Data Networking/Spring 2015/Group 7

From Wikiversity

Introduction

In this project, we configure a LAN environment by implementing DHCP, DNS and web servers. A firewall was also implemented to prevent unauthorized access.

Understanding the Protocol

Functionality of DNS:

The Domain Name System (DNS) is a hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with the domain names assigned to each participating entity. Most prominently, it translates domain names, which humans can memorize easily, into the numerical IP addresses needed by computer services and devices worldwide. The DNS is an essential component of most Internet services because it is the Internet's primary directory service. When a resolver sends a query, the query is processed to obtain the IP address using one of the following processes:

   Recursive Process.
   Iterative Process.

Depending on the query forwarded by the client, the DNS can perform two functions:

   Forward DNS Query – Hostname to IP address.
   Reverse DNS Query – IP address to Hostname.

There are three classes of DNS servers:

   Root DNS servers
   TLD (top-level domain) DNS servers
   Authoritative DNS servers

BIND is an acronym for Berkeley Internet Name Domain. Version 9 was developed by Nominum, Inc. The BIND 9 software distribution contains both a name server and a resolver library. Its major features include:

   DNSSEC (DNS Security Extension) 
   TSIG (Transaction Signature)
   IPv6 – Resolves IPv6 addresses as well.
   RNDC (remote name daemon control),  
   Multiprocessor support, and
   Improved portability architecture.

The basic terms used in BIND 9 are given below.

Domains and Domain Name

The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree is called a domain.

Zones

A zone consists of the part of the domain tree for which a name server has complete information. It contains all domain names from a certain point downward in the domain tree, except those which are delegated to other zones.

Authoritative Name Servers

Each zone is served by at least one authoritative name server, which holds the complete data for the zone. The authoritative servers can be classified into three types:

   i. The Primary Master:

The authoritative server on which the master copy of the zone data is maintained is called the primary master server.

   ii. Slave Servers:

A slave server loads the zone contents from another server using a replication process known as a zone transfer.


Name Servers in Multiple Roles

The BIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for a set of local clients. The server in our configuration is primary as well as the caching server which helps in resolving query at the local level.

When a client tries to open a website, say www.wikiversity.com, the data can be fetched only once the website's web server is reached, and that web server is identified by its global IP address. The DNS plays the important role of converting the website name to its corresponding IP address and vice versa. The query is sent to the local DNS server, forwarded as needed, and the matching IP address is returned. The host with that IP address is then accessible from the web browser. Here, a BIND9 server with caching has been used. When a DNS response is cached, the time needed to fetch it and display the page the next time it is requested is reduced by thousands of milliseconds.

Functionality of DHCP:

The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. With DHCP, computers request IP addresses and networking parameters automatically from a DHCP server, reducing the need for a network administrator or a user to configure these settings manually.

The communication between the Client and the DHCP Server can be given as below:

• When a client (device) connects to the network, it sends a DHCPDISCOVER message to the DHCP server. Since the client has no network configuration yet, the source address is 0.0.0.0 and the destination is 255.255.255.255. If the server is in the local subnet it receives the message directly; otherwise a relay agent passes the request to the DHCP server.
• When the DHCP server receives DHCPDISCOVER, it replies with DHCPOFFER, providing all the network configuration the client requires.
• To indicate that it wants to accept the configuration sent in DHCPOFFER, the client sends a DHCPREQUEST message back to the server. If multiple DHCP servers received the DHCPDISCOVER, the client receives multiple DHCPOFFERs but replies to only one of them.
• Once the server receives DHCPREQUEST, it sends back DHCPACK, which indicates that the client can use the IP address assigned to it. The lease for the IP address starts at this point.

Functionality of Webserver

A web server is an information technology that processes requests via HTTP, the basic network protocol used to distribute information on the World Wide Web. The term can refer either to the entire computer system, an appliance, or specifically to the software that accepts and supervises the HTTP requests.

The HTTP connection can be of three types.

Non-persistent HTTP: In this type of connection, the session ends after the data transfer and the handshake must be performed again for the next transfer.

Persistent HTTP: In a persistent HTTP connection, the session stays open after the data has been transferred, so no new HTTP connection is required for subsequent transfers.

Persistent with pipelining: This is a special case of the persistent HTTP connection. Multiple objects can be received within a fixed time interval, which saves time and allows more data to be transferred.


Apache2:

Apache2 is an HTTP web server. It supports a variety of features, many implemented as compiled modules which extend the core functionality. These range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. A sample of other features includes Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).


Firewall:

A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. The name firewall comes from a common architectural practice of placing a brick wall between two structures, to prevent a fire in one from spreading to the other.

The National Institute of Standards and Technology (NIST) 800-10 divides firewalls into three basic types:

   Packet filters
   Stateful inspection
   Proxies

Firewalls act as a platform for network security policy enforcement and network traffic inspection. They are defined by the following attributes:

   Standard capabilities: packet filtering, stateful protocol inspection, network address translation (NAT), VPN connectivity.
   Truly integrated intrusion prevention: support for vulnerability-facing and threat-facing signatures, and suggesting rules based on IPS activity.
   Full-stack visibility and application identification: ability to enforce policy at the application layer.
   Extra firewall intelligence: ability to take information from external sources and make improved decisions.
   Adaptability to modern threat landscapes: supports upgrade paths for integrating new information feeds and new techniques to address future threats.
   In-line support with minimum performance degradation or disruption to network service.

The Requirements

We will need a Linux-based OS; in this project we used Ubuntu 12.04 LTS. We also require bind9 to configure the DNS server, apache2 to implement the web server, and isc-dhcp-server to implement the DHCP server.

Steps to perform the setup / installation

Installation of Domain Name System (DNS):

Step 1 : Change the interface accordingly (eth0 or wlan0)
Command:

                 sudo nano /etc/network/interfaces
                 # Change lo to either eth0 or wlan0 and "loopback" to "static"
                 auto eth0
                 iface eth0 inet static
                     address 192.168.2.4
                     netmask 255.255.255.0
                     gateway 192.168.2.3
                     network 192.168.2.0
                     broadcast 192.168.2.255
                     # resolvconf keywords are dns-nameservers / dns-search
                     # ("dns-domain-nameserver" is not a valid option)
                     dns-nameservers 192.168.2.1
                     dns-search projectlinuxnash.com

Step 2: Restart the network
Command:

                sudo /etc/init.d/networking restart 

Step 3 : Install bind9
Command:

                 sudo apt-get install bind9

Step 4 : Remove the comments from the forwarders
Command:

                 sudo nano /etc/bind/named.conf.options 
Remove the "//" signs to uncomment the forwarders block and add a forwarder. Here the DNS IP address 192.168.2.4 was used.

Step 5 : Define the entries for Forward and Reverse lookup zones
Command:

                 sudo nano /etc/bind/named.conf.local 

In named.conf.local on the master server, add the forward lookup zone:

                 zone "projectlinuxnash.com" {
                     type master;
                     file "/etc/bind/db.projectlinuxnash.com";
                     allow-transfer { <IP of slave>; };
                 };

On a slave server the same zone is declared as:

                 zone "projectlinuxnash.com" {
                     type slave;
                     masters { <IP of master>; };
                     file "/var/cache/bind/db.projectlinuxnash.com";
                 };

For the reverse lookup zone, add on the master:

                 zone "2.168.192.in-addr.arpa" {
                     type master;
                     allow-transfer { <IP of slave>; };
                     file "/etc/bind/db.192";
                 };

And on the slave:

                 zone "2.168.192.in-addr.arpa" {
                     type slave;
                     masters { <IP of master>; };
                     file "/var/cache/bind/db.192";
                 };

Step 6 : Create the zone file that bind9 loads at startup
Command: Copy the template zone file to the file name referenced in named.conf.local

                 sudo cp /etc/bind/db.local /etc/bind/db.projectlinuxnash.com

Step 7 : Edit the forward lookup zone
Command:

                 sudo nano /etc/bind/db.projectlinuxnash.com
                 $TTL 604800
                 @ IN SOA projectlinuxnash.com. root.projectlinuxnash.com. (
                              2        ; Serial number (increase it on every change)
                              604800   ; Refresh
                              86400    ; Retry
                              2419200  ; Expire
                              604800 ) ; Negative Cache TTL
                 @ IN NS ubuntu.projectlinuxnash.com.
                 @ IN A 192.168.2.1
                 @ IN AAAA fe80::be77:37ff:fe7d:dc2d
                 ; A records (zone-file comments start with ";", not "#")
                 abcd IN A 192.168.2.54
                 ubuntu IN A 192.168.2.68
                 ubuntu1 IN A 192.168.2.92
                 ubuntu2 IN A 192.168.2.74
                 ; MX record
                 mail IN MX 10 mailhost.projectlinuxnash.com.
                 ; CNAME records
                 server2013 IN CNAME ubuntu.projectlinuxnash.com.
                 server2014 IN CNAME ubuntu1.projectlinuxnash.com.
                 www IN CNAME ubuntu.projectlinuxnash.com.

Step 8 : Edit the reverse lookup zones for both IPv4 and IPv6
Command:

                 Reverse zone file for IPv4 (/etc/bind/db.192)
                 $TTL 604800
                 @ IN SOA projectlinuxnash.com. root.projectlinuxnash.com. (
                              1        ; Serial
                              604800   ; Refresh
                              86400    ; Retry
                              2419200  ; Expire
                              604800 ) ; Negative Cache TTL
                 @ IN NS ubuntu.projectlinuxnash.com.
                 54 IN PTR abcd.projectlinuxnash.com.
                 68 IN PTR ubuntu.projectlinuxnash.com.
                 92 IN PTR ubuntu1.projectlinuxnash.com.
                 74 IN PTR ubuntu2.projectlinuxnash.com.   ; 192.168.2.74 is ubuntu2 in the forward zone

                 Reverse zone file for IPv6
                 $TTL 604800
                 @ IN SOA projectlinuxnash.com. root.ubuntu.projectlinuxnash.com. (
                              1        ; Serial
                              604800   ; Refresh
                              86400    ; Retry
                              2419200  ; Expire
                              604800 ) ; Negative Cache TTL
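As an added check that is not part of the original project, the following shell script cross-checks a forward zone file against its IPv4 reverse zone file: every A record should have a PTR record whose target is the same host name. A stale or mistyped PTR is exactly the kind of error that slips into hand-edited zone files, and it produces misleading reverse lookups in logs and in any access control that relies on them. The sample zone texts inside the script are constructed from the records of steps 7 and 8 (including a PTR that points at the wrong host); the /24 reverse-zone assumption (the PTR owner name is the last octet) and the function names are ours.

```shell
#!/bin/sh
# Added example, not code from the original Wikiversity page.
# Cross-checks a BIND forward zone against its IPv4 reverse zone: every A
# record should have a PTR whose target is the same host name.
# Assumption: /24 reverse zones, so the PTR owner name is the last octet.

# $1 forward zone file, $2 reverse zone file, $3 zone name (e.g. projectlinuxnash.com)
# Prints one line per problem; exit status 0 = consistent, 1 = problems found.
check_zone_consistency() {
    fwd=$1; rev=$2; zone=$3
    problems=$(
        sed 's/;.*//' "$fwd" |                                   # strip ";" comments
        awk '$2=="IN" && $3=="A" && $1!="@" {print $1, $4}' |    # host ip
        while read -r host ip; do
            octet=${ip##*.}
            want="$host.$zone."
            got=$(sed 's/;.*//' "$rev" | awk -v o="$octet" '$1==o && $3=="PTR" {print $4}')
            if [ -z "$got" ]; then
                echo "MISSING PTR for $host ($ip)"
            elif [ "$got" != "$want" ]; then
                echo "MISMATCH PTR $octet -> $got, expected $want"
            fi
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Constructed sample zones (records follow step 7 and step 8 of the page).
# Prints the directory that holds db.forward and db.reverse.
make_sample_zones() {
    dir=$(mktemp -d)
    cat > "$dir/db.forward" <<'EOF'
$TTL 604800
@ IN SOA projectlinuxnash.com. root.projectlinuxnash.com. ( 2 604800 86400 2419200 604800 )
@ IN NS ubuntu.projectlinuxnash.com.
abcd IN A 192.168.2.54
ubuntu IN A 192.168.2.68
ubuntu1 IN A 192.168.2.92
ubuntu2 IN A 192.168.2.74
www IN CNAME ubuntu.projectlinuxnash.com.
EOF
    cat > "$dir/db.reverse" <<'EOF'
$TTL 604800
@ IN SOA projectlinuxnash.com. root.projectlinuxnash.com. ( 1 604800 86400 2419200 604800 )
@ IN NS ubuntu.projectlinuxnash.com.
54 IN PTR abcd.projectlinuxnash.com.
68 IN PTR ubuntu.projectlinuxnash.com.
92 IN PTR ubuntu1.projectlinuxnash.com.
74 IN PTR ubuntu.projectlinuxnash.com.   ; wrong: .74 is ubuntu2 in the forward zone
EOF
    echo "$dir"
}

# Stand-alone run: ./check_zones.sh --demo reports the deliberate mismatch.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_zones)
    check_zone_consistency "$d/db.forward" "$d/db.reverse" projectlinuxnash.com
fi
```

Run it against the real files with `check_zone_consistency /etc/bind/db.projectlinuxnash.com /etc/bind/db.192 projectlinuxnash.com` before each `bind9 restart`; a non-zero exit means the two files disagree.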

Step 9 : Restart bind9 service in order for the changes to be effective
Command:

                 sudo /etc/init.d/bind9 restart

Step 10: Edit the resolv.conf file
Command:

                 sudo nano /etc/resolv.conf
                 nameserver 192.168.2.1
                 nameserver 127.0.1.1
                 search projectlinuxnash.com example.org

Dynamic Host Configuration Protocol (DHCP) (for IPv4):
Step 1 : Install dhcp server
Command:

                 sudo apt-get install isc-dhcp-server 

Step 2 : Set static ip address
Command:

                 sudo nano /etc/network/interfaces 
                 # Change lo to either eth0 or wlan0 and "loopback" to "static"
                 auto eth0
                 iface eth0 inet static
                     address 192.168.2.10
                     netmask 255.255.255.0
                     gateway 192.168.2.3
                     network 192.168.2.0
                     broadcast 192.168.2.255
                     # resolvconf keywords ("dns-domain-nameserver" is not a valid option)
                     dns-nameservers 192.168.2.1
                     dns-search projectlinuxnash.com

Step 3 : Restart the network
Command:

                sudo /etc/init.d/networking restart

Step 4 : Configure the DHCP server
Command:

                sudo nano /etc/dhcp/dhcpd.conf
                ddns-update-style none;
                option domain-name-servers 192.168.2.1;
                option domain-name "projectlinuxnash.com";
                default-lease-time 600;
                max-lease-time 7200;
                authoritative;
                subnet 192.168.2.0 netmask 255.255.255.0 {
                    # the range must lie inside the subnet (an end address of 192.168.0.100 is rejected by dhcpd)
                    range 192.168.2.10 192.168.2.100;
                    option broadcast-address 192.168.2.255;
                    option domain-name-servers 192.168.2.1;
                }

Step 5 : Edit the resolv.conf file
Command:

                sudo nano /etc/resolv.conf 
nameserver 192.168.2.1

Step 6 : Restart the dhcp service
Command:

                sudo service isc-dhcp-server restart 

Web Server:

Step 1: Install apache2
Command:

                sudo apt-get install apache2 

Step 2: To check whether the web server is listening on port 80
Command:

                netstat -a | more 

Step 3: Restart the web server
Command:

                sudo /etc/init.d/apache2 stop    # after this, netstat no longer shows port 80 as listening
                sudo /etc/init.d/apache2 start

Step 4: To put a webpage for the server
Command:

                cd /var/www        # default document root of apache2
                sudo nano index.html

Firewall:
iptables is a user-space program which allows the system administrator to configure the tables provided by the Linux kernel firewall.

1. In order to block ICMP requests write the following command:

               sudo iptables -A INPUT -d <IP address of the destination> -p icmp --icmp-type echo-request -j DROP
               # echo-request (type 8) matches incoming pings; "-icmp -type 0" would be rejected by iptables,
               # and type 0 matches only echo replies

2. In order to prevent SSH login, write the following command:

               sudo iptables -A INPUT -s <IP address of the source> -d <IP address of the destination> -p tcp --dport ssh -j DROP

3. In order to block FTP ports, write the following command:

               sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 20 -j DROP
               sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 21 -j DROP

4. To block the port used by Telnet, write the following command:

               sudo iptables -A INPUT -d 192.168.2.11 -p tcp --dport 23 -j DROP

5. To block webpage write the following command:

               sudo iptables -A INPUT -d 192.168.2.90 -s 192.168.2.99 -p tcp --dport 80 -j DROP   # port 80 is the web server port from the web server steps
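The rules above leave the INPUT chain's default policy at ACCEPT and block one unwanted port at a time, so any service that is later installed is reachable until someone remembers to add a rule for it. The shell script below, added here and not part of the original project, takes the opposite approach for the same LAN server: it prints a default-deny ruleset that only admits the services the page sets up (DNS, web, DHCP), SSH from a single admin host, and rate-limited ping, so Telnet and FTP are dropped without needing their own rules. It prints rather than applies, so the rules can be reviewed and then piped to `sh`. It also includes a small check for the two option typos that appeared in the commands above (long options written with one dash, and en-dashes pasted from a word processor). The LAN 192.168.2.0/24 and interface eth0 come from the page; the admin host address, the `--log-prefix` text and the function names are our assumptions.

```shell
#!/bin/sh
# Added example, not from the original Wikiversity page.
# Emits a default-deny iptables ruleset for the page's LAN server.
# Review the output, then apply with:  gen_firewall_rules 192.168.2.99 | sudo sh
# Assumptions: LAN is 192.168.2.0/24, interface eth0; $1 is the admin host (hypothetical).

# $1 = address allowed to SSH in, $2 = LAN interface (default eth0)
gen_firewall_rules() {
    admin=$1; ifc=${2:-eth0}; lan=192.168.2.0/24
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to connections this host opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop packets that belong to no known connection state
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# services this LAN server provides (DNS, web, DHCP), LAN only
iptables -A INPUT -i $ifc -s $lan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -s $lan -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $ifc -s $lan -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $ifc -p udp --sport 68 --dport 67 -j ACCEPT
# SSH only from the admin host; ping from the LAN, rate limited
iptables -A INPUT -i $ifc -s $admin -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $ifc -s $lan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (rate limited) what the default policy is about to drop
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Flags a rule string that uses a single-dash long option ("-dport") or a
# non-ASCII dash ("–A"); both make iptables reject or misparse the rule.
# Prints the reason and returns 1 if found, returns 0 for a clean rule.
check_rule_syntax() {
    rule=$1
    case $rule in
        *–*|*—*) echo "non-ASCII dash in: $rule"; return 1 ;;
    esac
    if printf '%s\n' "$rule" | grep -Eq '(^| )-[a-z]{2,}|(^| )- [a-zA-Z]'; then
        echo "single-dash long option in: $rule"; return 1
    fi
    return 0
}

# Stand-alone run: print the ruleset for an example admin host.
if [ "${1:-}" = "--demo" ]; then
    gen_firewall_rules 192.168.2.99
fi
```

With the INPUT policy set to DROP, the separate "block FTP", "block Telnet" and "block webpage for one client" rules become unnecessary: anything not explicitly accepted is dropped and logged, and the log lines make unexpected connection attempts visible in syslog.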

Backup:
To perform backups we used cron, scheduling the job with crontab.
Step 1: Generate an SSH key pair and share the public key with the computer that will receive the backed-up files, so that the files can be sent automatically.
Commands:

                 ssh-keygen -t rsa                                    # create a pair of RSA keys
                 ssh root@192.168.0.254 mkdir -p .ssh
                 cat .ssh/id_rsa.pub | ssh root@192.168.0.254 'cat >> .ssh/authorized_keys'

Step 2: We first need to create a script file (.sh file).
Command:

                sudo nano /home/dell/backup/backup.sh

                #!/bin/sh
                cd /var/www/
                cp index.html /home/dell/backup/       # copy the web page file
                cd /home/dell/backup
                tar czf /home/dell/backup/backup.tar.gz ds1.fw index.html
                sleep 1s
                sync; sync                             # flush writes to disk ("sync:sync" was a typo)
                sleep 1s
                scp backup.tar.gz root@192.168.0.254:/home/root/
                sleep 1s
                sync; sync

Step 3: On the backup host, create a script that extracts the archive, then schedule it with cron so the extraction happens automatically:

                cd /home/root/
                sudo nano backup.sh
                #!/bin/sh
                cd /home/root/
                tar xzf backup.tar.gz

Add the following line with crontab -e to run the script every day at 12:00:

                0 12 * * * bash /home/root/backup.sh
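The backup script above ships the archive and the receiving side extracts whatever arrives. The shell script below, added here and not the project's own backup.sh, does the same job but writes a SHA-256 manifest next to the archive before it leaves, and the restore side refuses to extract an archive whose checksum no longer matches, so a truncated transfer or a modified archive is caught before it overwrites the web root. The paths /var/www and backup.tar.gz follow the page; the staging directory, the function names and the use of a dedicated `backup` user instead of root on the receiving host are our assumptions.

```shell
#!/bin/sh
# Added example, not code from the original Wikiversity page.
# Backup with an integrity manifest: make_backup -> ship_backup -> restore_backup.
# Assumptions: paths are passed in as arguments; the remote user "backup" is hypothetical.

# Prints "<sha256>  <file>" using whichever tool the system has.
hash_file() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# $1 = directory to back up (e.g. /var/www), $2 = staging directory.
# Writes backup.tar.gz and backup.tar.gz.sha256 into $2 and prints the archive path.
make_backup() {
    src=$1; stage=$2
    mkdir -p "$stage"
    archive=$stage/backup.tar.gz
    # -C: store paths relative to $src, so extraction does not depend on the source location
    tar czf "$archive" -C "$src" .
    ( cd "$stage" && hash_file backup.tar.gz > backup.tar.gz.sha256 )
    echo "$archive"
}

# $1 = staging directory. Returns 0 if the archive matches its manifest, 1 otherwise.
verify_backup() {
    dir=$1
    [ -f "$dir/backup.tar.gz.sha256" ] || return 1
    expected=$(cut -d' ' -f1 "$dir/backup.tar.gz.sha256")
    actual=$(cd "$dir" && hash_file backup.tar.gz | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# $1 = staging directory, $2 = user@host. Copies archive and manifest together.
# (Not exercised in the demo; needs the key set up in step 1.)
ship_backup() {
    scp "$1/backup.tar.gz" "$1/backup.tar.gz.sha256" "$2:/home/backup/"
}

# $1 = directory holding the received archive + manifest, $2 = destination directory.
# Verifies first; a mismatch aborts before anything is written.
restore_backup() {
    dir=$1; dest=$2
    if ! verify_backup "$dir"; then
        echo "checksum mismatch for $dir/backup.tar.gz, refusing to extract" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$dir/backup.tar.gz" -C "$dest"
}

# Stand-alone run: ./backup.sh --demo /var/www /tmp/stage
if [ "${1:-}" = "--demo" ]; then
    make_backup "$2" "$3" && verify_backup "$3" && echo "backup verified"
fi
```

On the receiving host the cron job then becomes `restore_backup /home/backup /var/www`, and a failed verification shows up as the error line in the cron mail instead of a silently corrupted document root.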

NFS
Commands to configure NFS:
For server follow these steps:
Step 1:
Install NFS
Command:

                sudo apt-get install nfs-kernel-server 

Step 2:
Edit the exports file
Command:

                sudo nano /etc/exports
                /home/wenrui/nfsroot *(rw,sync,no_root_squash) 
                (“rw” means client has read and write authority. “sync” means synchronize, 
               “no_root_squash” means the client has no authority to change root’s file)
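In NFS terms, no_root_squash means that root on the client keeps root privileges on the exported directory (the default, root_squash, maps remote root to the unprivileged nobody user), and the "*" client specification lets any host that can reach the server mount the export. The shell script below, added here and not part of the original page, audits an exports file and reports every export that any host can mount or that disables root squashing, which is the combination the line in step 2 grants. The exports lines it builds are constructed samples (the first one is the page's own line); the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original Wikiversity page.
# Audits /etc/exports syntax "<path> <client>(opts) [<client>(opts) ...]".
# Reports exports that are mountable by any host ("*" or a bare "(opts)") or
# that set no_root_squash; lists rw / insecure as extra reasons when present.

# $1 = exports file. Prints "<path> <client> <reasons>" per risky export.
# Returns 1 if anything was reported, 0 if the file is clean.
audit_exports() {
    risky=$(sed 's/#.*//' "$1" | awk '
        NF >= 2 {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; p = index(spec, "(")
                if (p) { client = substr(spec, 1, p - 1); opts = substr(spec, p + 1); sub(/\)$/, "", opts) }
                else   { client = spec; opts = "" }
                if (client == "") client = "*"            # "(rw)" with no host means every host
                reasons = ""
                if (client == "*")                       reasons = reasons " wildcard-client"
                if (opts ~ /(^|,)rw(,|$)/)               reasons = reasons " rw"
                if (opts ~ /(^|,)no_root_squash(,|$)/)   reasons = reasons " no_root_squash"
                if (opts ~ /(^|,)insecure(,|$)/)         reasons = reasons " insecure-ports"
                # report only exports any host can mount or that keep remote root as root
                if (client == "*" || opts ~ /(^|,)no_root_squash(,|$)/) print path, client reasons
            }
        }')
    if [ -n "$risky" ]; then
        printf '%s\n' "$risky"
        return 1
    fi
    return 0
}

# Constructed sample exports file; prints its path.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, first line is the page's own export
/home/wenrui/nfsroot *(rw,sync,no_root_squash)
/srv/ro 192.168.2.0/24(ro,sync)
/srv/shared 192.168.2.68(rw,sync,root_squash)
/srv/legacy 192.168.2.92(rw,no_root_squash)
EOF
    echo "$f"
}

# Stand-alone run: ./audit_exports.sh --demo   (or pass /etc/exports as $2)
if [ "${1:-}" = "--demo" ]; then
    audit_exports "${2:-$(make_sample_exports)}"
fi
```

A tighter export for the page's setup would name the LAN instead of "*" and leave root squashing on, e.g. `/home/wenrui/nfsroot 192.168.2.0/24(rw,sync,root_squash)`; the audit then reports nothing for it.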

Step 3:
Make a directory called nfsroot using the command: mkdir /home/wenrui/nfsroot
Step 4:
Restart the NFS server for the changes to be effective

                sudo service nfs-kernel-server restart 

Restart portmap service

                sudo /etc/init.d/portmap restart 
                cd /home/wenrui/nfsroot/
                touch me          # create a file named me
                sudo nano me      # write anything you want; it becomes visible to the client

Step 5: For Client NFS
Install nfs-common
Command:

                sudo apt-get install nfs-common 

Step 6:
Check the path of the shared folder
Command:

                sudo showmount –e <IP address of the NFS Server> 

Step 7:

Mount the exported directory from the server onto the local directory
Command:

                sudo mount -t nfs <IP of NFS server>:/home/wenrui/nfsroot /home/wenrui/nfs

VPN Step 1:
Install pptpd which is a package used to configure VPN
Command:

               sudo apt-get install pptpd 

Step 2:
Edit the files in /etc/pptpd.conf and make the following changes

               localip <IP of VPN server>
               remoteip <Range of IPs of VPN clients>

Step 3:
Edit /etc/ppp/pptpd-options file:

              ms-dns 192.168.0.254 

Step 4:
Set userid and password
Command:

              sudo nano /etc/ppp/chap-secrets 
              wenrui pptpd 123456 *
              # wenrui is the user name, pptpd is the VPN server name, 123456 is the password,
              # and * allows all IPs that fall in the VPN client range.

NIS:
Step 1: Install nis portmap

               sudo apt-get install nis portmap 

Step 2:
Edit the domain name NISServer when installed

               sudo nano /etc/default/nis 
               NISSERVER=master                  # set this computer as the NIS master server
               sudo nano /etc/yp.conf
               domain NISServer server ubuntu     # domain name NISServer, server name ubuntu
               sudo nano /etc/ypserv.securenets
               # change the "0.0.0.0 0.0.0.0" line into "255.255.255.0 192.168.0.0" (netmask, then network)
               sudo /usr/lib/yp/ypinit -m         # build the server's database

Step 3:For NIS Client

               sudo apt-get install portmap nis

Step 4:Edit the domain name NISServer

               sudo nano /etc/passwd 

Step 5:

               Add a line +::::::                 # marker that pulls entries from the NIS passwd map
               sudo nano /etc/group
               Add a line +:::
               sudo nano /etc/shadow
               Add a line +::::::::
               sudo nano /etc/yp.conf
               Set the ypserver's IP address (ypserver <IP of NIS server>)


Then update the database in the server.
We can test the NIS service on the client using yptest, ypwhich and ypcat -x.
We can also log in as the users on the server to test.


FTP:
Step 1: Install vsftpd

               sudo apt-get install vsftpd

Step 2: Edit /etc/vsftpd.conf and make the following changes:

               sudo vi /etc/vsftpd.conf
               anonymous_enable=YES      # the key is anonymous_enable, not "anonymous"
               write_enable=YES          # remove the "#" sign in front of this line

Step 3: Restart vsftpd

               sudo restart vsftpd

Step 4: Create test files in the FTP root

               cd /srv/ftp
               sudo touch file1 file2 file3
               sudo chmod 777 file1 file2 file3

SAMBA:
Step 1: Install samba

               sudo apt-get install samba

Step 2: Edit the configuration file and add the folder you need to share; the /srv directory is used to hold the shared files

               sudo gedit /etc/samba/smb.conf &

Step 3: Create the share directory

               sudo mkdir -p /srv/samba/share

Step 4: Change the ownership to nobody

               sudo chown nobody:nogroup /srv/samba/share

Step 5: Edit the NetBIOS name server configuration

               sudo gedit /etc/init/nmbd.conf &

Step 6: Restart samba and NetBIOS

               sudo restart smbd
               sudo restart nmbd

Step 7: Create a file in the share directory

               sudo touch /srv/samba/share/test.txt

Testing

Test Plan
Trying to test the DNS server
Trying to test forward zone entries
Trying to test reverse zone entries
Trying to test CNAME entries
Trying to ping different entries


Test Tools
Following commands were used to test DNS server:
-nslookup
-dig
Using the command netstat -uap we tested DHCP server.
For testing firewall we used the following commands:
-ping= To check whether the IP addresses are blocked correctly.
-ssh = To check whether ssh login is prevented for unauthorized users.


Test Cases
Problems faced:
1. Problem faced while installing bind9.
Solution: sudo apt-get update #Update ubuntu
Update ubuntu by writing the above command and then install bind9.
2. Problem faced while trying to restart the network interface using the command sudo /etc/init.d/networking restart
Common Error messages shown were :
Failed to bring up eth0/wlan0 interface
Ignoring unknown interface eth0=eth0 (wlan0=wlan0)
Solution: Use the command sudo service network-manager restart and then use sudo /etc/init.d/networking restart
3. Other servers viz. DHCP and Webserver were not able to use the command dig projectlinuxnash.com or nslookup projectlinuxnash.com(Host name as written in the DNS server)
Status shown: Access denied
Reason: Loopback address 127.0.0.1 was mentioned in the /etc/bind/db.home.raj file instead of the DNS server's IP address.
4. Server Status was SERVFAIL when tried to dig projectlinuxnash.com
Reason: The file /etc/bind/named.conf.local was not configured properly.
5. Server Cannot be found error
Solution: Wrong configuration of the file /etc/resolv.conf
6. Only webserver is able to access the webpage.
7. Not able to bridge VMware workstation with Windows.

Testing DNS:
For testing we use the following commands:
1) Dig
Dig stands for Domain Information Groper and is a flexible tool used to interrogate DNS name servers. It performs DNS lookups and returns the answers as provided by the name servers.

2) Nslookup (Name Server Lookup)
nslookup is a command used to query DNS servers. There are two modes of nslookup, viz. interactive mode and non-interactive mode. Interactive mode allows the user to query the name servers in order to obtain information about hosts and domains or to just print a list of hosts in a particular domain. Non-interactive mode is used to print only the name and information that is requested for a particular host or domain.

3) Ping
Ping command is used to check network layer status of the server.

4) Host
Host command is used to perform DNS lookups. It is used to convert names to IP addresses and vice versa.

Testing DHCP:
Whenever a client is connected to the network he will get an IPv4 and IPv6 address automatically within the range of address mentioned in the DHCP server. This can be verified using ifconfig/ipconfig command.
sudo dhclient -r - releases the current lease (run sudo dhclient afterwards to request a fresh one)
cat /var/lib/dhcp/dhcpd.leases - shows the leases the DHCP server has handed out, per client
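Reading dhcpd.leases by eye gets hard quickly, because dhcpd appends a new record every time a lease changes and only the last record for an address is current. The shell script below, added here and not part of the original project, summarises the file to one line per address with its latest state, and then reports active leases whose MAC address is not on an allow-list of known LAN devices, which is a cheap way to notice an unexpected machine on the subnet. The lease text it builds is constructed in the format ISC dhcpd writes; the MAC addresses and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original Wikiversity page.
# Summarises ISC dhcpd.leases and flags active leases from unknown MACs.

# $1 = leases file. Prints "ip mac state" for the latest record of each IP, sorted.
active_leases() {
    awk '
      /^lease /           { ip = $2; mac = ""; state = "" }          # start of a record
      /hardware ethernet/ { mac = $3; sub(";", "", mac) }
      /binding state/     { if ($1 == "binding") { state = $3; sub(";", "", state) } }  # skip "next binding state"
      /^}/                { lease[ip] = mac " " state }              # later records overwrite earlier ones
      END                 { for (ip in lease) print ip, lease[ip] }
    ' "$1" | sort
}

# $1 = leases file, $2 = allow-list file (one MAC per line, any case).
# Prints "ip mac" for every active lease not on the list; returns 1 if any, else 0.
unknown_active_leases() {
    found=$(active_leases "$1" | while read -r ip mac state; do
        [ "$state" = "active" ] || continue
        grep -qix "$mac" "$2" || echo "$ip $mac"
    done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample leases file (dhcpd format); prints its path.
# 192.168.2.10 appears twice: the second record is the current one.
make_sample_leases() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
lease 192.168.2.10 {
  starts 4 2015/04/16 10:00:00;
  ends 4 2015/04/16 10:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "abcd";
}
lease 192.168.2.11 {
  starts 4 2015/04/16 10:01:00;
  ends 4 2015/04/16 10:11:00;
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.2.12 {
  starts 4 2015/04/16 10:02:00;
  ends 4 2015/04/16 10:12:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
lease 192.168.2.10 {
  starts 4 2015/04/16 10:05:00;
  ends 4 2015/04/16 10:15:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
EOF
    echo "$f"
}

# Stand-alone run: ./leases.sh --demo   (or: unknown_active_leases /var/lib/dhcp/dhcpd.leases known_macs.txt)
if [ "${1:-}" = "--demo" ]; then
    L=$(make_sample_leases)
    active_leases "$L"
fi
```

On the real server, `unknown_active_leases /var/lib/dhcp/dhcpd.leases /etc/dhcp/known_macs.txt` from cron gives a daily list of devices that obtained an address without being on the inventory.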

Testing Web Server:
Open any web browser and test it by entering either the host name or the IP address. If both work, the web server is working fine. If they don't, there is a problem with your DNS server.

Testing Firewall:
One can test by sitting on the client and trying to ping the servers which are blocked. The result will be request timed out since the client is blocked by the firewall.
Also the client will not gain access to the webpage since it is forbidden for the client to use it. The client will not be able to open the webpage when he types the host name or the IP address.

Testing Backup:
We can test backup by going to the particular directory where the files are sent and type the command ls to check whether the files are received or not.

Future Prospects

Future Improvements:
1. Enhanced security for the DNS servers. Digital signatures, cache poisoning, DNS wrapper, authentication, symmetric key encryption and spoofing are the areas to be concentrated on.
2. DNS has a restrictive, centralized model for entering names into a naming database. System admins at different locations may manipulate this and this might not be updated at all locations. This leads to inconsistency.
3. DNS dynamic updates to update dynamic records of hosts with dynamic IP addresses. Hosts can keep the same domain name.
4. Replication architecture for the DNS allows websites to dynamically wander and replicate them without having to change their URLs. This is possible as a single DNS server is made to have the entire database of all the DNS servers. DNS look up time is reduced and web pages load faster.
5. Nowadays DHCP server usually provides IP addresses for multiple subnets and the DHCP Relay makes it possible for a DHCP Server to assign IP addresses for terminals in a subnet which the server does not reside in.
6. LDAP is a service that creates and maintains directories. This service can also be invoked from within Linux to add easier maintenance.