Data Networking/Fall 2015/Janane Suresh

Team
Janane Suresh, Sunaina Selvaraj, Dharanish Kedarisetti, Rahul Kasanagottu

Motivation
The Linux operating system has become a force in almost every networking application, which gives us the motivation we need to explore the OS. Linux is one of the most powerful open-source operating systems, and proficiency in it is a key skill for a successful career in networking. Hoping to develop good proficiency in Linux, we decided to take on this project.

Domain Name System
The main idea behind DNS is that it resolves host names into IP addresses. When a website name is typed into the browser's address bar, a DNS query is sent to the servers and the server replies with the IP address of the website, which is returned to the user. Once the IP address is known, the host can be reached to retrieve data from it. To reduce latency, a BIND9 server with caching can be used: every response received for a DNS query is cached on the server, so the next lookup of the same name is answered from the cache and the page loads with considerably less waiting for the user.

Dynamic Host Configuration Protocol
IP addresses can be assigned to networking components in the following ways:

i) Static allocation: IP addresses of components such as computers and routers are configured by hand and remain constant until the network administrator changes them.
ii) Automatic allocation: the same IP address is allocated to a system every time it connects to a particular network.
iii) Dynamic allocation: a DHCP server allocates IP addresses to devices from a pool of addresses configured on the server.

Both IPv4 and IPv6 addresses can be provided by the DHCP server. A suitable subnet mask must be configured so that addresses are allocated correctly and no addresses are wasted.

Webserver & Firewall
To host a website we need a web server running on the Linux OS; Apache2 is the most widely used one. A firewall adds a layer of security by controlling the incoming and outgoing traffic of a network: at the gateway router (the router between the private network and the public network) all traffic that does not match the allowed rules in the iptables rule set is denied.

Requirements
The main requirement is a Linux-based OS; this project is implemented on Ubuntu 14.04. In addition, BIND9 is used to implement DNS caching, the DHCP server to implement dynamic IP allocation, and the Apache2 server to host a website.

Backup Server
We automated the backup process. For that, the backup server and the web server must be able to establish a secure connection over SSH. To send backups automatically without any human intervention, the connection is authenticated with an SSH key pair instead of a password.

The Requirements
• Linux-based OS (we have used Ubuntu 14.04.1)
• BIND9 server to configure DNS
• isc-dhcp-server to configure DHCP
• Apache2 to configure our web server
• rsync tool for the web backup server

DNS Configuration
The following are the steps to configure BIND9 (the DNS software) and to check the availability of the primary name server, the secondary name server and the web server.

Role                   Host name                 IP address
Primary name server    ns1.mylinuxproject.com    192.168.1.8
Secondary name server  ns2.mylinuxproject.com    192.168.1.9
Web server             www.mylinuxproject.com    192.168.1.3

1. Set the host name; here it is ns2:

    sudo nano /etc/hostname

2. Check the hosts file:

    cat /etc/hosts

3. Check the IP address of the DNS server with ifconfig and set it manually to the static address 192.168.1.9. The ifconfig output confirms that the address is set statically to 192.168.1.9.

4. Install BIND:

    sudo apt-get install bind9

5. Define the forward lookup zone and the reverse lookup zone by editing named.conf.local, where the forward and reverse zone files are declared (the zone stanzas are given in the Master & Slave DNS section below):

    sudo nano /etc/bind/named.conf.local

6. Configure named.conf.options and add the forwarders (the ISP DNS addresses):

    sudo nano /etc/bind/named.conf.options

    forwarders {
        192.168.1.1;   // ISP DNS
        8.8.8.8;
        8.8.4.4;
    };

7. Create a zones directory for the two database files, db.mylinuxproject.com and db.192:

    sudo mkdir /etc/bind/zones

8. Create the forward zone file and add the forward zone records:

    sudo nano /etc/bind/zones/db.mylinuxproject.com

9. Create the reverse zone file and add the reverse zone records:

    sudo nano /etc/bind/zones/db.192

10. Start BIND:

    sudo /etc/init.d/bind9 start

This command starts the domain name service.

DNS IPv6
1. Do an nslookup for the AAAA record of the domain name:

    nslookup -type=AAAA mylinuxproject.com

This returns the IPv6 address fd01:db8:0:1::3.

Master & Slave DNS
Step 1: Edit /etc/hosts
Command: sudo nano /etc/hosts

Add:
    127.0.0.1      localhost
    192.168.1.8    ns1.mylinuxproject.com    ns1
    192.168.1.9    ns2.mylinuxproject.com    ns2

The above image shows the ifconfig details of the Slave DNS server.

Step 2: Edit /etc/bind/named.conf.local on the master virtual machine
Command: sudo nano /etc/bind/named.conf.local

Edit:
    # Forward zone
    zone "mylinuxproject.com" {
        type master;
        allow-transfer { 192.168.1.9; };
        file "/etc/bind/zones/db.mylinuxproject.com";
    };

    # Reverse zone
    zone "1.168.192.in-addr.arpa" {
        type master;
        allow-transfer { 192.168.1.9; };
        file "/etc/bind/zones/db.192";
    };

Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine
Command: sudo nano /etc/bind/named.conf.local

Edit:
    # Forward zone
    zone "mylinuxproject.com" {
        type slave;
        masters { 192.168.1.8; };
        file "/etc/bind/zones/db.mylinuxproject.com";
    };

    # Reverse zone
    zone "1.168.192.in-addr.arpa" {
        type slave;
        masters { 192.168.1.8; };
        file "/etc/bind/zones/db.192";
    };
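The contents of the two zone files that steps 8 and 9 of the DNS configuration create, and that the master and slave stanzas above point at, do not appear on the page. The script below is an added example (not the project's own files) of what db.mylinuxproject.com and db.192 need to contain for the hosts in the table: an SOA whose serial the slave compares to decide whether to transfer the zone, NS records for ns1 and ns2, A records for the three hosts, the AAAA record behind the fd01:db8:0:1::3 answer in the DNS IPv6 section, and matching PTR records. The serial 2015120401, the TTLs and the hostmaster address are assumptions; write_zones writes both files into a directory (default /etc/bind/zones) and validates them with named-checkzone when BIND's tools are installed.

```shell
#!/bin/sh
# Added example: zone files for the mylinuxproject.com lab (not the project's
# own files). Serial, TTLs and the hostmaster address are assumptions.

ZONE="mylinuxproject.com"
SERIAL="2015120401"   # assumed YYYYMMDDnn serial; must grow on every edit

# Forward zone: the slave (ns2) only transfers a new copy when this serial
# is higher than the one it already holds, so forgetting to bump it is the
# classic reason a secondary keeps answering with stale records.
forward_zone() {
    cat <<EOF
\$TTL 604800
@       IN  SOA ns1.$ZONE. hostmaster.$ZONE. (
                $SERIAL ; serial
                604800  ; refresh
                86400   ; retry
                2419200 ; expire
                604800 ) ; negative cache TTL
; name servers
@       IN  NS  ns1.$ZONE.
@       IN  NS  ns2.$ZONE.
; hosts from the project table
ns1     IN  A   192.168.1.8
ns2     IN  A   192.168.1.9
www     IN  A   192.168.1.3
@       IN  A   192.168.1.3
; IPv6 address returned by "nslookup -type=AAAA mylinuxproject.com"
@       IN  AAAA fd01:db8:0:1::3
www     IN  AAAA fd01:db8:0:1::3
EOF
}

# Reverse zone for 1.168.192.in-addr.arpa: only the last octet is written,
# and each PTR target is a fully qualified name ending in a dot.
reverse_zone() {
    cat <<EOF
\$TTL 604800
@       IN  SOA ns1.$ZONE. hostmaster.$ZONE. (
                $SERIAL ; serial
                604800 86400 2419200 604800 )
@       IN  NS  ns1.$ZONE.
@       IN  NS  ns2.$ZONE.
8       IN  PTR ns1.$ZONE.
9       IN  PTR ns2.$ZONE.
3       IN  PTR www.$ZONE.
EOF
}

# Write both files into $1 (default /etc/bind/zones) and syntax-check them
# with named-checkzone when it is installed; return non-zero on a bad zone.
write_zones() {
    dir="${1:-/etc/bind/zones}"
    mkdir -p "$dir"
    forward_zone > "$dir/db.$ZONE"
    reverse_zone > "$dir/db.192"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$dir/db.$ZONE" || return 1
        named-checkzone 1.168.192.in-addr.arpa "$dir/db.192" || return 1
    fi
    echo "zone files written to $dir"
}

# Usage: sh zones.sh show          (print both zones)
#        sudo sh zones.sh write    (write to /etc/bind/zones, then restart bind9)
case "${1:-}" in
    show)  forward_zone; echo; reverse_zone ;;
    write) write_zones "$2" ;;
esac
```

After writing the files, restarting bind9 on ns1 and checking that ns2 serves the same serial (dig +short SOA mylinuxproject.com @192.168.1.9) confirms that allow-transfer and masters are set up correctly.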

DHCP Server
1. Install the DHCP server:

    sudo apt-get install isc-dhcp-server

2. Set the static IP address of the DHCP server:

    sudo nano /etc/network/interfaces

Change lo to either eth0 or wlan0 and loopback to static:

    auto eth0
    iface eth0 inet static
        address 192.168.1.3
        netmask 255.255.255.0
        gateway 192.168.1.1
        network 192.168.1.0
        broadcast 192.168.1.255
        dns-nameservers 192.168.1.2
        dns-search fourtex.com

3. Configure the DHCP server:

    sudo nano /etc/dhcp/dhcpd.conf

    authoritative;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.100;
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.8, 192.168.1.9;
        option broadcast-address 192.168.1.255;
        option domain-name "mylinuxproject.com";
        default-lease-time 600;
        max-lease-time 7200;
    }

4. Restart the DHCP server:

    sudo service isc-dhcp-server restart
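Before restarting isc-dhcp-server it is worth checking that every range in dhcpd.conf lies inside its subnet declaration: dhcpd refuses to start when a range falls outside the subnet, and a mistyped octet (192.168.10.100 for 192.168.1.100) is the usual cause. The script below is an added example, not part of the project, that performs this check in plain shell arithmetic on any dhcpd.conf-style text; the two-subnet sample configuration embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the project): check that every "range" in a
# dhcpd.conf lies inside the enclosing "subnet ... netmask ..." block.

# Dotted-quad IPv4 address -> integer (pure shell, no external tools).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Read dhcpd.conf text on stdin; print "OK ..." or "BAD ..." per range and
# return 1 if any range is outside its subnet.
check_ranges() {
    status=0; net=""; mask=""
    while read -r w1 w2 w3 w4 _rest; do
        case "$w1" in
            subnet)
                net="$w2"
                mask=$(printf '%s' "$w4" | tr -d '{')   # tolerate "255.255.255.0{"
                ;;
            range)
                lo=$(printf '%s' "$w2" | tr -d ';')
                hi=$(printf '%s' "$w3" | tr -d ';')
                [ -z "$hi" ] && hi="$lo"                 # "range 192.168.1.50;" is one address
                if [ -z "$net" ]; then
                    echo "BAD $lo $hi: range outside any subnet block"; status=1; continue
                fi
                n=$(ip2int "$net"); m=$(ip2int "$mask")
                base=$(( n & m ))
                l=$(ip2int "$lo"); h=$(ip2int "$hi")
                if [ $(( l & m )) -eq "$base" ] && [ $(( h & m )) -eq "$base" ] && [ "$l" -le "$h" ]; then
                    echo "OK  $lo $hi in $net/$mask"
                else
                    echo "BAD $lo $hi not inside $net/$mask"; status=1
                fi
                ;;
        esac
    done
    return $status
}

# Constructed sample: the page's subnet with a correct range, and a second
# subnet whose range has a mistyped third octet (the error this catches).
SAMPLE_CONF='authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.100;
    option routers 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.10.100;
}'

check_sample() { printf '%s\n' "$SAMPLE_CONF" | check_ranges; }

# Usage: check_ranges < /etc/dhcp/dhcpd.conf && sudo service isc-dhcp-server restart
#        sh dhcp-check.sh demo   (run the constructed sample)
case "${1:-}" in demo) check_sample ;; esac
```

On the real server, dhcpd -t -cf /etc/dhcp/dhcpd.conf performs the full syntax check; the script above is the quick test for the one mistake that the daemon's error message describes least clearly.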

DHCP IPV6
Step 1: Create an IPv6 instance of the server

Copy the isc-dhcp-server init script:

    sudo cp /etc/init.d/isc-dhcp-server /etc/init.d/isc-dhcp6-server

Copy dhcpd.conf to dhcpd6.conf:

    sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd6.conf

Modify /etc/init.d/isc-dhcp6-server so that it supports IPv6:
1. Add the -6 option wherever the dhcpd process is started.
2. Change "dhcpd.leases" to "dhcpd6.leases".
3. Change the DHCPD_PID variable to "/var/run/dhcp-server/dhcpd6.pid".
4. Modify the /etc/apparmor.d/usr.sbin.dhcpd profile to include the following lines:

    network inet6 raw,
    @{PROC}/[0-9]*/net/if_inet6 r,
    /var/lib/dhcp/dhcpd6.leases* lrw,
    /var/run/dhcp-server/dhcpd6.pid w,

Restart the DHCPv6 server:

    /etc/init.d/isc-dhcp6-server restart

Step 2: Configure the ISC DHCPv6 server (dhcpd6.conf)

The IPv6 configuration file is dhcpd6.conf and can be edited with:

    sudo nano /etc/dhcp/dhcpd6.conf

We are required to make the following modifications in it:

    default-lease-time 600;
    max-lease-time 7200;
    log-facility local7;
    subnet6 fd01:db8:0:1::/64 {
        # range for clients
        range6 fd01:db8:0:1::A fd01:db8:0:1::64;
    }

Step 3: Securing the DHCP server

The following settings are added to the configuration file to secure the DHCP server:

    ddns-update-style none;
    deny declines;
    deny bootp;

A denial-of-service attack on the DHCP server can be avoided by denying DHCP decline messages, and support for old BOOTP clients is denied as well.

Step 4: Restart the ISC DHCP server

Now that the isc-dhcp6-server configuration is complete, we need to restart the DHCP server so that the new configuration takes effect:

    sudo service isc-dhcp6-server restart
    sudo service isc-dhcp6-server start
    sudo service isc-dhcp6-server stop

Step 5: Verifying

To check the leases of the IP addresses assigned by the DHCP server:

    cd /var/lib/dhcp/
    ls -l
    cat dhcpd6.leases
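cat dhcpd6.leases prints the raw lease database, which grows with one record per event and keeps superseded entries. The awk filter below is an added example, not part of the project, that reduces an ISC lease file (the IPv4 dhcpd.leases or the IPv6 dhcpd6.leases, both written in the same block syntax) to one line per address whose newest record is in binding state active, letting later records override earlier ones as dhcpd itself does. The embedded sample lease file is constructed for the demonstration; point active_leases at /var/lib/dhcp/dhcpd6.leases on the server.

```shell
#!/bin/sh
# Added example (not from the project): list active leases from ISC dhcpd
# lease files. Works for dhcpd.leases ("lease A.B.C.D { ... }") and for
# dhcpd6.leases ("ia-na ... { iaaddr addr { ... } }").

# Print "address state ends hardware hostname" for every lease whose newest
# record is active. Reads the files given as arguments, or stdin.
active_leases() {
    awk '
      # a new address block starts: reset the per-lease fields
      $1 == "lease" || $1 == "iaaddr" { addr = $2; state = ""; ends = ""; mac = ""; host = ""; next }
      # "binding state active;" (but not "next binding state free;")
      $1 == "binding" && $2 == "state" { state = $3; sub(/;/, "", state); next }
      $1 == "ends" { ends = ($2 ~ /^never/) ? "never" : $3 " " $4; sub(/;/, "", ends); next }
      $1 == "hardware" { mac = $3; sub(/;/, "", mac); next }
      $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host); next }
      # closing brace of the address block: a later record for the same
      # address replaces the earlier one, exactly as dhcpd reads the file
      $1 == "}" && addr != "" {
          st[addr] = state; en[addr] = ends; hw[addr] = mac; hn[addr] = host; addr = ""
      }
      END {
          for (a in st)
              if (st[a] == "active")
                  print a, st[a], en[a], (hw[a] == "" ? "-" : hw[a]), (hn[a] == "" ? "-" : hn[a])
      }
    ' "$@" | sort
}

# Constructed sample: one active IPv4 lease, one IPv4 lease later released
# (its second record is "free"), and one active IPv6 lease.
SAMPLE_LEASES='lease 192.168.1.10 {
  starts 4 2015/12/03 20:00:00;
  ends 4 2015/12/03 20:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "client1";
}
lease 192.168.1.11 {
  ends 4 2015/12/03 19:10:00;
  binding state active;
  hardware ethernet 08:00:27:dd:ee:ff;
}
lease 192.168.1.11 {
  ends 4 2015/12/03 19:10:00;
  binding state free;
  hardware ethernet 08:00:27:dd:ee:ff;
}
ia-na "\000\001\000\001\035\343" {
  cltt 4 2015/12/03 20:00:00;
  iaaddr fd01:db8:0:1::a {
    binding state active;
    preferred-life 375;
    max-life 600;
    ends 4 2015/12/03 20:10:00;
  }
}'

demo_leases() { printf '%s\n' "$SAMPLE_LEASES" | active_leases; }

# Usage: active_leases /var/lib/dhcp/dhcpd6.leases   (or: sh leases.sh demo)
case "${1:-}" in demo) demo_leases ;; esac
```

Comparing this list against the range6 statement shows at a glance whether the pool is filling up, and an address that stays active with a hardware address nobody recognises is the first sign of an unexpected client on the segment.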

APACHE2 Web Server Configuration
Following are the steps and commands to be followed to configure a web server.

STEP 1: Install the Apache2 web server

First update Ubuntu 14.04, then install apache2. Enter root mode and update the package lists:

    sudo su
    apt-get update

Install Apache2:

    apt-get install apache2

We can check whether apache2 was installed correctly by typing http://localhost or http://127.0.0.1 in a web browser. The following message is displayed:

It works! This is the default web page for this server. The web server software is running but no content has been added, yet.

STEP 2: Create directories

We need to create the directory that contains the HTML page of our web server under the www folder and make it readable by the web server:

    mkdir /var/www/mylinuxproject.com/
    chmod 755 /var/www/
    chown $USER:$USER /var/www/mylinuxproject.com/

Now we create the HTML page of our web server in the directory created above:

    nano /var/www/mylinuxproject.com/sample.html

STEP 3: Configuring apache2 files

apache2.conf is the main configuration file for the web server. It contains the default configuration and is the primary entry point from which the web server reads its configuration.

    nano /etc/apache2/apache2.conf

The editor opens the file in editing mode. Scrolling down the file we find a number of Directory sections; add the following to the file:

    <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

A Directory section defines how the web server handles a particular directory; the path names the directory the definitions apply to. By default there are not many restrictions set, and those apply to the root directory. Additional features such as Timeout, KeepAlive, MaxKeepAliveRequests and KeepAliveTimeout, which establish and handle HTTP persistent connections, can be set in the global configuration section of this file.

AllowOverride is used when a file placed in the content directory (.htaccess) should be able to override these settings.

Configuring dir.conf

We need to modify the index file list so that our HTML file can be served by the web server:

    nano /etc/apache2/mods-available/dir.conf

Scroll down and modify as follows:

    <IfModule mod_dir.c>
        DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
    </IfModule>

Configuring 000-default.conf

    nano /etc/apache2/sites-available/000-default.conf

We need to change the server name and the path of the directory to be served:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName mylinuxproject.com
        DocumentRoot /var/www/mylinuxproject.com
    </VirtualHost>

We need to restart apache2 for the changes to take effect:

    service apache2 restart

We can test whether our web server is working by typing http://localhost or http://127.0.0.1 in a web browser.
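Options Indexes in the Directory section above turns on automatic directory listings, so any directory under /var/www without an index page shows its file names to every visitor. The script below is an added example (not the project's configuration) with the same virtual host as 000-default.conf but with listings disabled, plus a permission check for the document root: everything under it must be readable by the web server's user and nothing may be world-writable, which is what the chmod and chown steps above are meant to achieve. The log file names are assumptions.

```shell
#!/bin/sh
# Added example (not the project's configuration): hardened virtual host and a
# document-root permission check for the mylinuxproject.com site.

SITE="mylinuxproject.com"
DOCROOT="/var/www/$SITE"

# Virtual host like 000-default.conf, with directory listings disabled
# (-Indexes) and .htaccess overrides off, so a missing index page never
# exposes a file listing. Log names are assumptions.
site_config() {
    site="${1:-$SITE}"; root="${2:-$DOCROOT}"
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName $site
    DocumentRoot $root
    <Directory $root>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$site-error.log
    CustomLog \${APACHE_LOG_DIR}/$site-access.log combined
</VirtualHost>
EOF
}

# Return 0 when every file and directory under the document root is
# world-readable (the www-data user can serve it) and none is world-writable
# (a web-server compromise or another local user cannot change the content);
# otherwise list the offending paths and return 1.
check_docroot() {
    root="${1:-$DOCROOT}"
    [ -d "$root" ] || { echo "missing: $root"; return 1; }
    bad=$(find "$root" -perm -002 -o ! -perm -004)
    if [ -n "$bad" ]; then
        echo "fix permissions on:"; echo "$bad"; return 1
    fi
    echo "ok: $root"
}

# Usage: sh site.sh show > /etc/apache2/sites-available/mylinuxproject.com.conf
#        sh site.sh check [docroot]   (then: apache2ctl configtest && service apache2 restart)
case "${1:-}" in
    show)  site_config ;;
    check) check_docroot "$2" ;;
esac
```

apache2ctl configtest reports syntax errors before the restart, so a typo in the site file never takes the running server down.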

Backup Configuration
Step 1: Installing SSH
We need to install SSH on the web server and on the backup server:

    sudo su
    apt-get install ssh

Step 2: Generating a key pair
We log into the web server and generate a pair of public and private keys. The private key must never be shared with any other device; the public key is shared with other devices to establish the SSH connection:

    ssh-keygen -t rsa

Step 3: Copying the public key to the backup server
The public key, id_rsa.pub, is in the .ssh directory. We need to copy it securely to the backup server, whose IP address is 192.168.1.101:

    cd ~/.ssh
    scp id_rsa.pub 192.168.1.101:/tmp/

Step 4: Creating a tar file of the contents that need to be backed up

    tar -cvpzf minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html

Step 5: Authorizing the public key
On the backup server we append the public key to authorized_keys, which authorizes the connection from the web server without password authentication (appending with >> keeps any keys that were already authorized):

    cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

Step 6: Automating the backup
To create and send a backup every minute, we edit the crontab file:

    crontab -e

    * * * * * tar -cvpzf /home/rahulsankrut/minutebackup.tar.gz /var/www/mylinuxproject.com/sample.html
    * * * * * scp /home/rahulsankrut/minutebackup.tar.gz 192.168.1.101:/home/ravi
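The key that Step 5 authorizes lets the web server log in to the backup server with no password at all, so if the web server is compromised the backup server is reachable with a full shell. The script below is an added example, not the project's own, that does the cron job from Step 6 with rsync (listed in the requirements) instead of scp and adds three things a practitioner wants: a SHA-256 sidecar so a truncated or altered archive is detected, a dedicated key used only for this job, and the authorized_keys entry that restricts that key on the backup server to a forced rsync command with no shell, pty or forwarding. The backup account, key path, the rrsync location (rsync's restricted-rsync wrapper) and its write-only -wo option are assumptions.

```shell
#!/bin/sh
# Added example (not the project's scripts): checksummed web backup pushed
# over SSH with a dedicated, restricted key. Host, account, key and paths are
# assumptions for the lab.

BACKUP_HOST="192.168.1.101"
BACKUP_USER="backup"                 # assumed dedicated account on the backup server
BACKUP_DIR="/home/$BACKUP_USER/web"
KEY="$HOME/.ssh/id_backup"           # assumed key used only by this job
SRC="/var/www/mylinuxproject.com"

# Create <outdir>/web-YYYYmmdd-HHMMSS.tar.gz from <src> and a .sha256
# sidecar next to it; print the archive path.
make_backup() {
    src="$1"; out="$2"
    mkdir -p "$out"
    archive="$out/web-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    ( cd "$out" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# 0 if the archive still matches its sidecar (run on either side).
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}

# Push archive and sidecar; BatchMode makes ssh fail instead of prompting
# when the key is not accepted, which is what a cron job needs.
push_backup() {
    archive="$1"
    rsync -a -e "ssh -i $KEY -o BatchMode=yes" "$archive" "$archive.sha256" \
        "$BACKUP_USER@$BACKUP_HOST:$BACKUP_DIR/"
}

# authorized_keys line for the backup server: the key may only be used from
# the web server's address, only runs rsync's server side into BACKUP_DIR
# (write-only via rrsync), and gets no shell, pty or forwarding.
restricted_key_entry() {
    pubkey="$1"; from="${2:-192.168.1.3}"
    printf 'from="%s",command="/usr/bin/rrsync -wo %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$from" "$BACKUP_DIR" "$pubkey"
}

# Usage: sh backup.sh run                            (cron: * * * * * /usr/local/bin/backup.sh run)
#        sh backup.sh keyline ~/.ssh/id_backup.pub    (append the output to authorized_keys on the backup server)
case "${1:-}" in
    run)     a=$(make_backup "$SRC" "$HOME/backups") && verify_backup "$a" && push_backup "$a" ;;
    keyline) restricted_key_entry "$(cat "$2")" ;;
esac
```

Running verify_backup on the backup server after each transfer closes the loop: an archive that fails the check is discarded rather than kept as the only copy.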

Firewall
First we need to install iptables:

    sudo su
    apt-get install iptables

There are three kinds of iptables targets: ACCEPT, DROP and REJECT. REJECT drops the packet and sends an error message back to the sender.

Accepting loopback traffic:

    iptables -A INPUT -i lo -j ACCEPT

Accepting HTTP requests from the network 192.168.1.0/24 on port 80:

    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

Accepting SSH requests from the network 192.168.1.0/24 on port 22:

    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

Accepting echo replies from the network 192.168.1.0/24:

    iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT

Rejecting echo requests from the network 192.168.1.0/24 with an error message:

    iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable

Dropping TELNET requests from the network 192.168.1.0/24 on port 23:

    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j DROP

We can remove all the rules loaded into the kernel with:

    iptables -F

We can also remove individual rules. First obtain the number of the rule to be deleted:

    iptables -L --line-numbers

Then delete the rule with that number (#):

    iptables -D INPUT #
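The rules above are appended to an INPUT chain whose default policy is still ACCEPT, so anything they do not match (any other port, any other source) is still allowed, and the goal stated in the Webserver & Firewall section, denying everything that is not explicitly permitted, is not yet met. The script below is an added example, not the project's rule set, that applies the same rules with a default-deny INPUT policy, allows replies to connections the host itself opened, and adds a rate-limited log rule so dropped packets are visible. With DRY_RUN=1 (the default) it prints the iptables commands instead of applying them; the LAN prefix is the page's 192.168.1.0/24.

```shell
#!/bin/sh
# Added example (not the project's rule set): the section's rules as a
# re-runnable script with a default-deny INPUT policy and logging.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (as root).

LAN="192.168.1.0/24"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_firewall() {
    # start from an empty INPUT chain so the script can be re-run safely
    ipt -F INPUT
    # loopback, then replies to connections this host initiated; the
    # conntrack rule also keeps an existing SSH session alive while the
    # rest of the rule set is loaded
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # HTTP and SSH from the LAN only (the page's rules)
    ipt -A INPUT -s "$LAN" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # echo replies accepted, echo requests answered with an ICMP error
    ipt -A INPUT -s "$LAN" -p icmp --icmp-type 0 -j ACCEPT
    ipt -A INPUT -s "$LAN" -p icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
    # telnet dropped silently
    ipt -A INPUT -s "$LAN" -p tcp --dport 23 -j DROP
    # log what falls through, rate-limited so a flood cannot fill the log
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # default deny last, after the allow rules are in place
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Usage: sh firewall.sh                     (print the rules)
#        DRY_RUN=0 sudo -E sh firewall.sh   (apply them)
apply_firewall
```

The order matters when the script is applied over SSH: the allow rules and the ESTABLISHED,RELATED rule go in first and the DROP policy is set last, so the session used to run the script is never cut off halfway through. iptables -L -n -v --line-numbers afterwards shows the packet counters per rule, which is the quickest way to see whether the LOG rule is catching anything unexpected.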

VPN
a) PPTPD server:

1) Install the pptpd server using apt-get:

    sudo apt-get install pptpd

2) Then configure pptpd:

    sudo nano /etc/pptpd.conf

Add the server IP and the client IP range at the end of the file, for example:

    localip 192.168.1.6
    remoteip 192.168.1.10-100

Here localip is the IP address of the server and remoteip is the range of addresses handed out by DHCP.

3) Configure the DNS servers to use when clients connect to this PPTP server:

    sudo nano /etc/ppp/pptpd-options

Uncomment the ms-dns lines and add the IP addresses of the DNS servers used in the project:

    ms-dns 192.168.1.8
    ms-dns 192.168.1.9

4) Now add a VPN user in the /etc/ppp/chap-secrets file:

    sudo nano /etc/ppp/chap-secrets

    # client    server  secret      IP addresses
    username    *       myPassword  *

5) Finally start the server:

    /etc/init.d/pptpd restart

6) Enable IPv4 forwarding by editing /etc/sysctl.conf:

    sudo nano /etc/sysctl.conf

Uncomment the line:

    net.ipv4.ip_forward=1

b) Client side:

1) Go to VPN Connections, Configure VPN, Add a connection.
2) Choose the connection type: PPTP (Point-to-Point Tunneling Protocol).
3) Create a VPN connection by choosing a name for the connection, the gateway, and the username and password given to the PPTPD server.
4) Under Advanced options, tick the MPPE (Microsoft Point-to-Point Encryption) box and save the changes.
5) Finally enable the VPN connection just created; a success message is shown: VPN connection has been successfully established.

Mail Server
1) Install the postfix package:

    sudo apt-get install postfix

2) Configure it step by step:

    sudo dpkg-reconfigure postfix

    • General mail configuration: Internet Site
    • System mail name: mylinuxproject.com
    • Root recipient:
    • Other destinations for mail: server1.mylinuxproject, mylinuxproject.com, localhost.mylinuxproject.com, localhost
    • Force synchronous updates on mail queue?: No
    • Local networks: 127.0.0.0/8
    • Mailbox size limit (bytes): 0
    • Local address extension character: +
    • Internet protocols to use: all

3) Configure the mailbox format for Maildir:

    sudo postconf -e 'home_mailbox = Maildir/'
    sudo postconf -e 'mailbox_command ='

4) Edit /etc/postfix/sasl/smtpd.conf as follows:

    pwcheck_method: saslauthd
    mech_list: plain login

5) Generate the certificates for TLS encryption:

    touch smtpd.key
    chmod 600 smtpd.key
    openssl genrsa 1024 > smtpd.key
    openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt   # has prompts
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650   # has prompts
    sudo mv smtpd.key /etc/ssl/private/
    sudo mv smtpd.crt /etc/ssl/certs/
    sudo mv cakey.pem /etc/ssl/private/
    sudo mv cacert.pem /etc/ssl/certs/

6) Configure postfix and TLS for both incoming and outgoing mail:

    sudo postconf -e 'smtp_tls_security_level = may'
    sudo postconf -e 'smtpd_tls_security_level = may'
    sudo postconf -e 'smtpd_tls_auth_only = no'
    sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
    sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
    sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
    sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
    sudo postconf -e 'smtpd_tls_loglevel = 1'
    sudo postconf -e 'smtpd_tls_received_header = yes'
    sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    sudo postconf -e 'tls_random_source = dev:/dev/urandom'
    sudo postconf -e 'myhostname = server1.example.com'

7) Restart the postfix service:

    sudo /etc/init.d/postfix restart
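Step 5 generates a 1024-bit RSA key, which today is below the minimum most TLS clients accept, and step 6 leaves smtpd_tls_auth_only = no, so the PLAIN and LOGIN mechanisms from step 4 may be offered before STARTTLS and send passwords in clear. The script below is an added example, not the project's commands: it creates the smtpd key and self-signed certificate with a 2048-bit key and the key file created with mode 600 from the start, checks that a key and certificate actually belong together before Postfix is pointed at them (with a mismatched pair Postfix logs a warning at startup and does not offer STARTTLS), and prints the matching postconf settings with authentication restricted to TLS sessions. The certificate subject, validity and output directory are assumptions.

```shell
#!/bin/sh
# Added example (not the project's commands): smtpd key/certificate with a
# 2048-bit key, a key/cert consistency check, and the matching Postfix TLS
# settings. Subject, validity and directories are assumptions.

# Create <dir>/smtpd.key (mode 600 from the start, via umask) and a
# self-signed <dir>/smtpd.crt for <host>, valid <days> days.
make_smtpd_cert() {
    dir="$1"; host="${2:-mail.mylinuxproject.com}"; days="${3:-3650}"
    mkdir -p "$dir"
    ( umask 077 && openssl genrsa -out "$dir/smtpd.key" 2048 2>/dev/null )
    openssl req -new -x509 -key "$dir/smtpd.key" -days "$days" \
        -subj "/CN=$host" -out "$dir/smtpd.crt" 2>/dev/null
}

# 0 if the certificate carries the public half of this private key.
check_tls_pair() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Settings from step 6 that go with the pair, with smtpd_tls_auth_only=yes
# so SASL PLAIN/LOGIN credentials are only accepted inside a TLS session.
postfix_tls_settings() {
    dir="${1:-/etc/ssl}"
    cat <<EOF
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = $dir/private/smtpd.key
smtpd_tls_cert_file = $dir/certs/smtpd.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
EOF
}

# Usage: sh smtpd-tls.sh gen /tmp/smtpd mail.mylinuxproject.com
#        sh smtpd-tls.sh check /etc/ssl/private/smtpd.key /etc/ssl/certs/smtpd.crt
#        sh smtpd-tls.sh settings | while read -r l; do sudo postconf -e "$l"; done
case "${1:-}" in
    gen)      make_smtpd_cert "$2" "$3" ;;
    check)    check_tls_pair "$2" "$3" && echo "key and certificate match" ;;
    settings) postfix_tls_settings ;;
esac
```

After the restart, openssl s_client -starttls smtp -connect localhost:25 shows the certificate Postfix actually presents and whether AUTH is advertised only after STARTTLS.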

DNS TESTING
1. Forward lookup (forward zone file):

    nslookup ns2.mylinuxproject.com

2. Reverse lookup (in-addr.arpa zone file):

    nslookup 192.168.1.9

3. dig for a forward lookup. It shows the DNS query message, the DNS answer, and the authority and additional sections:

    dig ns2.mylinuxproject.com

4. dig for a reverse lookup. It shows the DNS query message, the DNS answer, and the authority and additional sections:

    dig -x 192.168.1.9

DHCP TESTING
1. Start the ISC DHCP server:

    sudo /etc/init.d/isc-dhcp-server restart

2. Start the ISC DHCPv6 server:

    sudo /etc/init.d/isc-dhcp6-server restart

Future Prospects
DHCP

• Create a superscope to solve the problem of dwindling IP addresses. If the Boston organization is growing faster than IP addresses can be supplied and we run short of addresses, a superscope comes into the picture. A superscope is a versatile, cost-effective and easy-to-use solution when a network is running out of IP addresses.

DNS

• Support for IPv6 addressing ensures that DNS servers will be able to serve present and future DNS clients designed to take advantage of IPv6 addresses. DNS servers can now return both IPv4 host (A) resource records and IPv6 host (AAAA) resource records in response to queries.

SECURITY

• Increase the overall security of the network by installing an IPS and an IDS to monitor the traffic flowing through the network.

Books
• Computer Networking: A Top-Down Approach - Kurose | Ross