Data Networking/Spring 2015/Group5
The Team
Raghavan Rajagopalan (rajagopalan.ra@husky.neu.edu)
Jingfeng Chen (chen.jingf@husky.neu.edu)
Niraj Beri (beri.n@husky.neu.edu)
Shashank Katlaparthi (katlaparthi.s@husky.neu.edu)
Objective
The mission here is to create a network which includes a web server with a firewall, upgraded with SSL; a recursive DNS server with a cache; a DHCP server with PXE boot; an NFS server; an NTP server; a VPN server; access lists for restricting user activity in the network; an FTP server for file sharing; encryption for files; and backup of the network information.
The network is designed to accommodate new users, secure them and include them in the network operation. A new user is assigned an IP address dynamically by the DHCP server; next, the DNS server answers the user's queries by translating domain names to their respective IP addresses. Access to the web server by the users is controlled by the firewall. The DNS server used here is recursive, so it reduces unnecessary traffic to the root servers and caches the data locally for faster replies and efficient use of network bandwidth. Once connectivity is established, file sharing in the network is done through the NFS and FTP servers, for inbound and outbound file-sharing requests. The data in the network is backed up by the backup server and secured using encryption. An NTP server is set up so that all the servers in the network are synchronized to an accurate time. A user on a remote network can reach the network through the VPN server; through the VPN the user is able to access all the information and be part of the network even though they are not physically in it. This completes the whole setup, and we can now accommodate new users.
DHCP
Dynamic Host Configuration Protocol is a protocol wherein a dedicated server is used to assign IP addresses to all hosts in a network. It also manages which hosts are in the network and their lease time for a particular IP address. The IP addresses assigned to the hosts are dynamic.
INSTALLATION
The following command installs the DHCP server on Ubuntu:
sudo apt-get install isc-dhcp-server
CONFIGURATION
The following procedure configures the DHCP parameters for this network.
- 1. Edit /etc/dhcp/dhcpd.conf and define the subnet (the subnet body is enclosed in braces and every statement ends with a semicolon):
subnet 192.168.137.0 netmask 255.255.255.0 {
  range 192.168.137.10 192.168.137.50;
  option domain-name-servers 192.168.137.100;
  option routers 192.168.137.1;
  default-lease-time 600;
  max-lease-time 7200;
}
- 2. The fixed addresses for the servers are configured as below:
- • The DNS server is configured with an IP address of 192.168.137.100
- • The firewall is configured with an IP address of 192.168.137.5
- 3. Edit /etc/network/interfaces as follows:
auto eth0
iface eth0 inet static
  address 192.168.137.2
  netmask 255.255.255.0
  network 192.168.137.0
  broadcast 192.168.137.255
  gateway 192.168.137.1
  dns-nameservers 192.168.137.100
- 4. Edit /etc/default/isc-dhcp-server and add eth0 to the interfaces the server listens on:
INTERFACES="eth0"
- 5. Then restart the DHCP server using the following command:
sudo /etc/init.d/isc-dhcp-server restart
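The configuration above, as an added example that is not part of the original page: a script that writes the dhcpd.conf in the form isc-dhcp-server actually parses (a braced subnet block, every statement terminated by a semicolon), adds fixed-address entries so the DNS server and firewall addresses can never be handed out as leases, and checks the file before the service is restarted. The MAC addresses in the host entries are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): write and check dhcpd.conf.

# write_dhcpd_conf OUTFILE : write the configuration file
write_dhcpd_conf() {
    cat > "$1" <<'EOF'
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.137.0 netmask 255.255.255.0 {
    range 192.168.137.10 192.168.137.50;
    option domain-name-servers 192.168.137.100;
    option routers 192.168.137.1;
    option broadcast-address 192.168.137.255;
}

# Infrastructure hosts get fixed addresses outside the dynamic range.
# The MAC addresses below are placeholders, not values from the page.
host dns-server {
    hardware ethernet 00:00:5e:00:53:01;
    fixed-address 192.168.137.100;
}
host firewall {
    hardware ethernet 00:00:5e:00:53:02;
    fixed-address 192.168.137.5;
}
EOF
}

# check_dhcpd_conf FILE : structural check that needs no dhcpd binary.
# Returns 0 when braces balance and every non-blank, non-comment line ends in
# ';', '{' or '}'; otherwise prints the first problem and returns 1.
# On the server itself, 'dhcpd -t -cf FILE' is the authoritative check.
check_dhcpd_conf() {
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }          # drop comments, trailing space
        /^[ \t]*$/ { next }                             # skip blank lines
        { lb += split($0, a, "{") - 1; rb += split($0, b, "}") - 1 }
        !/[;{}]$/ { printf "line %d lacks a terminator: %s\n", NR, $0; bad = 1 }
        END { if (lb != rb) { print "unbalanced braces"; bad = 1 }; exit bad }
    ' "$1"
}

# Stand-alone demonstration: write to a scratch directory and check it.
demo_dir=$(mktemp -d)
write_dhcpd_conf "$demo_dir/dhcpd.conf"
check_dhcpd_conf "$demo_dir/dhcpd.conf" && echo "dhcpd.conf OK: $demo_dir/dhcpd.conf"
```

The check catches the form the steps above were written in (statements without semicolons, no braces), which dhcpd rejects at start-up; keeping infrastructure hosts on fixed addresses outside the range means a DHCP client can never be leased the DNS server's or firewall's address.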
TESTING
The DHCP server can be tested by connecting a client to the network and running ipconfig (ifconfig on a Linux client) in the terminal: the DHCP server allocates an IP address to the client from its pool.
PXE BOOT
CONFIGURATION
- 1. Edit /etc/inetd.conf and add the following line to the file:
tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot
- 2. Enable the boot service using the following command:
sudo update-inetd --enable boot
- 3. Restart the following services:
sudo /etc/init.d/openbsd-inetd restart
sudo /etc/init.d/tftpd-hpa restart
- 4. Set up permissions using the following command:
sudo chmod -R 664 /var/lib/tftpboot/*
WEB SERVER
DESCRIPTION
The main function of a web server is to provide HTTP services to clients. There are many kinds of web servers; one of the most popular is Apache, which serves more than half of all active websites. We chose Apache 2 as our web server on Ubuntu.
INSTALLATION
TFTP has to be installed before PXE, using the following command:
sudo apt-get install tftpd-hpa openbsd-inetd lftp
sudo apt-get install apache2 — install the Apache 2 server on the Linux system
ifconfig — get the IP address of the local host, so that the DNS server can map the hostname to it
CONFIGURATION
Add the HTML source code of the site to index.html.
TESTING
When we enter the domain name that the DNS server maps to the host's IP address, the website created on the web server opens successfully.
DNS SERVER
For our server we are using BIND version 9.5 installed on Ubuntu 14.04, which in turn runs as a virtual machine on Windows 7. Assuming that Ubuntu is already set up and working, we followed these steps to install and configure the BIND DNS server.
- 1) To make sure Ubuntu is up to date, run the following command:
sudo apt-get update
- 2) Installation: the following command downloads and installs BIND. Open a terminal and run it with elevated privileges using sudo:
sudo apt-get install bind9
During the process it asks Y/N for the installation; press Y to continue. After installation, you will see the following files in the BIND directory.
CONFIGURATION
- 1. To start, we need to define a local domain, which will be the web address of our server. Copy db.local to a new file named after your server:
cp db.local db.apple
- 2. Edit the newly created file db.apple and add the hostname-to-IP entries to make this server authoritative.
- 3. This database file, which contains the hostname-to-IP mapping, now needs to be referenced from a zone file. We create a custom zone file from the default zone file using the following command:
cp named.conf.default-zones named.conf.custom-zones
- 4. Edit the newly created file named.conf.custom-zones to include the db.apple file.
- 5. With the above step our custom zone has been created; it refers to the database file, which in turn contains the hostname-to-IP mapping. Now it is time to include that custom zone in the named.conf file, so edit named.conf accordingly.
- 6. This completes the forward zone configuration. Similarly, we configure the reverse zone, and then restart the BIND service using the following command:
sudo service bind9 restart
- 7. Verification of the DNS server
To verify that the DNS server is working, use the dig command and check that it returns the correct hostname-to-IP mapping. Here the web server is configured on IP address 192.168.137.5, which is what the dig command returns.
FIREWALL
DESCRIPTION OF IPTABLES
iptables is a user-space application that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules they store. Different kernel modules and programs are used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP and ebtables to Ethernet frames.
CONFIGURATION
sudo iptables -F - flush the old firewall settings
sudo iptables -L - list the current rules
sudo iptables -A INPUT -i eth0 -s 192.168.137.7 -p tcp --dport 80 -m state --state NEW -j DROP
sudo iptables -A INPUT -i eth0 -s 192.168.137.7 -p tcp --dport 443 -m state --state NEW -j DROP
The two DROP rules block the client IP address from reaching the HTTP and HTTPS ports of the web server.
TESTING
After setting up the firewall, all the clients are able to access the website except the one specific client with the IP address 192.168.137.7.
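An added example, not the page's own commands: the two DROP rules above as part of a complete ruleset for the web server in iptables-restore format, using the page's blocked client 192.168.137.7 and LAN 192.168.137.0/24, plus a check for the one thing `iptables -A` makes easy to get wrong. Rules are matched top to bottom, so a DROP appended after an ACCEPT for the same traffic never fires; the block for the client has to precede the general allow.

```shell
#!/bin/sh
# Added example (not from the original page): default-deny ruleset for the
# web server with the page's blocked client, and an ordering check.

BLOCKED_HOST=192.168.137.7
LAN=192.168.137.0/24

# build_ruleset : print the ruleset (save as /etc/iptables/rules.v4 and load
# with 'sudo iptables-restore < /etc/iptables/rules.v4')
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections that were already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the specific block comes BEFORE the general allow for the same ports
-A INPUT -i eth0 -s $BLOCKED_HOST -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j LOG --log-prefix "blocked-client: "
-A INPUT -i eth0 -s $BLOCKED_HOST -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j DROP
# web service for the rest of the LAN, SSH for administration
-A INPUT -i eth0 -s $LAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -s $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate limited) and dropped by the chain policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
COMMIT
EOF
}

# check_order FILE HOST : 0 when the first INPUT rule that DROPs HOST on the
# web ports appears before the first INPUT rule that ACCEPTs the web ports
check_order() {
    awk -v host="$2" '
        /^-A INPUT/ && /--dports? 80/ && /-j DROP/ && index($0, host) && !drop { drop = NR }
        /^-A INPUT/ && /--dports? 80/ && /-j ACCEPT/ && !acc { acc = NR }
        END { exit !(drop && acc && drop < acc) }
    ' "$1"
}

# Stand-alone demonstration
demo_file=$(mktemp)
build_ruleset > "$demo_file"
check_order "$demo_file" "$BLOCKED_HOST" && echo "ruleset order OK: $demo_file"
```

With the INPUT policy set to DROP, the page's rules are no longer the only thing standing between the client and the server: anything not explicitly allowed is dropped, and the LOG rule in front of the blocked client's DROP leaves a kernel log line each time that client tries, which is what an operator would look for when testing the block.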
ADD-ONs
Recursive DNS with Cache
- 1. Recursion: this server can be configured as a recursive server, which means that in addition to answering DNS queries for the hosted website, when a host sends a query for a website hosted outside this network (such as google or yahoo), the DNS server goes to the root / TLD servers, resolves and fetches the IP address for that hostname and sends it back to the host. To make it a recursive server, delete or comment out the "recursion no" line in the file named.conf.options.
- 2. Access list implementation, to avoid our DNS server being used for DNS amplification attacks. This is done by denying recursion to hosts outside our local network. The access list is implemented by adding it to the named.conf.options file.
- 3. Cached server
This DNS server also acts as a caching server, which means it caches the hostname-to-IP mappings requested by hosts so that the next time the same hostname is queried, it does not have to leave the network to fetch the IP address. Since the server has the mapping in its cache, it simply replies to the host with the IP. This can be demonstrated using Wireshark. During the first access to google.com, the Wireshark trace on the DNS server shows DNS queries going out to the root and TLD servers; when the same hostname is queried again, Wireshark shows no packets going out to the root / TLD servers.
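The BIND files that the configuration steps above refer to (db.apple, the reverse zone, named.conf.custom-zones) and the recursion access list described in this section, as an added example that is not part of the original page. The addresses are the page's (web server 192.168.137.5, DNS server 192.168.137.100, domain apple.com); the SOA serial and the admin mailbox are constructed values. The script takes a directory argument so it can be tried anywhere; on the server the directory would be /etc/bind, and named.conf needs the line `include "/etc/bind/named.conf.custom-zones";`.

```shell
#!/bin/sh
# Added example (not the page's own files): forward and reverse zones for
# apple.com, the custom zones file, and options that allow recursion only
# for the LAN.

# write_bind_config DIR : write the four files into DIR
write_bind_config() {
    dir=$1
    mkdir -p "$dir"
    # Forward zone: hostname -> IP. Names ending in '.' are absolute.
    cat > "$dir/db.apple" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.apple.com. admin.apple.com. (
                        2015040101      ; serial (YYYYMMDDnn, bump on every edit)
                        604800          ; refresh
                        86400           ; retry
                        2419200         ; expire
                        604800 )        ; negative cache TTL
@       IN      NS      ns1.apple.com.
ns1     IN      A       192.168.137.100
@       IN      A       192.168.137.5
www     IN      A       192.168.137.5
EOF
    # Reverse zone: IP -> hostname, octets reversed under in-addr.arpa
    cat > "$dir/db.192.168.137" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.apple.com. admin.apple.com. (
                        2015040101 604800 86400 2419200 604800 )
@       IN      NS      ns1.apple.com.
100     IN      PTR     ns1.apple.com.
5       IN      PTR     www.apple.com.
EOF
    # Zone declarations; these make the server authoritative for both zones
    cat > "$dir/named.conf.custom-zones" <<EOF
zone "apple.com" {
    type master;
    file "$dir/db.apple";
};
zone "137.168.192.in-addr.arpa" {
    type master;
    file "$dir/db.192.168.137";
};
EOF
    # Recursion only for local clients. An open recursive resolver can be
    # abused as a reflector in DNS amplification attacks; the ACL prevents it.
    cat > "$dir/named.conf.options" <<'EOF'
acl "lan" { 127.0.0.0/8; 192.168.137.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };        # authoritative answers for apple.com to anyone
    allow-recursion { lan; };    # resolving other domains only for the LAN
    allow-query-cache { lan; };  # cached answers only for the LAN
    dnssec-validation auto;
};
EOF
}

# check_bind_config DIR : sanity check without named installed. On the server,
# 'named-checkconf' and 'named-checkzone apple.com /etc/bind/db.apple' are
# the real tools.
check_bind_config() {
    dir=$1
    grep -q '^www[[:space:]]*IN[[:space:]]*A[[:space:]]*192\.168\.137\.5$' "$dir/db.apple" &&
    grep -q '^5[[:space:]]*IN[[:space:]]*PTR[[:space:]]*www\.apple\.com\.$' "$dir/db.192.168.137" &&
    grep -q 'allow-recursion[[:space:]]*{[[:space:]]*lan;' "$dir/named.conf.options" &&
    ! grep -q 'allow-recursion[[:space:]]*{[[:space:]]*any' "$dir/named.conf.options"
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
write_bind_config "$demo_dir"
check_bind_config "$demo_dir" && echo "BIND files written to $demo_dir"
```

Keeping `allow-query { any; }` while restricting `allow-recursion` and `allow-query-cache` is the combination the ADD-ONs section asks for: anyone can ask about apple.com, but only LAN hosts can use the server to resolve other domains or read its cache. After a change, `dig @192.168.137.100 www.apple.com` from the LAN should return 192.168.137.5, and the same query for an outside name from a non-LAN address should be refused.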
BACKUP
Automatic backup of the server configuration can be done in the following ways:
- 1. Cron Tab:
Cron can be used when we need to execute a particular command at a certain interval (daily, weekly, fortnightly or monthly). Using crontab, the backup command is executed every day to take a backup of the server.
A graphical front end for cron can be installed using the following command:
sudo apt-get install gnome-schedule
Command to edit the crontab:
crontab -e
The following entry runs the backup script every day at 10 am:
0 10 * * * bash /home/pu/backup.sh
- 2. Déjà Dup:
Ubuntu offers an application named Backups (Déjà Dup) which can also be used to back up specific folders. It takes a backup every day and stores the backup files in the path given under the Storage tab.
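An added example of what the backup.sh scheduled above could contain; it is not the page's script, which is not shown. It archives a configuration directory, verifies that the archive can be read back, and keeps only the newest copies. The source and destination paths are parameters, so the defaults in the demonstration are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not the page's backup.sh): archive, verify, rotate.

# backup_config SRC DEST [KEEP] : create DEST/config-<timestamp>.tar.gz from
# SRC, verify it, delete all but the KEEP newest archives, print the path
backup_config() {
    src=$1; dest=$2; keep=${3:-7}
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/config-$stamp.tar.gz"
    # -C so the archive holds relative paths; umask 077 (in a subshell so it
    # does not leak) keeps the archive private, since configuration such as
    # dhcpd.conf or OpenVPN keys must not become world-readable in a backup
    ( umask 077 && tar -czf "$archive" -C "$src" . ) || return 1
    # verify now: a damaged archive would otherwise be noticed on restore day
    tar -tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }
    rotate_backups "$dest" "$keep"
    printf '%s\n' "$archive"
}

# rotate_backups DEST KEEP : delete all but the KEEP newest archives
rotate_backups() {
    ls -1t "$1"/config-*.tar.gz 2>/dev/null | tail -n +"$(( $2 + 1 ))" |
    while read -r old; do rm -f "$old"; done
}

# count_backups DEST : number of archives currently kept
count_backups() {
    ls -1 "$1"/config-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demonstration on a scratch copy (paths are assumptions)
demo=$(mktemp -d)
mkdir -p "$demo/etc/dhcp"
printf 'default-lease-time 600;\n' > "$demo/etc/dhcp/dhcpd.conf"
backup_config "$demo/etc" "$demo/backups" 7
```

In the crontab entry on the page the script would be invoked as `bash /home/pu/backup.sh`, with the real source (for example /etc) and a destination on the backup server's storage passed as arguments; cron mails or logs the script's output, so the printed archive path doubles as the job's success record.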
VPN
Virtual Private Networking (VPN) allows access to a private network through a public network. OpenVPN has been implemented for demonstration purposes.
INSTALLATION AND KEY GENERATION
- 1. Enter the following command to install OpenVPN from the terminal:
sudo apt-get install openvpn easy-rsa
- 2. Enter the following commands to set up the certificate directory:
mkdir /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
- 3. Edit /etc/openvpn/easy-rsa/vars to set the certificate parameters.
- 4. Enter the following commands to generate the master Certificate Authority:
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
- 5. Enter the following command to generate the certificate and private key for the server:
./build-key-server myservername
- 6. Enter the following command to generate the Diffie-Hellman parameters:
./build-dh
- 7. Enter the following commands to copy the keys and certificate files to /etc/openvpn:
cd keys/
cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
CONFIGURING VPN SERVER
- 1. Enter the following commands to copy and unpack server.conf.gz to /etc/openvpn/server.conf:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
- 2. Edit /etc/openvpn/server.conf so that it points at the files copied above:
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
- 3. Edit /etc/sysctl.conf and remove the # in front of the following line:
net.ipv4.ip_forward = 1
- 4. Reload the settings:
sudo sysctl -p /etc/sysctl.conf
- 5. Enter service openvpn start to start the OpenVPN service.
- 6. Enter ifconfig tun0 to check whether OpenVPN has been configured correctly.
VPN - CLIENT SIDE
CONFIGURATION
sudo apt-get install openvpn
The files that need to be securely copied to the client's /etc/openvpn directory are:
- • /etc/openvpn/ca.crt
- • /etc/openvpn/ta.key
- • /etc/openvpn/easy-rsa/keys/hostname.crt (where hostname is the hostname of the client)
- • /etc/openvpn/easy-rsa/keys/hostname.key (where hostname is the hostname of the client)
Copy those files over using a tool like scp from the server to the client. If the server doesn't have direct access to the client, just put them on a flash drive and copy from there.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
sudo nano /etc/openvpn/client.conf
Set the following directives in client.conf:
dev tap
remote 192.168.137.2 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1
Then start the service and check the interface:
sudo service openvpn start
ifconfig tun0
TESTING
After setting up the VPN on both server and client, the client can successfully ping the server's virtual IP address, 10.8.0.1.
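A matching pair of server.conf and client.conf for the server and client sections above, as an added example that is not the page's own configuration, together with a check of the settings that must agree on both ends. Two points the page leaves implicit: the `dev` directive has to be the same on both sides (the client section uses `dev tap`, while the sample server.conf and the `ifconfig tun0` test imply `tun`), and a client `tls-auth ta.key 1` needs `tls-auth ta.key 0` on the server plus a ta.key generated once with `openvpn --genkey --secret ta.key`. The server address 192.168.137.2, port 1194 and the file names are the page's; `hostname` stands for the client's own certificate name, as on the page.

```shell
#!/bin/sh
# Added example (not the page's files): consistent OpenVPN server/client
# configuration and a consistency check.

# write_openvpn_configs DIR : write server.conf and client.conf into DIR
write_openvpn_configs() {
    dir=$1; mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
    cat > "$dir/client.conf" <<'EOF'
client
proto udp
dev tun
remote 192.168.137.2 1194
ca ca.crt
cert hostname.crt
key hostname.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
nobind
persist-key
persist-tun
verb 3
EOF
}

# conf_value FILE KEY : print the value of directive KEY (first occurrence)
conf_value() { awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"; }

# check_openvpn_pair SERVER CLIENT : 0 when the two files agree
check_openvpn_pair() {
    s=$1; c=$2
    [ "$(conf_value "$s" dev)" = "$(conf_value "$c" dev)" ] || { echo "dev mismatch"; return 1; }
    [ "$(conf_value "$s" proto)" = "$(conf_value "$c" proto)" ] || { echo "proto mismatch"; return 1; }
    [ "$(conf_value "$s" cipher)" = "$(conf_value "$c" cipher)" ] || { echo "cipher mismatch"; return 1; }
    set -- $(conf_value "$c" remote)        # $1 = host, $2 = port
    [ "$2" = "$(conf_value "$s" port)" ] || { echo "port mismatch"; return 1; }
    [ "$(conf_value "$s" tls-auth)" = "ta.key 0" ] && [ "$(conf_value "$c" tls-auth)" = "ta.key 1" ] ||
        { echo "tls-auth key direction must be 0 on the server and 1 on the client"; return 1; }
    grep -q '^remote-cert-tls server' "$c" || { echo "client does not check the server certificate role"; return 1; }
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
write_openvpn_configs "$demo_dir"
check_openvpn_pair "$demo_dir/server.conf" "$demo_dir/client.conf" && echo "configs agree: $demo_dir"
```

`remote-cert-tls server` makes the client refuse a peer whose certificate was not issued with the server role (which `./build-key-server` sets), so a stolen client certificate cannot be used to impersonate the server; the client's own certificate and key are produced on the CA host with `./build-key hostname` from the same easy-rsa directory as the server's.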
NTP SERVER
NTP stands for Network Time Protocol. NTP is used to synchronize the time on our Linux systems with a central NTP server. With the NTP server set up, all the servers in the network are in sync with an accurate time.
INSTALLATION
For the server installation we use the following command:
sudo apt-get install ntp
This installs the packages needed to set up the NTP server.
CONFIGURATION
We need to edit the configuration file (/etc/ntp.conf) and add the following upstream servers:
server ntp.ubuntu.com
server pool.ntp.org
We edit the configuration, save the file and test that the NTP server works.
TEST PLAN
We can test whether the NTP server is running by entering the following command:
pgrep ntpd
This prints the process ID of the running daemon. Next we enter the following commands to update the clock and check the server's status:
ntpdate -u 192.168.137.1
ntpdc -c sysinfo
We get the updated date and time along with the server information.
FTP SERVER
FTP (File Transfer Protocol) uses ports 20 and 21. It is used to download files from and upload files to the server. Here we configure vsftpd (Very Secure FTP Daemon) on Linux.
INSTALLATION
To install the FTP server we use the following command:
sudo apt-get install vsftpd
CONFIGURATION
We need to edit the configuration file to set up the server:
sudo nano /etc/vsftpd.conf
We now enable file upload, set up the home directory for the server, enable authentication for the users and restrict access to some files. Then we restart the FTP daemon:
sudo restart vsftpd
We then configure local file permissions on the FTP directories, using the following commands to change the mode, owner and group:
sudo chmod
sudo chown
sudo chgrp
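An added example of the vsftpd.conf edits described above; the page does not show its own file. Anonymous users may only read, local system users (the page logs in as admin) may upload but are confined to their home directory, and a check function flags the two settings that matter most if they drift.

```shell
#!/bin/sh
# Added example (not the page's vsftpd.conf): upload for authenticated users,
# read-only anonymous access, chroot for local users, plus a check.

# write_vsftpd_conf OUTFILE : write the configuration
write_vsftpd_conf() {
    cat > "$1" <<'EOF'
listen=YES
# authentication: local system accounts log in with their password
local_enable=YES
# uploads are allowed for authenticated users only
write_enable=YES
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# confine local users to their own home directory (chroot jail)
chroot_local_user=YES
allow_writeable_chroot=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
EOF
}

# conf_get FILE KEY : value of KEY (the last assignment wins)
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_vsftpd_conf FILE : 0 unless a risky combination is present
check_vsftpd_conf() {
    f=$1; bad=0
    if [ "$(conf_get "$f" anonymous_enable)" = YES ] && [ "$(conf_get "$f" anon_upload_enable)" = YES ]; then
        echo "anonymous users can upload"; bad=1
    fi
    if [ "$(conf_get "$f" local_enable)" = YES ] && [ "$(conf_get "$f" chroot_local_user)" != YES ]; then
        echo "local users can browse the whole filesystem"; bad=1
    fi
    return $bad
}

# Stand-alone demonstration
demo_file=$(mktemp)
write_vsftpd_conf "$demo_file"
check_vsftpd_conf "$demo_file" && echo "vsftpd.conf OK: $demo_file"
```

One gotcha with this configuration: vsftpd 3.x refuses to log a user in whose chroot root (the home directory) is writable, with the error "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". The usual fix is to keep the home directory itself read-only and give the user a writable subdirectory for uploads, rather than setting `allow_writeable_chroot=YES`, which weakens the jail.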
TEST PLAN
We now test the FTP server by logging in:
ftp katlaparthi
Then we provide the user name (either admin or anonymous) and the passphrase, and enter commands to list and access files. We should be able to access, or be denied, files depending on the user.
ECRYPTFS (ENCRYPTION)
To make our system more secure we use eCryptfs for encryption.
INSTALLATION
To set up eCryptfs we enter the following command:
ecryptfs-setup-private
Next it asks for a passphrase; we set the passphrase and confirm it.
CONFIGURATION
We need to configure the files: create a folder and restrict its permissions.
mkdir /root/tPrivate
chmod 700 /root/tPrivate
Next we use eCryptfs to mount the folder encrypted (the same directory is used as lower and upper directory):
mount -t ecryptfs /root/tPrivate /root/tPrivate
It will display the encrypted file along with its attributes.
SECURE SOCKET LAYER
DESCRIPTION
SSL stands for Secure Sockets Layer. It provides a secure connection between internet browsers and websites, allowing you to transmit private data online. Sites secured with SSL display a padlock in the browser's address bar, and possibly a green address bar if secured by an EV certificate.
CONFIGURATION
sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
The command prompts for the certificate subject; the answers used were:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:abc
Organizational Unit Name (eg, section) []:dn project
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.5
Email Address []:370117709@qq.com
sudo nano /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin 370117709@qq.com
    ServerName 192.168.137.5
    ServerAlias apple.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
sudo a2ensite default-ssl.conf
sudo service apache2 restart
TESTING
By putting "https://" in front of our domain name, the website is shown over HTTPS, so we can conclude that the SSL certificate is protecting the website. Because the certificate is self-signed, the browser first asks to accept a security exception; the padlock then indicates an encrypted connection, not an identity verified by a certificate authority.
NETWORK FILE SYSTEM (NFS)
DESCRIPTION
NFS is a method by which file sharing is achieved between hosts in the network.
INSTALLATION-SERVER
sudo apt-get install nfs-kernel-server — install the NFS server on the Linux system
CONFIGURATION-SERVER
Edit /etc/exports to list the directories to share and the clients allowed to mount them, then start the service:
sudo service nfs-kernel-server start — start the NFS service
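The /etc/exports entry for the share named later in this section, as an added example that is not the page's own file: the /home/nfs-share directory is exported only to the 192.168.137.0/24 LAN with root squashing on, and a check function flags the two settings most often found in lab setups that undo that, exporting to `*` (every host) and `no_root_squash` (a remote root writes as root on the server). The options are applied with `sudo exportfs -ra`.

```shell
#!/bin/sh
# Added example (not the page's /etc/exports): a LAN-restricted export and
# a check for world-open or root-unsquashed exports.

# write_exports OUTFILE : write the exports file
write_exports() {
    cat > "$1" <<'EOF'
# share                 clients(options)
/home/nfs-share         192.168.137.0/24(rw,sync,no_subtree_check,root_squash)
EOF
}

# check_exports FILE : 0 if no export is open to '*' or disables root squashing;
# otherwise prints each offending line and returns 1
check_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            for (i = 2; i <= NF; i++) {          # each client(options) field
                split($i, part, "(")
                if (part[1] == "*") { print "world-open export: " $0; bad = 1 }
                if ($i ~ /no_root_squash/) { print "no_root_squash on: " $0; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone demonstration
demo_file=$(mktemp)
write_exports "$demo_file"
check_exports "$demo_file" && echo "exports OK: $demo_file"
```

`sync` makes the server commit writes before acknowledging them, so a server crash cannot silently lose data the client believes was written; `no_subtree_check` is the documented default and avoids problems with renamed files inside a partially exported filesystem.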
INSTALLATION-CLIENT
sudo apt-get install nfs-common — install the NFS client on the Linux system
CONFIGURATION-CLIENT
Create a new directory /home/nfs-share for the share exported from the server.
TESTING
mount 192.168.137