Data Networking/Fall 2014/SRKT

Group Candidates
1. Rohit Gomashe
2. Pratyusha Keerthi K R
3. Sahil Jain
4. Tushar Shinde

Purpose of Project
In today's world Linux is used throughout industry on switches, routers and workstations, because it is an open-source operating system and is customisable. That is why we are working on this project: hands-on experience with these services will be useful to us in industry.

Protocols
DNS:

DNS stands for Domain Name Server, which resolves a URL into an IP address. In an intranet such as our network, DNS can resolve only the hostnames and IP addresses listed in its zone files, whereas on the Internet DNS maps domain names to IP addresses by assigning authoritative servers to each domain. DNS uses UDP to fetch the IP address of a hostname, and a query is forwarded by one of two processes:

Recursive process
Iterative process

Hostname-to-IP-address mapping is known as a forward DNS query and IP-address-to-hostname mapping is known as a reverse DNS query. We configured BIND9 according to our project requirements. BIND stands for Berkeley Internet Name Domain and contains both a name server and a resolver library.

DHCP:

DHCP (Dynamic Host Configuration Protocol) runs over the layer three protocol (Internet Protocol) and assigns IP addresses to the devices connected to the same network. There are three methods by which a DHCP server allocates IP addresses:

Dynamic allocation: devices connected to the network are dynamically allocated IP addresses when the network is initialised.
Static allocation: every device requesting an IP address is permanently assigned an IP address.
Automatic allocation: DHCP allocates IP addresses based on a predefined MAC address to IP address mapping.

IP allocation is done in four phases: discover, offer, request, acknowledge.

DHCP Server Discovery: the client broadcasts a DHCP Discover message with source address 0.0.0.0.
DHCP Server Offer: the DHCP server responds with an Offer message, which includes the transaction ID, process ID, subnet mask and IP address lease time.
DHCP Request: the client sends a DHCP Request message in response to the Offer, indicating that it is ready to accept the configuration information contained in the Offer. Unlike the Discover message, the client includes its MAC address in the Request message.
DHCP ACK: the DHCP server sends an ACK message in response to the Request, which includes the information the client has requested.

The Requirements
Linux OS
BIND9
Ubuntu 14.04
Apache 2 to implement the web server
ISC-DHCP-SERVER for DHCP implementation

Steps to perform the setup / installation
Installation of Domain Name System (DNS)

For static interfaces (/etc/network/interfaces on the DNS server):

auto eth0
iface eth0 inet static
    address 192.168.3.254
    netmask 255.255.255.0
    network 192.168.3.0
    broadcast 192.168.3.255
    gateway 192.168.3.1
    # resolvconf option names are dns-nameservers and dns-search
    dns-nameservers 192.168.3.254
    dns-search dnlab.net

For named.conf.local:

# Forward zone
zone "dnlab.net" {
    type master;
    file "/etc/bind/db.dnlab.net";
};

# Reverse zone
zone "3.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};

For the forward lookup table (/etc/bind/db.dnlab.net):

$TTL    86400
@       IN      SOA     dnlab.net. root.dnlab.net. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      dnlab.net.
        IN      A       192.168.3.254
@       IN      MX 10   mail.dnlab.net.
a1      IN      A       192.168.3.201
a2      IN      A       192.168.3.202
a3      IN      A       192.168.3.203
c1      IN      A       192.168.3.204
mail    IN      A       192.168.3.210
www     IN      CNAME   c1.dnlab.net.

(The name server's own A record belongs to the zone apex, in the 192.168.3.0/24 network like every other host, and the MX record is owned by the apex rather than by the mail host so that mail for dnlab.net is routed to mail.dnlab.net.)

For the reverse lookup table (/etc/bind/db.192):

$TTL    86400
@       IN      SOA     dnlab.net. root.dnlab.net. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      dnlab.net.
201     IN      PTR     a1.dnlab.net.
202     IN      PTR     a2.dnlab.net.
203     IN      PTR     a3.dnlab.net.
204     IN      PTR     c1.dnlab.net.
210     IN      PTR     mail.dnlab.net.

For master zone files (named.conf.local, with zone transfers restricted to the secondary server 192.168.3.253):

# Forward zone
zone "dnlab.net" {
    type master;
    file "/etc/bind/db.dnlab.net";
    allow-transfer { 192.168.3.253; };
};

# Reverse zone
zone "3.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.3.253; };
};
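The forward and reverse zone files above must agree with each other, and hand-editing two files is where they drift apart. The following added example (not part of the project's own configuration) builds both zones from one host table with the page's names and addresses and checks that every A record has a matching PTR; the serial number and the zone text layout are assumptions of the example.

```python
# Added example, not part of the original project: build the dnlab.net forward and
# 3.168.192.in-addr.arpa reverse zones from one host table, then check that every
# A record has a matching PTR.  Names and addresses are the page's; serial is assumed.
import ipaddress

ZONE = "dnlab.net"
NET = ipaddress.ip_network("192.168.3.0/24")
HOSTS = {"a1": "192.168.3.201", "a2": "192.168.3.202", "a3": "192.168.3.203",
         "c1": "192.168.3.204", "mail": "192.168.3.210"}

def reverse_zone_name(net):
    """192.168.3.0/24 -> '3.168.192.in-addr.arpa', the zone named in named.conf.local."""
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def header(serial):
    """SOA and NS records shared by both zone files (same timers as the page)."""
    return (f"$TTL 86400\n@ IN SOA {ZONE}. root.{ZONE}. ( {serial} 604800 86400 2419200 86400 )\n"
            f"@ IN NS {ZONE}.")

def forward_zone(serial, ns_addr="192.168.3.254"):
    lines = [header(serial), f"@ IN A {ns_addr}", f"@ IN MX 10 mail.{ZONE}."]
    lines += [f"{h} IN A {a}" for h, a in sorted(HOSTS.items())]
    lines.append(f"www IN CNAME c1.{ZONE}.")
    return "\n".join(lines) + "\n"

def reverse_zone(serial):
    lines = [header(serial)]
    for h, a in sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if ipaddress.ip_address(a) not in NET:   # a wrong PTR owner would otherwise go unnoticed
            raise ValueError(f"{h}: {a} is outside {NET}")
        lines.append(f"{a.rsplit('.', 1)[1]} IN PTR {h}.{ZONE}.")
    return "\n".join(lines) + "\n"

def records(zone_text, rtype):
    """{owner: rdata} for every record of one type in a zone text."""
    out = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "IN" and f[2] == rtype:
            out[f[0]] = f[3]
    return out

def check_consistency(fwd_text, rev_text):
    """Return a list of problems; an empty list means A and PTR records agree."""
    problems = []
    a_recs = {h: a for h, a in records(fwd_text, "A").items() if h != "@"}
    ptr_recs = records(rev_text, "PTR")
    for host, addr in a_recs.items():            # every host needs a PTR back to itself
        last = addr.rsplit(".", 1)[1]
        if ptr_recs.get(last) != f"{host}.{ZONE}.":
            problems.append(f"no PTR {last} -> {host}.{ZONE}.")
    for last, name in ptr_recs.items():          # every PTR needs a matching A
        host = name[: -len(f".{ZONE}.")]
        if a_recs.get(host, "").rsplit(".", 1)[-1] != last:
            problems.append(f"PTR {last} -> {name} has no matching A")
    return problems
```

Running check_consistency over the two files actually installed in /etc/bind (read them in place of the generated text) catches a PTR that points at a retired hostname before clients do.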

Commands used in installing DHCP on Linux:

DHCP (IPV4) Steps 

1) To install the DHCP server: sudo apt-get install isc-dhcp-server

2) DHCP configuration files:

sudo gedit /etc/default/isc-dhcp-server
INTERFACES="eth0"

sudo gedit /etc/dhcp/dhcpd.conf
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.100 192.168.3.150;
    option domain-name-servers 192.168.3.254;
    option domain-name "dnlab.org";
    option broadcast-address 192.168.3.255;
    default-lease-time 600;
    max-lease-time 7200;
}

3) Command to edit the network interfaces file:

sudo gedit /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.3.2
    netmask 255.255.255.0
    broadcast 192.168.3.255
    gateway 192.168.3.1
    dns-nameservers 192.168.3.254
    dns-search tsm

4) DHCP server restart: sudo /etc/init.d/isc-dhcp-server restart

DHCP log: sudo tail -f /var/log/syslog
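Besides the syslog tail, the server's lease file shows which addresses are actually bound. The following added example (not part of the project) parses dhcpd's lease file and flags active leases that fall outside the range configured in dhcpd.conf above; the lease text is constructed in the file's own syntax, not captured from the lab network.

```python
# Added example, not from the original project: parse ISC dhcpd's lease file so the
# "cat /var/lib/dhcp/dhcpd.leases" test step can be checked against the range in the
# dhcpd.conf above.  The lease text is constructed in the file's syntax, not captured.
import ipaddress
import re

SAMPLE_LEASES = """\
lease 192.168.3.100 {
  ends 3 2014/11/05 18:10:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:01;
}
lease 192.168.3.101 {
  ends 3 2014/11/05 17:10:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.3.200 {
  ends 3 2014/11/05 18:15:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:03;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Current lease per address; dhcpd appends a block on every renewal, so the last wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        rec = {"ip": ip, "state": None, "mac": None, "ends": None}
        for line in body.splitlines():
            f = line.strip().rstrip(";").split()
            if f[:1] == ["ends"] and len(f) == 4:   # "ends <wday> YYYY/MM/DD HH:MM:SS" in UTC;
                rec["ends"] = f"{f[2]} {f[3]}"       # zero-padded, so string order is time order
            elif f[:2] == ["binding", "state"]:
                rec["state"] = f[2]
            elif f[:2] == ["hardware", "ethernet"]:
                rec["mac"] = f[2].lower()
        leases[ip] = rec
    return leases

def active_leases(text, now):
    """Leases still bound at `now`, given as 'YYYY/MM/DD HH:MM:SS' UTC like the file."""
    return [l for l in parse_leases(text).values()
            if l["state"] == "active" and l["ends"] and l["ends"] > now]

def outside_range(leases, first, last):
    """Lease addresses outside dhcpd.conf's range statement (e.g. a range edited after leasing)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [l["ip"] for l in leases if not lo <= ipaddress.ip_address(l["ip"]) <= hi]
```

To check the real server, read /var/lib/dhcp/dhcpd.leases into the text argument and pass the current UTC time in the same format.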

DHCP (IPV6) Steps: 

1) Command used to install the IPv6 router advertisement daemon: sudo apt-get install radvd

2) Command to edit the configuration file of radvd:

sudo gedit /etc/radvd.conf
interface eth0 {
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1280;
    AdvSendAdvert on;
    prefix A1B8:1111:1234:F110::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 86400;
        AdvPreferredLifetime 86400;
        AdvRouterAddr on;
    };
};

3) Command to edit the DHCPv6 configuration:

sudo gedit /etc/dhcp/dhcpd6.conf
default-lease-time 6800;
max-lease-time 72000;
log-facility local7;
subnet6 A1B8:1111:1234:F110::/64 {
    range6 A1B8:1111:1234:F110::100 A1B8:1111:1234:F110::150;
}

(With AdvAutonomous on and no AdvManagedFlag in radvd.conf, clients form their own addresses by SLAAC and do not request one from this range; set AdvManagedFlag on in the interface block for clients to use stateful DHCPv6.)

4) Command to restart radvd: sudo service radvd restart

5) Command to restart DHCPv6: sudo service isc-dhcp-server restart

Web Server:

A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests).

Every computer on the Internet that contains a Web site must have a Web server program. Two leading Web servers are Apache, the most widely-installed Web server, and Microsoft's Internet Information Server (IIS).

Web servers often come as part of a larger package of Internet- and intranet-related programs for serving e-mail, downloading requests for File Transfer Protocol (FTP) files, and building and publishing Web pages.

Apache is generally recognized as the world's most popular Web server (HTTP server). Originally designed for Unix environments, the Apache Web server has been ported to Windows and other network operating systems. The Apache Web server provides a full range of Web server features, including CGI, SSL, and virtual domains.

Installation Steps:

Apache:

sudo apt-get install apache2
sudo /etc/init.d/apache2 restart
echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn

(Ubuntu 14.04 ships Apache 2.4, which reads /etc/apache2/conf-available/ rather than conf.d; there the snippet is written to fqdn.conf and enabled with sudo a2enconf fqdn before the restart.)

PHP modules (server-side scripting):

sudo apt-get install php5 libapache2-mod-php5
sudo touch /var/www/test.php
sudo nano /var/www/test.php

phpMyAdmin and MySQL installation:

sudo apt-get install mysql-server
sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin

Firewall:

A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

The name firewall comes from a common architectural practice of placing a brick wall between two structures, to prevent a fire in one from spreading to the other.

The National Institute of Standards and Technology (NIST) 800-10 divides firewalls into three basic types:

- Packet filters
- Stateful inspection
- Proxies

'''Firewalls act as a platform for network security policy enforcement and network traffic inspection. They are defined by the following attributes:'''

Standard capabilities: packet filtering, stateful protocol inspection, network address translation (NAT), VPN connectivity.
Truly integrated intrusion connection: support for vulnerability-facing and threat-facing signatures and suggesting rules based on IPS activity.
Full-stack visibility and application identification: ability to enforce policy at the application layer.
Extra-firewall intelligence: ability to take information from external sources and make improved decisions.
Adaptability to modern threat landscapes: supports upgrade paths for integration of new information feeds and new techniques to address future threats.
In-line support: with minimum performance degradation or disruption to network service.

The following are the configuration commands and relevant functionalities: 

iptables -L

iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

-m conntrack: allow filter rules to match based on connection state; permits the use of the --ctstate option.
--ctstate: define the list of states for the rule to match on. Valid states are:

- NEW: the connection has not yet been seen.
- RELATED: the connection is new, but is related to another connection already permitted.
- ESTABLISHED: the connection is already established.
- INVALID: the traffic couldn't be identified for some reason.

sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 22
sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 80
sudo iptables -A INPUT -j DROP -p tcp --destination-port 20
sudo iptables -A INPUT -j DROP -p tcp --destination-port 21
sudo iptables -A INPUT -j DROP -p tcp --destination-port 23

Commands to allow and deny access to ssh, http, ftp-data, ftp-control, telnet by port address.

sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allows icmp ping at input chain

sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

Allows icmp ping at output chain

sudo iptables-save > /etc/iptables.test.rules
sudo gedit /etc/iptables.test.rules

Save the configured rules to a file (iptables-save writes to standard output, so the output is redirected) and review them.

iptables-save > /etc/iptables.up.rules
pre-up iptables-restore < /etc/iptables.up.rules

Save the configured rules to a file; the pre-up line, placed under the interface stanza in /etc/network/interfaces, restores them each time the interface is brought up, since iptables rules are otherwise lost at reboot.
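The rules above are only as good as their order and the chain policy they sit under. The following added example (not part of the project) parses an iptables-save dump and checks the intent of this section: the conntrack ACCEPT comes before any DROP, 22 and 80 are accepted, 20/21/23 are dropped, and the INPUT policy is reported because the commands above never change it; the dump is constructed to match the page's commands, not captured from the lab host.

```python
# Added example, not from the original project: audit an iptables-save dump against
# the intent of the rules above (established traffic accepted first, 22 and 80 open,
# 20/21/23 dropped).  The dump is constructed to match this page's commands.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    """Return (policies, rules) for the filter table; each rule is the dict of its
    option/value pairs, kept in chain order (negated "!" options are not handled)."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            f = line.split()
            rules.append(dict(zip(f[0::2], f[1::2])))
    return policies, rules

def audit(dump, allow=("22", "80"), deny=("20", "21", "23")):
    """Return findings; an empty list means the dump matches the intent above."""
    policies, rules = parse_filter(dump)
    inp = [r for r in rules if r.get("-A") == "INPUT"]
    findings = []
    # 1. iptables applies the first matching rule, so the conntrack ACCEPT must precede any DROP
    first_ct = next((i for i, r in enumerate(inp)
                     if "ESTABLISHED" in r.get("--ctstate", "") and r.get("-j") == "ACCEPT"), None)
    first_drop = next((i for i, r in enumerate(inp) if r.get("-j") == "DROP"), len(inp))
    if first_ct is None or first_ct > first_drop:
        findings.append("ESTABLISHED,RELATED accept rule missing or placed after a DROP")
    # 2. the first rule naming a port decides its verdict
    verdict = {}
    for r in inp:
        if r.get("-p") == "tcp" and "--dport" in r:
            verdict.setdefault(r["--dport"], r.get("-j"))
    findings += [f"tcp/{p} not accepted" for p in allow if verdict.get(p) != "ACCEPT"]
    findings += [f"tcp/{p} not dropped" for p in deny if verdict.get(p) != "DROP"]
    # 3. the commands above never change the chain policy, so unlisted ports stay reachable
    if policies.get("INPUT") == "ACCEPT":
        findings.append("INPUT policy is ACCEPT: ports not listed above stay open")
    return findings
```

Feeding it the real output of sudo iptables-save shows the one finding this page's rule set always produces: with the INPUT policy left at ACCEPT, the three DROP rules block only 20, 21 and 23 and nothing else.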

NFS

NFS allows a system (the NFS server) to share files with the other systems on the same network. This reduces the storage of files on each and every system in the network; instead, all systems can access the files stored on the server using NFS.

The steps involved in configuring the NFS server and client include the following commands.

NFS at Server:

1) Command to install the NFS server: sudo apt-get install nfs-kernel-server
2) Command to create the directory to be shared on the server: mkdir file
3) Command to edit the exports file: sudo gedit /etc/exports
4) Restart the NFS server: sudo service nfs-kernel-server restart

NFS at Client:

1) Command to install NFS at the client: sudo apt-get install nfs-common
2) Command to create the mount point at the client: mkdir /mnt/nfs/file
3) Command to mount the share: sudo mount 192.168.3.2:/file /mnt/nfs/file

Backup Server:

1) Command to install rsync:

sudo apt-get install rsync

2) Commands to set up key-based SSH between the rsync client and server:

i. To generate a key: ssh-keygen -t rsa
ii. To send the public key: scp id_rsa.pub root@192.168.3.20:/root/.ssh/authorized_keys
iii. To generate a key for the client: ssh-keygen -t rsa
iv. Send the public key to the server: scp id_rsa.pub root@192.168.3.3:/root/.ssh/authorized_keys

(Copying over authorized_keys with scp replaces any keys already in it; ssh-copy-id appends the new key instead.)

3) Command to create a shell script that performs the backup:

touch autobackup.sh

4) Command to edit the shell script:

vim autobackup.sh

#!/bin/sh
rm -f /var/www.zip
zip -r /var/www.zip /var/www
rsync -zvr /var/www.zip root@192.168.3.20:/home/www_$(date +%Y%m%d-%H%M%S).zip

5) Command to give the privilege to execute the shell script:

chmod +x autobackup.sh

6) Command to add the shell script to the task table:

crontab -e

7) Crontab entry that executes the shell script (every minute of every day):

* * */1 * * /home/autobackup.sh

VPN

VPN stands for Virtual Private Network, which enables two devices on private networks to connect over a public network. In a VPN the device on the private network communicates over the public network as though it were on a private link, and the VPN ensures security. A VPN is a point-to-point connection between two private networks through a dedicated tunnel, with the data encrypted before it is sent over the public network. VPN in our project is enabled by creating a VPN connection with SSID and password.

For server: 

1) Command to install pptpd: sudo apt-get install pptpd

2) Command to edit the pptpd configuration:

sudo gedit /etc/pptpd.conf
localip 192.168.3.2
remoteip 192.168.3.100-150

The DNS server handed to VPN clients is a pppd option, so it goes in the pppd options file rather than pptpd.conf:

sudo gedit /etc/ppp/pptpd-options
ms-dns 192.168.3.254

3) Change the configuration file for the VPN's username and password:

sudo gedit /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret          IP addresses
dnlab           pptpd   dnlab.net       *

4) Restart the server: sudo service pptpd restart

NIS: NIS stands for Network Information System, a directory protocol for distributing data to the systems on the same network. The data distributed from the NIS database includes login names, passwords, group names, hostnames and IP addresses. For example, if passwords are recorded in the NIS database, the systems on the same network that have an NIS client configured can be accessed with the same login credentials. The NIS server implemented in our project holds the username-to-password mapping; clients can only read the records.

NIS Server configuration: 

1) Command to install NIS:

sudo apt-get install nis portmap (nis.dnlab.net)

2) Command to edit configuration:

sudo gedit /etc/yp.conf

3) Command to build the NIS maps (-m builds the maps for a master server):

sudo /usr/lib/yp/ypinit -m

NIS Client configuration: 

1) Command to install on the NIS client: sudo apt-get install nis portmap

2) Command to edit the configuration: sudo gedit /etc/yp.conf

3) Commands to add the NIS entries to /etc/passwd, /etc/group and /etc/shadow respectively:

sudo gedit /etc/passwd
sudo gedit /etc/group
sudo gedit /etc/shadow

PXE Boot and RARP:

Testing
Test Plan

DNS server: testing of the following entries
1. Forward zone
2. Reverse zone
3. CNAME
4. A record
5. Ping

Testing DNS:

dig
nslookup (Name Server Lookup)
ping

Testing DHCP:

ifconfig
cat /var/lib/dhcp/dhcpd.leases
sudo dhclient

Testing Web Server: By entering the webpage name www.dnlab.net in the client we were able to fetch a web page from the web server.

Testing Firewall: when a client whose IP address is blocked tries to ping the server, the result is “request time out” and “server not reachable”.

Testing Backup: backup testing was performed by synchronising the files to a fixed directory. We can confirm the presence of the file using the ls command.

Future Prospects
Future Scope:
1. We could have implemented the Lightweight Directory Access Protocol for maintenance of the directory.
2. We could have implemented a cloud server and a BitTorrent server.
3. We could have implemented modularity in the network.
4. We could have implemented VLANs.