Data Networking/Fall 2015/Kavya Ramaraju

Objective of the Project
To design and implement a robust, secure, dynamic and intelligent network that supports Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Web Server, Firewall and Backup system in the Linux Operating System.

Project Team

 * Deepika Venugopalsamy Ranganathan
 * Kavya Ramaraju
 * Neha Inampudi
 * Rashmi Reddy

Elements of the Network
The main elements in the network are:

 * Dynamic Host Configuration Protocol (DHCP)
 * Domain Name System (DNS)
 * Webserver and Firewall
 * Backup

Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol allows a host on a network to receive its configuration parameters, including an IP address, at boot time. It can provide a complete set of TCP/IP configuration parameters and assigns addresses dynamically for a lease of fixed duration. DHCP offers the following advantages to a network administrator:
 * An IP address can be assigned to a client for only as long as the client remains connected to the network.
 * It allows a limited pool of IP addresses to be shared among a number of clients that do not require permanent IP addresses.
 * Addresses become automatically available again at the expiration of a period of time, without requiring you to take any action.

Behavior of the protocol
DHCP is an application layer protocol that uses UDP to allocate IP addresses to hosts dynamically. The server listens on UDP port 67 and the client on UDP port 68.

Signalling

 * 1) When a client joins the network it has no address yet, so it broadcasts a DHCPDISCOVER message (from 0.0.0.0, to 255.255.255.255) that reaches every DHCP server on the segment.
 * 2) Each DHCP server that receives the discover replies with a DHCPOFFER containing a proposed address and lease (unicast to the offered address, or broadcast if the client set the broadcast flag).
 * 3) The client accepts one offer and broadcasts a DHCPREQUEST for that address; the broadcast also tells the other servers that their offers were declined.
 * 4) The chosen server confirms with a DHCPACK (or refuses with a DHCPNAK).

Because the discover is a broadcast, any host on the segment can answer it: a rogue DHCP server can hand out its own gateway and DNS addresses to clients, so on a production network the switch ports that may carry server replies should be restricted (DHCP snooping) and the client should at least check that a reply carries its own transaction id and hardware address.
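The first two messages of the exchange above in wire form, as an added example that is not code from the original project: it builds the DHCPDISCOVER a client broadcasts from 0.0.0.0:68 to port 67, constructs the DHCPOFFER a server would return, and parses that offer with the checks a client should make before trusting it. The MAC address, transaction id and offered parameters (192.168.1.168 from the project's range, server 192.168.1.10, gateway 192.168.1.1, 600-second lease) are constructed sample values; the gateway and lease length are assumptions, since the page only states the address range.

```python
"""DHCPDISCOVER / DHCPOFFER on the wire (RFC 2131, options per RFC 2132).
Added example; not code from the original project. All values are constructed."""
import socket
import struct

DHCP_SERVER_PORT = 67          # servers listen here (UDP)
DHCP_CLIENT_PORT = 68          # clients listen here (UDP)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types

# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO4 = b"\x00" * 4


def _option(code, value):
    return bytes([code, len(value)]) + value


def build_discover(mac, xid):
    """What a client with no address yet broadcasts from 0.0.0.0:68 to 255.255.255.255:67."""
    header = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags: ask for a broadcast reply
                         ZERO4, ZERO4, ZERO4, ZERO4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (MAGIC_COOKIE
               + _option(53, bytes([DISCOVER]))
               + _option(55, bytes([1, 3, 6]))       # parameter request: mask, router, DNS
               + b"\xff")                            # end option
    return header + options


def build_offer(mac, xid, your_ip, server_ip, lease, netmask, router, dns):
    """The server's answer; constructed here (assumed values) so the example runs offline."""
    header = HEADER.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         ZERO4, socket.inet_aton(your_ip), socket.inet_aton(server_ip), ZERO4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (MAGIC_COOKIE
               + _option(53, bytes([OFFER]))
               + _option(54, socket.inet_aton(server_ip))     # server identifier
               + _option(51, struct.pack("!I", lease))        # lease time in seconds
               + _option(1, socket.inet_aton(netmask))
               + _option(3, socket.inet_aton(router))
               + _option(6, socket.inet_aton(dns))
               + b"\xff")
    return header + options


def parse_options(data):
    """TLV walk that refuses to read past the buffer (malformed options are a classic client bug)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:           # pad
            i += 1
            continue
        if code == 255:         # end
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(packet, expected_xid, expected_mac):
    """Validate a reply before trusting it: any host on the segment can answer a DISCOVER,
    so the xid and chaddr must be ours and the cookie and message type must be right."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = HEADER.unpack(packet[:236])
    op, xid, chaddr = fields[0], fields[4], fields[11]
    if op != BOOTREPLY or xid != expected_xid or chaddr[:6] != expected_mac:
        raise ValueError("reply is not for our transaction")
    opts = parse_options(packet[240:])
    if opts.get(53) != bytes([OFFER]):
        raise ValueError("not a DHCPOFFER")
    return {
        "your_ip": socket.inet_ntoa(fields[8]),
        "server_id": socket.inet_ntoa(opts[54]),
        "lease_seconds": struct.unpack("!I", opts[51])[0],
        "netmask": socket.inet_ntoa(opts[1]),
        "router": socket.inet_ntoa(opts[3]),
        "dns": socket.inet_ntoa(opts[6]),
    }


def is_valid_offer(packet, expected_xid, expected_mac):
    """True only if parse_offer accepts the packet as our offer."""
    try:
        parse_offer(packet, expected_xid, expected_mac)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    mac, xid = bytes.fromhex("080027a1b2c3"), 0x3903F326   # constructed client MAC and xid
    discover = build_discover(mac, xid)
    offer = build_offer(mac, xid, "192.168.1.168", "192.168.1.10", 600,
                        "255.255.255.0", "192.168.1.1", "192.168.1.10")
    print(len(discover), "byte DISCOVER ->", parse_offer(offer, xid, mac))
```

To see the real exchange, run `sudo tcpdump -i <interface> -n udp port 67 or udp port 68` on the server while a client renews its lease; the xid in the OFFER and ACK will match the one in the client's DISCOVER.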

Steps to configure DHCP server
IPV4:

Step 1: Update the package list and install the DHCP server (radvd is only needed for the IPv6 router advertisements used later)

sudo apt-get update
sudo apt-get install isc-dhcp-server
sudo apt-get install radvd

Step 2: Configure the DHCP server (subnet, address range, gateway, DNS servers and lease times)

sudo nano /etc/dhcp/dhcpd.conf

Step 3: Give the server interface a static address in the interfaces file

sudo nano -w /etc/network/interfaces

Step 4: Tell isc-dhcp-server which interface to listen on (the INTERFACES line)

sudo nano -w /etc/default/isc-dhcp-server

The IPv6 configuration follows the same pattern.

IPV6:

Step 1: Configure the DHCPv6 server (subnet6 and range6 statements)

sudo nano /etc/dhcp/dhcpd6.conf

Step 2: Give the server interface a static IPv6 address

sudo nano -w /etc/network/interfaces

Step 3: Configure radvd; the router advertisements must set the managed flag (AdvManagedFlag on) so that clients ask the DHCPv6 server for an address

sudo nano -w /etc/radvd.conf

Step 4: Enable IPv6 forwarding (net.ipv6.conf.all.forwarding = 1), which radvd requires

sudo nano -w /etc/sysctl.conf

Client: set the interface to obtain its address by DHCP

sudo nano -w /etc/network/interfaces

After configuring and saving the files, start (or restart) the DHCP server and, for IPv6, radvd:

sudo service isc-dhcp-server restart
sudo service radvd restart

The DHCPv6 instance reads /etc/dhcp/dhcpd6.conf and is started separately with dhcpd -6 -cf /etc/dhcp/dhcpd6.conf followed by the interface name.

Testing
DHCP is tested by checking that the server assigns a connected client an IP address from the configured range. For IPv4 the client received 192.168.1.168, which lies in the range 192.168.1.110 to 192.168.1.200 given in dhcpd.conf; for IPv6 it received 2003:db8:0:2:a12b:8f4c:b6d9:8863/64 from the range given in dhcpd6.conf. The lease itself can be seen on the server in /var/lib/dhcp/dhcpd.leases.

Domain Name System (DNS)
The Domain Name System (DNS) is an internet service that translates hostnames into the corresponding IP addresses; it serves as the phonebook of the internet. It is a distributed database implemented in a hierarchy of DNS servers, together with an application layer protocol that lets hosts query that database. DNS runs over UDP port 53 for ordinary queries and falls back to TCP port 53 when a response does not fit in a UDP datagram (the TC bit is set) and for zone transfers.

Behavior of the protocol
When a user requests a particular URL, the browser extracts the hostname from the URL and passes it to the DNS client (the resolver) on the host. The resolver sends a query containing the hostname to its DNS server and eventually receives a reply containing the IP address for the requested hostname. This is how DNS performs the hostname to IP address mapping.

DNS Server
The DNS database is distributed over a hierarchy of servers: the root servers, the Top-Level Domain (TLD) servers and the authoritative servers. The delegation records that point a domain at its authoritative servers are entered into the TLD zones by registrars accredited by the Internet Corporation for Assigned Names and Numbers (ICANN).

Signalling
1. The client will first contact the local DNS server with the DNS query containing the hostname.

2. The local DNS server forwards the query to a root DNS server. The root server replies with the names and addresses of the TLD servers responsible for the hostname's top-level domain.

3. The local DNS server sends its query message to one of the TLD servers.

4. The TLD server responds back with the IP address of the authoritative name server to the local DNS server.

5. The local DNS server then sends its query to the authoritative DNS server which responds back with the IP address for the queried hostname.
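The query and reply in wire form, as an added example that is not part of the original page: it encodes the question for www.dknr.com as a stub resolver sends it to the local DNS server on UDP port 53, builds a constructed authoritative reply carrying an A record of 192.168.1.10 (the address this project uses for dknr.com), and parses that reply, following name compression pointers and applying the id and question checks that make a resolver discard stray or spoofed datagrams. The TTL of 3600 is an assumption.

```python
"""DNS query and response in RFC 1035 wire format.
Added example; not code from the original project. The response is constructed."""
import socket
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """'www.dknr.com' -> b'\\x03www\\x04dknr\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=QTYPE_A):
    """Recursive query (RD set), as a stub resolver sends it to the local DNS server."""
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset, depth=0):
    """Read a name, following compression pointers; bounded so a hostile loop cannot hang the parser."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                      # RFC 1035: pointers refer to earlier data only
                raise ValueError("forward compression pointer")
            tail, _ = decode_name(msg, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_response(query, addresses, ttl=3600):
    """Authoritative answer to `query` (constructed); answer names point back to the question at offset 12."""
    qid = HEADER.unpack(query[:12])[0]
    header = HEADER.pack(qid, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
                       for ip in addresses)
    return header + query[12:] + answers


def parse_response(msg, expected_id, expected_name):
    """Check id, QR bit, rcode and that the echoed question is ours before believing the answers."""
    qid, flags, qdcount, ancount, _, _ = HEADER.unpack(msg[:12])
    if qid != expected_id or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        if qname.lower() != expected_name.lower().rstrip("."):
            raise ValueError("question section does not match our query")
        offset += 4                                    # skip qtype, qclass
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers, bool(flags & FLAG_TC)              # TC set means: repeat the query over TCP 53


def is_trusted_response(msg, expected_id, expected_name):
    """True only if parse_response accepts the datagram as the answer to our query."""
    try:
        parse_response(msg, expected_id, expected_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    q = build_query("www.dknr.com", 0x1234)
    print(parse_response(build_response(q, ["192.168.1.10"]), 0x1234, "www.dknr.com"))
```

The 16-bit id is the only thing tying a UDP reply to its query, which is why resolvers also randomise the source port and why DNSSEC exists; `dig www.dknr.com @192.168.1.10` prints the same fields (id, flags, question, answer) that this parser extracts.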

Configuration of DNS
The DNS server can be configured with one of several software packages, for example:

 * BIND
 * Posadis
 * PowerDNS

For configuring the DNS server we use BIND (Berkeley Internet Name Domain) version 9, as it provides a robust architecture and is used by a large proportion of the name servers on the internet. BIND also supports important features such as DNSSEC and multiprocessor support.

Steps to configure DNS
Step 1: Update the repositories

sudo apt-get update

Step 2: Install bind9

sudo apt-get install bind9

Step 3: Assign a static IP address

sudo gedit /etc/network/interfaces

Step 4: Edit the hosts file

sudo gedit /etc/hosts

Step 5: Edit the hostname file

sudo gedit /etc/hostname

Step 6: Manage name server information

sudo gedit /etc/resolvconf/resolv.conf.d/head

Step 7: Define the forward and reverse lookup zones

sudo gedit /etc/bind/named.conf.local

Step 8: Configure the caching nameserver (forwarders, and which clients may query and recurse). Restrict recursion to the local network with allow-recursion; a server that recurses for anyone is an open resolver that can be abused for reflection attacks.

sudo gedit /etc/bind/named.conf.options

Step 9: Edit the forward lookup file

sudo gedit /etc/bind/db.dknr.com

Step 10: Edit the reverse lookup file

sudo gedit /etc/bind/db.192

Once the master is done, the slave is configured in a different virtual machine, and the forward and reverse lookup zones are defined there as slave zones that point at the master's address. On the master, zone transfers should be restricted to the slave's address with allow-transfer; otherwise any host can download the whole zone.

Testing
We mainly use the nslookup command to test DNS. Run nslookup from every PC in the network; it should return the translated IP address. Also test reverse lookup (nslookup with an IP address should return the hostname). Apart from nslookup, the dig and host commands can also be used; dig shows the full response, including which server answered and whether the answer is authoritative (aa flag).

Webserver
A web server stores web content and returns it on request. When a client requests a URL, the web server looks up the corresponding resource and returns the HTML page. Since requests can arrive at any time, the server is always on so that clients can reach it whenever they need to.

Behavior of the protocol
HTTP is the application layer protocol the client uses to access web content. It uses TCP port 80 and relies on TCP for reliable delivery. Before requesting a page the client opens a TCP connection to the web server with the three-way handshake. Once the connection is established the client requests the page; the server fetches the HTML and returns it over the same connection. The connection may be persistent (reused for further requests) or non-persistent (closed after a single response).

Configuration of webserver
The webserver can be configured using one of the following:
 * Apache2 HTTP server
 * NGINX
 * Windows webserver

In the given scenario a small number of websites are hosted on a small network, so Apache 2 is configured and implemented; raw speed is not a major concern. Apache is the most widely used web server software, serves a large share of the active sites on the web, and is highly capable and flexible. The basic unit that describes an individual site or domain is called a virtual host.

Signalling
The client opens a TCP connection to the web server's IP address using the three-way handshake. First the client sends a SYN segment to the server's port 80 to request a connection. The server answers with SYN-ACK, acknowledging the request and announcing its own sequence number. The client completes the handshake with an ACK and then sends its HTTP request for the HTML page.

Steps to configure webserver
Step 1: Install Apache2 on the server

sudo apt-get update
sudo apt-get install apache2

Step 2: Create the directory structure

sudo mkdir -p /var/www/dknr.com/public_html

Step 3: Give ownership of the document root to the account that maintains the content (the recursive flag is uppercase -R)

sudo chown -R $USER:$USER /var/www/dknr.com/public_html

Step 4: Set permissions so that Apache (running as www-data) can read the files while only the owner can write them

sudo chmod -R 755 /var/www

Step 5: Create a demo page on the virtual host to test the virtual host configuration

nano /var/www/dknr.com/public_html/index.html

Step 6: Create the new virtual host file from the default one

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/dknr.com.conf

Further steps in opening new file with root privileges:

sudo nano /etc/apache2/sites-available/dknr.com.conf

The file looks like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We customise a few of these directives and add some more, so that this virtual host section matches requests made for our domain on port 80 (the default HTTP port):


 * ServerAdmin is changed to admin@dknr.com
 * 'ServerName dknr.com' is added; it establishes the base domain that this virtual host definition matches
 * 'ServerAlias www.dknr.com' is added; it defines additional names that should be matched as if they were the base name
 * DocumentRoot is changed to /var/www/dknr.com/public_html, the location of the content for this domain

Finally, after modification, the virtual host file should be:

<VirtualHost *:80>
    ServerAdmin admin@dknr.com
    ServerName dknr.com
    ServerAlias www.dknr.com
    DocumentRoot /var/www/dknr.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Step 7: Enable the new virtual host file

sudo a2ensite dknr.com.conf

After executing the command, restart Apache for the changes to take effect:

sudo service apache2 restart

Step 8: Set up the local hosts file on the client

sudo nano /etc/hosts

Add the web server's IP address and the domain names it serves, so that the names resolve on this client even without the DNS server. The file then looks like:

127.0.0.1     localhost
127.0.1.1     ubuntu
192.168.1.10  dknr.com
192.168.1.10  www.dknr.com

This directs requests for dknr.com from this system to the server at 192.168.1.10. Save and close the file.
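A small model, added here and not Apache's own code, of the two mechanisms the virtual host file depends on: selecting the site by the Host header (the ServerName/ServerAlias match) and confining file access to the DocumentRoot, which is the rule behind the 403 Forbidden response seen when content sits outside the configured root. The vhost table mirrors dknr.com.conf and 000-default.conf; the request lines are constructed.

```python
"""Name-based virtual host selection and DocumentRoot confinement, as a model.
Added example; not Apache's code. Request bytes below are constructed."""
import posixpath
from urllib.parse import unquote

# ServerName / ServerAlias -> DocumentRoot, as declared in dknr.com.conf
VHOSTS = {
    "dknr.com": "/var/www/dknr.com/public_html",
    "www.dknr.com": "/var/www/dknr.com/public_html",
}
DEFAULT_ROOT = "/var/www/html"   # 000-default.conf answers any Host that matches no vhost


def parse_request(raw):
    """Split the request line and headers; HTTP/1.1 without a Host header is a 400, not a guess."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("400 Bad Request: Host header required")
    return method, target, headers


def select_docroot(headers):
    """The Host header, not the destination IP, decides which site answers (ServerName/ServerAlias)."""
    host = headers.get("host", "").rsplit(":", 1)[0].lower()   # drop an optional :port
    return VHOSTS.get(host, DEFAULT_ROOT)


def resolve(docroot, target):
    """Map the URL path onto a file and refuse anything that would escape the DocumentRoot."""
    path = unquote(target.split("?", 1)[0])          # decode %2e%2e before checking, never after
    if "\x00" in path:
        raise ValueError("400 Bad Request")
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        raise PermissionError("403 Forbidden")     # e.g. /../../etc/passwd
    if full == docroot or path.endswith("/"):
        full = posixpath.join(full, "index.html")  # DirectoryIndex
    return full


def handle(raw):
    """Return (status, filesystem path) for a raw request, the way the server would decide it."""
    try:
        _, target, headers = parse_request(raw)
        return 200, resolve(select_docroot(headers), target)
    except PermissionError:
        return 403, None
    except ValueError:
        return 400, None


if __name__ == "__main__":
    for req in (b"GET /index.html HTTP/1.1\r\nHost: www.dknr.com\r\n\r\n",
                b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n",
                b"GET /../../etc/passwd HTTP/1.1\r\nHost: dknr.com\r\n\r\n",
                b"GET / HTTP/1.1\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", handle(req))
```

Requesting the server by IP address lands on the default site rather than dknr.com, which is why the testing notes below see different pages depending on what is typed in the address bar; `curl -H 'Host: www.dknr.com' http://192.168.1.10/` shows the same selection happening on the real server.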

Testing

 * Before the virtual host is configured, opening localhost, 127.0.0.1 or the web server's IP address in a browser displays Apache's default page.
 * After configuration, entering the web server's IP address or localhost in the browser displays the configured page.
 * If the HTML page is created in a directory that is not the configured DocumentRoot and localhost is entered in the browser, Apache answers 403 Forbidden: it serves files only from a DocumentRoot for which access has been permitted.
 * If the HTML page is created in a different directory and that path is set as the DocumentRoot in /etc/apache2/sites-enabled/000-default.conf, the configured page is displayed.

Firewall
A firewall is a system used to prevent unauthorised access to or from a network. It can be implemented in hardware or in software. A firewall protects a network (a private network) from other networks and from unintended users by blocking and filtering the packets that enter it. It can protect a whole network, or a single server holding databases or confidential data, from unauthorised users inside or outside the network.

The rules are configured from the Linux terminal on any of the machines (web server, DNS server or DHCP server) so that the host drops certain packets and permits the rest.

Packages used
iptables is used to add and modify the rules that restrict or allow packets.

Steps to configure firewall
Step 1: Install or update the iptables package

sudo apt-get install iptables

Step 2: Install a telnet server (used here only to demonstrate blocking it; telnet carries passwords in clear text and should not stay enabled on a real server)

sudo apt-get install telnetd

Step 3: Install the SSH server

sudo apt-get install openssh-server

Step 4: Show the default policy of each chain

sudo iptables -L | grep policy

Step 5: Set the chain policies. ACCEPT on INPUT means everything not explicitly dropped below is allowed; a default-deny setup would use DROP for INPUT and add ACCEPT rules for established connections and the services that are needed, with the SSH rule in place before the policy is changed so the administrator's session is not cut off.

sudo iptables --policy INPUT ACCEPT
sudo iptables --policy OUTPUT ACCEPT
sudo iptables --policy FORWARD ACCEPT

Step 6: Block all traffic from one host

sudo iptables -A INPUT -s 192.168.1.110 -j DROP

Step 7: Block SSH connections from that host

sudo iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -j DROP

Step 8: Connection states. iptables evaluates a chain in order and the first matching rule wins, so after Steps 6 and 7 these ACCEPT rules are never reached for 192.168.1.110; to allow SSH from that host they would have to be inserted (-I) ahead of the DROP rules, or the DROP rules deleted (-D).

sudo iptables -A INPUT -p tcp --dport ssh -s 192.168.1.110 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -d 192.168.1.110 -m state --state ESTABLISHED -j ACCEPT

Step 9: Block ICMP echo requests (ping) from the host

sudo iptables -A INPUT -s 192.168.1.110 -p icmp --icmp-type echo-request -j DROP

Step 10: Block FTP from every source

sudo iptables -A INPUT -p tcp --destination-port 21 -j DROP

Step 11: Block telnet from the host

sudo iptables -A INPUT -p tcp -s 192.168.1.110 --dport telnet -j DROP
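A first-match simulator for the INPUT chain built in the steps above, added as an example (not code from the project) so a rule set can be checked before it is loaded on a live server. It reproduces the chain exactly as written and shows two things: the Step 8 ACCEPT is shadowed by the Step 6 DROP, and with the policy left at ACCEPT any host other than 192.168.1.110 still reaches telnet and SSH. The HARDENED chain illustrates the default-deny alternative; allowing SSH from 192.168.1.0/24, HTTP from anywhere and ping is an assumption about what this network needs. to_iptables() renders a rule as the command that would load it.

```python
"""First-match evaluation of an iptables INPUT chain.
Added example; not from the original project. Packets and the HARDENED chain are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "NEW"              # conntrack state


@dataclass
class Rule:
    target: str                                 # -j ACCEPT / DROP
    src: Optional[str] = None                   # -s host or CIDR
    proto: Optional[str] = None                 # -p
    dport: Optional[int] = None                 # --dport
    icmp_type: Optional[int] = None             # --icmp-type (8 = echo-request)
    states: FrozenSet[str] = frozenset()        # -m conntrack --ctstate

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True

    def to_iptables(self, chain: str = "INPUT") -> str:
        parts = ["iptables", "-A", chain]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.icmp_type is not None:
            parts += ["--icmp-type", str(self.icmp_type)]
        if self.states:
            parts += ["-m", "conntrack", "--ctstate", ",".join(sorted(self.states))]
        return " ".join(parts + ["-j", self.target])


def evaluate(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """iptables semantics: the first matching rule decides; otherwise the chain policy applies.
    Returns (verdict, 1-based index of the deciding rule, or None when the policy decided)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.target, n
    return policy, None


# The INPUT chain exactly as Steps 5 to 11 build it (policy ACCEPT).
AS_WRITTEN_POLICY = "ACCEPT"
AS_WRITTEN = [
    Rule("DROP", src="192.168.1.110"),                                   # Step 6
    Rule("DROP", src="192.168.1.110", proto="tcp", dport=22),            # Step 7
    Rule("ACCEPT", src="192.168.1.110", proto="tcp", dport=22,
         states=frozenset({"NEW", "ESTABLISHED"})),                      # Step 8: shadowed by Step 6
    Rule("DROP", src="192.168.1.110", proto="icmp", icmp_type=8),        # Step 9
    Rule("DROP", proto="tcp", dport=21),                                 # Step 10
    Rule("DROP", src="192.168.1.110", proto="tcp", dport=23),            # Step 11
]

# Default-deny alternative (assumed service set): replies to our own connections, SSH from the
# LAN, HTTP and ping are accepted; everything else falls through to the DROP policy.
HARDENED_POLICY = "DROP"
HARDENED = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", src="192.168.1.0/24", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="icmp", icmp_type=8),
]


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.110", "tcp", dport=22),
                Packet("192.168.1.120", "tcp", dport=23),
                Packet("10.9.8.7", "tcp", dport=80)):
        print(pkt, "as written:", evaluate(AS_WRITTEN, AS_WRITTEN_POLICY, pkt),
              "hardened:", evaluate(HARDENED, HARDENED_POLICY, pkt))
    print("iptables -P INPUT", HARDENED_POLICY)
    print("\n".join(r.to_iptables() for r in HARDENED))
```

The real kernel adds a few things this model leaves out (interface matches such as `-i lo`, and the RELATED state for ICMP errors), but the ordering lesson carries over unchanged: `sudo iptables -L INPUT -v -n --line-numbers` shows the same sequence the simulator walks, with packet counters that reveal which rules are actually being hit.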

Saving the configuration of IP tables
iptables-save only prints the running rules to standard output. To keep the changes across a reboot, install iptables-persistent and write the output to the file it loads at boot; otherwise the rules are lost when the server restarts.

sudo apt-get install iptables-persistent
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Testing
To list all the rules configured in the firewall (-v adds packet counters, -n avoids slow reverse DNS lookups)

sudo iptables -L -v -n

 * The rules take effect as soon as they are entered; restarting the server is not needed, and if the server is restarted the rules must have been saved first (see Saving the configuration of IP tables above) or they will be gone.
 * Before configuration, every client in the network should be able to ping, telnet and fetch the web page from the webserver.
 * After configuration, the client with IP address 192.168.1.110 is dropped entirely by the Step 6 rule, so it can no longer ping, telnet, SSH or load the web page. Other clients are unaffected, except that FTP (port 21) is dropped for everyone. To block ping and telnet for all clients, the -s 192.168.1.110 match would have to be removed from the Step 9 and Step 11 rules.

Backup
Backup is the process of copying data to another location from which it can be recovered after data loss. If the web server loses its data, or is under heavy load, the copy can be used to restore or serve the content. The data is synchronised to another server that tracks the contents of the directory and copies only the files that have changed, so we use rsync (remote sync) on Ubuntu. In this project the web server is backed up to the DNS server, and the backup is scheduled every hour, so that a recent copy of the web server's data exists at the backup location if the web server fails.

Steps to configure backup
Since the backup is kept on the DNS server, Apache is installed on both machines so that the backup copy can itself be served as a web site from the second Linux machine. After installing Apache on both, follow these steps to set up the backup.

Step 1: Installing Apache in backup server

sudo apt-get install apache2

Step 2: Install Rsync in both the webserver and backup server

sudo apt-get install rsync

Step 3: Backup within another directory

sudo rsync -avz --progress /var/www/ /path of backup directory/

Step 4: Install SSH and rsync (on both the webserver and the backup server)

sudo apt-get install ssh rsync

Step 5: To put backup in another server (Executed in backup server)

sudo rsync -avz --progress -e ssh admin@192.168.1.15:/var/www/ /path of backup directory/

The remote source is written as user@host:path (192.168.1.15 is the web server); the backup server pulls from it. Because the job runs unattended it needs an SSH key without a passphrase, so give that key a dedicated account on the web server that can only read /var/www rather than a root login.

Step 6: Schedule the backup every hour with cron (for a run every 5 minutes the time fields would be */5 * * * *). --progress is dropped because there is no terminal to show it on.

sudo crontab -e

0 * * * * rsync -avz -e ssh admin@192.168.1.15:/var/www/ /path of backup directory/

Testing
After running the commands on the backup server, the web server's files were transferred to the path given on the backup server. When a file was changed on the web server and the scheduled job ran on the backup server, the new version of the file appeared at the backup location.

Algorithm
1. Client attempts to join the network dknr
    * If the client is valid: it connects to dknr
    * Else: restart the connection or contact the network administrator for troubleshooting

2. Client acquires an IP address from the DHCP server
    * Check whether the wlan interface is set to static or to automatic (DHCP)
        * If static: change it to automatic (DHCP)
        * Else: send a DHCP discover and obtain from the DHCP server the IP address, gateway address, DHCP server details and DNS server details
            * If the DHCP allocation succeeds: the server replies with the IP address to be allocated
            * Else: the DHCP server replies that the request failed (DHCPNAK); restart the connection or contact the network administrator for troubleshooting

3. After the DHCP request succeeds, the client opens www.dknr.com in a web browser; the browser resolves the name through the DNS server

4. If the DNS request is resolved, the client requests the web page from the web server
    * Client sends an HTTP request to the server
        * If the HTTP request succeeds: the web page is displayed
        * Else: the web page is not loaded

VPN Configuration
A VPN extends a private network across a public network, so that a remote client can reach the private network from outside as if it were attached locally, with the same access as a local user (which is why VPN accounts should be protected like local accounts). Here the VPN is provided by PPTP: the remote client connects to the server and authenticates with the username and password defined below, and traffic then flows over the secured association. PPTP's MS-CHAPv2 authentication and MPPE encryption have been broken for years and PPTP should not be relied on for confidentiality today; it is used here because it is simple to set up, and OpenVPN or IPsec (IKEv2) would be chosen for a real deployment.

Steps to configure VPN
Step 1: Install the package that provides the PPTP VPN server

sudo apt-get install pptpd

Step 2: Edit the pptpd configuration: localip is the VPN server's address, remoteip the pool handed out to clients. The pool must not overlap addresses already in use by other hosts or by the DHCP range.

sudo nano /etc/pptpd.conf

localip 192.168.1.11
remoteip 192.168.1.15-30

Step 3: Edit the /etc/ppp/pptpd-options file and set the DNS server pushed to clients

sudo nano /etc/ppp/pptpd-options

ms-dns 192.168.1.254

Step 4: Create the user id and password (fields: client, server, secret, allowed IP addresses; * means any)

sudo nano /etc/ppp/chap-secrets

user pptpd password *

Step 5: Restart the pptpd server

sudo /etc/init.d/pptpd restart

Mail Server
A mail server is a program, and by extension the computer it runs on, that receives, sorts and delivers electronic mail from one computer to another. It is the counterpart of the mail client (mail user agent) on the end user's machine.

The default mail transfer agent in Ubuntu is Postfix; the mail-handling process on Linux is also referred to as the mailer daemon.

Steps to configure Mail Server
Step 1: Install postfix

sudo apt-get install postfix

Step 2: Configuring postfix

sudo dpkg-reconfigure postfix

Step 3: Configuration of mailbox format for Maildir

sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='

Step 4: Configure Postfix for SMTP AUTH using SASL

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

reject_unauth_destination must stay in the recipient restrictions: without it the server relays mail for anyone and becomes an open relay. Since inet_interfaces = all makes Postfix listen on every interface, the firewall rules above should limit who can reach port 25. Certificates are then generated for TLS encryption and/or certificate authentication.

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 2048 > smtpd.key   # 1024-bit RSA keys are too weak for new certificates
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt   # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650   # has prompts

sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Step 5: Configure Postfix to use TLS encryption for outgoing (smtp_*) and incoming (smtpd_*) mail. "may" enables opportunistic TLS: encryption is used when the other side supports it but not required. For incoming connections the smtpd_tls_cert_file and smtpd_tls_key_file parameters must also point at the smtpd.crt and smtpd.key files moved above.

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'

Step 6: Restart postfix daemon

sudo /etc/init.d/postfix restart

Network File System(NFS)
NFS allows a directory located on one device in a network to be shared with other devices on the same network and used much like local storage. The server is the device where the directory is located; the clients are the devices that connect to it, and a client must mount the shared directory to make it part of its own directory tree. In the setup below access is controlled by client IP address only, so the export should be limited to the trusted subnet and never opened to untrusted networks.

Steps to configure NFS Server
Step 1: Update repository

sudo apt-get update

Step 2: Install the NFS server package

sudo apt-get install nfs-kernel-server

Step 3: Create directory to share

sudo mkdir /shome

Step 4: Configuring /etc/exports for NFS

sudo nano /etc/exports

/shome 192.168.1.0/24(rw,sync,no_root_squash)

There must be no space between the client specification and the options; with a space, the options would apply to every host and the named network would get the defaults. no_root_squash lets root on any client act as root on the exported directory; leave it out (the default root_squash maps client root to an unprivileged user) unless a client genuinely needs root access to the share.

Step 5: Start the service

sudo /etc/init.d/nfs-kernel-server start

Step 6: Check the NFS share status (-v lists the current exports; -u would unexport them)

sudo exportfs -v

Step 7: Restart the server

sudo service nfs-kernel-server restart

Steps to configure NFS Client
Step 1: Install NFS for client and its dependencies

sudo apt-get update sudo apt-get install nfs-common rpcbind

Step 2: Create a directory

sudo mkdir /rhome

Step 3: Mount the remote share /shome on the local directory /rhome

sudo mount -t nfs 192.168.1.42:/shome /rhome

To make the mount permanent, add the following line to /etc/fstab (hard mounts keep retrying until the server answers instead of returning errors to applications):

192.168.1.42:/shome /rhome nfs rw,sync,hard,intr 0 0

Step 4: Checking the mounted share directory using mount command

mount

Future Improvements

 * Adding firewall rules to improve protection against malicious traffic, for example a default-deny INPUT policy that permits only the required services.
 * Increasing the number of DNS servers for redundancy, load distribution and decentralisation.
 * Supporting IPv6 and IPv4 simultaneously (dual stack).
 * Extending the servers to accommodate many more users at the same time.
 * Adding security to the mail server: confidentiality, integrity and more authentication options using techniques such as RSA and certificates, with current algorithms (AES rather than DES, SHA-2 rather than MD5).