nisdomain
Step 5. Start portmap and ypserv service by using the following commands:
              # service rpcbind start
              # service ypserv start
Step 6. Generate the NIS maps (database) by running ypinit as shown below
              #/usr/lib/ypinit –m
Step 7. Now start NIS  password update daemon using the following command.
              # service yppasswdd restart
Step 8. Create user name user1 and user2 by using adduser command
Step 9. Now go to /var/yp directory. Run make command it update your password and group information which is accessed by NIS client
              # cd /var/yp
              # make

Configuring NFS Server

Step 1. Mount home directory in /etc/exports file
             /nfs_partition   *(rw,sync)
Step 2. Run exportfs –a to commit the job
Step 3. Now start nfs service
            #service nfs restart

Client Side Configuration

Step 1. Use authconfig command to configure NIS client
Step 2. Test your NIS client log into the client machine as root. Test the client-server connection by typing
              #ypcat passwd

NIS Server running ypcat passwd command:

Mail server is responsible for receiving, sending and distributing e-mail messages from your computer to others. In Linux we call it ‘mail daemon’. Configuration 1. Install postfix 2. Edit /etc/postfix/main.cf file 3. Define myhostname, myorigin, my domainname 4. #service postfix restart 5. Send mail from student user to root user Testing

Check mail for root user in /var/spool/mail/root or type mail

NTP Server: Edit /etc/ntp.conf

Ntpclient

Secure your Apache server using ssl Install opensssl

sudo apt-get install openssl

Edit /etc/httpd/conf/ssl.conf

Create self-signed certificate Query server.example.com with “https” secured http using SSL

We have used all Linux machines to implement various components like DNS, DHCP, WEB SERVER. We have used 192.168.100.0/24 network with 192.168.100.1 as our default gateway and 192.168.100.255 as broadcast address. First, all devices will be connected to the network via router. Then DHCP will allocate IP addresses to clients. Web Server will have 192.168.100.2 DNS will have 192.168.100.3 Now, client will open his browser and try to access the web page. DNS Master Server static IP allocation 192.168.100.3 DNS Master Server static IP allocation 192.168.100.4 Forward and Reverse zone lookup for DNS

DHCP static configuration and DHCP IP address checking on terminal

Checking the website example.com on browser

1. Should support IPv6 and IPv4 simultaneously (IP tunneling).
2. More DNS servers for backup, load distribution and decentralization.
3. Adding security for mail server by integrating confidentiality, integrity and more authentication options by using methods such as RSA, DES, MD5, including certificates etc.
4. Adding more security in Firewall for prevention against serious external attacks.
5. Expand the server capabilities to accommodate many more uses using at the same time.

1. Computer Networking A TopDown Approach by KUROSE and ROSS
2. http://ubuntuforums.org/showthread.php?t=2220457
3. https://help.ubuntu.com/community/isc-dhcp-server
4. http://mixeduperic.com/ubuntu/seven-easy-steps-to-setting-up-an-interal-dns-server-on-ubuntu.html
5. http://www.thegeekstuff.com/2011/07/rsync-over-ssh-without-password/
6. https://ihnc.wordpress.com/2010/06/18/step-by-step-nis-server-client-configuration-on-redhat-enterprise-linux/
7. https://www.sixxs.net/faq/dns/?faq=revers
8. https://www.sslshopper.com/apache-server-ssl-installation-instructions.html