Data Networking/Fall 2015/Dfjz

DNS server

 * Get a domain name for the start-up
 * Assign a set of IPv4 and IPv6 addresses to be used for this project
 * Configure name servers to handle queries for the domain
 * Document the details for future users
 * Choose one of the DNS servers BIND9, POSADIS or PowerDNS
 * Create any 5 DNS records
 * Create reverse domains in in-addr.arpa and ip6.arpa
 * Configure a master DNS server and a slave server
 * Test plan and implementation with an example

DHCP server

 * Assign a set of IPv4 and IPv6 addresses to be used for this project
 * Dynamic allocation of network addresses
 * The client-server protocol
 * Test plan and implementation with an example

Web Server & Firewall

 * Use only one command-line tool and package
 * Provide all the commands with a brief description
 * Provide the changes you have made to the files/folders for configuring the web server as well as the firewall. Create the basic page to be served by this web server
 * Make this page accessible to the clients in your network using the web server
 * Secure the server in all possible ways

Back up

 * Automate the process of backing up the data
 * The backup file should be zipped and sent to a different server
 * Describe briefly how the backup is automated and how the file transfer is made
 * Provide the command and configuration for sending the zipped file to a different location
 * Mention which protocol you are using to complete this task

Functionality of DNS [1]:
The Domain Name System (DNS) is a large distributed database, spread over many computers, that holds the names and IP addresses of the hosts and domains on the Internet. The Domain Name System provides the data that the Domain Name Service uses when queries are made: the service is the act of querying the database, and the system is the data structure and the data itself.

The Domain Name System is an essential component of most Internet services because it is the Internet's primary directory service. A client sends a query to its DNS server, which resolves it to an IP address using one of two processes:
 * Recursive process.
 * Iterative process.
Depending on the query forwarded by the client, the DNS can perform two functions:
 * Forward DNS query – hostname to IP address.
 * Reverse DNS query – IP address to hostname.
There are three classes of DNS servers:
 * Root DNS servers
 * TLD (top-level domain) DNS servers
 * Authoritative DNS servers

Functionality of BIND [2]:
BIND is an acronym for Berkeley Internet Name Domain. Version 9 was developed by Nominum, Inc. The BIND 9 software distribution contains both a name server and a resolver library.

The BIND software distribution has three parts:
 * 1) Domain name resolver: a resolver is a program that resolves questions about names by sending those questions to the appropriate servers and responding appropriately to the servers' replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system (many operating system distributions use the BIND resolver library). The stub resolver usually forwards queries to a caching resolver, a server or group of servers on the network dedicated to DNS services. Those resolvers send queries to one or more authoritative servers in order to find the IP address for the DNS name.
 * 2) Domain name authority server: an authoritative DNS server answers requests from resolvers using information about the domain names it is authoritative for. You can provide DNS services on the Internet by installing this software on a server and giving it information about your domain names.
 * 3) Tools: BIND includes a number of diagnostic and operational tools. Some of them, such as the popular dig tool, are not specific to BIND and can be used with any DNS server.

Zones
A zone is the part of the domain tree for which a name server has complete information. It contains all domain names from a certain point downward in the domain tree, except those that are delegated to other zones.

Authoritative Name Servers [3]:
There are two types of authoritative name servers:
 * 1) Master server (primary name server) – A master server stores the original master copies of all zone records. The hostmaster only makes changes to the master server's zone records. Each slave server gets updates through the automatic zone transfer mechanism of the DNS protocol, so all slave servers maintain an identical copy of the master records.
 * 2) Slave server (secondary name server) – A slave server is an exact replica of the master server. It is used to share the DNS server load and to improve DNS zone availability in case the master server fails. It is recommended to have at least two slave servers and one master server for each domain name.

DHCP [4]:
The Dynamic Host Configuration Protocol (DHCP) is a network protocol used to assign IP addresses and provide configuration information to devices such as servers, desktops or mobile devices so that they can communicate on a network using the Internet Protocol (IP). ISC DHCP is a collection of software that implements all aspects of the DHCP suite. It includes:
 * A DHCP server, which receives clients' requests and replies to them.
 * A DHCP client, which can be bundled with the operating system of a client computer or other IP-capable device and which sends configuration requests to the server. Most devices and operating systems already include a DHCP client.
 * A DHCP relay agent, which passes DHCP requests from one LAN to another so that there need not be a DHCP server on every LAN.

Apache [5]:
Apache is probably the most popular Linux-based web server application in use. Apache2 supports a variety of features, many implemented as compiled modules which extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces support Perl, Python, Tcl and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest and mod_auth_digest, the successor to mod_digest. Other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config) and filtering support (mod_include and mod_ext_filter).

Firewall [6]:
A firewall is a computer security system that protects office or home PCs, or a whole network, from intruders and malicious code by controlling which traffic is allowed in and out. In an era when online security is a top priority for computer users, firewalls provide a necessary layer of protection.

ufw - Uncomplicated Firewall [7]
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. ufw is disabled by default. From the ufw man page:

Back up:
Backup refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event.

VPN:
VPN stands for Virtual Private Network. It is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider.

NFS [8]:
The Network File System (NFS) is based on Remote Procedure Call and allows a client to mount remote file systems automatically, providing transparent access to them as if they were local. It is a client/server application that lets a user view and optionally store and update files on a remote computer as though they were on the user's own computer. The user's system needs an NFS client and the other computer needs the NFS server; both require TCP/IP, which the NFS server and client use to send files and updates back and forth.

DNS Server
Install DNS on the local machine using Ubuntu and BIND9.

Step 1: Set the interface (eth0 or wlan0) to a static address
Command: sudo nano /etc/network/interfaces
# Change lo to either eth0 or wlan0 and loopback to static
auto eth0
iface eth0 inet static
    address 10.10.10.5
    netmask 255.255.255.0
    gateway 10.10.10.1
    network 10.10.10.0
    broadcast 10.10.10.255
    # dns-nameservers and dns-search are the option names resolvconf reads
    dns-nameservers 10.10.10.5
    dns-search dfjz.com

Step 2: Restart the network
Command: sudo /etc/init.d/networking restart

Step 3: Install bind9
Command: sudo apt-get install bind9

Step 4: Remove the comments from the forwarders block
Command: sudo nano /etc/bind/named.conf.options

Step 5: Define the entries for the forward and reverse lookup zones

Command: sudo nano /etc/bind/named.conf.local
 * Master DNS:

Forward zone:
zone "dfjz.com" {
    type master;
    file "/etc/bind/db.dfjz.com";
    allow-transfer { <IP of slave>; };
};

Reverse zone:
zone "10.10.10.in-addr.arpa" {
    type master;
    allow-transfer { <IP of slave>; };
    file "/etc/bind/db.192";
};

 * Slave DNS (the zone names must match the ones defined on the master):

Forward zone:
zone "dfjz.com" {
    type slave;
    masters { <IP of master>; };
    file "/var/cache/bind/db.dfjz.com";
};

Reverse zone:
zone "10.10.10.in-addr.arpa" {
    type slave;
    masters { <IP of master>; };
    file "/var/cache/bind/db.192";
};

Step 6: Create the zone files that bind9 loads at start-up
Command: copy the default zone file to the file name used in named.conf.local
sudo cp /etc/bind/db.local /etc/bind/db.dfjz.com

Step 7: Edit the forward lookup zone
Command: sudo nano /etc/bind/db.dfjz.com
$TTL    604800
@       IN      SOA     dfjz.com. root.dfjz.com. (
                        2         ; Serial number
                        604800    ; Refresh rate
                        86400     ; Retry
                        2419200   ; Expire
                        604800 )  ; Negative Cache TTL
@       IN      NS      ubuntu.dfjz.com.
@       IN      A       10.10.10.5
@       IN      AAAA    fe80::be77:37ff:fe7d:dc2d
; A records (zone file comments start with ";", not "#")
ubuntu  IN      A       10.10.10.5
ubuntu1 IN      A       10.10.10.6
wp      IN      A       10.10.10.10
mail    IN      A       10.10.10.8
@       IN      MX 10   mail.dfjz.com.
www     IN      CNAME   dfjz.com.       ; trailing dot: without it BIND appends the origin again
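Two mistakes that are easy to make in a zone file like the one above are a CNAME, MX or NS target written without its trailing dot (BIND appends the zone origin, so www would point at dfjz.com.dfjz.com.) and an NS name that has no matching A record in the zone. The following is an added example check, not part of the project page, that scans a zone file for both; it takes the zone name and the file as arguments and reads only the record types it understands. The authoritative syntax check remains named-checkzone from the bind9utils package.

```shell
#!/bin/sh
# Added example: lint a BIND zone file for relative targets without a trailing
# dot and for NS names with no A/AAAA record (missing glue).
# Usage: lint_zone dfjz.com /etc/bind/db.dfjz.com

# lint_zone ZONE FILE -> prints one line per problem; prints nothing when clean
lint_zone() {
    awk -v zone="$1" '
        { sub(/;.*/, "") }                       # drop comments
        NF == 0 || /^\$/ { next }                # blank lines and $TTL/$ORIGIN directives
        {
            if ($0 !~ /^[ \t]/) owner = $1        # an indented line inherits the previous owner
            type = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(NS|CNAME|MX|PTR|A|AAAA)$/) { type = $i; break }
            if (type == "") next                  # SOA and its continuation lines, etc.
            target = $NF
            if (type == "A" || type == "AAAA") { has_addr[owner] = 1; next }
            if (target != "@" && target !~ /\.$/)
                printf("%s record for %s: target %s has no trailing dot, BIND reads it as %s.%s.\n",
                       type, owner, target, target, zone)
            if (type == "NS") ns[target] = 1
        }
        END {
            suffix = "." zone
            for (t in ns) {
                name = t; sub(/\.$/, "", name)    # strip the trailing dot
                inzone = 0
                if (name == zone) { name = "@"; inzone = 1 }
                else if (length(name) > length(suffix) &&
                         substr(name, length(name) - length(suffix) + 1) == suffix) {
                    name = substr(name, 1, length(name) - length(suffix)); inzone = 1
                }
                # an in-zone NS name needs its own A/AAAA record (glue)
                if (inzone && !(name in has_addr))
                    printf("NS %s has no A/AAAA record in the zone (missing glue)\n", t)
            }
        }
    ' "$2"
}

# with two arguments the script lints that zone; with none it only defines the function
if [ $# -eq 2 ]; then
    lint_zone "$1" "$2"
fi
```

Run it before `sudo named-checkzone dfjz.com /etc/bind/db.dfjz.com` and the reload; a clean zone prints nothing.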

DHCP Server
Install the DHCP server for IPv4 on the local machine.

Step 1: Install the DHCP server
Command: sudo apt-get install isc-dhcp-server

Step 2: Configure the DHCP server
Command: sudo nano /etc/dhcp/dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.11 10.10.10.50;
    option domain-name-servers 10.10.10.5, 10.10.10.6;
    option domain-name "dfjz.com";
    option routers 10.10.10.1;
    option broadcast-address 10.10.10.255;
    default-lease-time 600;
    max-lease-time 7200;
}

Step 3: Assign fixed IPs for the web server, master DNS, slave DNS, backup server and mail server (all outside the dynamic range 10.10.10.11 to 10.10.10.50)
Command: add the following host entries to /etc/dhcp/dhcpd.conf
For the web server:
host web0 {
    hardware ethernet 00:0c:29:3e:ca:69;
    fixed-address 10.10.10.10;
}

For master DNS and slave DNS:
host dnsmaster0 {
    hardware ethernet 00:0c:29:4c:8d:77;
    fixed-address 10.10.10.5;
}

host dnsslave0 {
    hardware ethernet 00:0c:29:56:40:8c;
    fixed-address 10.10.10.6;
}

For the backup server:
host backup0 {
    hardware ethernet 00:0c:29:23:6b:90;
    fixed-address 10.10.10.7;
}

For the mail server:
host mailserver0 {
    hardware ethernet 00:0c:29:56:0d:d1;
    fixed-address 10.10.10.8;
}

Step 4: Start the DHCP service
Command: sudo /etc/init.d/isc-dhcp-server start
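A fixed-address reservation must not fall inside the range the server hands out dynamically, otherwise the same address can be leased to a second machine. The following is an added example check, not from the project page, that parses a dhcpd.conf for the range and fixed-address statements and reports every reservation inside the pool; it assumes the single-subnet layout shown above (a range carrying the dynamic-bootp flag, or several subnets, is not handled). The syntax check built into isc-dhcp is separate: dhcpd -t -cf /etc/dhcp/dhcpd.conf.

```shell
#!/bin/sh
# Added example: flag fixed-address reservations that sit inside the dynamic range.
# Assumes one subnet with a "range LOW HIGH" statement.
# Usage: check_reservations /etc/dhcp/dhcpd.conf

# check_reservations CONF -> one line per conflict, then a summary line; always returns 0
check_reservations() {
    awk '
        function ip2n(ip,   o) {           # dotted quad -> integer for comparisons
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        {
            sub(/#.*/, "")                 # strip comments
            gsub(/[;{}]/, " ")             # punctuation becomes whitespace so "web0{" splits cleanly
            for (i = 1; i <= NF; i++) {
                if ($i == "range") {
                    lo = ip2n($(i + 1))
                    # "range X;" with a single address means a pool of one
                    hi = ($(i + 2) ~ /^[0-9.]+$/) ? ip2n($(i + 2)) : lo
                } else if ($i == "host") {
                    host = $(i + 1)
                } else if ($i == "fixed-address") {
                    n = ip2n($(i + 1)); total++
                    if (n >= lo && n <= hi)
                        printf("host %s: %s lies inside the dynamic range\n", host, $(i + 1))
                }
            }
        }
        END { printf("%d reservations checked\n", total + 0) }
    ' "$1"
}

# with one argument the script checks that file; with none it only defines the function
if [ $# -eq 1 ]; then
    check_reservations "$1"
fi
```

The reservations on this page (.5, .6, .7, .8 and .10 against the pool .11 to .50) pass; the check is worth re-running whenever the range or a host entry changes.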

IPv6 address assignment on the local machine (radvd sends router advertisements so that clients autoconfigure their addresses)

Step 1: Install radvd
Command: sudo apt-get install radvd

Step 2: Configure radvd.conf
Command: sudo nano /etc/radvd.conf
interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:0db8:0100:f101::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

Step 3: Enable IPv6 forwarding in sysctl.conf
Command: sudo nano /etc/sysctl.conf
remove the "#" in front of 'net.ipv6.conf.all.forwarding=1', then apply it immediately:
sudo sysctl -w net.ipv6.conf.all.forwarding=1

Step 4: Start the radvd service
Command: sudo service radvd start

Web Server
Install the web server on the local machine using Apache.

Step 1: Install apache2
Command: sudo apt-get install apache2

Step 2: Check whether the web server is listening on port 80
Command: netstat -a | more

Step 3: Restart the web server
Command:
sudo /etc/init.d/apache2 stop    # when you run netstat now, the computer is no longer shown as listening
sudo /etc/init.d/apache2 start

Step 4: Edit the web page served by the server

Firewall
Use ufw to set up the firewall; it is built into the Ubuntu system. ufw is a front end for iptables, the program that allows the system admin to configure the packet-filtering tables provided by the Linux kernel firewall. In the commands below, replace <server-ip> with the address of your own server and <client-ip> with the address of the client to block.

Step 1: To block ICMP echo requests (ping), write the following command:
sudo iptables -A INPUT -d <server-ip> -p icmp --icmp-type 8 -j DROP    # type 8 is echo-request; type 0 is echo-reply, which would only drop answers to the server's own pings

Step 2: To prevent SSH login from a client, write the following command:
sudo iptables -A INPUT -s <client-ip> -d <server-ip> -p tcp --dport ssh -j DROP

Step 3: To block the FTP ports, write the following commands:
sudo iptables -A INPUT -d <server-ip> -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d <server-ip> -p tcp --dport 21 -j DROP

Step 4: To block the port used by Telnet, write the following command:
sudo iptables -A INPUT -d <server-ip> -p tcp --dport 23 -j DROP

Step 5: To block the web page for a client (port 80, which the web server listens on), write the following command:
sudo iptables -A INPUT -d <server-ip> -s <client-ip> -p tcp --dport 80 -j DROP

Step 6: To start the firewall, write the following command: sudo ufw enable

Step 7: To shut down the firewall, write the following command: sudo ufw disable

Step 8: To block SSH access from a certain IP:
sudo ufw deny proto tcp from <client-ip> to any port 22

Step 9: To unblock SSH access from that IP again, remove the deny rule first (ufw matches rules in order, so an allow rule added after the deny would never be reached):
sudo ufw delete deny proto tcp from <client-ip> to any port 22
sudo ufw allow proto tcp from <client-ip> to any port 22

Back Up
 * Server side
Step 1: Install ssh
Command: sudo apt-get install openssh-server

 * Client side
Step 1: Log in from the client (web server) to the backup server
Command: ssh xunpeng@10.10.10.7

Step 2: Use ssh-keygen to create an encryption key pair (public and private key)
Command:
ssh-keygen -t rsa    # accept the default path /home/xunpeng/.ssh/id_rsa; the .ssh directory is created
cat /home/xunpeng/.ssh/id_rsa.pub >> /home/xunpeng/.ssh/authorized_keys    # key login only works for keys listed here

Step 3: Exit the server

Step 4: Copy id_rsa from the server to the client and run the first backup
Command:
cd .ssh
scp xunpeng@10.10.10.7:.ssh/id_rsa .
chmod 600 id_rsa
ssh 10.10.10.7
rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/

Step 6: Automatic backup
Command: rsync -avz -e ssh /home/xunpeng/backup/ xunpeng@10.10.10.7:/home/xunpeng/backup/
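The requirement asks for a zipped backup that is sent to another server automatically. The following is an added example script, not the project's own code, that archives the directory with tar and gzip, writes a SHA-256 checksum beside it, verifies the pair and ships both files to the backup host with rsync over SSH. The user, host and directory (xunpeng@10.10.10.7, /home/xunpeng/backup) are the ones used on this page; the /var/tmp/backups staging directory is an assumption. It assumes the client's public key is already in the backup host's authorized_keys, which ssh-copy-id does without moving a private key between machines as Step 4 above does.

```shell
#!/bin/sh
# Added example: compressed, checksummed backup shipped over SSH with rsync.
# Names from the page: xunpeng@10.10.10.7 and /home/xunpeng/backup.
# Assumed: /var/tmp/backups as the local staging directory.

# make_backup SRC_DIR DEST_DIR -> prints the path of the archive it created
make_backup() {
    src=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    name="backup-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C keeps the paths inside the archive relative to the parent of SRC_DIR
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")"
    # the checksum file names the archive relatively, so it verifies wherever the pair is copied
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    echo "$dest/$name"
}

# verify_backup ARCHIVE -> returns 0 if the archive lists cleanly and matches its checksum
verify_backup() {
    archive=$1
    tar -tzf "$archive" > /dev/null || return 1
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" )
}

# send_backup ARCHIVE USER@HOST REMOTE_DIR -> copies archive and checksum with rsync over ssh
send_backup() {
    archive=$1; remote=$2; rdir=$3
    # key-based login: the client's public key must be in the host's ~/.ssh/authorized_keys
    rsync -az -e ssh "$archive" "$archive.sha256" "$remote:$rdir/"
}

# "run" performs the full cycle; with no argument the script only defines the functions
if [ "${1:-}" = "run" ]; then
    a=$(make_backup /home/xunpeng/backup /var/tmp/backups)
    verify_backup "$a" && send_backup "$a" xunpeng@10.10.10.7 /home/xunpeng/backup
fi
```

Save it as /usr/local/bin/backup.sh and add a crontab line such as `0 2 * * * /usr/local/bin/backup.sh run` (edit with sudo crontab -e) to run it every night; the transfer protocol the requirement asks you to name is rsync over SSH, and the checksum lets the backup server confirm the copy with sha256sum -c.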

VPN
Step 1: Install pptpd, the package that provides a PPTP VPN server (note that PPTP's MS-CHAPv2 authentication is cryptographically weak and PPTP is no longer recommended for new deployments)
Command: sudo apt-get install pptpd

Step 2: Edit /etc/pptpd.conf and set the server and client addresses:
localip <VPN server address>
remoteip <client address range>

Step 3: Edit /etc/ppp/pptpd-options and set the DNS servers handed to clients (Google DNS):
ms-dns 8.8.8.8
ms-dns 8.8.4.4

Step 4: Restart the pptpd service
Command: sudo service pptpd restart

Step 5: Set the user ID and password
Command: sudo nano /etc/ppp/chap-secrets
zhu pptpd 2500 *    # zhu is the user name, pptpd is the VPN server name, 2500 is the password and * allows any IP in the VPN client range

Step 6: Edit /etc/sysctl.conf to enable IPv4 forwarding, then reload sysctl
net.ipv4.ip_forward=1    # the key is ip_forward (net_forward is not a valid sysctl key)
sudo sysctl -p

Step 7: Firewall settings (NAT the VPN clients out through eth0 and accept their traffic on ppp0):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables-save > firewall       # save the rule set to a file
iptables-restore < firewall    # reload it later (reads from the file, so "<" not ">")

NIS
Step 1: Install nis and portmap
sudo apt-get install nis portmap

Step 2: Enter the domain name NISServer when prompted during installation, then configure the server
sudo nano /etc/default/nis
NISSERVER=master    # make this computer the NIS master server
sudo nano /etc/yp.conf
domain NISServer server ubuntu    # domain name NISServer, server name ubuntu
sudo nano /etc/ypserv.securenets
change the "0.0.0.0  0.0.0.0" line into "255.255.255.0   192.168.0.0"    # netmask followed by network address: only hosts in this network may query the server
sudo /usr/lib/yp/ypinit -m    # build the server's database

Step 3: For the NIS client
sudo apt-get install portmap nis

Step 4: Enter the domain name NISServer when prompted, then edit the account files
sudo nano /etc/passwd

Step 5: Add the line +::::::    # the "+" entry tells the client to append the NIS map
sudo nano /etc/group
Add the line +:::
sudo nano /etc/shadow
Add the line +::::::::
sudo nano /etc/yp.conf
Set the ypserver's IP address

NFS
Commands to configure NFS:

For the server follow these steps:
Step 1: Install NFS
Command: sudo apt-get install nfs-kernel-server

Step 2: Edit the exports file
Command: sudo nano /etc/exports
/home/project/nfsroot *(rw,sync,no_root_squash)
# "*" exports to every host and no_root_squash lets a remote root act as root on the share;
# for a LAN-only share restrict the client list (e.g. 10.10.10.0/24) and drop no_root_squash unless it is needed

Step 3: Make the directory nfsroot
sudo mkdir -p /home/project/nfsroot    # -p creates /home/project as well

Step 4: Start the NFS server
sudo service nfs-kernel-server start

Create a file under the folder nfsroot
cd /home/project/nfsroot/
sudo touch test    # create a file named test
sudo nano test     # write the information you want; it will become visible to the client
ctrl + x           # exit nano

Step 5: On the client, install nfs-common
Command: sudo apt-get install nfs-common

Step 6: Create a directory named nfs
sudo mkdir -p /home/project/nfs

Mount point
sudo mkdir -p /mnt/export/home/project

Step 7: Mount the server's exported directory on the client
Command: sudo mount -t nfs 10.x.x.x:/home/project/nfsroot /home/project/nfs

Check the path of the shared folder
Command: sudo showmount -e 10.x.x.x    # server IP

NTP
The Network Time Protocol is used for time synchronization between computer systems.

Step 1: Installation
sudo apt-get install ntp

Step 2: Configuration
sudo nano /etc/ntp.conf
change the server lines to:
server ntp.ubuntu.com
server pool.ntp.org

Mail Server
Step 1: The mail server is configured using Postfix and Dovecot. Install them with the following commands:
sudo apt-get install postfix
sudo apt-get install dovecot-core dovecot-imapd    # the Ubuntu package names for the Dovecot server and its IMAP service

Step 2: Assign the hostname in /etc/hostname. For our mail server, we have assigned mail.dfjz.com

Step 3: Add the host to /etc/hosts, which lists the host with its IP address:
10.10.10.8    mail.dfjz.com

Step 4: Configure Postfix for SMTP-AUTH in /etc/postfix/main.cf (parameter names are lower case):
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

Step 5: Generate a private key and a self-signed certificate for TLS:
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure    # copy of the key without the passphrase, so Postfix can load it unattended
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -x509 -key server.key -out server.crt -days 365    # the certificate itself; the key alone cannot serve as smtpd_tls_cert_file
sudo cp server.key /etc/ssl/private/server.key
sudo cp server.crt /etc/ssl/certs/server.crt

Step 6: Configure the certificate paths
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'

Step 7: Uncomment the smtps and submission lines in /etc/postfix/master.cf

Step 8: Add the SMTP auth socket to /etc/dovecot/conf.d/10-master.conf

Step 9: In /etc/dovecot/conf.d/10-auth.conf, add auth_mechanisms = plain login

Step 10: Restart both services
sudo service postfix restart
sudo service dovecot restart

Step-by-step procedure to implement the project

 * 1) Implement a DHCP server to distribute addresses dynamically to the clients in the network
 * 2) Assign the network address and all its requirements
 * 3) Implement a DNS server with at least five records using BIND9
 * 4) Implement forward and reverse zones in the DNS
 * 5) Test the master and slave DNS individually
 * 6) Test the slave when the master DNS is turned off
 * 7) Implement the web server using Apache
 * 8) Implement the firewall using the configuration stated above
 * 9) Implement backup for the network
 * 10) In order to create a network, all the servers and clients must be connected to the same medium. This can be done using a switch or an ad-hoc network. For our project, we have chosen an ad-hoc network
 * 11) A hotspot is created to connect all the servers and clients
 * 12) Test the working of all the servers, the firewall and the backup

Testing Plan

 * 1) Test the network
   * Ping every server successfully
 * 2) Test the DNS server
   * Use the command 'nslookup'
   * Type in a domain name to see that the IP address is mapped
   * Type in an IPv4 address to see that the domain name is mapped
   * Type in an IPv6 address to see that the domain name is mapped
 * 3) Test the DHCP server
   * Use 'ifconfig' to see that the client or server gets an IP address (IPv4 and IPv6)
 * 4) Test the web server
   * Open the web browser and type localhost to see that it can access the website
 * 5) Test MySQL
   * Type the command mysql -uroot -ppassword to log in to the MySQL database
   * Type the command show databases to see the list of databases
 * 6) Test backup
   * Check the backup file on the backup server
 * 7) Test VPN, NFS, etc.
   * Connect to the VPN server to see that the connection succeeds
   * Run the mount command to get the NFS server's exported file, then edit the file to see that the server gets the latest edit
 * 8) Test the firewall
   * Access the website with the firewall enabled and again after disabling it

Working with an example (Integration)

 * DHCP server:
 * 1) Test of DHCP from VMware: the VMware host gets an IP address and default router from the DHCP server.
 * 2) Test of DNS from Client2: IPv4, IPv6 and reverse DNS
 * 3) Test of PXE from Client3

 * DNS server:
 * 1) First, the master DNS is set up and tested to confirm that the mapping is done accurately
 * 2) The slave DNS is then set up and the transfer of zones is verified
 * 3) Ping from either DNS is tested using two separate VMs on VMware

Future improvements

 * 1) More add-ons can be implemented such as VLAN, encryption, etc.
 * 2) Security can be configured by implementing alerts to the network admin, whenever a user attempts to perform an action as the root user
 * 3) Implementation of LDAP