Data Networking/Fall 2015/Shrutik Patel

From Wikiversity

Group Members

1) Mugdha Gulati

2) Shrutik Patel

3) Dharak Savalia

4) Raj Kukadia

Motivation

Linux is an operating system, i.e. software that network engineers use to control a network device so that it performs the desired function. The Linux operating system transmits the control information to the processor. We had a great opportunity to learn the configuration of a DNS server, DHCP server, web server, firewall, NIS, NFS, VPN and backup server.

Understanding the Protocols

Domain Name System

DNS translates IP addresses to human-readable names and vice versa. DNS distributes the responsibility of assigning domain names and mapping those names to IP addresses. It is a distributed database implemented as a hierarchy of name servers at different levels. Protocol: DNS is an application-layer protocol that uses the services of UDP (a transport-layer protocol) on port 53 (RFC 1035). A client requests the mapping for a host with a DNS request packet; the DNS server fetches the associated record, encapsulates it in a reply packet and sends it via UDP.

Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) is a client/server protocol for TCP/IP networks that automatically provides an Internet Protocol (IP) host with its IP address and other configuration information such as the subnet mask and default gateway (i.e. the address of the first-hop router). This TCP/IP standard reduces the complexity and administrative overhead of managing network clients' IPv4/IPv6 addresses and other configuration parameters. A network administrator can configure DHCP so that a given device/host receives the same IP address each time it connects to the server, or so that it is assigned a different IP address each time it connects. Since it automates the network-related aspects of connecting a host to a network, it is also known as a plug-and-play protocol.
The DHCP server stores the configuration information in a database that includes:

1. Valid TCP/IP configuration parameters for all clients on the network.

2. Valid IP address pool for assignment to clients, as well as excluded addresses.

3. Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.

4. The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.

A DHCP-enabled client, upon accepting a lease offer, receives:

1. A valid IP address for the subnet to which it is connecting.

2. Requested DHCP options, which are additional parameters that a DHCP server is configured to assign to clients. Some examples of DHCP options are Router (default gateway), DNS Servers and DNS Domain Name.

Web Server & Firewall

Web servers are one of the many kinds of server that exist in the data center of any organization. A web server communicates with multiple browsers such as Internet Explorer, Google Chrome and Firefox. It can run on multiple operating systems, like Linux and Microsoft. Web servers are configured to host a particular website written in HTML. They have daemons running in the background. A daemon is simply a piece of software; for a web server, for example, HTTP is the daemon, which uses port 80, and HTTPS uses port 443. Apache is the most popular web server and we have used its version 2.0.

A firewall follows a specific set of rules (i.e. protocols) to block or allow incoming and outgoing traffic of the web server. A firewall forms a barrier between the trusted internal network and the external network, i.e. the Internet. iptables rules are used to block certain IP addresses from performing specific operations such as ICMP, Telnet, SSH and FTP. All traffic that is not mentioned in the iptables rules is blocked by the firewall.

Backup Server

Backup stores the data from one server on another server so that it can be easily recovered in case of data loss. The Secure Shell (SSH) protocol is used with RSA encryption, and the public key is shared with the remote host that should be able to access the local host. Secure Copy (SCP) is used to securely copy the backup file from the local host to the remote host.

The Address Resolution Protocol (ARP) and Scapy

Scapy is a packet manipulation tool written in Python. Scapy provides indirect access to libpcap. It allows packet capture, packet manipulation and network discovery. Scapy can be used in many ways; we will concentrate on ARP poisoning using Scapy.

ARP is the protocol devices use to find, or map, the MAC address that corresponds to an IP address. There are two types of ARP packets: ARP request and ARP reply. To poison a particular host, it is best to use an ARP request from the attacker's MAC address, since on some recent systems an ARP reply will not work and will be considered gratuitous.

IPSec VPN

A VPN protocol is used to build a secured tunnel between two hosts. The data traversing the tunnel is encrypted using AES 128-bit encryption. It is used for security purposes and to avoid eavesdropping and attacks from hackers. There are two types of VPN, namely network-to-network VPN and IPsec transport VPN. Here the transport VPN is used, since it is used within a network.

Network File System

Network File System (NFS) is implemented so that files and folders can be shared over the network in a controlled way. This has many advantages: common folders, files or projects that people are working on can be shared, which saves local storage. Removable drives that are needed only occasionally, such as CD-ROMs and USB thumb drives, can also be shared on the network.
Installing NFS has two parts: the server part (the machine whose drives are shared) and the client part (the machines that access the drives exported by the server).

Signaling

Domain Name System

DNS query working:
DNS queries can be resolved in multiple ways. A DNS server can use its cache to answer a query, or contact other DNS servers on behalf of the client to resolve the name fully. When the DNS server receives a query, it first checks whether it can answer authoritatively, based on the resource record information in a locally configured zone on the server. If the queried name matches a resource record in the local zone information, the server answers authoritatively, using this information to resolve the queried name.
We used BIND (Berkeley Internet Name Domain) version 9 because it can be used on the majority of name-serving machines on the Internet and provides a robust architecture. We also chose BIND for some of its important features, such as DNS security, DNS protocol enhancements and multiprocessor support.

Dynamic Host Configuration Protocol

1. DHCP Discover: The client sends the DHCP Discover to 255.255.255.255, port 67, with a source IP of 0.0.0.0.
2. DHCP Offer: The server responds to the Discover message with a DHCP Offer, which is sent to the broadcast IP address 255.255.255.255 and carries the IP address offered to the client.
3. DHCP Request: The client chooses from one or more DHCP Offers and responds with a DHCP Request.
4. DHCP ACK: The server confirms the IP address chosen by the client with a DHCP ACK message.

Web Server

1. After the package is installed, the Apache 2 web server is started.
2. The web page of the server is changed and the server is restarted.
3. The server is in active mode and listening for HTTP requests on port 80.

Firewall

1. The iptables rules are configured on the web server.
2. HTTP responses and HTTP requests of the web server are accepted, forwarded or rejected based on the iptables rules.

Network File System

1. The NFS server is set up and the directory to be shared is declared.
2. An NFS connection is established with the client using the exports file, which gives specific permissions to the client.
3. The client mounts the directory from the server system and the data is shared between the two systems.

Configuration

In this project we used a private network. We configured a static private IP address for the DNS server by editing the /etc/network/interfaces file and setting iface eth0 inet static. To install the DNS server we used BIND9, i.e. Berkeley Internet Name Domain version 9. We chose BIND9 because it is used on most name-serving machines on the Internet and provides a robust architecture on which the DNS server of an organization can be built. Other possible DNS servers are Posadis and PowerDNS.
In this project we configured master and slave DNS servers with IPv6 support.

Steps to configure Master DNS server:

Step 1: To configure a static IP address, edit the “/etc/network/interfaces” file and add the IP address and other details.
Command:

        auto eth0
        iface eth0 inet static
        address 192.168.11.5
        netmask 255.255.255.0
        network 192.168.11.0
        broadcast 192.168.11.255
        gateway 192.168.11.1
        iface eth0 inet6 static
        address 2001:db8:0:1::124
        netmask 64
        gateway 2001:db8:0:1::1

Step 2: Edit the nameserver and domain name details in the file below.
Command:

        cat /etc/resolvconf/resolv.conf.d/head
        nameserver 192.168.11.5
        search rajkukadia.com

Step 3: Edit the “named.conf.local” file to specify the forward and reverse zones.
Command:

        cat /etc/bind/named.conf.local
        # Forward zone
        zone "rajkukadia.com" {
            allow-transfer { 192.168.11.6; };   # only the slave may transfer the zone
            also-notify { 192.168.11.6; };
            file "/etc/bind/db.rajkukadia.com";
            type master;
        };

Command:

        # Reverse zone
        zone "11.168.192.in-addr.arpa" {
            allow-transfer { 192.168.11.6; };
            also-notify { 192.168.11.6; };
            type master;
            file "/etc/bind/db.192";
        };

Command:

        # Reverse zone for IPv6
        zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
            type master;
            allow-transfer { 192.168.11.6; };
            file "/etc/bind/db.2001";
            also-notify { 192.168.11.6; };
        };


Step 4: Edit the named.conf.options file and add the ISP DNS IPs to the forwarders block, as below
Command:

        cat /etc/bind/named.conf.options
        forwarders {
            # ISP DNS IPs
            192.168.11.6;
            192.168.11.5;
            8.8.8.8;
            8.8.4.4;
        };


Step 5: Create the forward zone and reverse zone db files in the “/etc/bind” directory.
Command:

For the forward zone, create the db.rajkukadia.com file, using the contents of the /etc/bind/db.local file as a reference:

        cat /etc/bind/db.rajkukadia.com
        ;
        ; BIND data file for rajkukadia.com
        ;
        $TTL 604800
        @ IN SOA ubuntu.rajkukadia.com. root.rajkukadia.com. (
                7        ; Serial
                604800   ; Refresh
                86400    ; Retry
                2419200  ; Expire
                604800 ) ; Negative Cache TTL
        ;
        @        IN  NS     ubuntu.rajkukadia.com.
        @        IN  A      192.168.11.7
        @        IN  AAAA   2001:db8:0:1::125
        ubuntu   IN  A      192.168.11.5
        ubuntu   IN  AAAA   2001:db8:0:1::124
        ubuntu1  IN  A      192.168.11.6
        ubuntu1  IN  AAAA   2001:db8:0:1::128
        www      IN  CNAME  rajkukadia.com.
        stu1     IN  A      192.168.11.9
        stu1     IN  AAAA   2001:db8:0:1::126
        stu2     IN  A      192.168.11.10
        stu2     IN  AAAA   2001:db8:0:1::127

For the reverse zone:

        cat /etc/bind/db.192
        ;
        ; BIND reverse data file for 192.168.11.0/24
        ;
        $TTL 604800
        @ IN SOA ubuntu.rajkukadia.com. root.rajkukadia.com. (
                7        ; Serial
                604800   ; Refresh
                86400    ; Retry
                2419200  ; Expire
                604800 ) ; Negative Cache TTL
        ;
        @   IN  NS   ubuntu.rajkukadia.com.
        5   IN  PTR  ubuntu.rajkukadia.com.
        6   IN  PTR  ubuntu1.rajkukadia.com.
        7   IN  PTR  rajkukadia.com.
        9   IN  PTR  stu1.rajkukadia.com.
        10  IN  PTR  stu2.rajkukadia.com.
        1   IN  PTR  gw.rajkukadia.com.

Step 6: Restart the system and the bind9 service so that the changes take effect:
Command:

        sudo init 6
        sudo service bind9 restart
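
A consistency check for the zone data from Step 5, as an added example that is not part of the original project: it parses the A records of the forward zone and the PTR records of the reverse zone and lists every address whose forward and reverse entries disagree. The record data is copied from the two db files; the function names are this example's own.

```python
import ipaddress

# Records copied from db.rajkukadia.com and db.192 (SOA, NS and AAAA omitted).
FORWARD_ZONE = """\
@        IN  A      192.168.11.7
ubuntu   IN  A      192.168.11.5
ubuntu1  IN  A      192.168.11.6
www      IN  CNAME  rajkukadia.com.
stu1     IN  A      192.168.11.9
stu2     IN  A      192.168.11.10
"""
REVERSE_ZONE = """\
5   IN  PTR  ubuntu.rajkukadia.com.
6   IN  PTR  ubuntu1.rajkukadia.com.
7   IN  PTR  rajkukadia.com.
9   IN  PTR  stu1.rajkukadia.com.
10  IN  PTR  stu2.rajkukadia.com.
1   IN  PTR  gw.rajkukadia.com.
"""

def qualify(name, origin):
    """Expand a zone-file owner name to a fully qualified, lower-case name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def parse_records(text, origin, rtype):
    """Yield (owner_fqdn, rdata) for records of one type; ';' comments are skipped."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == rtype:
            yield qualify(fields[0], origin), fields[3]

def reverse_name(ip):
    """in-addr.arpa owner name for an IPv4 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_zones(forward, reverse, origin, rev_origin):
    """Return a sorted list of mismatches between A and PTR records."""
    a_records = {reverse_name(ip): host
                 for host, ip in parse_records(forward, origin, "A")}
    ptr_records = {owner: target.lower()
                   for owner, target in parse_records(reverse, rev_origin, "PTR")}
    problems = []
    for owner, host in a_records.items():
        if owner not in ptr_records:
            problems.append(f"{host} has no PTR at {owner}")
        elif ptr_records[owner] != host:
            problems.append(
                f"{owner} points to {ptr_records[owner]}, expected {host}")
    for owner, target in ptr_records.items():
        if owner not in a_records:
            problems.append(f"{owner} -> {target} has no matching A record")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, REVERSE_ZONE,
                               "rajkukadia.com.", "11.168.192.in-addr.arpa."):
        print(problem)
```

On the data above the only finding is the gw PTR record, which has no A record in the forward zone.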

Steps to Configure Slave DNS Server:

Step 1: To configure the static IP address of the slave DNS server, edit the “/etc/network/interfaces” file
Command:

        cat /etc/network/interfaces
        auto eth0
        iface eth0 inet static
        address 192.168.11.6
        netmask 255.255.255.0
        network 192.168.11.0
        broadcast 192.168.11.255
        gateway 192.168.11.1


Step 2: Configure the nameserver and domain name details in the “resolv.conf” file
Command:

        cat /etc/resolvconf/resolv.conf.d/head
        nameserver 192.168.11.6
        search rajkukadia.com

Step 3: Edit the named.conf.local file to configure the forward zone and reverse zone details
Command:

        cat /etc/bind/named.conf.local
        # Forward zone
        zone "rajkukadia.com" {
            type slave;
            masters { 192.168.11.5; };
            file "/etc/bind/db.rajkukadia.com";
        };
        # Reverse zone
        zone "11.168.192.in-addr.arpa" {
            type slave;
            masters { 192.168.11.5; };
            file "/etc/bind/db.192";
        };

Step 5: Edit the named.conf.options file and add the forwarders details
Command:

        cat /etc/bind/named.conf.options
        forwarders {
            192.168.11.5;
            192.168.11.6;
            8.8.8.8;
            8.8.4.4;
        };

Step 6: Restart the system and the bind9 service so that the changes take effect:
Command:

        sudo init 6
        sudo service bind9 restart

Steps for Configuring DHCP server
Step1: Install the DHCP Server
Command:

 sudo apt-get install isc-dhcp-server

Step2: Install the router advertisement daemon (radvd ) for IPv6
Command:

 sudo apt-get install radvd 

Step3: Set the static IP address of the DHCP server
Command:

 sudo nano /etc/network/interfaces
   auto lo
   iface lo inet loopback
   auto eth0
   iface eth0 inet static
   address 192.168.11.4
   netmask 255.255.255.0
   gateway 192.168.11.1
   network 192.168.11.0
   broadcast 192.168.11.255
   dns-nameserver 192.168.11.5 192.168.11.6
   dns-domain-search rajkukadia.com
   iface eth0 inet6 static
   address 2001:db8:0:1::120
   netmask 64
   gateway 2001:db8:0:1::1

Step4: Configure the IPv6 and IPv4 forwarding
Command:

 sudo nano /etc/sysctl.conf
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1

Step5: Make eth0 as the default interface
Command:

 sudo nano /etc/default/isc-dhcp-server
   INTERFACES="eth0"

Step6: Configure the dhcpd.conf file. Open the dhcpd.conf file for IPv4 using the following command:
Command:

 sudo nano /etc/dhcp/dhcpd.conf

Create configuration file dhcpd.conf:

    subnet 192.168.11.0 netmask 255.255.255.0 {
    range 192.168.11.20 192.168.11.40;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.11.255;
    option routers 192.168.11.1;
    option domain-name "rajkukadia.com";
    # both name servers go into one comma-separated option
    option domain-name-servers 192.168.11.5, 192.168.11.6;
    default-lease-time 600;
    max-lease-time 7200;
    }

Step7: Edit the resolv.conf file
Command:

 sudo nano /etc/resolv.conf
    nameserver 192.168.11.5
    nameserver 192.168.11.6

Step8: Configure the DHCP server for IPv6
Command:

 sudo nano /etc/dhcp/dhcpd6.conf 
    default-lease-time 600;
    max-lease-time 7200;
    log-facility local7;
    subnet6 2001:db8:0:1::/64 {
    range6 2001:db8:0:1::20 2001:db8:0:1::40;
    range6 2001:db8:0:1::/64 temporary;
    }

Step9: Create /etc/radvd.conf and configure as follows
Command:

 sudo nano /etc/radvd.conf
    interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # same /64 as subnet6 in dhcpd6.conf
    prefix 2001:db8:0:1::/64 {
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr on;
    };
    };

Step10: Reboot the System
Command:

 sudo init 6

Step11: Restart the DHCP server
Command:

 sudo service isc-dhcp-server restart 

Step12: Restart the DHCPv6 server with the following command
Command:

 sudo service isc-dhcp-server6 restart 

Webserver

Step 1: Get updates and install the Apache2 web server
Command:

        sudo apt-get update
        sudo apt-get install apache2

Step 2: Make a new directory in /var/www/
Command:

        sudo mkdir -p /var/www/websitename.com/public_html 

Step 3: Provide permissions to access the file and the folder
Command:

        sudo chown -R $USER:$USER /var/www/websitename.com/public_html
        sudo chmod -R 755 /var/www

Step 4: Edit the HTML file
Command:

        sudo nano /var/www/websitename.com/public_html/index.html 

Step 5: Copy the content of 000-default.conf to websitename.com.conf, i.e. the virtual host configuration file
Command:

        sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/websitename.com.conf

Step 6: Edit websitename.com.conf
Command:

        ServerAdmin admin@websitename.com
        ServerName websitename.com
        ServerAlias www.websitename.com
        # DocumentRoot (not ServerRoot) sets the directory a virtual host serves
        DocumentRoot /var/www/websitename.com/public_html

Step 7: Enable the virtual hosts
Command:

        sudo a2ensite websitename.com.conf 

Step 8: Restart the Apache web server
Command:

        sudo service apache2 restart 

Step 9: Add your IP address and domain name to the hosts file
Command:

        192.168.11.7 websitename.com

Browse to http://websitename.com from your browser.

Firewall

The firewall allows the system administrator to accept, forward or drop packets using iptables.

1. Enable it with the command below:

        sudo ufw enable

2. Add the rule below, which allows only HTTP traffic:

        sudo ufw allow 80

3. Add a rule for SSH:

        sudo ufw allow 22

4. Reject ICMP:

        sudo iptables -A INPUT -p icmp -j REJECT

The Address Resolution Protocol (ARP) and Scapy

Step 1: After running the script with sudo python poison.py in a terminal on the attacker machine, the victim's ARP table can be viewed with arp -a. All traffic for the web server now flows through the attacker machine, so NAT has to be set up on the attacker machine for it to accept packets addressed to an IP other than its own.
Enter root mode and first flush the iptables rules.
Command:

        iptables -t nat --flush
        iptables --zero
        iptables -A FORWARD --in-interface ens33 -j ACCEPT
        iptables -t nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
        iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination attacker’s ip

Step 2: After the attack has finished, the original state can be restored by sending an ARP request with the original destination MAC address and its IP address.
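
Seen from the defending side, the poisoning described above leaves a trace in the victim's ARP table: the web server's IP address becomes bound to another host's MAC address. The following check is an added example, not part of the original project; the arp -a output and all MAC addresses are constructed, 192.168.11.30 stands for an arbitrary third host, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -a` output taken on the victim before and during the test.
ARP_BASELINE = """\
? (192.168.11.1) at 00:50:56:00:00:01 [ether] on ens33
? (192.168.11.7) at 00:0c:29:00:00:07 [ether] on ens33
? (192.168.11.30) at 00:0c:29:00:00:30 [ether] on ens33
? (192.168.11.9) at <incomplete> on ens33
"""
ARP_CURRENT = """\
? (192.168.11.1) at 00:50:56:00:00:01 [ether] on ens33
? (192.168.11.7) at 00:0C:29:00:00:30 [ether] on ens33
? (192.168.11.30) at 00:0c:29:00:00:30 [ether] on ens33
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE)

def parse_arp(text):
    """Map IP -> MAC (lower case); unresolved '<incomplete>' entries are skipped."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}

def shared_macs(table):
    """MACs that answer for more than one IP address, with those IPs sorted."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(baseline, current):
    """IPs whose MAC differs from the baseline: {ip: (old_mac, new_mac)}."""
    return {ip: (baseline[ip], mac)
            for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}

def alerts(baseline_text, current_text):
    """Human-readable findings for one baseline/current pair of ARP tables."""
    baseline, current = parse_arp(baseline_text), parse_arp(current_text)
    out = [f"{ip} moved from {old} to {new}"
           for ip, (old, new) in changed_bindings(baseline, current).items()]
    out += [f"{mac} is claimed by {', '.join(ips)}"
            for mac, ips in shared_macs(current).items()]
    return out

if __name__ == "__main__":
    for line in alerts(ARP_BASELINE, ARP_CURRENT):
        print(line)
```

A router doing proxy ARP legitimately answers for several addresses, so the shared-MAC check is best read together with the comparison against a known-good baseline.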

IPSec VPN

Step 1: Install the following package used to configure VPN
Command:

               sudo apt-get install ipsec-tools strongswan-starter 

Step 2: Open and edit the following file
Command:

        sudo nano /etc/ipsec.conf

Step 3: Add the following
Command:

   conn webserver-to-nfs
       authby=secret
       auto=route
       keyexchange=ike
       left=192.168.11.7
       right=192.168.11.13
       type=transport
       esp=aes128gcm16!

Step 4: Create the file which will hold the pre-shared keys
Command:

        sudo nano /etc/ipsec.secrets

Step 5: Add the following
Command:

        192.168.11.13 192.168.11.7 : PSK "your keys"

Step 6: Restart IPsec
Command:

        ipsec restart

Step 7: To check the status, use statusall
Command:

        ipsec statusall

Host 2

Step 1: Install the following
Command:

        sudo apt-get install ipsec-tools strongswan-starter

Step 2: Open and edit the following file
Command:

        sudo nano /etc/ipsec.conf

Step 3: Add the following
Command:

   conn webserver-to-nfs
       authby=secret
       auto=route
       keyexchange=ike
       left=192.168.11.13
       right=192.168.11.7
       type=transport
       esp=aes128gcm16!

Step 4: Create the file which will hold the pre-shared keys
Command:

        sudo nano /etc/ipsec.secrets

Step 5: Add the following
Command:

        192.168.11.13 192.168.11.7 : PSK "your keys"

Step 6: Restart IPsec
Command:

        ipsec restart

Step 7: To check the status, use statusall
Command:

        ipsec statusall

Testing:

Step 1: Use this on any one host:
Command:

        ping -s 4048 192.168.11.13

Step 2: Watch the status from the other host
Command:

        watch ipsec statusall

Network File System

Configure the NFS Server

Step 1: Install NFS Server on server machine by below command:
Command:

       sudo apt install nfs-kernel-server 

Step 2: Configure the exports by editing the /etc/exports
Command:

       sudo nano /etc/exports

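Step 3: Add the directories you want to export (share on the network) to the above file. An entry has the form /ubuntu *(ro,sync,no_root_squash), where * stands for the client and can be replaced by the IP address you want to allow to share. There must be no space between the client and the opening parenthesis of its options.
Command:

       /home/dharak 192.168.11.0/24(rw,sync,no_root_squash)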

Step 4: start the NFS Server
Command:

       sudo systemctl start nfs-kernel-server.service
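
A small linter for /etc/exports, as an added example that is not part of the original project: it shows how the export from Step 3 is interpreted depending on whether whitespace separates the client from its option list, and it reports no_root_squash. The sample file is constructed (the /srv/public line is invented for contrast) and the finding names are this example's own.

```python
import re

# Constructed sample /etc/exports. Lines 1 and 2 are the Step 3 export with and
# without whitespace between the client and its option list.
SAMPLE_EXPORTS = """\
/home/dharak 192.168.11.0/24 (rw,sync,no_root_squash)
/home/dharak 192.168.11.0/24(rw,sync,no_root_squash)
/srv/public  *(ro,sync)   # constructed read-only export
"""

# One client token: an optional host followed by an optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (lineno, path, [(host, options)]) for every export line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for token in tokens:
            m = CLIENT_RE.match(token)
            if m is None:
                clients.append((token, None))          # malformed token
            else:
                opts = m.group("opts")
                clients.append((m.group("host"),
                                opts.split(",") if opts else []))
        yield lineno, path, clients

def lint_exports(text):
    """Return a list of (lineno, finding) tuples for risky export entries."""
    findings = []
    for lineno, _path, clients in parse_exports(text):
        for host, opts in clients:
            if opts is None:
                findings.append((lineno, "malformed-client"))
                continue
            everyone = host in ("", "*")
            if host == "":
                # "(opts)" after a space is its own entry and matches every host.
                findings.append((lineno, "options-apply-to-all-hosts"))
            elif not opts:
                # A client without "(...)" is exported with the default options.
                findings.append((lineno, "client-has-default-options"))
            if everyone and "rw" in opts:
                findings.append((lineno, "world-writable"))
            if "no_root_squash" in opts:
                # Root on the client acts as root on the exported files.
                findings.append((lineno, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {finding}")
```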

Configure the NFS Client

Step 1: Install nfs-common on the client machine
Command:

       sudo apt install nfs-common

Step 2: Mount the exported folder in an empty directory on the client machine
Command:

       sudo mount 192.168.11.13:/home/dharak /home/rajkukaidia/NFS

“/home/dharak” is the exported directory and “/home/local/NFS” is the local directory, which should be empty before mounting.

Backup

The Secure Shell (SSH) protocol is used with RSA encryption, and the public key is shared with the remote host that should be able to access the local host. Secure Copy (SCP) is used to securely copy the backup file from the local host to the remote host.
Step 1: Generate the public and private keys

         ssh-keygen -t rsa

Step 2: Make a copy of the public key

         cp id_rsa.pub authorized_keys

Step 3: Copy the authorized key to the remote host

         ssh-copy-id dharak@192.168.11.13

Step 4: Create a backup file

         tar -zcvf /path/for/backup/Backupfile.tgz /path/of/files/to/backup/

Step 5: Copy the backup file to the remote host

         scp /path/of/the/backup/file dharak@192.168.11.13:/path/of/the/destination/folder/

Step 6: Open crontab and add the following

         # mode 777 leaves cron.sh writable by every local user; 700 is enough for its owner to run it
         * * * * * chmod 777 cron.sh
         * * * * * /path/cron.sh

Test Plan

VPN Test

1) Connect to the VPN server; once connected, a point-to-point tunnel session is established, which can be seen in the interface list.

        ifconfig                                  - Retrieves the detected network interfaces and their information
        ppp0 Link encap:Point-to-Point Protocol   - Shows that the device is connected to a private network.

DNS Test

The following commands are used for DNS testing:
1) Dig
dig (Domain Information Groper) is used to query DNS name servers. It performs DNS lookups and returns the responses from the name servers.
2) Nslookup
nslookup is a command used to query DNS servers. Interactive mode lets the user query the name servers for information about hosts and domains. Non-interactive mode prints just the name and the requested information for a particular host or domain.
3) Ping
ping is used for checking the network-layer status of the server.
4) Host
host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.

DHCP Test

DHCP allocates the IP address for a device entering the network. The IP address can be verified using ifconfig/ipconfig on the client machine.

        sudo dhclient -r                  - Releases the current IP address on the client
        cat /var/lib/dhcp/dhcpd.leases    - Displays the leases provided by the DHCP server.

Webserver Test

1. The web browser is opened on the client machine.
2. Type the URL www.bdrn.com.
3. The page is displayed successfully on the client machine.

Firewall Test

1. When an HTTP request is sent from the client machine, the request is received at the web browser.
2. The web server is configured to block the connections from the ip address 192.168.1.30.
3. When a client with IP address 192.168.1.30 sends a packet to the web server, the packet is blocked by the firewall and the access is restricted.

NFS Test

After a connection is established between the server and the client using the NFS server, the changes made on the server are reflected on the client machine.

Future Improvements

1. Improved Firewall security features.
2. Behaviour of the servers located in a public network environment.
3. Implementation of AAA servers for authorization, authentication and accounting.
4. Simulating real-time network traffic and validating network performance.
