Data Networking/Fall 2016/Ad Hoc Network in Linux
LINUX PROJECT
1. Akshay Tandel
2. Vinay Nambiar
3. Kalpesh Shardul
4. Aditya Kadam
Motivation
Most network operating systems are based on some variant of Linux, and Linux tooling shapes every aspect of network administration, so a network engineer should know it. The range of networking technologies built on Linux is vast and growing, and a working knowledge of Linux is necessary for a career as a network engineer. This project let us apply our networking concepts and skills and gave us a sense of Linux's flexibility and usefulness.
Protocols and their behavior
DNS
For humans, remembering websites by name is much easier than remembering their IP addresses, and DNS is the service that makes this possible. The Domain Name System (DNS) is an Internet service that maps fully qualified domain names (FQDNs) to IP addresses and, through reverse lookups, IP addresses back to names, so users do not need to remember addresses. Several names can point at the same device, one for each service it offers. Computers that run DNS software are called name servers. The basic task of a DNS server is to answer a client's query with the address (or name) that matches it. It also caches each query and its response, so later lookups for the same name are answered locally and the page loads faster.
DHCP
DHCP stands for Dynamic Host Configuration Protocol. A DHCP server assigns network settings to hosts automatically, instead of each host being configured by hand. Hosts configured as DHCP clients have no control over the settings they receive from the server, and the configuration is transparent to the host's user.
Important services provided by DHCP server to DHCP clients are:
1. IP address and netmask
2. IP address of the default-gateway to use
3. IP addresses of the DNS servers to use
The advantage of using DHCP is that changes common to all hosts on the network need to be made only on the DHCP server, and every host picks them up when it next renews its lease. Adding new computers to the network is also easier, as there is no need to check whether an IP address is free.
A DHCP server can hand out configuration to clients in three ways:
1. Manual allocation: a fixed address tied to the client's MAC address
2. Dynamic allocation: an address leased from a pool for a limited time
3. Automatic allocation: an address taken from the pool and assigned to the client permanently
Webserver
A web server is a computer system that accepts HTTP requests from clients' web browsers (Firefox, Chrome, Internet Explorer, Safari and so on) and answers them with HTTP responses carrying web pages and other objects. We have used Apache2, a popular web server on Linux systems.
Firewall
A firewall is a security feature that filters the traffic entering and leaving a host or network. iptables is the standard firewall utility on Linux. It lets us control traffic by arranging rules into chains: each rule matches on attributes such as source address, protocol, port or connection state and decides whether the packet is accepted, dropped or rejected, and the first matching rule in a chain wins.
Backup
The tools used for backup are rsync, SSH (with scp) and cron. rsync synchronizes files between two locations and transfers only the data that has changed since the last run. SSH provides an authenticated, encrypted channel for sending and receiving files between Unix machines; the data is encrypted at the sending end and decrypted at the receiving end, so it cannot be read in transit. crontab is used to schedule the backups.
Requirements
Operating system: Ubuntu 14.04
DNS: BIND (Berkeley Internet Name Domain)
DHCP: isc-dhcp-server (dhcpd, the ISC DHCP daemon)
Webserver: Apache2
Steps and Commands used:
DNS
DNS Master Server
Step 1: Install Bind9
Command:
sudo apt-get install bind9
Step 2: Restart the networking daemon
Command:
sudo /etc/init.d/networking restart
Step 3: Add a DNS zone to BIND9
Command:
sudo nano /etc/bind/named.conf.local
# Forward zone
zone "home.zzz" {
    type master;
    file "/etc/bind/db.home.zzz";
    allow-transfer { 192.168.1.90; };
    also-notify { 192.168.1.90; };
};
# Reverse zone (IPv4)
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/rdb.home.zzz";
    allow-transfer { 192.168.1.90; };
    also-notify { 192.168.1.90; };
};
# Reverse zone (IPv6; this zone covers the /48 prefix 2000:2001:2002::/48)
zone "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa" {
    type master;
    notify no;
    file "/etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa";
};
allow-transfer limits zone transfers (AXFR) to the slave at 192.168.1.90. Without it, the BIND 9.9 shipped with Ubuntu 14.04 answers transfer requests from any host, which hands out the complete list of names and addresses in the zone to anyone who asks.
Step 4: Use an existing zone file as a template to create /etc/bind/db.home.zzz
Command:
sudo cp /etc/bind/db.local /etc/bind/db.home.zzz
Edit db.home.zzz as follows:
$TTL 604800
home.zzz. IN SOA ns1.home.zzz. server.home.zzz. (
    12        ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
home.zzz.      IN NS    ns1.home.zzz.
home.zzz.      IN NS    ns2.home.zzz.
ns1.home.zzz.  IN A     192.168.1.89
               IN AAAA  2000:2001:2002:2003::89
ns2.home.zzz.  IN A     192.168.1.90
               IN AAAA  2000:2001:2002:2003::90
example        IN A     192.168.1.89
www.example    IN CNAME example.home.zzz.
example        IN AAAA  2000:2001:2002:2003::89
bostonbeast    IN CNAME example
test           IN A     192.168.1.89
www.test       IN CNAME test.home.zzz.
test           IN AAAA  2000:2001:2002:2003::89
bostonbaba     IN CNAME test.home.zzz.
dn             IN A     192.168.1.20
dn             IN AAAA  2000:2001:2002:2003::20
Names without a trailing dot are relative to the zone origin home.zzz, and a record with a blank owner field belongs to the owner on the line above. Increase the serial every time the file changes, otherwise the slave will not notice the new data.
Now restart the BIND9:
sudo service bind9 restart
Step 5: Set up the IPv4 reverse zone
Command:
sudo cp /etc/bind/db.127 /etc/bind/rdb.home.zzz
Now edit rdb.home.zzz as follows (the owner of each PTR is the last octet of the address, relative to 1.168.192.in-addr.arpa):
$TTL 604800
@ IN SOA home.zzz. server.home.zzz. (
    10        ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
;
@   IN NS  ns1.home.zzz.
@   IN NS  ns2.home.zzz.
89  IN PTR ns1.home.zzz.
90  IN PTR ns2.home.zzz.
89  IN PTR example.home.zzz.
89  IN PTR test.home.zzz.
20  IN PTR dn.home.zzz.
Now restart BIND9
sudo service bind9 restart
Step 6: Set up the IPv6 reverse zone (/etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa)
Each owner name holds the remaining 20 nibbles of the address, least significant first, because the zone origin already covers the /48 prefix; restart BIND9 as in step 5 afterwards.
$ORIGIN 2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa.
;
$TTL 604800
@ IN SOA home.zzz. server.home.zzz. (
    5         ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
;
@ IN NS ns1.home.zzz.
@ IN NS ns2.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR ns1.home.zzz.
0.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR ns2.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR example.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR test.home.zzz.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR dn.home.zzz.
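Forward and reverse zones drift apart easily when they are edited by hand (an address changed in db.home.zzz but not in rdb.home.zzz, or a PTR left behind for a host that no longer exists). The script below is an added example, not code from the project: it parses the zone files above (only the record types they use), then reports every A/AAAA record without a matching PTR, every PTR whose target does not hold that address, and every CNAME whose target does not exist. The zone text is embedded as constructed input so it runs offline; the stale PTR for 192.168.1.21 in the usage is invented to show what a finding looks like.

```python
"""Forward/reverse DNS zone consistency check (added example, not page code).

Parses the zone files above (A, AAAA, CNAME, PTR; SOA/NS are skipped) and
checks that the forward and reverse data agree. Zone text is embedded.
"""
import ipaddress
import re


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, rtype, rdata_tokens, origin) tuples for each record."""
    joined, buf, depth = [], "", 0
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)              # strip comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line       # join "( ... )" records
        depth += line.count("(") - line.count(")")
        if depth == 0:
            joined.append(buf)
            buf = ""
    records, last_owner = [], None
    for line in joined:
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        if tok[0] == "$TTL":
            continue
        # A leading blank owner field means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else _fqdn(tok.pop(0), origin)
        last_owner = owner
        if tok[0].isdigit():                         # optional per-record TTL
            tok.pop(0)
        if tok[0] == "IN":
            tok.pop(0)
        records.append((owner, tok[0], tok[1:], origin))
    return records


def check_consistency(forward, reverses):
    """Return sorted findings; an empty list means the zones agree."""
    addrs, cnames, ptrs = {}, {}, {}
    for owner, rtype, rdata, origin in forward:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(ipaddress.ip_address(rdata[0]))
        elif rtype == "CNAME":
            cnames[owner] = _fqdn(rdata[0], origin)
    for owner, rtype, rdata, origin in reverses:
        if rtype == "PTR":
            ptrs.setdefault(owner, set()).add(_fqdn(rdata[0], origin))
    findings = []
    for name, ips in addrs.items():
        for ip in ips:                               # reverse_pointer: 89.1.168.192.in-addr.arpa
            if name not in ptrs.get(f"{ip.reverse_pointer}.", ()):
                findings.append(f"no PTR for {name} -> {ip}")
    for ptr_owner, targets in ptrs.items():
        for target in targets:
            if not any(f"{ip.reverse_pointer}." == ptr_owner
                       for ip in addrs.get(target, ())):
                findings.append(f"PTR {ptr_owner} -> {target} has no matching A/AAAA")
    for alias, target in cnames.items():
        if target not in addrs and target not in cnames:
            findings.append(f"dangling CNAME {alias} -> {target}")
    return sorted(findings)


# Zone data copied from the files above (SOA trimmed), embedded as test input.
FORWARD = """\
$TTL 604800
home.zzz. IN SOA ns1.home.zzz. server.home.zzz. (
    12 ; Serial
    604800 86400 2419200 604800 )
home.zzz. IN NS ns1.home.zzz.
ns1.home.zzz. IN A 192.168.1.89
    IN AAAA 2000:2001:2002:2003::89
ns2.home.zzz. IN A 192.168.1.90
    IN AAAA 2000:2001:2002:2003::90
example IN A 192.168.1.89
www.example IN CNAME example.home.zzz.
example IN AAAA 2000:2001:2002:2003::89
bostonbeast IN CNAME example
test IN A 192.168.1.89
test IN AAAA 2000:2001:2002:2003::89
dn IN A 192.168.1.20
dn IN AAAA 2000:2001:2002:2003::20
"""
REVERSE_V4 = """\
89 IN PTR ns1.home.zzz.
90 IN PTR ns2.home.zzz.
89 IN PTR example.home.zzz.
89 IN PTR test.home.zzz.
20 IN PTR dn.home.zzz.
"""
REVERSE_V6 = """\
$ORIGIN 2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR ns1.home.zzz.
0.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR ns2.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR example.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR test.home.zzz.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN PTR dn.home.zzz.
"""


def check_page_zones(extra_reverse=""):
    """Run the check on the zones above, plus optional extra IPv4 PTR lines."""
    fwd = parse_zone(FORWARD, "home.zzz.")
    rev = (parse_zone(REVERSE_V4 + extra_reverse, "1.168.192.in-addr.arpa.")
           + parse_zone(REVERSE_V6, "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa."))
    return check_consistency(fwd, rev)


if __name__ == "__main__":
    print(check_page_zones())                              # zones above agree
    print(check_page_zones("21 IN PTR old.home.zzz.\n"))   # invented stale PTR
```

Run it after every zone edit; the same check can be driven from the live servers by feeding it the output of a permitted AXFR (dig @ns1.home.zzz home.zzz axfr from the slave), which also confirms that the allow-transfer restriction is in place for everyone else.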
Slave DNS Server
Edit /etc/bind/named.conf.local on the second server (192.168.1.90). Both zones point at the master at 192.168.1.89, whose allow-transfer list above already permits this host to pull them:
# Forward zone
zone "home.zzz" {
    type slave;
    file "/var/cache/bind/db.home.zzz";
    masters { 192.168.1.89; };
};
# Reverse zone
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/rdb.home.zzz";
    masters { 192.168.1.89; };
};
Now restart BIND9
sudo service bind9 restart
DHCP
1. Install the DHCP server
sudo apt-get install isc-dhcp-server
2. Install the radvd package (router advertisements, so IPv6 clients learn the prefix and default router)
sudo apt-get install radvd
3. Set a static IP address on the DHCP server
sudo nano /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.91
    netmask 255.255.255.0
    gateway 192.168.1.1
    network 192.168.1.0
    broadcast 192.168.1.255
    dns-nameservers 192.168.1.89
    dns-search home.zzz

iface eth0 inet6 static
    address 2000:2001:2002:2003::91
    netmask 64
    gateway 2000:2001:2002:2003::1
dns-nameservers and dns-search are the option names that resolvconf understands; they are written into /etc/resolv.conf when the interface comes up.
4. Enable IPv4 and IPv6 forwarding (this host also acts as the IPv6 router)
sudo nano /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
5. Set eth0 as the interface the DHCP server listens on
sudo nano /etc/default/isc-dhcp-server
INTERFACES="eth0"
6. Configure the DHCP server for IPv4
sudo nano /etc/dhcp/dhcpd.conf
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.150;
    option domain-name-servers 192.168.1.89, 192.168.1.90;
    option domain-name "home.zzz";
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
}
7. Edit the resolv.conf file
sudo nano /etc/resolv.conf
nameserver 192.168.1.89
8. Configure the DHCP server for IPv6
sudo nano /etc/dhcp/dhcpd6.conf
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet6 2000:2001:2002:2003::/64 {
    # Range for clients
    range6 2000:2001:2002:2003::100 2000:2001:2002:2003::150;
    # Range for clients requesting a temporary address
    range6 2000:2001:2002:2003::/64 temporary;
}
The subnet6 declaration must be the prefix the ranges belong to; a block copied from a template with a different prefix (such as the 2001:db8:0:1::/64 documentation prefix) will not hand out the addresses above.
9. Configure radvd
sudo nano /etc/radvd.conf
interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2000:2001:2002:2003::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
With AdvAutonomous on, clients also self-assign SLAAC addresses from this prefix; set AdvManagedFlag on in the interface block if they should obtain their addresses from the DHCPv6 server instead.
10. Reboot the system
sudo init 6
11. Restart the DHCP server
sudo service isc-dhcp-server restart
12. Restart networking
sudo service networking restart
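As an added check (not part of the page's procedure), the script below validates that every range and router in a dhcpd.conf or dhcpd6.conf lies inside the subnet that encloses it, which is the mistake that creeps in when a subnet6 block is copied from a template carrying a different prefix. It understands only the subnet, subnet6, range, range6 and option routers statements used above. The configuration strings are constructed here from the values in steps 6 and 8; the second IPv6 config deliberately nests the ranges under an unrelated 2001:db8:0:1::/64 block so that a finding is produced.

```python
"""Range/subnet sanity check for dhcpd.conf and dhcpd6.conf (added example).

Walks the braces of a dhcpd(6) configuration and reports any range, range6
or option routers value that is not inside its enclosing subnet/subnet6.
"""
import ipaddress
import re


def _inside(token, net):
    """True if an address or prefix token lies within net (False across families)."""
    try:
        if "/" in token:
            return ipaddress.ip_network(token, strict=False).subnet_of(net)
        return ipaddress.ip_address(token) in net
    except (TypeError, ValueError):
        return False


def check_dhcp(conf):
    """Return a list of findings; empty means every range/router fits its subnet."""
    findings, stack, depth = [], [], 0
    text = re.sub(r"#.*", "", conf)                      # drop comments
    text = text.replace("{", ";{;").replace("}", ";};")  # braces become statements
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt:
            continue
        tok = stmt.split()
        if stmt == "{":
            depth += 1
        elif stmt == "}":
            depth -= 1
            if stack and stack[-1][0] == depth:          # leaving a subnet block
                stack.pop()
        elif tok[0] == "subnet6":
            stack.append((depth, ipaddress.ip_network(tok[1])))
        elif tok[0] == "subnet":                         # subnet A.B.C.D netmask M
            stack.append((depth, ipaddress.ip_network(f"{tok[1]}/{tok[3]}")))
        elif tok[0] in ("range", "range6") and stack:
            net = stack[-1][1]
            addrs = [t for t in tok[1:] if t != "temporary"]
            if not all(_inside(a, net) for a in addrs):
                findings.append(f"'{stmt}' is outside subnet {net}")
        elif tok[:2] == ["option", "routers"] and stack:
            net = stack[-1][1]
            for router in " ".join(tok[2:]).split(","):
                if not _inside(router.strip(), net):
                    findings.append(f"router {router.strip()} is outside subnet {net}")
    return findings


# Constructed configs using the values from steps 6 and 8 above.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.150;
    option domain-name-servers 192.168.1.89, 192.168.1.90;
    option domain-name "home.zzz";
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
}
"""
DHCPD6_GOOD = """\
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet6 2000:2001:2002:2003::/64 {
    # Range for clients
    range6 2000:2001:2002:2003::100 2000:2001:2002:2003::150;
    # Range for clients requesting a temporary address
    range6 2000:2001:2002:2003::/64 temporary;
}
"""
# Same ranges, but left under a subnet6 block copied from a template.
DHCPD6_BAD = """\
subnet6 2000:2001:2002:2003::/64 {
  subnet6 2001:db8:0:1::/64 {
    range6 2000:2001:2002:2003::100 2000:2001:2002:2003::150;
    range6 2000:2001:2002:2003::/64 temporary;
  }
}
"""

if __name__ == "__main__":
    for name, conf in (("dhcpd.conf", DHCPD_CONF), ("dhcpd6 good", DHCPD6_GOOD),
                       ("dhcpd6 bad", DHCPD6_BAD)):
        print(name, check_dhcp(conf) or "ok")
```

Run it against the real files (check_dhcp(open("/etc/dhcp/dhcpd6.conf").read())) before restarting the daemon; dhcpd's own -t syntax check does not tell you that a range belongs to a different prefix than the one your clients are on.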
Webserver
1. Install apache2
sudo apt-get install apache2
2. Make the document root directories
sudo mkdir -p /var/www/example.home.zzz/public_html
sudo mkdir -p /var/www/test.home.zzz/public_html
3. Create a web page for each host: open an index.html
nano /var/www/example.home.zzz/public_html/index.html
4. Write a short HTML document that names the site it belongs to, so the two hosts can be told apart in the browser.
Save and close the file when you are finished.
5. Repeat the same procedure for test.home.zzz
6. Create new virtual host files
Create the first virtual host file by copying the default one:
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.home.zzz.conf
Open the new file in nano with root privileges:
sudo nano /etc/apache2/sites-available/example.home.zzz.conf
The virtual host file should look like this:
<VirtualHost *:80>
    ServerAdmin admin@example.home.zzz
    ServerName example.home.zzz
    ServerAlias www.example.home.zzz
    DocumentRoot /var/www/example.home.zzz/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save and close the file.
Copy the first virtual host file and customize it for the second domain
sudo cp /etc/apache2/sites-available/example.home.zzz.conf /etc/apache2/sites-available/test.home.zzz.conf
Open the new file in nano with root privileges:
sudo nano /etc/apache2/sites-available/test.home.zzz.conf
It should look like this:
<VirtualHost *:80>
    ServerAdmin admin@test.home.zzz
    ServerName test.home.zzz
    ServerAlias www.test.home.zzz
    DocumentRoot /var/www/test.home.zzz/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save and close the file when you are finished.
7. Enable the new virtual host files
sudo a2ensite example.home.zzz.conf
sudo a2ensite test.home.zzz.conf
8. Restart Apache to make these changes take effect:
sudo service apache2 restart
9. Set up the local hosts file (optional, for testing from a machine that does not use the DNS server above)
sudo nano /etc/hosts
It should look like this:
127.0.0.1    localhost
127.0.1.1    ubuntu
192.168.1.89 example.home.zzz
192.168.1.89 test.home.zzz
Save and close the file.
10. Test the result in a web browser:
http://example.home.zzz
http://test.home.zzz
Firewall
1. Allow only 192.168.1.90 to telnet to the web server. The rule is inserted at position 1 of the INPUT chain so that it is evaluated before the blocking rule in step 2; iptables stops at the first matching rule, so an ACCEPT appended after the REJECT would never be reached.
sudo iptables -I INPUT 1 -s 192.168.1.90 -p tcp -m tcp --dport 23 -j ACCEPT
2. Block all other telnet access arriving on eth0.
sudo iptables -A INPUT -p tcp -m tcp --dport 23 -i eth0 -j REJECT
3. Block FTP (control port 21 and active-mode data port 20).
sudo iptables -A INPUT -p tcp -m tcp --dport 21 -i eth0 -j REJECT
sudo iptables -A INPUT -p tcp -m tcp --dport 20 -i eth0 -j REJECT
4. Save the rules so that they survive a reboot:
sudo apt-get install iptables-persistent
sudo invoke-rc.d iptables-persistent save
Telnet and FTP both send passwords in clear text. The rules above limit who can reach them; SSH, used for the backup below, is the safer replacement for both.
Backup
1. Install the SSH server on the backup server
sudo apt-get install openssh-server
2. Install the SSH client on the other VM (the web server)
sudo apt-get install openssh-client
3. Generate a key pair on the client, as the user who will run the backup (not with sudo, which would create the key for root instead)
ssh-keygen -t rsa
4. Copy the public key to the backup server; ssh-copy-id appends it to ~/.ssh/authorized_keys of the remote account
ssh-copy-id akshay@192.168.1.90
5. Create a tar archive of the web roots and send it securely to the backup server
tar -cjvf /home/tandel/backup/`date '+%Y%m%d-%H%M'`backup.tbz /var/www/example.home.zzz /var/www/test.home.zzz
scp /home/tandel/backup/`date '+%Y%m%d-%H%M'`backup.tbz akshay@192.168.1.90:/home/akshay/backup/backups/
The date format %Y%m%d-%H%M gives archive names that sort chronologically and stay distinct for runs in the same hour; a pattern that starts with the hour, such as %H%h%m%d%y, does neither. tar's -P option (keep absolute paths) is deliberately not used, so that extracting the archive later cannot silently overwrite the live /var/www.
6. Schedule the backup automatically (daily at 12:00)
sudo crontab -e
0 12 * * * f=/home/tandel/backup/$(date +\%Y\%m\%d-\%H\%M)backup.tbz; /bin/tar -cjf "$f" /var/www/example.home.zzz /var/www/test.home.zzz && /usr/bin/scp "$f" akshay@192.168.1.90:/home/akshay/backup/backups/
In a crontab every % must be escaped as \%, because cron otherwise treats it as a newline; computing the file name once avoids tar and scp disagreeing when the minute changes between them, and the && runs scp only if tar succeeded. Because this is root's crontab the job runs as root, so the key pair from step 3 must belong to root (or put the job into the user's own crontab with crontab -e).
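A backup that is never verified is a guess. The script below is an added example, not the project's cron job: it builds the same kind of timestamped bzip2 tar archive as step 5, stores paths relative to / (what tar does without -P), restricts the archive to the owner, writes a SHA-256 digest beside it, and re-reads the archive to confirm the digest and list its contents, which is what the backup server should do after the scp. The demo() helper creates a constructed web-root tree in a temporary directory so it runs anywhere; the 2016-11-01 12:00 timestamp is fixed only to make the output predictable.

```python
"""Timestamped, verifiable backup archive (added example, not page code)."""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime


def archive_name(now=None):
    """Sortable name such as 20161101-1200backup.tbz (year first, minutes kept)."""
    now = now or datetime.now()
    return now.strftime("%Y%m%d-%H%M") + "backup.tbz"


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dirs, dest_dir, now=None):
    """Write <dest_dir>/<stamp>backup.tbz and a .sha256 file; return (path, digest)."""
    path = os.path.join(dest_dir, archive_name(now))
    with tarfile.open(path, "w:bz2") as tar:
        for directory in src_dirs:
            # Relative paths (like tar without -P): a restore cannot clobber
            # the live tree unless the operator extracts at / on purpose.
            tar.add(directory, arcname=os.path.relpath(directory, os.sep))
    os.chmod(path, 0o600)                 # the archive holds the whole web root
    digest = sha256_file(path)
    with open(path + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(path)}\n")
    return path, digest


def verify_backup(path):
    """Check the recorded digest and return the sorted list of files inside."""
    with open(path + ".sha256") as fh:
        expected = fh.read().split()[0]
    if sha256_file(path) != expected:
        raise ValueError(f"digest mismatch for {path}")
    with tarfile.open(path, "r:bz2") as tar:
        return sorted(member.name for member in tar.getmembers() if member.isfile())


def demo():
    """Constructed web roots in a temp dir: back them up, then verify the archive."""
    root = tempfile.mkdtemp()
    sites = []
    for site in ("example.home.zzz", "test.home.zzz"):
        public_html = os.path.join(root, "www", site, "public_html")
        os.makedirs(public_html)
        with open(os.path.join(public_html, "index.html"), "w") as fh:
            fh.write(f"<h1>{site}</h1>\n")
        sites.append(os.path.join(root, "www", site))
    dest = os.path.join(root, "backup")
    os.makedirs(dest)
    path, _ = make_backup(sites, dest, now=datetime(2016, 11, 1, 12, 0))
    return path, verify_backup(path)


if __name__ == "__main__":
    archive, files = demo()
    print(archive)
    print("\n".join(files))
```

On the real hosts, call make_backup(["/var/www/example.home.zzz", "/var/www/test.home.zzz"], "/home/tandel/backup") from the cron job, scp both the archive and its .sha256 file, and run verify_backup on the backup server; a digest mismatch means the copy is not one you can restore from.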
Add-ons
ARP cache poisoning
The Address Resolution Protocol (ARP) resolves Internet-layer (IP) addresses into link-layer (MAC) addresses, a critical function in local networks. ARP has no authentication: a host accepts any reply that claims to map an IP address to a MAC address and stores it in its ARP cache, which is what makes cache poisoning possible.
Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a wide range of protocols, send them on the wire, capture them, match requests with replies, and much more. It handles most classical tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f and others), and it also performs well at many specific tasks that most other tools cannot handle, such as sending invalid frames, injecting custom 802.11 frames and combining techniques (VLAN hopping plus ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, and so on).
We created a Python script using Scapy to poison the ARP cache of a client system.
Setup:
We have three different systems in our network.
1. Attacker
2. Victim
3. Web server
The web server hosts the page that the victim views. We then ran a Scapy script that floods the victim with forged ARP replies mapping the web server's IP address to the attacker's MAC address. From then on, every request the victim sends to port 80 of the web server's address is delivered to the attacker instead, and the victim sees the HACKED page hosted by the attacker.
Command: Python (Scapy) script.
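The Scapy script itself is not reproduced above, so the following added example (not the project's code) shows the two halves of the story in plain Python: what a forged ARP reply contains, built byte by byte with struct, and how a monitor on the victim's segment detects it, by flagging a known IP address that suddenly claims a different MAC. All MAC and IP addresses are constructed for the demo; nothing is put on the wire (that would need a raw socket and is deliberately left out), so the script runs anywhere.

```python
"""Forged ARP reply and a detector for it (added example, not page code).

Nothing here touches the network: build_arp_reply() only returns bytes, and
ArpWatch consumes frames handed to it. Addresses in the demo are constructed.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP 'is-at' reply: sender_ip is at sender_mac.

    A poisoner puts the server's (or gateway's) address in sender_ip and its
    own MAC in sender_mac; the victim caches the pair without any check.
    """
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet(1), protocol IPv4(0x0800), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(body[0:6]), "sender_ip": ip(body[6:10]),
            "target_mac": mac(body[10:16]), "target_ip": ip(body[16:20])}


class ArpWatch:
    """Track IP-to-MAC bindings seen in ARP replies and alert when one changes.

    That change is the symptom poisoning produces. Seed the table with the
    bindings you trust, e.g. the DHCP server's static reservations.
    """

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        fields = parse_arp(frame)
        if fields is None or fields["op"] != ARP_REPLY:
            return fields
        ip, mac = fields["sender_ip"], fields["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac}")
        self.table.setdefault(ip, mac)       # keep the first (trusted) binding
        return fields


if __name__ == "__main__":
    # Constructed lab: the web server .89 really owns 00:11:22:33:44:89; the
    # attacker at 00:de:ad:be:ef:01 tells the victim (.100) otherwise.
    poison = build_arp_reply("00:de:ad:be:ef:01", "192.168.1.89",
                             "00:11:22:33:44:aa", "192.168.1.100")
    watch = ArpWatch({"192.168.1.89": "00:11:22:33:44:89"})
    watch.observe(poison)
    print(watch.alerts)
```

The same logic, fed from a packet capture on the victim's segment, is a minimal arpwatch; the durable fixes are static ARP entries for the gateway and servers on the victim, or dynamic ARP inspection on the switch, since nothing in the protocol itself lets the victim tell the forged reply from a genuine one.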
IPsec VPN tunnels
IPsec works at the network layer. We used IPsec to protect data crossing the network: it encrypts and authenticates each packet, which protects against eavesdropping, masquerading and manipulation. When two machines set up a VPN connection they first agree on parameters such as the authentication method and the encryption algorithms to use inside the tunnel; this is called VPN negotiation and is carried out by IKE. We set up a transport-mode IPsec connection between two systems.
Setup:
Two independent virtual machines exchange encrypted traffic; strongSwan handles the negotiation on both of them.
Commands:
1. sudo apt-get install ipsec-tools strongswan-starter
2. sudo nano /etc/ipsec.conf
3. Add the connection:
conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=<Left IP>
    right=<Right IP>
    type=transport
    esp=aes128gcm16!
4. sudo nano /etc/ipsec.secrets
5. <Left IP> <Right IP> : PSK "Your password here!"
6. sudo ipsec restart
7. sudo ipsec statusall
The same configuration is applied on the other system with the same left and right values. auto=route installs the policy at start-up so the first packet matching it triggers the negotiation; esp=aes128gcm16! requires AES-GCM (authenticated encryption) and the trailing ! stops strongSwan from adding weaker default proposals. A pre-shared key is only as strong as the passphrase, so use a long random string rather than a dictionary word.
Then check the tunnel by pinging from one side while running tcpdump esp on the other: the ICMP payload is no longer visible, only ESP packets.
NFS
The Network File System (NFS) lets a system share directories and files with others over a network. Users and programs on an NFS client can access files on the server almost as if they were local. Commonly used data can be kept on a single machine and reached from every other machine on the network; home directories can live on the NFS server and be mounted on every workstation; and storage devices on one machine can be used by the others, which reduces the number of removable media drives needed across the network.
Step 1: Configure the NFS host
Command:
sudo apt-get install nfs-kernel-server
Create the share directory on the host server
sudo mkdir /var/nfs
Configure the NFS exports on the host server
sudo nano /etc/exports
Append at the end of the file:
/home    <IP address of client>(rw,sync,no_root_squash,no_subtree_check)
/var/nfs <IP address of client>(rw,sync,no_subtree_check)
Listing a single client address restricts who may mount each export; a bare * would open it to every host that can reach the server. no_root_squash on /home lets root on the client act as root on the server's /home, so leave it out (the default root_squash maps the client's root to nobody) unless the client genuinely needs root access to those files.
Create the NFS table that holds the exports of the shares
sudo exportfs -a
Start the NFS service
sudo service nfs-kernel-server start
Step 2: Configure the NFS client
Install the nfs-common package on the NFS client
sudo apt-get install nfs-common
Create the mount points on the client, including the necessary parent directories
sudo mkdir -p /mnt/nfs/home
sudo mkdir -p /mnt/nfs/var/nfs
Mount the remote shares on the NFS client (1.2.3.4 stands for the server's IP address)
sudo mount 1.2.3.4:/home /mnt/nfs/home
sudo mount 1.2.3.4:/var/nfs /mnt/nfs/var/nfs