Data Networking/Fall 2016/TSM
Group Members
1. Jibran Ahmed
2. Vijayalakshmi Hunnur
3. Ayanti Sengupta
4. Prerana Joshi
Motivation
The Linux operating system lets its users control almost every aspect of the system. The freedom, flexibility and security offered by this OS make it ideal for network engineers who want to design their own networks. The desire to learn about various network protocols and their security implementations motivated us to take on this project.
Behaviour of Protocols
Domain Name System
The Domain Name System (DNS) is an application-layer protocol that implements a hierarchical, distributed database across DNS servers. Its main service is to translate domain names into IP addresses: Internet communication is based on IP addresses, and because remembering the IP address of every domain is impractical, DNS servers resolve domain names into IP addresses on the client's behalf. DNS uses port 53.
In our project we maintain two servers: PurpleKush as the master and GrapeFruit as the slave. When the master is down, the DNS client reaches out to the slave for resolution. The name servers running on these two hosts are stranger1.LinuxProject.jaap.edu and stranger2.LinuxProject.jaap.edu respectively.
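As an added illustration of the query and fallback behaviour described above (example code written for this page, not part of the project), the following script builds a DNS query for UDP port 53 by hand, parses the reply, and asks the slave when the master does not answer. The two server addresses are the page's; the fixed transaction id, the timeout and the helper names are this example's own choices, and the reply checked in the usage note is a constructed message rather than a capture.

```python
import socket
import struct

# Servers from the page (master first, slave second); the transaction id,
# the 2 s timeout and the wire-format helpers are this example's own.
MASTER = "192.168.5.8"   # stranger1.LinuxProject.jaap.edu on PurpleKush
SLAVE = "192.168.5.9"    # stranger2.LinuxProject.jaap.edu on GrapeFruit
DNS_PORT = 53
TXID = 0x1234            # fixed here for readability; use os.urandom in production


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label ... + 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=TXID):
    """Standard query with RD=1; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            hops += 1
            if hops > 16:                          # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_answers(msg, expected_txid=TXID):
    """Return [(name, rtype, ttl, rdata_text)] from the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (not the reply to our query)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def resolve(name, servers=(MASTER, SLAVE), timeout=2.0):
    """Query each server in turn over UDP/53; fall through to the slave on timeout."""
    query = build_query(name)
    for server in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, DNS_PORT))
                data, _ = sock.recvfrom(512)
                return server, parse_answers(data)
            except socket.timeout:
                continue                           # master down: try the next server
    raise RuntimeError("no name server answered for %s" % name)
```

On the lab network, `resolve("stranger1.LinuxProject.jaap.edu")` returns the server that answered together with the A records; the transaction id check is what stops a stray datagram from another source being accepted as the answer.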
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a client-server protocol that provides devices on the network with IP addresses together with their subnet masks and gateways. DHCP is defined in RFC 2131 and RFC 2132. It minimizes the configuration errors caused by manual assignment of IP addresses, such as typographical errors or address conflicts from assigning the same IP address to more than one computer at the same time, and it reduces network administration. A DHCP server is especially beneficial when the network needs to scale: each time a device is added there is no need to assign an IP address by hand, since the new device obtains one automatically from the configured range. Thus DHCP allows the whole process to be automated and managed centrally. DHCPv4 uses the connectionless User Datagram Protocol (UDP); port 67 is the server's port and port 68 is used by the client.
The DHCP implementation uses the following terms and definitions.
In our project we have created two master DHCP servers, PurpleKush and GrapeFruit, that assign IPv4 addresses from the following pools:
PurpleKush IP assignment range : 192.168.5.10 - 192.168.5.100
GrapeFruit IP assignment range: 192.168.5.150 - 192.168.5.200
Exclusion Range: addresses in the scope that are excluded from leasing. Excluded addresses are normally used for routers or for hosts that need static IP addresses. In our project we have assigned static IP addresses to the DHCP master servers and the web server as follows:
PurpleKush: 192.168.5.8
GrapeFruit: 192.168.5.9
Web Server: 192.168.5.3
Reservation: assigns a permanent IP address to a particular client, server or hardware device. In our project we have assigned the reservation range 192.168.5.101 to 192.168.5.149.
IPv6
The DHCP server PurpleKush assigns both IPv4 and IPv6 addresses dynamically to the devices in the network. DHCPv6, the DHCP protocol for Internet Protocol version 6, is defined in RFC 3315 and uses UDP port 546 for the client and port 547 for the server. The router advertisement daemon (radvd) is an open-source program that sends link-local router advertisements and IPv6 routing prefixes using the Neighbour Discovery Protocol specified in RFC 2461. DHCPv6 is not strictly necessary for configuring hosts with the addresses of DNS servers, because those can also be delivered through Neighbour Discovery. The Neighbour Discovery Protocol operates at the link layer of the Internet model and is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the addresses of other nodes, and finding available routers and DNS servers.
Scope: the entire range for DHCPv6 assignment is fd37:f7e3:802b:be94::/64
Address Pool: the pool from which IPv6 addresses are assigned is fd37:f7e3:802b:be94::10 to fd37:f7e3:802b:be94::254
Exclusion range and reservation: the name server in DHCPv6 is fd37:f7e3:802b:be94::1
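The scope, pool, exclusion and reservation definitions above only work if the ranges do not collide: two independent masters that hand out overlapping pools, or a reservation range that sits inside a pool, produce exactly the duplicate-address conflicts DHCP is meant to prevent. The following added check (example code for this page, not the project's own configuration) loads the IPv4 and IPv6 plans exactly as stated on the page and reports any overlap; the check names and the `PLAN_*` dictionary layout are this example's own.

```python
import ipaddress

# Both plans are copied from the page; the checks are this example's own.
PLAN_V4 = {
    "subnet": "192.168.5.0/24",
    "pools": {
        "PurpleKush": ("192.168.5.10", "192.168.5.100"),
        "GrapeFruit": ("192.168.5.150", "192.168.5.200"),
    },
    "reservations": ("192.168.5.101", "192.168.5.149"),
    "static": {"PurpleKush": "192.168.5.8", "GrapeFruit": "192.168.5.9",
               "Web Server": "192.168.5.3"},
}
PLAN_V6 = {
    "subnet": "fd37:f7e3:802b:be94::/64",
    "pools": {"PurpleKush": ("fd37:f7e3:802b:be94::10", "fd37:f7e3:802b:be94::254")},
    "reservations": None,                    # the page defines no IPv6 reservation range
    "static": {"name server": "fd37:f7e3:802b:be94::1"},
}


def addr_range(first, last):
    """Set of every address from first to last inclusive (same address family)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or a > b:
        raise ValueError("bad range %s - %s" % (first, last))
    return {type(a)(i) for i in range(int(a), int(b) + 1)}


def check_plan(plan):
    """Return a list of conflicts; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"])
    pools = {name: addr_range(*r) for name, r in plan["pools"].items()}
    reserved = addr_range(*plan["reservations"]) if plan.get("reservations") else set()

    # 1. Every dynamic pool and the reservation range must lie inside the scope.
    for name, addrs in list(pools.items()) + [("reservations", reserved)]:
        outside = sorted(str(a) for a in addrs if a not in net)
        if outside:
            problems.append("%s leaves subnet %s (e.g. %s)" % (name, net, outside[0]))

    # 2. Two independent masters share no lease database, so pools must not overlap.
    names = list(pools)
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            overlap = pools[left] & pools[right]
            if overlap:
                problems.append("pools %s and %s overlap on %d addresses"
                                % (left, right, len(overlap)))

    # 3. Reserved (fixed) addresses must not be handed out dynamically as well.
    for name, addrs in pools.items():
        if addrs & reserved:
            problems.append("reservation range overlaps pool %s" % name)

    # 4. Excluded static hosts must sit outside every pool and the reservation range.
    for host, ip in plan["static"].items():
        a = ipaddress.ip_address(ip)
        for name, addrs in pools.items():
            if a in addrs:
                problems.append("static address %s (%s) sits in pool %s" % (ip, host, name))
        if a in reserved:
            problems.append("static address %s (%s) sits in the reservation range" % (ip, host))

    # 5. The network and broadcast addresses are never leasable.
    for name, addrs in pools.items():
        if net.network_address in addrs or net.broadcast_address in addrs:
            problems.append("pool %s includes the network or broadcast address" % name)
    return problems
```

`check_plan(PLAN_V4)` and `check_plan(PLAN_V6)` both return an empty list for the page's plan; widening GrapeFruit's pool to start at 192.168.5.90 would report an 11-address overlap with PurpleKush's pool and a collision with the reservation range.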
Webserver & Firewall
The Apache web server is the most popular way of serving web content on the Internet: it accounts for more than half of all active websites and is extremely powerful and flexible. Apache breaks its functionality into individual units that can be customized and configured independently. The basic unit describing an individual site or domain is called a virtual host. Each configured domain directs the visitor to a specific directory holding that site's content, never revealing that the same server also serves other sites. This scheme is expandable without any software limit, as long as the server can handle the load. In our project an Apache2 web server is hosted and the web page is written in HTML.
In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and an outside network such as the Internet that is assumed not to be trusted or secure. Firewalls can be hardware based or software based. Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu, developed to ease iptables configuration; it provides a user-friendly way to create IPv4 and IPv6 host-based firewalls.
Installation Steps
DNS
For server 1: PurpleKush (Master)
Step 1: Login as root user and Install bind9
Command:
apt-get install bind9
Step 2: Restart the networking daemon
Command:
service networking restart
Step 3: Create a hostname
Command:
vi /etc/hostname
PurpleKush
Step 4: Create a domain-name by editing /etc/hosts
Command:
vi /etc/hosts
Add
127.0.0.1 localhost
127.0.1.1 PurpleKush
#The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.5.8 stranger1.LinuxProject.jaap.edu stranger1
192.168.5.8 stranger1.LinuxProject.jaap.edu
192.168.5.9 stranger2.LinuxProject.jaap.edu
192.168.5.9 stranger2
192.168.5.8 LinuxProject.jaap.edu
# v6
fd37:f7e3:802b:be94:0:0:0:1 stranger1
fd37:f7e3:802b:be94::1 LinuxProject.jaap.edu
Step 5: Configure named.conf.options
Command:
vi /etc/bind/named.conf.options
Add
// Trusted range configuration for recursive query
acl "trusted" {
192.168.5.0/24;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-recursion { trusted; };
listen-on { 192.168.5.8; };
allow-transfer { none; };
forwarders {
8.8.8.8;
8.8.4.4;
};
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Step 6: Configure named.conf.local
Command:
vi /etc/bind/named.conf.local
Edit
zone "LinuxProject.jaap.edu" {
type master;
file "/etc/bind/zones/db.LinuxProject.jaap.edu";
allow-transfer { 192.168.5.9; };
};
zone "5.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.5";
allow-transfer { 192.168.5.9; };
};
// reverse zone for fd37:f7e3:802b:be94::/64 (the 16 prefix nibbles in reverse order)
zone "4.9.e.b.b.2.0.8.3.e.7.f.7.3.d.f.ip6.arpa" {
type master;
file "/etc/bind/zones/db.v6.1";
allow-transfer { 192.168.5.9; };
};
Step 7: Create two database files db.LinuxProject.jaap.edu and db.192.168.5 in zones folder
Command:
Make the directory /etc/bind/zones
mkdir /etc/bind/zones
Copy db.local to db.LinuxProject.jaap.edu
cd /etc/bind/zones
cp /etc/bind/db.local /etc/bind/zones/db.LinuxProject.jaap.edu
Open db.LinuxProject.jaap.edu file
vi db.LinuxProject.jaap.edu
Edit the file
$TTL 604800
@ IN SOA stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
30 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Name Server NS Records
IN NS stranger1.LinuxProject.jaap.edu.
IN NS stranger2.LinuxProject.jaap.edu.
;
; NS A Records
stranger1.LinuxProject.jaap.edu. IN A 192.168.5.8
IN AAAA fd37:f7e3:802b:be94::1
www IN CNAME stranger1.LinuxProject.jaap.edu.
stranger2.LinuxProject.jaap.edu. IN A 192.168.5.9
;
; Webserver record - Type A
known.LinuxProject.jaap.edu. IN A 192.168.5.3
IN AAAA fd37:f7e3:802b:be94::3
www.known IN CNAME known.LinuxProject.jaap.edu.
ftp IN CNAME stranger2.LinuxProject.jaap.edu.
;smtp IN CNAME mail.LinuxProject.jaap.edu.
smtp IN MX 5 mx1.LinuxProject.jaap.edu.
mx1.LinuxProject.jaap.edu. IN A 192.168.5.6
Step 8: Edit two database files db.192.168.5 and db.v6.1 (for IPv6) in zones folder
Command:
Open db.192.168.5 file
vi /etc/bind/zones/db.192.168.5
Edit the file
$TTL 604800
@ IN SOA stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
9 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; NS Records
IN NS stranger1.LinuxProject.jaap.edu.
IN NS stranger2.LinuxProject.jaap.edu.
;
; PTR Records
8 IN PTR stranger1.LinuxProject.jaap.edu. ; 192.168.5.8
9 IN PTR stranger2.LinuxProject.jaap.edu. ; 192.168.5.9
3 IN PTR known.LinuxProject.jaap.edu. ; 192.168.5.3
Open db.v6.1 file
vi /etc/bind/zones/db.v6.1
Edit the file
$TTL 604800
@ IN SOA stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
6 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; NS Records
IN NS stranger1.LinuxProject.jaap.edu.
IN NS stranger2.LinuxProject.jaap.edu.
;
; PTR Records
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR stranger1.LinuxProject.jaap.edu. ; fd37:f7e3:802b:be94::1
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR known.LinuxProject.jaap.edu. ; fd37:f7e3:802b:be94::3
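Both the reverse zone names declared in named.conf.local and the PTR owner names in db.192.168.5 and db.v6.1 are derived mechanically from the prefix: octets in reverse for in-addr.arpa, the 32 hex nibbles in reverse for ip6.arpa, with the zone taking the prefix part and the PTR owner the host part. Getting a nibble out of order silently breaks every reverse lookup, so it is worth computing rather than typing. The following added example (written for this page, not part of the project) does that derivation for the page's own prefixes and hosts; the function names are this example's own.

```python
import ipaddress


def reverse_zone(prefix):
    """Name of the reverse zone that holds the PTR records for a CIDR prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are cut on octet boundaries (/8, /16, /24)")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner(address, prefix):
    """Owner name of the PTR record for address, relative to the zone for prefix."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(prefix, strict=True)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (address, prefix))
    if addr.version == 4:
        octets = str(addr).split(".")[net.prefixlen // 8:]
        return ".".join(reversed(octets))
    nibbles = addr.exploded.replace(":", "")[net.prefixlen // 4:]
    return ".".join(reversed(nibbles))


def ptr_records(prefix, hosts):
    """Render the PTR lines of a reverse zone file from {address: fqdn}."""
    return ["%s IN PTR %s ; %s" % (ptr_owner(address, prefix), fqdn, address)
            for address, fqdn in hosts.items()]


if __name__ == "__main__":
    # The page's two reverse zones and their hosts.
    print(reverse_zone("192.168.5.0/24"))
    print("\n".join(ptr_records("192.168.5.0/24", {
        "192.168.5.8": "stranger1.LinuxProject.jaap.edu.",
        "192.168.5.9": "stranger2.LinuxProject.jaap.edu.",
        "192.168.5.3": "known.LinuxProject.jaap.edu.",
    })))
    print(reverse_zone("fd37:f7e3:802b:be94::/64"))
    print("\n".join(ptr_records("fd37:f7e3:802b:be94::/64", {
        "fd37:f7e3:802b:be94::1": "stranger1.LinuxProject.jaap.edu.",
        "fd37:f7e3:802b:be94::3": "known.LinuxProject.jaap.edu.",
    })))
```

Run it and compare its output with the zone statements in named.conf.local and the PTR lines in the two reverse zone files; any difference is a typo in the hand-written configuration.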
Step 9: Configure resolv.conf
Command:
vi /etc/resolv.conf
Edit
nameserver 192.168.5.8
nameserver 192.168.5.9
search LinuxProject.jaap.edu
DHCP
Step 1: Login as root and install the DHCP server package
Command:
apt-get install isc-dhcp-server
Step 2: Edit the isc-dhcp-server defaults file
Command:
vi /etc/default/isc-dhcp-server
#On line 11 change:
INTERFACES="ens33"
#Save and Exit
Step 3: Edit the file /etc/dhcp/dhcpd.conf
Command:
vi /etc/dhcp/dhcpd.conf
default-lease-time 6000;
max-lease-time 72000;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.5.255;
option routers 192.168.5.254;
option netbios-name-servers 192.168.5.8;
option domain-name-servers 192.168.5.8, 192.168.5.9;
option domain-name "LinuxProject.jaap.edu";
subnet 192.168.5.0 netmask 255.255.255.0 {
range 192.168.5.10 192.168.5.100;
}
ddns-update-style none;
deny declines;
deny bootp;
Step 4: Restart the DHCP server
Command:
service isc-dhcp-server restart
Webserver
Step 1: Login as root and install the Apache2 web server
Command:
apt-get install apache2
Step 2: Check whether the web server is able to listen on port 80
Command:
netstat -a | more
Step 3: Restart the web server
Command:
/etc/init.d/apache2 stop
/etc/init.d/apache2 start
Step 4: Develop a webpage for the server
Command:
cd /var/www/html/public_html
vi index.html
Firewall and Security
The firewall allows the system administrator to alter the policy applied to incoming traffic.
Install the package as root user
Command:
apt-get install ufw
1. In order to block FTP requests:
ufw deny from any port 20 to any port 20 proto tcp
ufw deny from any port 21 to any port 21 proto tcp
2. In order to block telnet requests:
ufw deny from any port 23 to any port 23 proto tcp
The SSH port is changed from 22 to 2222 to avoid the automated attacks that target the default port.
Root login over SSH is disabled.
DNS is made secure by configuring acl "trusted" for recursion. This configuration is done on named.conf.options.
DHCP has the following denied for security in the file /etc/dhcp/dhcpd.conf,
ddns-update-style none;
deny declines;
deny bootp;
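The two SSH changes above are easy to get wrong in practice, because sshd keeps the first value it sees for a keyword (a later `PermitRootLogin no` does not override an earlier `yes`), accepts several `Port` lines, and treats anything after a `Match` line as conditional. The following added check (example code for this page, not part of the project) reads an sshd_config the same way and reports which of the page's two expectations are not met; the function names and the expected port argument are this example's own, and the sample configurations in the usage note are constructed.

```python
# Reads sshd_config the way sshd does: comments stripped, the FIRST value of a
# keyword wins, Port may be given several times, and directives after a Match
# line apply only inside that block. Include files are not followed.

def parse_sshd_config(text):
    """Return the effective global settings: {keyword_lower: value}, Port as a list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                                          # end of the global section
        if key == "port":
            settings.setdefault("port", []).append(value)  # every Port line adds a listener
        else:
            settings.setdefault(key, value)                # first occurrence wins
    return settings


def audit_sshd_config(text, expected_port=2222):
    """List the page's hardening expectations that the configuration does not meet."""
    cfg = parse_sshd_config(text)
    findings = []
    ports = cfg.get("port") or ["22"]                      # sshd listens on 22 if unset
    if ports != [str(expected_port)]:
        findings.append("Port: expected only %d, found %s" % (expected_port, ", ".join(ports)))
    root = cfg.get("permitrootlogin", "(unset)")
    if root.lower() != "no":
        findings.append("PermitRootLogin: expected no, found %s" % root)
    return findings


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as f:
        for finding in audit_sshd_config(f.read()) or ["sshd_config meets both expectations"]:
            print(finding)
```

A configuration such as `# Port 2222` followed by `PermitRootLogin yes` and then `PermitRootLogin no` reports both expectations as unmet, since the port line is commented out and the first `PermitRootLogin` value is the one in force; a `PermitRootLogin no` placed under a `Match User` block is likewise reported, because it does not apply globally.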
Additional Features
VPN
The objective of the IPsec protocol is to secure IP packets by creating a Virtual Private Network and establishing a tunnel between two hosts. The tunnel carries the private network (192.168.11.8 - 192.168.11.9) over the public network with IP addresses 192.168.5.8 and 192.168.5.9. It is a PC-to-PC tunnel.
With the tunnel mode, the entire original IP packet is encrypted and a new IP header is added and is sent to the other side of the tunnel. Tunneling is done to prevent eavesdropping as it creates a secure path for transmission.
Step 1:Install strongswan package used to configure VPN
Command:
apt-get install strongswan strongswan-plugin-xauth-generic
Step 2:Edit the files in /etc/ipsec.secrets
Replace the default entry with the server's public IP address:
192.11.0.8 192.11.0.9 : PSK " #key gets generated here "
Step 3:Restart Strongswan service
Command:
service strongswan restart
NFS
The Network File System (NFS) allows one host to view, access and update files and directories that reside on another host. These files can be accessed only after the administrator mounts the exported directory on the second host.
Step 1:Configuring the NFS-server
Command:
sudo apt-get install nfs-kernel-server
Edit the file
vi /etc/exports
On the last line
/nico/f2 192.168.5.0/24(rw,sync,no_root_squash,no_subtree_check)
/nico/f2 192.11.0.0/24(rw,sync,no_root_squash,no_subtree_check)
Restart the server
sudo service nfs-kernel-server restart
Step 2:Configuring the NFS-client
Command:
sudo apt-get install nfs-common
Create the directory /nico/f2 on the client (the mount point), then mount the export:
mount serverip:/serverpath /clientpath
Backup
Unexpected technical failures can occur at any time. To prevent the loss of important data, backups are required. The two servers, PurpleKush and GrapeFruit, are automatically backed up at 00:00 over SSH: the data from PurpleKush is backed up onto GrapeFruit and the data from GrapeFruit onto PurpleKush.
All files to be backed up are tarred, and a secure remote copy is made and transferred to the peer server with rsync over SSH.
Step 1: Install rsync
sudo apt-get install rsync
Step 2: Install ssh
sudo apt-get install openssh-server
Step 3: Create a public and a private key for security
ssh-keygen -t rsa
Step 4: Copy the public key to the other server
ssh-copy-id -i /root/.ssh/id_rsa.pub root@GrapeFruit
Step 5: Edit crontab
crontab -e
Step 6: Schedule the backup script, which runs rsync, from the crontab so that the web server backup is automated
0 0 * * * /home/jibs/Documents/backupApp.sh >/home/jibs/Documents/backupApp.log 2>&1
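The crontab entry above runs backupApp.sh, whose contents the page does not show. As an added example of what such a script has to do (written for this page, not the project's own script), the following Python program tars the web root into a dated archive, then pushes it to the peer with rsync over SSH on port 2222, the port the page moved sshd to. The source directory, archive directory, peer login and remote path are placeholders, and `selftest()` builds a constructed sample tree in a temporary directory so the archive step can be checked without a second host.

```python
import datetime
import os
import subprocess
import tarfile
import tempfile

# Placeholders (not from the page): adjust to the real paths and peer.
SOURCE_DIR = "/var/www/html"            # what gets tarred
ARCHIVE_DIR = "/var/backups/webroot"    # where dated archives are kept locally
PEER = "root@GrapeFruit"                # the page's ssh-copy-id target
SSH_PORT = 2222                         # the page moved sshd to 2222
REMOTE_DIR = "/backup/PurpleKush/"      # placeholder directory on the peer


def create_archive(source_dir, archive_dir, when=None):
    """Write archive_dir/<basename>-YYYYmmdd-HHMM.tar.gz of source_dir; return its path."""
    when = when or datetime.datetime.now()
    base = os.path.basename(source_dir.rstrip("/")) or "root"
    os.makedirs(archive_dir, exist_ok=True)
    path = os.path.join(archive_dir, "%s-%s.tar.gz" % (base, when.strftime("%Y%m%d-%H%M")))
    with tarfile.open(path, "w:gz") as tar:
        tar.add(source_dir, arcname=base)   # keep paths relative inside the archive
    return path


def list_archive(archive_path):
    """Sorted member names of an archive, used to verify a backup actually has content."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def rsync_command(archive_path, peer, remote_dir, ssh_port):
    """argv for rsync over ssh; a list, so nothing is shell-expanded."""
    return ["rsync", "-a", "--partial",
            "-e", "ssh -p %d -o BatchMode=yes" % ssh_port,   # key auth only, never prompt
            archive_path, "%s:%s" % (peer, remote_dir)]


def run_backup(source_dir=SOURCE_DIR, archive_dir=ARCHIVE_DIR, peer=PEER,
               remote_dir=REMOTE_DIR, ssh_port=SSH_PORT):
    """Tar the source, copy the archive to the peer, return the local archive path."""
    path = create_archive(source_dir, archive_dir)
    subprocess.run(rsync_command(path, peer, remote_dir, ssh_port), check=True)
    return path


def selftest():
    """Constructed sample: archive a one-file tree in a temp dir (no rsync is run)."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "html")
    os.makedirs(src)
    with open(os.path.join(src, "index.html"), "w") as f:
        f.write("<h1>LinuxProject</h1>\n")
    path = create_archive(src, os.path.join(root, "archives"),
                          datetime.datetime(2016, 12, 1, 0, 0))
    return os.path.basename(path), list_archive(path), rsync_command(path, PEER, REMOTE_DIR, SSH_PORT)


if __name__ == "__main__":
    print(run_backup())
```

Installed in place of backupApp.sh, `0 0 * * * /usr/bin/python3 /path/to/backup.py` in the crontab gives the same midnight schedule as the page's entry; BatchMode makes the job fail loudly in the log rather than hang on a password prompt if the key copied in step 4 is ever missing.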
Conclusion
A robust, intelligent and secured corporate network architecture was implemented, consisting of DNS servers (master and slave), DHCP servers (two master servers), a web server, a Virtual Private Network, a Network File System, firewalls and backup directories. A malicious web server was also implemented to demonstrate ARP spoofing using a Scapy script.