Data Networking/Fall 2015/Sman
Team:
1. Abhishek Mishra
2. Madhura Hulsurkar
3. Navneet Kaur Randhava
4. Samarpit Srivastava
Motivation:
Today the use of the Internet is ubiquitous. The Internet is nothing but an interconnection of different networks: a group of computer networks based on the TCP/IP model. The concepts encountered during configuration were taught in theory classes, and this project helped us understand them practically with that theoretical knowledge. With the rapid growth of Internet usage, the need arises to actually implement our own network, an ad-hoc network. A Dynamic Host Configuration Protocol (DHCP) server assigns IP addresses to the clients present in this ad-hoc network, which can then reach the web page once the Domain Name System has resolved its name to an IP address. Security is the biggest concern that needs to be incorporated in networking, so a firewall is implemented to secure our servers. Every machine should be able to survive any catastrophe that may arise at any moment, so keeping a backup within our own network is essential. Windows has long dominated the market, so to add flavour to our lives we move from Windows to a different operating system, Linux. Linux is an open-source operating system; it is easy to develop, modify and distribute, and it is free of cost. In our project we used Ubuntu version 14.04.
Behavior of Protocols:
Domain Name System:
DNS stands for Domain Name System. It is a hierarchical, distributed naming system for the servers and services throughout the network, used to translate the domain names found in URLs to IP addresses. It uses either TCP or UDP on port 53. TCP is used when the response to a query is larger than 512 bytes: if the source sent its query over UDP and the server notices that the response would exceed 512 bytes, the server sets the truncation (TC) bit in the flags field to 1, and the source then opens a TCP connection to port 53, over which the server replies. A TCP connection is also used for zone transfers. A BIND9 server configured with caching can be used to reduce latency: whenever a response to a DNS query is received it is cached on the server, so the time taken to resolve a previously cached name is noticeably reduced, and the user waits less to obtain the data from the web page.
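The UDP-to-TCP fallback described above, as an added example that is not code from the original page: it builds a query for a name in the lab domain, checks the flags of the (constructed) UDP reply, and produces the length-prefixed TCP message when the TC bit is set.

```python
import random
import struct

# Added example (not from the original page): build a DNS query for a name in
# the lab domain, check the flags of the UDP reply, and decide whether the
# query has to be repeated over TCP because the server set the TC bit.
# The reply bytes below are constructed, not captured from a server.

FLAG_QR = 0x8000  # set in responses
FLAG_TC = 0x0200  # truncation: answer did not fit in 512 bytes of UDP
FLAG_RD = 0x0100  # recursion desired

def encode_name(name):
    """'linuxlab.project' -> b'\\x08linuxlab\\x07project\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Standard recursive query; qtype 1 = A, 12 = PTR. Returns (txid, packet)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # unpredictable ID makes blind reply spoofing harder
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # 1 question, 0 RRs
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question

def parse_header(packet, expected_txid):
    """Decode the 12-byte header; a reply whose ID does not match is rejected."""
    if len(packet) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return {"id": txid, "response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "questions": qd, "answers": an, "authority": ns, "additional": ar}

def needs_tcp_retry(udp_reply, expected_txid):
    """True when the reply carries TC=1, i.e. the UDP answer was cut at 512 bytes."""
    hdr = parse_header(udp_reply, expected_txid)
    return hdr["response"] and hdr["truncated"]

def frame_for_tcp(packet):
    """DNS over TCP prefixes each message with its length as a 2-byte big-endian field."""
    return struct.pack("!H", len(packet)) + packet

def resolve_with_fallback(name, udp_reply, txid=0x1234):
    """Return the TCP-framed query to send to port 53/tcp if the UDP reply was
    truncated, or None when the UDP reply can be used as it is."""
    txid, query = build_query(name, txid=txid)
    if needs_tcp_retry(udp_reply, txid):
        return frame_for_tcp(query)
    return None

# Constructed truncated reply: same ID, QR+RD+TC set, the question echoed, no answers.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
                   + build_query("www.linuxlab.project", txid=0x1234)[1][12:])
```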
Types of DNS records:
MX:
This type specifies the host that acts as the mail server for the domain; mail addressed to the domain is directed to that host.
CNAME:
It specifies the canonical (primary) name of a host; the name the record is defined under is nothing but an alias for it.
A:
It is the authoritative entry for a host name; an A record specifies the IPv4 address of the actual server.
NS:
This type names the name server of the domain: it specifies a host that is authoritative for the specified class and domain.
PTR:
It is a domain name that points to some location in the domain name space; PTR records are used for reverse lookups.
Reverse DNS lookups live in the IN-ADDR.ARPA domain. In reverse DNS, entries map the reversed IP address with ".in-addr.arpa" appended to the host name, and are set up with PTR records. They are defined with 4 labels followed by the suffix IN-ADDR.ARPA, each label representing one octet of the IP address, in the range 0 to 255, written as a decimal character string. A host address uses all 4 labels, i.e. the IP address 192.168.1.36 is located at the domain name 36.1.168.192.IN-ADDR.ARPA. IPv6 is configured in the same way as IPv4, except that each label is one hexadecimal nibble and the suffix is IP6.ARPA; for IPv6 reverse DNS, a separate zone file is configured.
Dynamic Host Configuration Protocol (DHCP):
1. DHCP is used to assign IP addresses to networking components. This is done in the following ways:
i. Static Allocation: IP addresses are assigned statically to networking devices such as routers and computers, and an address remains the same unless the network administrator changes it.
ii. Automatic Allocation: the same IP address is allocated to a system whenever it connects to a particular network.
iii. Dynamic Allocation: the DHCP server allocates IP addresses to devices from the pool of addresses defined in its configuration. Both IPv4 and IPv6 addressing can be done with a DHCP server. To avoid wasting IP addresses, the correct subnet mask should be given.
2. DHCP is a client-server protocol: the server holds the address pool and the configuration parameters, and clients contact the server to obtain them.
i. Behavior of DHCP server:
When a DHCP client sends a DHCP message to the server, the server processes it according to the client's current binding state. The DHCP message types include DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE and DHCPINFORM.
a. DHCPDISCOVER:
For each DHCPDISCOVER message from a client, the server picks an IP address from its DHCP pool. If no IP address is available it reports this to the system administrator; otherwise it offers the IP to the client, based on its binding state with that particular client.
b. DHCPREQUEST:
When the server offers an IP to the client in reply to DHCPDISCOVER, the client returns a DHCPREQUEST message to the server, after checking whether the IP was previously allocated, whether its lease has ended, etc. Normally, in response to a DHCPOFFER from the server, the client sends back a DHCPREQUEST carrying the 'Server Identifier' option to indicate whose offer it accepted.
c. DHCPRELEASE:
When the client no longer needs its allocated network address, it sends a DHCPRELEASE message to the server; the server marks the address as free and keeps a record of the client's initialization parameters for possible reuse.
d. DHCPINFORM:
For every DHCPINFORM message from a client, the server sends a DHCPACK message directly to the address given in the 'ciaddr' field of the DHCPINFORM message.
ii. Behaviour of DHCP client:
The client may receive the following messages from the server: DHCPOFFER, DHCPACK and DHCPNAK. A client that already has an address may send a DHCPINFORM message to the server and wait for the DHCPACK message in reply. The client then completes the configuration process by setting up its own parameters.
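The option encoding and the server-side handling of a DHCPREQUEST described above, as an added example that is not code from the original page. The server address 192.168.1.36 is the project's; the offered client address and the option layout are constructed for the example, following RFC 2131.

```python
import ipaddress

# Added example, not code from the original page: encode and decode the DHCP
# options field so the message types listed above can be recognised, then
# apply the server's DHCPREQUEST rule from RFC 2131: answer only requests that
# name this server in the 'Server Identifier' option. The server address is
# the project's 192.168.1.36; the offered client address is constructed.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
SERVER_ID = ipaddress.ip_address("192.168.1.36")

def encode_options(opts):
    """opts: sequence of (code, value bytes). Emits magic cookie, TLVs and END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("bad option %r" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def decode_options(blob):
    """Parse the options field into {code: value}; a bad length is rejected
    instead of being allowed to read past the end of the packet."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("options field has no END marker")

def message_type(opts):
    """Name of the DHCP message type (option 53), or None if absent/malformed."""
    value = opts.get(OPT_MSG_TYPE)
    if value is None or len(value) != 1:
        return None
    return MSG_TYPES.get(value[0])

def server_reply_to_request(opts, offered_ip):
    """What the server at SERVER_ID sends for a DHCPREQUEST that follows its own
    DHCPOFFER of offered_ip: DHCPACK, DHCPNAK, or None when the request names
    another server (this server stays silent and frees the offered address)."""
    if message_type(opts) != "DHCPREQUEST":
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4 or ipaddress.ip_address(sid) != SERVER_ID:
        return None
    requested = opts.get(OPT_REQUESTED_IP)
    if requested is not None and len(requested) == 4 and \
            ipaddress.ip_address(requested) == ipaddress.ip_address(offered_ip):
        return "DHCPACK"
    return "DHCPNAK"

def client_request_options(chosen_server, offered_ip):
    """Options a client puts in the DHCPREQUEST that accepts a DHCPOFFER."""
    return encode_options([(OPT_MSG_TYPE, b"\x03"),
                           (OPT_SERVER_ID, ipaddress.ip_address(chosen_server).packed),
                           (OPT_REQUESTED_IP, ipaddress.ip_address(offered_ip).packed)])
```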
Webserver and Firewall:
To host a website, we need a web server running on the Linux operating system. Apache2 is the most popular web server on Linux. A firewall is used to filter the incoming and outgoing traffic of a network. Apart from the traffic permitted by the configured rules, all other traffic is denied by this firewall at the gateway router.
Requirements:
The first and foremost requirement is a Linux-based OS. We have implemented our project using Ubuntu 14.04. In addition, BIND9 is needed for DNS with caching, a DHCP server for assigning IP addresses dynamically, and an Apache2 server for hosting the website.
Installation Steps:
Steps to perform the setup/installation.
Dynamic Host Configuration Protocol Configuration
DHCP assigns IP addresses to all the clients present in a particular network. Whenever a system joins the network, DHCP assigns it an IP address, and it releases the address when the system leaves the network.
Steps to configure DHCP:
1. The first step is to open a terminal in Ubuntu and update the apt-get package lists before installing any new package. APT (Advanced Package Tool) is the tool used to install and remove packages on Ubuntu systems.
Command: sudo apt-get update
2. Install the packages which are required for DHCP configuration.
Command: sudo apt-get install isc-dhcp-server
This package consists of multiple files, of which we need to edit a few important ones for the DHCP server configuration. Even the files we leave untouched play a role in the DHCP configuration.
3. An interface must be chosen on which the server listens for incoming DHCP requests. It is set with a text editor such as nano, vi or vim; here we have used vim and nano and specified the interface on which our DHCP server listens for DHCP requests. The server leases IPs on this interface. The interface used throughout our project is eth0, so we set that.
Command: sudo nano /etc/default/isc-dhcp-server
Here we see an option named INTERFACES which needs to be set to the required interface name:
INTERFACES="eth0"
4. While configuring server on any interface, IP address needs to be assigned to that particular interface. DHCP server assigns IP address dynamically to all the clients in its network while this server needs to be given one static IP address. We have given static IP address as 192.168.1.36.
Command: sudo nano /etc/network/interfaces
Up to this point IPv4 and IPv6 share the same configuration. We now discuss the IPv4 configuration first.
IPv4 Implementation:
5. One of the important files is /etc/dhcp/dhcpd.conf. In this file we give the range of IP addresses that can be dynamically assigned to client machines, the subnet mask, the network ID, the lease time, etc.
Command: sudo nano /etc/dhcp/dhcpd.conf
Here we have made all the settings as per the network requirement. The option domain-name is linuxlab.project, the domain name we chose for our project. The IP pool given here is 192.168.1.35 to 192.168.1.50. Note that the server's own static address, 192.168.1.36, lies inside this pool; it should be excluded (by narrowing the range, or by reserving the address for the server's MAC) so that it is never handed out to a client.
6. Now we need to start the DHCP service.
Command: sudo service isc-dhcp-server restart
Once the server is restarted, server starts running and assigns IP to all the client machines in that network. Every client machine gets an IP from the IP pool given in the file.
IPv6 Configuration:
1. IPv6 routing is enabled by the following process:
Command: sudo nano /etc/sysctl.conf
Add or uncomment the following line: net.ipv6.conf.default.forwarding=1
2. To advertise the IPs and let the client systems select IPs from these IP addresses, we need to install advertisement daemon of the router named radvd.
Command: sudo apt-get install radvd
After installing this daemon, we need to edit /etc/radvd.conf. This file does not exist initially, so we create it and add the prefix advertisement settings needed for it to work.
Command: sudo nano /etc/radvd.conf
3. For the DHCP server to assign the IP addresses to all the clients in this network, a dedicated file needs to be created and edited.
Command: sudo nano /etc/dhcp/dhcpd6.conf
4. To generate address space for IPv6, radvd needs to be restarted.
Command: sudo service radvd restart
In this way the DHCP server is configured for IPv4 and IPv6.
Domain Name Server Configuration:
Commands used in DNS server configuration:
1. Initially we give the DNS server a static IP in the interfaces file. It is as follows (the gateway must be the router's host address, not the network address 192.168.1.0):
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.1.36
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway <IP address of the gateway router>
dns-nameservers 192.168.1.36
2. We then restart the networking server after the above changes are made.
Command: sudo /etc/init.d/networking restart
3. Creating a hostname
Command: sudo nano /etc/hostname
Ubuntu
4. To create a domain name, edit /etc/hosts
Command:
sudo nano /etc/hosts
Add the following to this file:
127.0.0.1 localhost
192.168.1.5 ubuntu.linuxlab.project Ubuntu
Then restart networking so the change takes effect.
5. Install Bind9
Command: sudo apt-get install bind9
6. Configuring named.conf.options
Edit /etc/bind/named.conf.options and set the forwarders, the upstream resolvers this server queries for names it is not authoritative for and has not cached. Note that listing the server's own address 192.168.1.36 here only makes it forward to itself, so the upstream resolver 8.8.8.8 is the entry that does the work:
forwarders {
192.168.1.36;
8.8.8.8;
};
7. To configure named.conf.local
Command:
sudo nano /etc/bind/named.conf.local
Add the following zones:
The forward zone is defined as below:
zone "linuxlab.project" {
type master;
file "/etc/bind/zones/db.linuxlab.project";
};
The reverse zone for the 192.168.1.0/24 network is defined as below (its origin is the network part of the address reversed, followed by in-addr.arpa):
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192";
};
8. Creating the database files db.linuxlab.project and db.192 in the zones folder
Command:
i. Make the directory /etc/bind/zones
sudo mkdir /etc/bind/zones
ii. Copy db.local to db.linuxlab.project as the template for the forward zone
sudo cp /etc/bind/db.local /etc/bind/zones/db.linuxlab.project
iii. Open the db.linuxlab.project file
sudo nano /etc/bind/zones/db.linuxlab.project
Replace the template's localhost entries with the SOA, NS, A, MX and CNAME records for linuxlab.project, then save and exit.
9. Create the reverse zone file db.192 in the zones folder.
Command:
i. Copy db.127 to db.192 as the template for the reverse zone
sudo cp /etc/bind/db.127 /etc/bind/zones/db.192
ii. Open the db.192 file
sudo nano /etc/bind/zones/db.192
iii. Replace the template entries with the PTR records for the hosts, save and exit. Check that both zones load without errors (the named-checkzone tool from the bind9utils package validates a zone file against its origin).
10. To configure resolv.conf
Command: sudo nano /etc/resolv.conf
Make sure 192.168.1.36 is listed as the name server, then restart the BIND server and check the log for errors:
sudo /etc/init.d/bind9 restart
tail -f /var/log/syslog
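An added example, not one of the project's zone files, that derives db.linuxlab.project and the IPv4 and IPv6 reverse zones from a single host table, following the record types and the in-addr.arpa/ip6.arpa naming described in the DNS section above. Only the domain and the server address 192.168.1.36 come from the page; the other hosts, the IPv6 prefix 2001:db8:1::/48 and the SOA timers are assumptions.

```python
import ipaddress

# Added example, not the project's own zone files: derive the forward zone
# (db.linuxlab.project) and the IPv4 and IPv6 reverse zones from one host
# table, so A/AAAA records and their PTR records cannot drift apart. Only the
# server address 192.168.1.36 comes from the page; the other hosts, the IPv6
# prefix 2001:db8:1::/48 and the SOA timers are constructed.

DOMAIN = "linuxlab.project"
NS_HOST = "ubuntu"                       # the BIND9 server configured above
HOSTS = {                                # host name -> addresses (constructed)
    "ubuntu": ["192.168.1.36", "2001:db8:1::36"],
    "backup": ["192.168.1.40"],
}
ALIASES = {"www": "ubuntu"}              # CNAME records
MAIL_HOST = "ubuntu"                     # MX target

def reverse_zone_name(network):
    """192.168.1.0/24 -> 1.168.192.in-addr.arpa; 2001:db8:1::/48 ->
    1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. The prefix must end on an octet
    (IPv4) or nibble (IPv6) boundary, as BIND zone cuts do."""
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4
    if net.prefixlen % unit:
        raise ValueError("prefix length must be a multiple of %d" % unit)
    labels = net.network_address.reverse_pointer.split(".")
    drop = (net.max_prefixlen - net.prefixlen) // unit   # host-part labels
    return ".".join(labels[drop:])

def _header(serial):
    """$TTL, SOA and NS records shared by every generated zone file."""
    ns = "%s.%s." % (NS_HOST, DOMAIN)
    return ["$TTL 604800",
            "@ IN SOA %s admin.%s. ( %d 604800 86400 2419200 604800 )" % (ns, DOMAIN, serial),
            "@ IN NS %s" % ns]

def forward_zone(serial=1):
    """Text of db.linuxlab.project: SOA, NS, MX, A/AAAA and CNAME records."""
    lines = _header(serial)
    lines.append("@ IN MX 10 %s.%s." % (MAIL_HOST, DOMAIN))
    for host, addrs in sorted(HOSTS.items()):
        for addr in addrs:
            rtype = "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"
            lines.append("%s IN %s %s" % (host, rtype, addr))
    for alias, target in sorted(ALIASES.items()):
        lines.append("%s IN CNAME %s" % (alias, target))
    return "\n".join(lines) + "\n"

def reverse_zone(network, serial=1):
    """Text of the reverse zone (db.192 for 192.168.1.0/24): one PTR per host
    address inside the network, written relative to the zone origin."""
    net = ipaddress.ip_network(network, strict=True)
    origin = reverse_zone_name(network)
    lines = _header(serial)
    for host, addrs in sorted(HOSTS.items()):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip in net:
                relative = ip.reverse_pointer[:-(len(origin) + 1)]  # strip ".<origin>"
                lines.append("%s IN PTR %s.%s." % (relative, host, DOMAIN))
    return "\n".join(lines) + "\n"
```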
Webserver & Firewall:
To host a particular website, we need to run a web server on the Linux operating system; the most popular one is Apache2. To control the incoming and outgoing traffic of the network we implemented a firewall using iptables. By appending rules to iptables, incoming traffic is filtered at the incoming port according to the rule given.
Commands to configure Webserver:
1. Installing Apache2 Webserver
Command: sudo apt-get install apache2
2. To check if the web server is able to listen on port 80 or not
Command: netstat -a | more
3. To restart the web server
Command: sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
4. To develop a webpage for the server
Command: cd /var/www
sudo nano index.html
Commands to configure Firewall:
These rules drop specific traffic on top of the INPUT chain's default ACCEPT policy. To deny everything except the allowed traffic, as described above, the chain's default policy has to be changed to DROP once the rules that permit the wanted traffic are in place, and the rules must be saved to survive a reboot.
1. To block ICMP echo requests (pings) arriving at the server. The type to match is echo-request (type 8); type 0 is the echo reply, and dropping it on INPUT would not stop inbound pings:
Command: sudo iptables -A INPUT -d <IP address of the destination system> -p icmp --icmp-type echo-request -j DROP
2. In order to prevent SSH login from a given source:
Command: sudo iptables -A INPUT -s <IP address of the source system> -d <IP address of the destination> -p tcp --dport ssh -j DROP
3. To block the FTP ports:
Command: sudo iptables -A INPUT -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -p tcp --dport 21 -j DROP
4. To block the Telnet port:
Command: sudo iptables -A INPUT -d 192.168.1.40 -p tcp --dport 23 -j DROP
5. To block the webpage for one client (HTTP on port 80 from 192.168.1.45 to the web server 192.168.1.40):
Command: sudo iptables -A INPUT -d 192.168.1.40 -s 192.168.1.45 -p tcp --dport 80 -j DROP
Backup:
The tools used for backup are rsync and SSH. rsync is used to synchronize files between machines; it transfers only the data that is not yet present in the backup copy. SSH provides a secure channel for sending and receiving files between Unix machines; the traffic is encrypted at one end and decrypted at the other.
Steps to configure
1. Install rsync
Command: sudo apt-get install rsync
2. Install ssh
Command: sudo apt-get install openssh-server
3. Create a public and private key pair for authentication
Command: ssh-keygen -t rsa -b 4096
4. Copy the public key to the web server
Command: ssh-copy-id -i /root/.ssh/id_rsa.pub webserver@<IP address of the web server>
5. Edit the crontab
Command: crontab -e
6. Give the schedule and run the rsync command from the crontab to automate the backup of the web server using rsync (in the crontab, the five schedule fields precede the command on the same line)
Command: rsync -avzh -e ssh webserver@<IP address of the web server>:/var/www /home/backupserver/DestinationFolder
Additional Features:
1. Mail Server:
The default mail transfer agent for Ubuntu is Postfix.
Step 1. Install postfix
Command: sudo apt-get install postfix
Step 2. Configure the following:
Command: sudo dpkg-reconfigure postfix
To add the following details:
1. General type of Mail configuration: Internet Site
2. NONE doesn’t appear in the current configuration.
3. System Mail Name: mail.linuxlab.project
4. Root and postmaster mail recipient: <admin_user_name>
5. Other destinations for mail: server1.linuxlab.project
6. Force synchronous updates on mail queue: NO
7. Local network: 127.0.0.0/8
8. Yes does not appear to be requested in current configuration.
9. Mailbox size limit (bytes): 0
10. Local address extension character: +
11. Internet protocols to use: ALL
Step 3. To configure the mailbox format for Maildir
Command: sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
Step 4. Configuring Postfix to perform SMTP AUTH using SASL
Command: sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Generate the certificates to be used for TLS encryption and/or certificate authentication:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 2048 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Step 5. Configuration of Postfix to do TLS encryption for incoming and outgoing mail:
Command: sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_security_level = may'
Step 6. To restart the postfix daemon.
Command: sudo /etc/init.d/postfix restart
2. VPN (Virtual Private Network):
Commands to configure VPN are as given below. PPTP is used here for its simplicity; its MS-CHAPv2 authentication is known to be weak, so it suits a lab rather than protecting real traffic.
i. In order to configure VPN, install the pptpd package.
Command: sudo apt-get install pptpd
ii. Edit /etc/pptpd.conf and set the server's address and the range handed to clients:
localip <VPN server IP>
remoteip 192.168.1.40-45
iii. Edit the file /etc/ppp/pptpd-options to set the DNS server given to clients:
ms-dns 192.168.1.254
iv. To set the user id and password:
Command: sudo nano /etc/ppp/chap-secrets
<username> pptpd <password> *
'*' means the user may be given any IP address from the specified range.
3. NFS (Network File System):
Configuration of NFS is as given below:
i. Configuration of NFS Server:
Command: sudo apt-get install nfs-kernel-server
sudo mkdir -p /export/shared
sudo chmod 777 /export/shared
ii. To edit the file:
Command: sudo nano /etc/exports
And on the last line edit as given below:
append ==> /export/shared <IP address of the client>(rw,sync,no_root_squash)
(no_root_squash lets the client's root user act as root on the export, so it should only be used for a trusted client; rw with a world-writable directory means any user on that client can modify the data.)
Save and exit
iii. Change the directory:
Command: cd /export/shared
touch abc
sudo nano abc
# Enter the data which is required to be seen by the client, then reboot.
sudo reboot
iv. To restart the server.
Command: sudo service nfs-kernel-server restart
v. Configuration of the NFS-client
Command: sudo apt-get install nfs-common
vi. Make a mount point directory in /home and mount the export on it
Command: sudo mount <server IP>:/export/shared /home/<mount point>
sudo reboot
sudo mount -a
(sudo mount -a only mounts entries listed in /etc/fstab, so add the export there if it should come back after the reboot.)
4. Master & Slave:
Steps to configure Master and Slave is as given below:
i. Edit /etc/hosts
Command: sudo nano /etc/hosts
ii. Add the following:
Command:
127.0.0.1 localhost
192.168.1.40 ubuntu.linuxlab.project ubuntu
192.168.1.45 ubuntu.linux.abc ubuntu
iii. Edit the file /etc/bind/named.conf.local on the master virtual machine
Command: sudo nano /etc/bind/named.conf.local
iv. Edit the following (the forward zone on the master, allowing zone transfers to the slave):
zone "linuxlab.project" {
type master;
allow-transfer { <IP address of the slave>; };
file "/etc/bind/zones/db.linuxlab.project";
};
5. PXE Boot and RARP:
The Bootstrap Protocol (BOOTP) is used for a client to obtain an IP address from a server; it is a network protocol in which the server provides a pool of IP addresses. PXE Boot is nothing but an extension of BOOTP and DHCP. Using this protocol we can boot thousands of Linux terminals from a server placed remotely. The PXE Boot configuration is as follows:
i. Configuring the dhcp service.
Add the following lines:
allow booting;
allow bootp;
filename "/pxelinux.0";
ii. Restart the DHCP server, then configure the tftp service.
Command: sudo apt-get install xinetd tftpd
sudo nano /etc/xinetd.d/tftp
Change "disable = yes" to "disable = no"
sudo service xinetd restart
iii. Configuring the vsftpd service:
Command: sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf
Add anon_root=/mnt
anon_upload_enable=NO
iv. Configuring the pxe service
Command: sudo mkdir /tftpboot
sudo cp /usr/lib/syslinux/pxelinux.0 /tftpboot/
Copy the Ubuntu boot files into /tftpboot, then boot the client over PXE into Ubuntu.
6. NTP:
The Network Time Protocol is used for clock synchronization among computer systems against a time reference. It follows a client-server model. Timestamps are sent and received using UDP on port number 123. NTP clients try to synchronize their time with the NTP server.
a. For NTP server
i. Install NTP
Command: sudo apt-get install ntp
ii. Edit /etc/ntp.conf to check it has two restrict lines
Command: restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
iii. Edit /etc/ntp.conf file to only allow specific machines on your own network to synchronize with your NTP server.
Command: restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
iv. To add local clock as backup edit ntp.conf file
Command: server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 10
(A high stratum keeps the local clock as a last resort only; advertising it as stratum 1 would make clients prefer it over real time sources.)
v. Restart NTP server
Command: /etc/init.d/ntp restart
b. For NTP client
i. To synchronize NTP client to NTP server modify ntp.conf
Command: server 192.168.1.38 prefer
ii. Start the ntp daemon process
Command: /etc/init.d/ntp start
iii. To check the NTP status
Command: sudo ntpq -p
iv. Setting local time and date
Command: ntpdate -u 192.168.1.38
To get the current status of NTP
Command: ntpdc -c sysinfo
7. IPSEC OpenSwan:
We installed OpenSwan and edited the /etc/ipsec.conf file to define the peer gateway, the remote and local subnets and the local gateway address:
10.1.1.0/24----(linux)192.168.1.49----------192.168.1.36(linux)------172.16.0.0/24
Status of tunnels can be checked through:
- service ipsec status
- ipsec auto --status
8. NIS:
Network Information Service is a directory service client-server protocol used for distributing system configuration data, such as user names or host names, between computers in a network. It provides simple lookup services for its databases and processes.
a. Server Configuration
1. Install portmap
Command: sudo apt-get install portmap
2. Update portmap default
Command: sudo update-rc.d portmap defaults 10
3. Install NIS
Command: sudo apt-get install nis
You will be given a prompt for your domain name. We used linuxlab.project
4. Edit /etc/default/nis
Command: sudo vim /etc/default/nis
NISSERVER=master
NISCLIENT=false
5. Edit /etc/ypserv.securenets by giving access to your clients
Command: sudo vim /etc/ypserv.securenets
Comment out the line 0.0.0.0 0.0.0.0 (which would allow every host) and add the lab network:
255.255.255.0 192.168.1.0
6. Edit /var/yp/Makefile
Command: sudo vim /var/yp/Makefile
ALL = passwd shadow group hosts
7. Restart the portmap daemon
Command: sudo /etc/init.d/portmap restart
8. Restart the NIS daemon
Command: sudo /etc/init.d/nis restart
9. Invoke /usr/lib/yp/ypinit to build NIS DB, you’ll be asked to add hosts
Command: sudo /usr/lib/yp/ypinit -m
10. Add the users and groups to be used by NIS clients throughout the network to the NIS server
Command: sudo useradd -d /home/NISUser1 -m NISUser1
sudo useradd -d /home/NISUser2 -m NISUser2
11. Give the new users passwords to login and authenticate with NIS clients in your Linux network
Command: sudo passwd NISUser1
sudo passwd NISUser2
12. Compile the new users, groups and passwords into NIS database
Command: cd /var/yp/
sudo make
13. Test NIS
Command: ypcat passwd
b. Client Configuration
1. Install portmap
Command: sudo apt-get install portmap
2. Update portmap defaults
Command: sudo update-rc.d portmap defaults 10
3. Install NIS, be sure to enter the same domain name: linuxlab.project
Command: sudo apt-get install nis
4. Edit /etc/yp.conf and add a server line
Command: sudo vim /etc/yp.conf
domain linuxlab.project server ubuntu.linuxlab.project
5.Edit /etc/nsswitch.conf
Command: sudo vim /etc/nsswitch.conf
passwd: nis compat
group: nis compat
shadow: nis compat
6. Modify the permissions on the default /home folder so XWindows can allow users to login in graphically to a Gnome Desktop
Command: sudo chmod 777 /home
7. Reboot the NIS client
Command: sudo reboot
8. Test NIS client’s connection to the NIS server
Command: ypcat passwd
NISUser1…
NISUser2…
9. Login with NIS user
Command: ypwhich
Ubuntu linuxlab.project
Test Plan:
1. DNS Test Plan:
Following commands are used for testing:
i. Domain Information Groper (dig): used for querying DNS name servers. It performs DNS lookups and displays the response from the queried servers.
ii. nslookup: used to query DNS servers. Its interactive mode lets the user query name servers for information about hosts and domains; its non-interactive mode prints just the name and the requested information for a particular host or domain.
iii. ping: used to check whether the server is reachable at the network layer.
iv. host: used for DNS lookups. It resolves host names to IP addresses and vice versa.
2. DHCP Test: Any system, machine or device that joins the network gets an IP address, and this is done by the DHCP server. The assigned address can be verified using ifconfig (or ipconfig on Windows).
Command: sudo dhclient -r (releases the client's current lease; running dhclient again afterwards requests a fresh IP for the client system)
cat /var/lib/dhcp/dhcpd.leases (on the server, shows the lease granted to each particular device by the DHCP server)
3. Webserver Test: Open the web browser and enter the host name or the local IP address. If this works, then the web server is up and running.
4. Firewall Test: A client can try to ping the servers that are blocked. If the client gets a request timed-out response, the firewall has blocked the client, which shows that the firewall is working properly. Likewise, the client whose HTTP traffic is dropped has no access to the web page because it is restricted.
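A check to go with the DHCP test above, added here and not part of the original page: it parses the dhcpd.leases format and audits every active lease against the pool set in the IPv4 step (192.168.1.35 to 192.168.1.50) and against the server's static address 192.168.1.36, which that range includes. The lease text is constructed; the field layout follows the ISC dhcpd leases file.

```python
import ipaddress
import re

# Added example, not part of the original page: parse /var/lib/dhcp/dhcpd.leases
# and check each active lease against the pool configured in the IPv4 step
# (192.168.1.35 to 192.168.1.50) and against the server's own static address
# 192.168.1.36, which that range includes. The lease text below is constructed.

POOL_START = ipaddress.ip_address("192.168.1.35")
POOL_END = ipaddress.ip_address("192.168.1.50")
STATIC_ADDRESSES = {ipaddress.ip_address("192.168.1.36")}  # never to be leased

SAMPLE_LEASES = """\
lease 192.168.1.37 {
  starts 3 2015/11/18 20:11:02;
  ends 3 2015/11/18 20:21:02;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:01;
  client-hostname "client1";
}
lease 192.168.1.36 {
  starts 3 2015/11/18 20:12:30;
  ends 3 2015/11/18 20:22:30;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.1.38 {
  starts 3 2015/11/18 19:00:00;
  ends 3 2015/11/18 19:10:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:03;
}
"""

LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)

def parse_leases(text):
    """Return {ip: lease} with state, mac, hostname and end time. dhcpd appends
    a new block on every change, so a later block for the same IP wins."""
    leases = {}
    for m in LEASE_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        def field(pattern):
            found = re.search(pattern, body)
            return found.group(1) if found else None
        leases[ip] = {
            "ip": ipaddress.ip_address(ip),
            "state": field(r"binding state (\w+);") or "unknown",
            "mac": (field(r"hardware ethernet ([0-9a-fA-F:]+);") or "").lower() or None,
            "hostname": field(r'client-hostname "([^"]*)";'),
            "ends": field(r"ends \d (\S+ \S+);"),
        }
    return leases

def audit(leases):
    """List (ip, problem) for active leases outside the pool or on a static address."""
    problems = []
    for lease in leases.values():
        if lease["state"] != "active":
            continue
        ip = lease["ip"]
        if not POOL_START <= ip <= POOL_END:
            problems.append((str(ip), "active lease outside the configured pool"))
        if ip in STATIC_ADDRESSES:
            problems.append((str(ip), "pool handed out a server's static address"))
    return problems

def active_macs(leases):
    """MAC -> number of active leases; more than one per MAC is worth a look."""
    counts = {}
    for lease in leases.values():
        if lease["state"] == "active" and lease["mac"]:
            counts[lease["mac"]] = counts.get(lease["mac"], 0) + 1
    return counts
```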
Future Improvements:
1. The Dynamic DNS concept can be implemented in this project.
2. IP spoofing can be restricted in the firewall configuration using iptables, and traffic from particular MAC addresses can be restricted or blocked.
3. Using iptables, the number of parallel connections a particular client may establish can be limited.
4. Backups can be encrypted using symmetric cryptography.
Citations:
Website:
1. www.help.ubuntu.com
2. www.google.com
3. www.youtube.com
Books:
1. Computer Networking – A top down approach (James Kurose and Keith Ross)