Jump to content

Data Networking/Fall 2015/Sman

From Wikiversity

Team:

1. Abhishek Mishra

2. Madhura Hulsurkar

3. Navneet Kaur Randhava

4. Samarpit Srivastava


Motivation:

Today the use of internet is ubiquitous. Interconnection of different networks is nothing but Internet. It is basically a group of computer networks which is based on TCP/IP model. The theoretical knowledge of all the concepts encountered while configuration has been taught in theory classes. This project has helped us in understanding these concepts practically with the theoretical knowledge gained in class. With the rapid usage of Internet, need arises to actually implement our network, ad-hoc networks. Dynamic Host Configuration (DHCP) server assigns IP addresses to different clients which are present in this ad-hoc network which gives access to the web page post IP resolution from Domain Name System. Security is the biggest concern which needs to be incorporated in networking. Thus, Firewall is implemented to secure our servers. Every machine should be able to sustain any catastrophe that may arise at any moment, so creating Backup in our own network is very essential. Since ages, Windows has captured the market and hence to add flavor to our lives we need to move from Windows to a different Operating System called as Linux. Linux is an open-source Operating system; it is easy for development, modification and distribution also it is free of cost. In our project we have used 14.04 version of Ubuntu.


Behavior of Protocols:

Domain Name System:

DNS stands for Domain Name Server. It is a hierarchical distribution of naming systems for the servers and services throughout the network. DNS is used to translate the URLs Domain name to IP addresses. It uses services of either TCP or UDP on port 53. It uses TCP in case when the response of the query is more than 512 bytes. In case, source has sent a DNS query using UDP and server notices that response is going to be greater than 512 bytes, then it uses truncate bit (TC bit) in the flag field which is set to 1. Source now initiates a TCP connection on port 53 to which the server replies. TCP connection is also used during zone transfers. Implementation of BIND9 server with caching can be used to reduce latency. Advantage of doing this is that whenever a response is received for a DNS query, it is cached in the server. As a result, the time taken to load the previous cached page is noticeably reduced, thus decreasing the waiting time of the user to obtain the data from the webpage.

Types of DNS records:

MX:

This type specifies host as the Mail Server. If any request comes to this server it is then directed to the mail server.

CNAME:

It specifies the URL’s canonical or primary name. Domain name is nothing but the alias.

A:

It is the Authoritative entry for the domain name, A specifies the IP of the actual server.

NS:

This type is the Name server lookup name of the domain. This type specifies a host which should be authoritative for the specified class and the domain. 

PTR:

It is a Domain Name which points to some location in the domain name space.

The reverse DNS lookup is in IN-ADDR.ARPA domain. In Reverse DNS, entries contain host name with reverse IP addresses with “.in-addr.arpa” added. These are set up with the PTR records. They are defined with 4 labels along with suffix IN_ADDR.ARPA and each label presenting one octet presenting one octet of ip address, which is in the range of 0 to 255 and expressed in a character string for a decimal value. The network addresses of host have domain names containing all the 4 labels i.e an IP address 192.168.1.36 will be located in the domain name of 36.1.168.192.IN-ADDR.ARPA. IPv6 is configured same as IPv4. For IPv6 reverse DNS, a new zone file is configured.


Dynamic Host Configuration Protocol (DHCP):

1. To assign IP addresses to networking component is done by using DHCP. It is done in following ways:

i. Static Allocation: In static allocation, IP addresses are assigned to networking devices like routers, computers etc. statically and it remains same unless it is changed by the network administrator.

ii. Automatic Allocation: In this type of allocation, same IP address get allocated to the systems which whenever gets connected to a particular network.

iii. Dynamic Allocation: In this type of allocation, a DHCP server allocates IP addresses to the devices from the defined pool of addresses as mentioned in the DHCP server. IPv4 and IPv6 addressing can be done by using DHCP server. To prevent wastage of IP addresses, correct subnet mask should be given.

2. DHCP is a client-server protocol where a server shares its clients and the resources and establishes a connection with the server to utilize these resources.

i. Behavior of DHCP server:

When a DHCP client tries to connect to the server by sending a DHCP message, on the current binding state of the client, the server processes it. The various types of DHCP message can be as DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE, DHCPINFORM.

a. DHCPDISCOVER:

To each and every DHCPDISCOVER message from the client, the server picks an IP address from its given DHCP pool. If IP address is not available, it reports the system admin or otherwise it assigns the IP to the client based on the binding state with that particular client. 

b. DHCPREQUEST:

When server gives an IP to the client in reply to DHCPDISCOVER, the clients returns a DHCPREQUEST message to the server, by checking if the IP is previously allocated or if the lease has ended, etc. Normally, in response to any DHCPOFFER given by server, the client sends back a DHCP request having option as 'Server Identifier'.

c. DHCPRELEASE:

If no network address is allocated, the client returns a DHCPRELEASE message to the server and the server hence makes an entry of client's initialization fields.

d. DHCPINFORM: To every DHCPINFORM message from the client, the server sends a DHCPACK message directly to the address mentioned at 'ciaddr' of the DHCPINFORM message. ii. Behaviour of DHCP client: The client may receive following messages from the server. DHCPOFFER DHCPACK DHCPNACK. The client then sends DHCPINFORM message to the server and waits for DHCPACK message from the server. The client then completes the configuration process by setting up its own parameters.


Webserver and Firewall:

To host a website, we need a webserver to run on the Linux Operating System. Apache2 is the popularly used webserver in Linux. Firewall is used to protect the network from the incoming and outgoing traffic in a network. Other than the allowed set of rules, all other traffic is denied by this firewall at the gateway router.


Requirements: The most and foremost requirement in today’s world is of Linux based OS. We have implemented our project by using Ubuntu 14.04 version. In addition to this, BIND9 is implemented for DNS caching purpose, DHCP server for assigning IP addresses dynamically and Apache2 server for website hosting is required.


Installation Steps:

Steps to perform the setup/installation.


Dynamic Host Configuration Protocol Configuration

DHCP assigning IP addresses to all the clients present in a particular network. As and when any system joins any particular DHCP assigns IP address to that system and releases IP address if any system leaves that network.

Steps to configure DHCP:

1. The first step is to open the terminal in Ubuntu, and update the apt-get before installing any new package. APT is a UI named Advanced Packing Tool which is used to install and remove packages in Ubuntu systems.

Command: sudo apt-get update.

2. Install the packages which are required for DHCP configuration.

Command: sudo apt-get install isc-dhcp-server

This package consists of multiple files from which we need to edit few important files for DHCP server configuration. Even if other files are kept untouched they play an important role in DHCP configuration.

3. An interface or port should listen to all the incoming DHCP requests. Port or interface should be assigned and this can be done using test editors like nano, vi, vim etc. Here we have used vim and nano and have specified the port to which our DHCP server will listen all the DHCP requests. DHCP by default listens on eth0 interface and hence we have kept the same in our project. Server leases IP on this interface.

Command: sudo nano /etc/default/isc-dhcp-server

Here we will see on option named Interface which needs to be set to required port or interface number.

Interface=”eth0”

4. While configuring server on any interface, IP address needs to be assigned to that particular interface. DHCP server assigns IP address dynamically to all the clients in its network while this server needs to be given one static IP address. We have given static IP address as 192.168.1.36.

Command: sudo nano /etc/network/interfaces

Until now both IPv4 and IPv6 both had the same configuration. Now we will discuss IPv4 configuration first.

IPv4 Implementation:

5. One of the important files is the /etc/dhcp/dhcp.conf file. In this file we give a range of IP addresses which can be dynamically assigned to the client machines, the subnet mask, network ID , lease time etc.

Command: sudo nano /etc/dhcp/dhcpd.conf

Here we have made all the settings as per the network requirement. The option domain name is linuxlab.project which is the domain name given by us in our project. The IP pool given here is from 192.168.1.35 to 192.168.1.50.

6. Now we need to start the dhcp service.

Command: sudo service isc-dhcp-server restart

Once the server is restarted, server starts running and assigns IP to all the client machines in that network. Every client machine gets an IP from the IP pool given in the file.


IPv6 Configuration:

1. IPv6 routing is enabled by the following process:

Command: sudo nano /etc/sysctl.conf

Set the command to the following: net.ipv6.conf.default.forwarding=1;

2. To advertise the IPs and let the client systems select IPs from these IP addresses, we need to install advertisement daemon of the router named radvd.

Command: sudo apt-get install radvd

After installing this daemon, we need to edit /etc/radvd.conf. This file does not exists and is initially blank and we need to setup few commands for it to work.

Command: sudo nano /etc/radvd.conf

3. For the DHCP server to assign the IP addresses to all the clients in this network, a dedicated file needs to be created and edited.

Command: sudo nano /etc/dhcp/dhcp6.conf

4. To generate address space for IPv6, radvd needs to be restarted.

Command: sudo service radvd restart


In this way DCHP server is configured for IPv4 and IPv6.


Domain Name Server Configuration:


Commands used in DNS server configuration:


1. Initially we give static IP in the interfaces file to configure the DNS server. It is as follows:

sudo nano /etc/network/interfaces

auto eth0

iface eth0 inet static

address 192.168.1.36

network 192.168.1.0

netmask 255.255.255.0

broadcast 192.168.1.255

gateway 192.168.1.0

dns-nameservers 192.168.1.36


2. We then restart the networking server after the above changes are made.

Command: sudo /etc/init.d networking restart

3. Creating a hostname

Command: sudo nano /etc/hostname

Ubuntu

4. To create a domain-name by editing /etc/hosts

Command:

sudo nano /etc/hosts

Add the following in this file:

127.0.0.1 locathost

192.168.1.5 ubuntu.linuxlab.project Ubuntu

To restart the server.

5. Install Bind9

Command: sudo apt-get install bind9

6.Configuring named.conf.options

Command:

forwarders{

192.168.1.36

8.8.8.8

};

7. To configure named.conf.local

Command:

sudo nano /etc/bind/named.conf.local

Edit the following:

Forward Zone is defined as below:

zone “linuxlab.project”{

type master;

file “/etc/bind/zones/db.linuxlab.project”

};

Reverse Zone is defined as below:

Zone “36.1.168.192.in.addr-arpa”{

type master;

file “/etc/bind/zones/db.lablinux.project”

};

8. Creating database files db.lablinux.project and db.192 in zones folder

Command:

i. To make the directory /etc/bind/zones

sudo mkdir /etc/bind/zones

ii. To copy db.local to db.lablinux.project

sudo cp /etc/bind/db.local /etc/bind/zones/db.lablinux.project

iii. To open db.lablinux.project file

sudo nano /etc/bind/zones/db.lablinux.project

Edit this file.

9. Edit the two database files db.linuxlab.project and db.192 in zones folder.

Command: Edit, Save and Exit

i. Copy db.127 to db.192

sudo cp /etc/bind/db.127 /etc/bind/zones/db.192

ii. Open db.192 file

sudo nano /etc/bind/db.192

iii. Edit this file, save and exit. Check both zones if they are working properly or not.

10. To configure resolv.conf

Command: sudo nano /etc/resolv.conf

Edit, restart the bind server and check if the log files have any errors or not.

sudo /etc/init.d/bind9 restart

tail –f /var/log/syslog


Webserver & Firewall: To host a particular website, we need to run a webserver on the Linux Operating System. The most popularly used webserver is Apache2. To ensure security over the incoming and outgoing traffic in a network we have implemented Firewall, using iptables. Appending rules to the iptables the incoming traffic is filtered at the incoming port, based on the rule given.

Commands to configure Webserver:

1. Installing Apache2 Webserver

Command: sudo apt-get install Apache2

2. To check if the web server is able to listen on port 80 or not

Command: netstat –a | more

3. To restart the web server

Command: sudo /etc/init.d/apache2 stop

sudo /etc/init.d/apache2 start

4. To develop a webpage for the server

Command: cd /var/www

sudo nano index.html

Commands to configure Firewall:

1. To block the ICMP requests:

Command: sudo iptables –A INPUT -d <IP address of the destination system> -p icmp –icmp –type 0 –j DROP

2. In order to prevent SSH login:

Command: sudo iptables –A INPUT -s <IP address of the source system> -d <IP address of the destination> -p tcp –dport ssh –j DROP

3. To block the FTP ports:

Command: sudo iptables -A INPUT -p tcp --dport 20 -j DROP sudo iptables -A INPUT -p tcp --dport 21 -j DROP

4. To block the Telnet port:

Command: sudo iptables –A INPUT -d 192.168.1.40 –p tcp –dport 23 –j DROP

5. To block a webpage:

Command: sudo iptables –A INPUT -d 192.168.1.40 –s 192.168.1.45 –p tcp –dport -j DROP


Backup:

The protocols used for backup are rsync and ssh. Rsync is a protocol used to synchronize files in Ubuntu. It updates only that data which is not yet synchronized with the backup file. Ssh protocol provides a secure channel to send and receive files on Unix machines.It uses encryption and decryption at the end users.

Steps to configure

1. Install rsync

Command: sudo apt-get install rsync

2. Install ssh

Command: sudo apt-get install openssh-server

3. Create a public and a private key for security

Command: ssh-keygen -t rsa -b 1000

4. Copy this into the web server

Command: ssh-copy-id -i /root/.ssh/id_rsa.pub

 webserver@ipaddress

5. Edit crontab

Command: crontab –e

6. Give the scheduling and run the rsync command from the crontab to automate the backup of the webserver using Rsync

Command: rsync -avzh -e ssh

                    webserver@ipaddress:/var/www /home/backupserver/DestinationFolder


Additional Features:


1. Mail Server:

The default mail transfer agent for Ubuntu is Postfix.

Step 1. Install postfix

Command: sudo apt-get install postfix

Step 2. Configure the following:

Command: sudo dpkg-reconfigure postfix

To add the following details:

1. General type of Mail configuration: Internet Site

2. NONE doesn’t appear in the current configuration.

3. System Mail Name: mail.linuxlab.project

4. Root and postmaster mail recipient: <admin_user_name>

5. Other destinations for mail: server1.linuxlab.project

6. Force synchronous updates on mail queue: NO

7. Local network: 127.0.0.0/8

8. Yes does not appear to be requested in current configuration.

9. Mailbox size limit (bytes): 0

10. Local address extension character: +

11. Internet protocols to use: ALL

Step 3. To configure the mailbox format for Maildir

Command: sudo postconf –e ‘home_mailbox = Maildir/’

sudo postconf –e ‘mailbox_command =’

Step 4. Configuring POSTFIX to perform SMTP, AUTH by using SSH

Command: sudo postconf –e ‘smtp_sasl_local_domain =’

sudo postconf –e ‘smtp_sasl_auth_enable = yes’

sudo postconf –e ‘smtp sasl security options = noanonymous’

sudo postconf –e ‘broken sasl auth clients = yes’

sudo postconf –e ‘smtp_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’

sudo postconf –e ‘inet_interfaces = all’

Generate certificates to be used for TLS encryption and/or certificate Authentication

touch smtpd.key

chmod 600 smtpd.key

openssl genrsa 1024 > smtpd.key

openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts

sudo mv smtpd.key /etc/ssl/private/

sudo mv smtpd.crt /etc/ssl/certs/

sudo mv cakey.pem /etc/ssl/private/

sudo mv cacert.pem /etc/ssl/certs/

Step 5. Configuration of Postfix to do TLS encryption for incoming and outgoing mail:

Command: sudo postconf –e ‘smtp_tls_security_level = may’

Step 6. To restart the postfix daemon.

Command: sudo /etc/init.d/postfix restart


2. VPN (Virtual Private Network):

Commands to configure VPN is as given below.

i. In order to configure VPN, install pptpd package.

Command: sudo apt-get install pptpd

ii. Edit and change the files present in /etc/pptpd.conf

Command: localip <VPN server IP>

remoteip 192.168.1.40 192.168.1.45

iii. Edit file /etc/ppp/pptpd-options:

Command: ms-dns 192.168.1.254

iv. To set the userid and password:

Command: sudo nano /etc/ppp/chap-secrets

User pptpd password *

‘*’ indicates the IP addresses in the specified IP range.


3. NFS (Network File System):

Configuration of NFS is as given below:

i. Configuration of NFS Server:

Command: sudo apt-get install nfs-kernel-server

sudo mkdir /export/shared

sudo chmod 777/export/shared

ii. To edit the file:

Command: sudo nano /etc/exports

And on the last line edit as given below:

append ==> /export/shared <ip address of the client> (rw,sync,no_root_squash)

Save and exit

iii. Change the directory:

Command: cd /export/shared

touch abc

sudo nano abc

sudo reboot

# To enter the data which is required to be seen by the client.

iv. To restart the server.

Command: sudo service nfs-kernel-server restart

v. Configuration of the NFS-client

Command: sudo apt-get install nfs-common

vi. Make directory in /home

Command: mount serverip:/serverpath /clientpath sudo reboot sudo mount –a


4. Master & Slave:

Steps to configure Master and Slave is as given below:

i. Edit /etc/hosts

Command: sudo nano /etc/hosts

ii. Add the following:

Command: 127.0.0.1 localhost 192.168.1.40 ubuntu.linuxlab.project ubuntu 192.168.1.45 ubuntu.linux.abc ubuntu

iii. Edit the file /etc/bind/named.conf.local on the master virtual machine

Command: sudo nano /etc/bind/named.conf.local

iv. Edit the following:

  1. Forward zone zone "linuxlab.project" { type master; allow transfer{ip address of the slave;}; file "/etc/bind/zones/db.linuxlab.project";


5. PXE Boot and RARP:

For a client to obtain an IP address from a server Bootstrap protocol is used. This is basically a network protocol. The server actually provides a pool of IP address. An extension of BOOTP and DHCP is nothing but PXE Boot. By using this protocol we can boot thousands of Linux terminals from a server which is placed remotely. The PXE Boot configuration is as follows:

i. Configuring the dhcp service.

Add the following lines:

allow booting;

allow bootp;

filename “/pxelinux.0”

ii. To restart the DHCP server. Configuring the tftp service.

Command: sudo apt-get install tftp-server

sudo nano /etc/xinetd.d/tftp

Change “disable=yes” to “disable=no”

sudo service xinetd restart

iii. Configuring the vsftp service:

Command: sudo apt-get install vsftp

sudo nano /etc/vsftp/vsftp.conf

Add anon_root= /mnt

Anon_upload_enable=NO

iv. Configuring the pxe service

Command: sudo mkdir /tftpboot

cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

By using PXE boot, copy the file from boot Ubuntu to /tftpboot and boot Ubuntu.


6. NTP:

It is a network time protocol which is used for clock synchronization among the computer systems to some time reference. It is a client server model. Timestamps are sent and received using UDP on port number 123. NTP clients try to synchronize the time with NTP server.

a. For NTP server

i. Install NTP

	       Command:		sudo apt-get install ntp

ii. Edit /etc/ntp.conf to check it has two restrict lines

Command: restrict default kod nomodify notrap nopeer noquery

Command: restrict -6 default kod no modify notrap nopeer noquery

iii. Edit /etc/ntp.conf file to only allow specific machines on your own network to synchronize with your NTP server.

Command: restrict 192.168.1.0 mask 255.255.255.0 no modify notrap

iv. To add local clock as backup edit ntp.conf file

    Command: 		server 127.127.1.0 iburst
       		Fudge 127.127.1.0 stratum 1

v. Restart NTP server

	     Command: 		/etc/init.d/ntp restart

a. For NTP client

i. To synchronize NTP client to NTP server modify ntp.conf

Command: server 192.168.1.38 prefer

ii. Start the ntp daemon process

Command: /etc/init.d/ntp start

iii. To check the NTP status

Command: sudo ntpq -p

iv. Setting local time and date

Command: ntpdate –u 192.168.1.38

To get the current status of NTP

Command: ntpdc –c sysinfo


7. IPSEC OpenSwan:

Installed openswan and edited /etc/ipsec.conf file to define peer gateway, remote and local subnets and local gateway address.

10.1.1.0/24----(linux)192.168.1.49----------192.168.1.36(linux)------172.16.0.0/24

Status of tunnels can be checked through:

  1. service ipsec status
  1. ipsec auto --status


8. NIS:

Network Information Service is a directory service client-server protocol used for distribution of system configuration data such as user or hostnames between computers in a network. It provides simple lookup services of databases and processes.

1. Install portmap

Command: sudo apt-get install portmap

2. Update portmap default

Command: sudo update-rc.d portmap f=defaults 10

3. Install NIS

Command: sudo apt-get install nis

You will be given a prompt for your domain name. We used linuxlab.project

4. Edit /etc/default/nis

Command: sudo vim /etc/default/nis

NISSERVER=master

NISCLIENT=false

5. Edit /etc/ypserv.securenets by giving access to your clients

Command: sudo vim /etc/ypserv.securenets

  1. 0.0.0.0 0.0.0.0

255.255.255.0 192.168.1.0

6. Edit /var/yp/Makefile

Command: sudo vim /var/yp/Makefile

All = passwd shadow group hosts

7. Restart the portmap daemon

Command: sudo /etc/init.d/portmap restart

8. Restart the NIS daemon

Command: sudo /etc/init.d/nis restart

9. Invoke /usr/lib/yp/ypinit to build NIS DB, you’ll be asked to add hosts

Command: sudo /usr/lib/yp/ypinit –m

10. Add the users and groups to be used by NIS clients throughtout the network to the NIS Server

Command: sudo useradd -d /home/NISUser1 -m NISUser1

  sudo useradd -d /home/NISUser2 -m NISUser2

11. Give the new users passwords to login and authenticate with NIS clients in your Linux network

Command: sudo passwd NISUser1

sudo passwd NISUser2

12. Compile the new users, groups and passwords into NIS database

Command: cd /var/yp/

        sudo make

13. Test NIS

Command: ypcat passwd

b. Client Configuration

1. Install portmap

Command: sudo apt-get install portmap

                    2.  Update portmap defaults

Command: sudo update-rc.d portmap defaults 10

3. Install NIS, be sure to enter the same domain name: linuxlab.project

Command: sudo apt-get install nis

            4. Edit /etc/yp.conf and add a server line

Command: sudo vim /etc/yp.conf

domain linuxlab.project server ubuntu linuxlab.project

                    5.Edit /etc/nsswitch.conf

Command: sudo vim /etc/nsswitch.conf

Passwd: nis compat

Group: nis compat

Shadow: nis compat

6. Modify the permissions on the default /home folder so XWindows can allow users to login in graphically to a Gnome Desktop

Command: sudo chmod 777 /home

7. Reboot the NIS client

Command: sudo reboot

8. Test NIS client’s connection to the NIS server

Command: ypcat passwd

NISUser1…

NISUser2…

9. Login with NIS user

Command: ypwhich

Ubuntu linuxlab.project

Test Plan:


1. DNS Test Plan:

Following commands are used for testing:

i. Domain Information Groper (DIG): It is used for querying the DNS Name Server. This command performs DNS lookups and returns the response from the same servers.

ii. Nslookup: It is used to query the DNS servers. Its Interactive mode gives user the permission to query the name servers to get information about all the hosts and domains. Its Non-interactive mode gives user the permission to print just the name and information which is requested for a particular host or domain.

iii. Ping: It is used to check the status of the network layer of the server.

iv. Host: This is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.


2. DHCP Test: Any system/machine/device which enters a network gets an IP address, and this is done by the DHCP server. These IP addresses can be verified using ifconfig/ipconfig.

Command: sudo dhclient –r (This command is used to get fresh IP for the client system)

cat /var/lib/dhcp/dhcpd.leases (This command is used to view the lease provided to any particular device by the DHCP server)


3. Webserver Test: Open the web browser and enter the host name or the local IP address. If this works, then the web server is up and running.


4. Firewall Test: Any client can try to ping the servers which are blocked. If the client gets a request timed-out response then, the firewall has blocked the client and this says that the Firewall is working properly. The client doesn’t have access to the webpage because it is restricted.


Future Improvements:

1. In this project, Dynamic DNS concept can be implemented.

2. IP spoofing can be restricted for firewall configuration using iptables. Traffic from MAC address can be restricted or blocked.

3. By using iptables, the number of parallel connections establishing to any particular client can be blocked.

4. By using symmetric cryptography, Backup can be taken.


Citations:

Website:

1. www.help.ubuntu.com

2. www.google.com

3. www.youtube.com

Books:

1. Computer Networking – A top down approach (James Kurose and Keith Ross)