Data Networking/Fall 2016/SARA
Motivation
[edit | edit source]This project builds a deeper understanding of basic Networking fundamentals through practical implementation of a Domain Name System Server (DNS), Dynamic Host configuration Protocol Server (DHCP), Web Server, Firewall, Backup Server. The concepts that are part of the Data Networking class (TELE5330) became clearer through the implementation of this project.
The aim of this project is to deliver a complete network solution in which the servers and clients will be able to obtain an IP address from the DHCP server, and then with the help of our DNS Server, the users within our network should be able to successfully fetch the web page that is being host in our own web server... Moreover, we will implement and configure extra networking tools like firewall, backup server etc. to provide a robust, secure, intelligent inter-networking scheme that could be used at any company or organization.
Team Members
[edit | edit source]1. Shriya Kane
2. Aditya Kulkarni
3. Rohit Dongare
4. Amruta Kondra
Behaviour of Protocols
[edit | edit source]Domain Name System
[edit | edit source]DNS resolves domain names into corresponding IP addresses also vice versa. It runs over primarily on UDP and on TCP on port number 53. Reverse look up is facilitated by in-addr.arpa. It follows hierarchical system of Local name servers, Root name servers, Top level domain (TLD) servers and Authoritative name servers. Generally, queries from host to local name server are recursive and rest all are iterative. Resource record is a four-tuple: {Name, Value, Type, TTL}
1. A: Name is hostname and Value is IP address.
2. AAAA: Name is hostname and Value is IPv6 address.
3. NS: Name is hostname and Value is the hostname of the authoritative server.
4. CNAME: Value is the canonical name for a Name hostname.
5. MX: Translation of an alias mail server to its canonical name.
6. PTR:
Gives IP address to hostname translation.
Dynamic Host Configuration Protocol
[edit | edit source]Dynamic Host Configuration Protocol is a client/server protocol that automatically assigns IP-addresses to client machines. It also provides related configuration information like the subnet mask, DNS server, default gateway etc. DHCP is controlled by a DHCP server which helps in automatic allocation of the IP addresses to the machines from a defined range of IP's for a given network .
There are 3 ways of IP address allocation:
- Static Allocation:-IP addresses are assigned statically and remain fix until changes are made by the network administrator.
- Dynamic Allocation:-IP addresses are assigned to the machines from a specified IP address range in the DHCP server.We can assign both IPv4 and IPv6 addresses.In dynamic allocation to avoid wastage of IP addresses , we need to provide a suitable subnet mask for correct IP address allocation.
- Automatic Allocation:-Same IP address is allocated when a machine connects to a network.
Webserver & Firewall
[edit | edit source]A Webserver is a program that uses HTTP to respond to requests made by clients. A computers browser acts as a client which makes a request to a server. The Server can be requested using the fixed IP address of the server as well. Since it is difficult for users to remember the IP address of servers the fixed IP address is mapped with to a unique name using the DNS server. In this case the fixed IP address of the server is 10.10.10.5 and the name it is mapped to is Linuxsara.com. The secondary web server IP 10.10.10.6 is also mapped to the same name. Apache2 is one of the most commonly used web server. This web server is sed to serve Web pages requested by client computers.
A firewall is a network security implementation that allows or denies specific network traffic to the monitored incoming and outgoing traffic. Ubuntu has an inbuilt firewall called “uncomplicated firewall”- ufw. By default, ufw is disabled. We need to enable ufw and add the specific commands to allow or deny IP addresses and protocols.
Backup Server
[edit | edit source]In order to prevent the loss of data due to any unforeseen events backing up of the data is of at most importance. System backup provides security to the network by retaining compressed versions of the filesystems of various nodes in the network.The web server has to create a backup of its files and store in a remote server. In the event of system crash, corruption or failure, the filesystem can be restored from the backup that was stored beforehand. Systems backups are taken as frequently as desired.
Signalling
[edit | edit source]Domain Name System
[edit | edit source]1. DNS request is sent to Local DNS server.
2. Local DNS forwards the query to Root name server.
3. Root name server responds with the A record for TLD server.
4. Local DNS then sends query to TLD.
5. TLD responds with NS and A record for the Authoritative server.
6. Local DNS then queries Authoritative server and it in turn responds with the A record for the queried hostname.
7. Local DNS then responds with that reply from Authoritative server to the client.
Dynamic Host Configuration Protocol
[edit | edit source]DHCP signalling:-
DHCP is a connection-less service model which uses UDP (User Data-gram Protocol). DHCP uses two UDP ports for its operations , 67 is used by the DHCP server and 68 is used by the DHCP client. These ports are similar to the BOOTP protocol.
The DHCP operates as follows:-
1) DHCP DISCOVER: The DHCP server starts with a client broadcasting a request using a destination address or a specific subnet broadcast address.This is the IP address lease request.
2) DHCP OFFER: Once the DHCP server receives the DHCPrequest from the client, the server reserves an IP address for that client and makes the lease offer by sending a DHCPOFFER message to the client. The DHCP OFFER message contains the MAC address of the client, the leased IP address, the subnet mask, the lease duration and the the IP address of the DHCP server.
3) DHCP REQUEST: In response to the DHCPOFFER message, the client replies with a DHCPREQUEST to the server,requesting the offered address.The client can receive DHCP offers from multiple DHCP servers,but the client accepts only one offer. The servers are informed about whose offer is accepted by the client.When the other servers receive this message, they withdraw their offer and send back the offered IP address back to the IP pool.
4) DHCP ACKNOWLEDGEMENT: When the DHCP server receives the DHCPREQUEST message from the client,the configuration goes into the final state.In this phase a DHCPACK packet is sent to the client.This packet has the information about the lease duration and other details requested by the client.
Web Server
[edit | edit source]1.Download the apache2 package for webserver.
2.After the package is installed, the Apache 2 web server is started.
3.Change the directory if desired. (It has been done in this project)
4.The web page of the server is changed and restarted.
5.Add specific address to web server port.
6.To listen only on specific IP address we add commands to ensure web server listens only on specific IPv4 and IPv6 address. Server listens on port 80.
7.Backup data in compressed form which the backup server can retrieve when required.
Firewall
[edit | edit source]1. The IP tables are configured in the web server.
2. The HTTP response and HTTP request from the web server are accepted, forwarded or rejected based on the IP tables.
Backup Server
[edit | edit source]1. The web server backs up its data with backup server.
2. It retrieves the compressed data of .zip file format by using rsync command and with the help of ssh protocol, the data is synced between the web server and the backup serve
3. All these commands are automated using crontab
The Requirements
[edit | edit source]- Implement a DHCP server that assigns IP addresses to the clients in the network
- Implement a web server that hosts a web page
- Implement a master DNS server and a slave DNS server
- Ensure that the clients in the network can access the web pages in the server by getting the name-to-IP address resolved by the DNS server
- Create backups of the webpages of the web server to another backup server on the network
Hierarchy
[edit | edit source]Dynamic Host Configuration Protocol (DHCP)
1. When a clients joins a private network, the Dynamic Host Configuration Protocol(DHCP) assigns an IP address based on the DHCP pool to the client. 2. The client initially sends an DHCP discover message to determine the DHCP server. 3. The DHCP server broadcasts a DHCP Offer message to the client with an IP address. 4. The client sends an DHCP request with the required IP address in the pool of IP address. 5. The DHCP server acknowledges the IP address by sending an DHCP Acknowledgement message back to the client.
Client -> DNS Server -> Client
1.Client sends HTTP request to web server by its URL. 2.DNS request is sent to the appropriate DNS server 3.Client receives DNS response with the corresponding IP address for the web server.
Web Server
1.Using the IP address corresponding to the particular Domain name the Client sends a HTTP request to the Web Server. 2.The Web server responds to the Client with its HTML page 3.Web server creates a Backup zip file.
Backup Server
1. The web server backs up its data with backup server. 2. By using rsync command and with the help of ssh protocol, the data is synced between the webserver and the backup server. 3. All these commands are automated using crontab.
Configuration
[edit | edit source]DNS
[edit | edit source]BIND9 DNS server is used. Master and slave configuration is implemented in which slave is updated automatically with the master DNS. Both forward and reverse look ups have been implemented.
Steps to configure Master DNS server:
1.Installing BIND9 DNS server:
sudo apt-get install bind9 bind9utils bind9-d
2.Change hostname:
sudo nano /etc/hostname primary
3.Edit hosts file:
sudo nano /etc/hosts 127.0.0.1 localhost 10.10.10.2 primary.linuxsara.com primary
4.Edit file
sudo nano /etc/resolvconf/resolv.conf.d/head nameserver 10.10.10.2 nameserver 10.10.10.3 search linuxsara.com
5.Edit this file to configure forwarders:
sudo nano /etc/bind/named.conf.options forwarders { 10.10.10.1; };
6.Create forward and reverse zones:
sudo nano /etc/bind/named.conf.local # Forward zone zone "linuxsara.com" { type master; file "/etc/bind/zones/db.linuxsara.com"; allow-transfer {10.10.10.3;}; };
# Reverse IPv4 Zone
zone "10.10.10.in-addr.arpa" { type master; file "/etc/bind/zones/db.10"; allow-transfer {10.10.10.3;}; };
- Reverse IPv6 Zone
zone "1.0.1.f.0.0.1.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/bind/zones/db.2001"; allow-transfer {10.10.10.3;}; };
7.Create folder ‘Zones’
sudo mkdir /etc/bind/zones
8.Copy contents of local hostname file to the file ‘db.linuxsara.com’
sudo cp /etc/bind/db.local /etc/bind/zones/db.linuxsara.com
9.Edit ‘db.linuxsara.com’ file to create records for forward and reverse zones
sudo nano /etc/bind/zones/db.linuxsara.com ; BIND data file for linuxsara.com ; $TTL 604800 @ IN SOA primary.linuxsara.com. admin.linuxsara.com. ( 7 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS primary.linuxsara.com. @ IN NS sec.linuxsara.com. @ IN A 10.10.10.5 @ IN A 10.10.10.6 primary IN A 10.10.10.2 sec IN A 10.10.10.3 sloth IN A 10.10.10.5 sloth IN A 10.10.10.6 www IN CNAME sloth.linuxsara.com. web IN AAAA 2001:0dbd:0100:f101::5
10.Copy contents of local hostname file to ‘db.10’
sudo cp /etc/bind/db.127 /etc/bind/zones/db.10
11.Edit ‘db.10’ to add reverse records.
sudo nano /etc/bind/zones/db.10 ; BIND reverse data file for linuxsara.com ; $TTL 604800 @ IN SOA primary.linuxsara.com. admin.linuxsara.com. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS primary.linuxsara.com. @ IN NS sec.linuxsara.com. 5 IN PTR linuxsara.com. 6 IN PTR linuxsara.com. 2 IN PTR primary.linuxsara.com. 3 IN PTR sec.linuxsara.com.
12. Create file ‘db.2001’ in a same way as created for IPv4
sudo nano /etc/bind/zones/db.2001
; 2001:db8:acad:abcd::/64 ; ; $TTL 1h ; Default TTL @ IN SOA primary.linuxsara.com. admin.linuxsara.com. ( 2016120301 ; serial 1h ; slave refresh interval 15m ; slave retry interval 1w ; slave copy expire time 1h ; NXDOMAIN cache time )
; ; domain name servers ; @ IN NS primary.linuxsara.com. @ IN NS sec.linuxsara.com.
; IPv6 PTR entries 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR web.linuxsara.com. 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR web.linuxsara.com.
Steps to Configure Slave DNS Server:
Repeat steps from 1 to 5.
Create forward and reverse zones:
sudo nano /etc/bind/named.conf.local
- Forward zone
zone "linuxsara.com" { type slave; masters {10.10.10.2;}; file "/etc/bind/zones/db.linuxsara.com"; };
- Reverse IPv4 Zone
zone "10.10.10.in-addr.arpa" { type slave; masters {10.10.10.2;}; file "/etc/bind/zones/db.10"; };
- Reverse IPv6 Zone
zone "1.0.1.f.0.0.1.0.8.b.d.0.1.0.0.2.ip6.arpa" { type slave; file "/etc/bind/zones/db.2001"; masters {10.10.10.2;}; };
Testing
1.Use ‘nslookup’ command to query DNS server for multiple hostnames.
Example: nslookup linuxsara.com
nslookup www.linuxsara.com
nslookup sloth.linuxsara.com
2.Use ‘dig’ command for the detailed analysis of DNS records and authoritative servers
DHCP
[edit | edit source]STEPS TO CONFIGURE DHCP server for IPv4:-
Step 1: Update all the packages
sudo apt-get update
Step 2: Install DHCP server
sudo apt-get install isc-dhcp-server
Step 3: Edit the configuration file
cd /etc / dhcp / dhcpd.conf
sudo nano dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 { range 10.10.10.30 10.10.10.50; option domain-name-server 10.10.10.2, 10.10.10.3; option domain-name "linuxsara.com"; option routers 10.10.10.1; option broadcast-address 10.10.10.255; default-lease-time 21600; max-lease-time 43200; }
static IP address using DHCP
host PrimaryDNSserver{ hardware ethernet 00:0c:29:aa:ef:29; fixed-address 10.10.10.2; }
host WEBserver{ hardware ethernet 00:0c:29:87:26:23; fixed-address 10.10.10.5; }
host Backupserver{ hardware ethernet 00:0c:29:67:FF:83; fixed-address 10.10.10.10; }
host SecondaryDNSserver{ hardware ethernet 00:0c:29:6d:66:03; fixed-address 10.10.10.3; }
STEP 4: edit the interface
sudo nano /etc/default/isc-dhcp-server INTERFACES="eth0"
STEP 5: Assign a static IP to ETH0
sudo nano /etc/network/interfaces #Static IP for DHCP (IPV4) auto eth0 iface eth0 inet static address 10.10.10.4 netmask 255.255.255.0 gateway 10.10.10.1 network 10.10.10.0 broadcast 10.10.10.255
- DNS
dns-domain linuxsara.com dns-search linuxsara.com dns-nameservers 10.10.10.2 10.10.10.3
STEP 6: Restart the interfaces and the DHCP server
sudo /etc/init.d/networking restart sudo service isc-dhcp-server restart sudo service isc-dhcp-server start sudo service isc-dhcp-server stop
STEPS TO CONFIGURE DHCP server for IPv6
STEP 1:Configure the /etc/network/interfaces with static IP of IPV6
sudo nano /etc/network/interfaces iface eth0 inet6 static pre-up modprobe ipv6 address 2001:0db8:0100:f101::4 netmask 64 gateway 2001:0db8:0100:f101::1
STEP 2:Set in /etc/sysctl.conf the following configuration
sudo nano /etc/sysctl.conf net.ipv6.conf.all.forwarding=1
STEP 3:Execute the following command to make changes in the kernel
sudo sysctl -w net.ipv6.conf.all.forwarding=1
STEP 4:Install the router advertisement daemon
sudo apt-get install radvd
STEP 5:Configure the radvd.conf file
/etc/radvd.conf
STEP 6:Start the daemon
sudo service radvd start
STEP 7:Create and edit the dhcpd6.conf file
nano /etc/dhcp/dhcpd6.conf ddns-update-style none;
default-lease-time 600; max-lease-time 720; subnet6 2001:db8:acad:abcd::/64 { range6 2001:0db8:0100:f101::30 2001:0db8:0100:f101::45; option dhcp6.name-servers 2001:0db8:0100:f101::2, 2001:0db8:0100:f101::3; option dhcp6.domain-search "linuxsara.com"; }
STEP 8:Start the dhcp server6
sudo service isc-dhcp-server6 start
DHCP Testing:-
a) ifconfig
Check whether the client has been assigned with an IP address from the given range.
b)grep -i dhcp /var/log/syslog
Check logs on the client for the DHCP message
c)sudo dhclient -r
Releases the current IP address assigned.
Webserver
[edit | edit source]1) Install the apache2 package:
sudo apt-get update
sudo apt-get install apache2
2)Change the Default Directory apache2 server: -
a)Change the directory to the user defined directory in apache2.conf file
sudo nano /etc/apache2/apache2.conf
<Directory /home/rohit/@TSM/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
b)Change the Document root to point towards the Particular folder containing the html page.
sudo nano /etc/apache2/sites-enabled/000-default.conf
DocumentRoot /home/rohit/@TSM/Linux_Project
3)Change the HTML file
4)Assigning IP addresses to the Webservers:-
a)The primary webserver has a statically assigned IPv4 address from the DHCP server and a static IPv6 address configured. sudo nano /etc/network/interfaces Add the following: -
auto eth0 allow-hotplug eth0 iface eth0 inet dhcp
iface eth0 inet6 static address 2001:db8:100:f101::6 netmask 64 gateway 2001:db8:100:f101::1
b)The secondary webserver has a statically configured IPv4 address and a static IPv6 address configured. sudo nano /etc/network/interfaces Add the following: -
iface eth0 inet static address 10.10.10.6 netmask 255.255.255.0 network 10.10.10.0 gateway 10.10.10.1 dns-nameservers 10.10.10.2 dns-nameservers 10.10.10.3
iface eth0 inet6 static address 2001:db8:100:f101::6 netmask 64 gateway 2001:db8:100:f101::1
5)Listen for HTTP requests on both IPv4 and IPv6 address for primary and secondary webservers:-
Primary:- sudo nano /etc/apache2/ports.conf Add the following: -
NameVirtualhost *:80 Listen 10.10.10.5:80 Listen [2001:db8:100:f101::5]:80
Secondary:-
sudo nano /etc/apache2/ports.conf Add the following: -
NameVirtualhost *:80 Listen 10.10.10.6:80 Listen [2001:db8:100:f101::6]:80
6)Restart the server
Sudo /etc/init.d/apache2 restart
Testing
1. Enter the URL in the web browser and check if the hosted html page is displayed or not.
Firewall
[edit | edit source]Firewall allows the system administrator to accept, forward or drop the packets using ip tables.
Ubuntu has an inbuilt firewall called “uncomplicated firewall”- ufw. By default, ufw is disabled. We need to enable ufw and add the specific commands to allow or deny IP addresses or protocols.
Firewall on Primary server: -
sudo ufw allow from 10.10.10.6 to any --> Allow Secondary Web server all Access
sudo ufw deny from 10.10.10.30 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw deny from 10.10.10.34 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw deny from 10.10.10.36 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw allow from 10.10.10.0/24 to any port 80 --> Allow HTTP everyone else from a network
sudo ufw deny from 0.0.0.0/0 to any --> Deny everyone for other protocols
sudo ufw enable --> to enable the firewall
Firewall on secondary server: -
sudo ufw allow from 10.10.10.5 to any --> Allow Primary Web server all Access
sudo ufw deny from 10.10.10.30 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw deny from 10.10.10.34 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw deny from 10.10.10.36 to any port 80 --> Deny HTTP access to a particular PC
sudo ufw allow from 10.10.10.0/24 to any port 80 --> Allow HTTP everyone else from a network
sudo ufw deny from 0.0.0.0/0 to any --> Deny everyone for other protocols
sudo ufw enable --> to enable the firewall
Testing:
sudo ufw status
sudo ufw status numbered
Backup
[edit | edit source]rsync is a protocol built for Unix-like systems that provides unbelievable versatility for backing up and synchronizing data. It can be used locally to back up files to different directories or can be configured to sync across the Internet to other hosts.
First, we need to install/update the rsync client:
sudo apt-get install rsync
To configure rsync for external backup, we will use method of tunneling rsync through SSH. Most servers and even many clients already have SSH, and it can be used for your rsync backups.If not, install ssh on webserver and backup server:
sudo apt-get install ssh
Create and share hey generated to allow ssh access from secondary to primary without password access:- To generate a rsa key (The default is a 2048 bit key):-
ssh-keygen -t rsa
Allows a host to transfer the generated key to another host. By sharing of such a key a ssh can be perfomed without the use of any password
ssh-copy-id rohit@10.10.10.5
Automatically create a backup zip file on Primary server:-
sudo crontab -e
The data files on the webserver are first zipped and compressed:
18 14 * * * sudo zip -r /home/rohit/@TSM/Backup -j /home/rohit/@TSM/Linux_Project/
Then, this compressed .zip is moved to the backup server using the following command:
Automatically retrieve backup zip file from primary server and unzip it to be in synch with the primary server:-
sudo crontab -e
Retrieve File:- 19 14 * * * sudo rsync -avzhe ssh rohit@10.10.10.5:/home/rohit/@TSM/Backup.zip /home/rohitd/@TSM/Linux_Project/ -v: verbose -r: copies data recursively -a: archive mode -z: compress file data -h: human-readable format
Then this file is decompressed using unzip to obtain original files.
Unzip File:-
20 14 * * * sudo unzip -o /home/rohitd/@TSM/Linux_Project/Backup -d /home/rohitd/@TSM/Linux_Project/
Testing:
To test the backup server functioning, check the files after the scheduled time in the crontab.
Integrated Testing
[edit | edit source]1) DHCP should be up and running
2) Ensure the Primary and Secondary DNS is up and running.
3) Enter the command 'ifconfig' in the terminal and check whether IP address is assigned to the client from the range assigned.
4) Execute 'nslookup' linuxsara.com' on the client. This will confirm that the client can access the DNS server.
5) Client requests for the WEB-PAGE "www.linuxsara.com" which is hosted by the webserver.
6) The firewall will authenticate the request and send the webpage as a reply to the client request.
7) Client request for the Web-Page and is blocked by the Firewall.This is because the client has the IP address which belongs to the denial range.
8) Check the system time , modify the crontab accordingly , confirm backup is taken and copied to the backup server.
ALGORITHM
[edit | edit source]1) DHCP:
Client request for an IP from DHCP server
if (request==success) { IP address is assigned to client else { Check network connectivity , flush previous IP and reconnect }
2) DNS:
DNS Query is generated by the client and sent to the DNS server
if(DNS has entry) { DNS server sends the DNS response to client } else { check for network interconnectivity , restart bind9 }
3) Webserver:
Client gets an IP address after DNS resolving
Client sends an HTTP request to the webserver to get the web page hosted on the server
if (IP address is resolved correctly) { WEBPAGE will be displayed else { ERROR PAGE will be reflected to client }
4) FIREWALL:
The packet received by the Web Server is authenticated
if (packet is in the IP table) { the packet is accepted or rejected depending upon firewall settings else { the packet is dropped }
Future Improvements
[edit | edit source]1) Security and Robustness can be improved by adding security features like VPN, NTP etc.
2) Dyanamic DNS can be implemented
3) Simulation of real-time network traffic and validating network performance.
References
[edit | edit source][1] [2] [3] [4] [5] [6] [7] [8] [9]
- ↑ https://www.youtube.com/watch?v=bdIOrm0gKWo
- ↑ https://en.wikipedia.org/wiki/File:DHCP_session_en.svg
- ↑ https://help.ubuntu.com/lts/serverguide/dhcp.html
- ↑ https://wiki.ubuntu.com/IPv6
- ↑ http://manpages.ubuntu.com/manpages/trusty/man8/radvd.8.html
- ↑ https://help.ubuntu.com/lts/serverguide/dns.html
- ↑ https://help.ubuntu.com/community/UFW
- ↑ https://help.ubuntu.com/lts/serverguide/httpd.html
- ↑ http://www.howtogeek.com/135533/how-to-use-rsync-to-backup-your-data-on-linux/