Data Networking/Fall 2015/MeeraSudhakar

Motivation
This project builds a deeper understanding of basic networking fundamentals through practical implementation. The concepts covered in the Data Networking class (TELE5330) became clearer through the implementation of this project.

Understanding the Protocol
DHCP: This is a client/server protocol that automatically assigns IP addresses to hosts in a network. It also provides related configuration information such as the subnet mask and default gateway. DHCP supports static as well as dynamic IP addressing. It is a plug-and-play protocol: IP addresses are assigned automatically within the network, as opposed to being assigned manually by a network admin, which is cumbersome.

DNS: The Domain Name System runs transparently in the background. It converts human-readable website names into computer-readable numerical IP addresses. In this project, a master DNS server is configured, and a slave DNS server is configured as well to serve as a backup. These are authoritative DNS servers and provide high performance because they do not resolve recursive requests from clients.

Web Server: The Apache web server is a popular way of serving web content on the Internet. More than one site can be hosted by a single Virtual Private Server (VPS). If multiple domains are configured on the same server, the visitor is directed to the specific directory for the domain they requested. There is no indication at all that the server is responsible for other sites as well.

Firewall: A firewall is a network security system. It can be software-based or hardware-based. It controls network traffic based on a set of rules. The Uncomplicated Firewall (ufw) is part of the Ubuntu package set and is a front end to iptables. As part of this project, two clients have joined the network, and the web server has been configured with a firewall rule against one of them.

Backup: System backup provides security to the network by retaining compressed versions of the filesystems of the various nodes in the network. In the event of a system crash, corruption or failure, the filesystem can be restored from the backup that was stored beforehand. System backups are taken as frequently as desired.

The Requirements

 * Implement a DHCP server that assigns IP addresses to the clients in the network
 * Implement a web server that hosts one or more web pages
 * Implement a master DNS server and a slave DNS server
 * Ensure that the clients in the network can access the web pages on the server by having the name-to-IP-address mapping resolved by the DNS server
 * Create backups of the client on the backup server and send them back to the client when required

DHCP

Configuration
Assign a static IP to the eth0 interface of the DHCP server:

    sudo vi /etc/network/interfaces

The IPv4 address 192.168.64.130 and the IPv6 address fe60::20c:29ff:fe5a:e3d0 have been assigned to the eth0 interface of the DHCP server. Reboot the DHCP server in order for these changes to take effect.

Install the ISC DHCP server on the VM:

    sudo apt-get install isc-dhcp-server

Now add the subnet, pools, fixed IP addresses, lease times and excluded IP addresses to /etc/dhcp/dhcpd.conf for the IPv4 addresses:

    sudo vi /etc/dhcp/dhcpd.conf

    subnet 192.168.64.0 netmask 255.255.255.0 {
        range 192.168.64.20 192.168.64.129;
        range 192.168.64.151 192.168.64.200;
        option routers 192.168.64.254;
        option domain-name-servers 192.168.64.133, 192.168.64.135;
        default-lease-time 600;
        max-lease-time 7200;
        pool {
            max-lease-time 300;
            range 192.168.64.230 192.168.64.253;
            allow unknown-clients;
        }
    }

    host hostname {
        hardware ethernet 00:0c:29:5a:e3:d0;
        fixed-address 192.168.64.130;
    }
    host ns1 {
        hardware ethernet 00:0c:29:19:2e:ba;
        fixed-address 192.168.64.133;
    }
    host ns2 {
        hardware ethernet 00:0c:29:61:83:8d;
        fixed-address 192.168.64.135;
    }
    host hostnameWS {
        hardware ethernet 00:0c:29:2f:9f:53;
        fixed-address 192.168.64.134;
    }
    host BackupServer {
        hardware ethernet 00:0c:29:2c:08:38;
        fixed-address 192.168.64.136;
    }

Then add the equivalent to /etc/dhcp/dhcpd6.conf for the IPv6 addresses:

    subnet6 fe60::20c:29ff:fe5a:0/112 {
        range6 fe60::20c:29ff:fe5a:129 fe60::20c:29ff:fe5a:254;
        default-lease-time 600;
        max-lease-time 7200;
        option dhcp6.name-servers fe60::20c:29ff:fe5a:e3d1, fe60::20c:29ff:fe5a:e3d2;
    }

    host hostname {
        hardware ethernet 00:0c:29:5a:e3:d0;
        fixed-address6 fe60::20c:29ff:fe5a:e3d0;
    }
    host ns1 {
        hardware ethernet 00:0c:29:19:2e:ba;
        fixed-address6 fe60::20c:29ff:fe5a:e3d1;
    }
    host ns2 {
        hardware ethernet 00:0c:29:61:83:8d;
        fixed-address6 fe60::20c:29ff:fe5a:e3d2;
    }
    host hostnameWS {
        hardware ethernet 00:0c:29:2f:9f:53;
        fixed-address6 fe60::20c:29ff:fe5a:e3d3;
    }

Restart the DHCP daemon:

    sudo /etc/init.d/isc-dhcp-server restart

Start the server manually for IPv6:

    sudo /usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf eth0

On the client, Client_1, edit /etc/network/interfaces so that the eth0 interface gets its IP address from the DHCP server:

    sudo vi /etc/network/interfaces

    iface eth0 inet dhcp
    iface eth0 inet6 dhcp
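A sanity check for the dhcpd.conf above, added here as an example and not part of the project: dhcpd does not warn when a fixed-address lies inside a dynamic range or when two ranges overlap, yet either mistake can hand the same address to two machines. The sample configuration is constructed after the project's file (same pools and reservations).

```python
import ipaddress
import re

# Constructed after the project's dhcpd.conf: same pools, same reserved hosts
SAMPLE_DHCPD_CONF = """
subnet 192.168.64.0 netmask 255.255.255.0 {
  range 192.168.64.20 192.168.64.129;
  range 192.168.64.151 192.168.64.200;
  option routers 192.168.64.254;
  pool { max-lease-time 300; range 192.168.64.230 192.168.64.253; allow unknown-clients; }
}
host hostname     { hardware ethernet 00:0c:29:5a:e3:d0; fixed-address 192.168.64.130; }
host ns1          { hardware ethernet 00:0c:29:19:2e:ba; fixed-address 192.168.64.133; }
host ns2          { hardware ethernet 00:0c:29:61:83:8d; fixed-address 192.168.64.135; }
host hostnameWS   { hardware ethernet 00:0c:29:2f:9f:53; fixed-address 192.168.64.134; }
host BackupServer { hardware ethernet 00:0c:29:2c:08:38; fixed-address 192.168.64.136; }
"""

RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
FIXED_RE = re.compile(r"\bhost\s+(\S+)\s*\{[^}]*?fixed-address\s+(\S+)\s*;", re.S)

def parse_ranges(conf):
    """[(first, last)] for every 'range a b;' statement, as ip_address objects."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in RANGE_RE.findall(conf)]

def parse_fixed(conf):
    """{hostname: ip_address} for every host block that carries a fixed-address."""
    return {host: ipaddress.ip_address(ip) for host, ip in FIXED_RE.findall(conf)}

def check_dhcpd(conf):
    """Return a list of problem strings; an empty list means pools and reservations are consistent."""
    ranges, problems = parse_ranges(conf), []
    for lo, hi in ranges:
        if lo > hi:
            problems.append(f"range {lo}-{hi} is reversed")
    # two dynamic pools covering the same address would lease it twice
    for i, (lo1, hi1) in enumerate(ranges):
        for lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges {lo1}-{hi1} and {lo2}-{hi2} overlap")
    # a reservation inside a dynamic pool can be handed to some other MAC first
    for host, ip in parse_fixed(conf).items():
        for lo, hi in ranges:
            if lo <= ip <= hi:
                problems.append(f"fixed-address {ip} for host {host} lies inside range {lo}-{hi}")
    return problems
```

Run it against the real file with check_dhcpd(open("/etc/dhcp/dhcpd.conf").read()) before restarting the daemon; the project's configuration comes back clean because every reservation sits in the gaps between the pools.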

Testing
Check that the client obtained its IP address from the DHCP server:

    ifconfig

Also check the logs on the client for DHCP messages:

    grep -i dhcp /var/log/syslog

DNS
Below is the configuration for IPv4. IPv6 is configured in the same way.

Configuration
Before the configuration, ensure that the hostname is configured properly on the master and slave servers.

Master DNS Server:

    sudo vi /etc/hosts
    192.168.64.133 ns1.examplemeera.com ns1

    sudo vi /etc/hostname
    ns1

Read the file to apply the new hostname to the running system:

    sudo hostname -F /etc/hostname

Slave DNS Server:

    sudo vi /etc/hosts
    192.168.64.135 ns2.examplemeera.com ns2

    sudo vi /etc/hostname
    ns2

Read the file to apply the new hostname to the running system:

    sudo hostname -F /etc/hostname

Install BIND on both the master and slave DNS servers:

    sudo apt-get update
    sudo apt-get install bind9 bind9utils bind9-doc

Master DNS Server Configuration:

    sudo vi /etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

    sudo vi /etc/bind/named.conf.local

    zone "examplemeera.com" {
        type master;
        file "/etc/bind/zones/db.examplemeera.com";
        allow-transfer { 192.168.64.135; };
    };
    zone "64.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168.64";
        allow-transfer { 192.168.64.135; };    # the slave transfers this zone too
    };

Create the zone directory, using the pre-existing zone files as templates:

    sudo mkdir /etc/bind/zones
    sudo cp /etc/bind/db.local /etc/bind/zones/db.examplemeera.com
    sudo cp /etc/bind/db.127 /etc/bind/zones/db.192.168.64

Edit the forward zone file:

    sudo vi /etc/bind/zones/db.examplemeera.com

    $TTL    604800
    @       IN      SOA     ns1.examplemeera.com. admin.examplemeera.com. (
                                20151127        ; Serial
                                  604800        ; Refresh
                                   86400        ; Retry
                                 2419200        ; Expire
                                  604800 )      ; Negative Cache TTL
    ; Name servers
    examplemeera.com.   IN      NS      ns1.examplemeera.com.
    examplemeera.com.   IN      NS      ns2.examplemeera.com.
    ; A records for name servers
    ns1                 IN      A       192.168.64.133
    ns2                 IN      A       192.168.64.135
    ; Other A records
    @                   IN      A       192.168.64.134
    www                 IN      A       192.168.64.134

Edit the reverse zone file (the file name must match the one given in named.conf.local):

    sudo vi /etc/bind/zones/db.192.168.64

    $TTL    604800
    @       IN      SOA     ns1.examplemeera.com. admin.examplemeera.com. (
                                20151127        ; Serial
                                  604800        ; Refresh
                                   86400        ; Retry
                                 2419200        ; Expire
                                  604800 )      ; Negative Cache TTL
    ; Name servers
            IN      NS      ns1.examplemeera.com.
            IN      NS      ns2.examplemeera.com.
    ; PTR records (the owner is the last octet of the address in 192.168.64.0/24)
    133     IN      PTR     ns1.examplemeera.com.
    135     IN      PTR     ns2.examplemeera.com.
    134     IN      PTR     www.examplemeera.com.

Now test the syntax of the modified configuration:

    sudo named-checkconf

Check the individual zone files:

    sudo named-checkzone examplemeera.com /etc/bind/zones/db.examplemeera.com
    sudo named-checkzone 64.168.192.in-addr.arpa /etc/bind/zones/db.192.168.64

If everything is fine, restart BIND:

    sudo service bind9 restart

Also check the log file for messages:

    tail -f /var/log/syslog
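named-checkzone validates each zone file on its own but never compares the forward zone with the reverse zone, so an A record whose PTR owner is the wrong octet passes every check and only shows up as a failed reverse lookup. The following cross-check is an added example, not part of the project; it parses the simplified one-record-per-line form used in the zone text below, which is constructed to mirror the project's files, and assumes a /24 reverse zone.

```python
import re

# Constructed zone text mirroring the project's files (one record per line)
FORWARD_ZONE = """\
@    IN NS  ns1.examplemeera.com.
@    IN NS  ns2.examplemeera.com.
ns1  IN A   192.168.64.133
ns2  IN A   192.168.64.135
@    IN A   192.168.64.134
www  IN A   192.168.64.134
"""
REVERSE_ZONE = """\
     IN NS  ns1.examplemeera.com.
     IN NS  ns2.examplemeera.com.
133  IN PTR ns1.examplemeera.com.
135  IN PTR ns2.examplemeera.com.
134  IN PTR www.examplemeera.com.
"""

def fqdn(name, origin):
    """Expand a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def a_records(zone_text, origin):
    """{fqdn: set of IPs} for every 'owner IN A ip' line; NS/SOA lines are skipped."""
    out = {}
    for owner, ip in re.findall(r"^(\S+)\s+IN\s+A\s+(\S+)", zone_text, re.M):
        out.setdefault(fqdn(owner, origin), set()).add(ip)
    return out

def ptr_records(zone_text, prefix):
    """{ip: fqdn} for every 'last-octet IN PTR name' line of a /24 reverse zone."""
    return {f"{prefix}.{octet}": name
            for octet, name in re.findall(r"^(\d+)\s+IN\s+PTR\s+(\S+)", zone_text, re.M)}

def check_zones(fwd_text, rev_text, origin="examplemeera.com.", prefix="192.168.64"):
    """Return problem strings; an empty list means forward and reverse zones agree."""
    fwd, rev = a_records(fwd_text, origin), ptr_records(rev_text, prefix)
    problems = []
    for name, ips in fwd.items():
        for ip in sorted(ips):
            if ip.startswith(prefix + ".") and ip not in rev:
                problems.append(f"A {name} -> {ip} has no PTR")
    for ip, name in rev.items():
        if ip not in fwd.get(name, set()):
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems
```

With PTR owners 1, 2 and 3 instead of 133, 135 and 134 the check reports every A record as lacking a PTR and every PTR as pointing at a name with no such address.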

Slave DNS Server Configuration:

    sudo vi /etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

    sudo vi /etc/bind/named.conf.local

    zone "examplemeera.com" {
        type slave;
        file "db.examplemeera.com";
        masters { 192.168.64.133; };
    };
    zone "64.168.192.in-addr.arpa" {
        type slave;
        file "db.192.168.64";
        masters { 192.168.64.133; };
    };

Check the syntax of the modified files:

    sudo named-checkconf

Restart the BIND service:

    sudo service bind9 restart

Check the log files for messages:

    tail -f /var/log/syslog

Testing
Execute the following commands on the client. "nslookup" queries the DNS to obtain the name-to-IP-address mapping or any specific DNS record. "dig" is a networking tool that can query DNS servers for information; it uses the operating system's local Domain Name System resolver library to perform its queries.

    nslookup examplemeera.com
    dig examplemeera.com

Web Server

Configuration
Install Apache on the server:

    sudo apt-get update
    sudo apt-get install apache2

Note that the two domains being created are examplemeera.com and testmeera.com. Create directories for these domains under /var/www/:

    sudo mkdir -p /var/www/examplemeera.com/public_html
    sudo mkdir -p /var/www/testmeera.com/public_html

These directories are owned by the root user. Grant the regular user ownership of them:

    sudo chown -R $USER:$USER /var/www/examplemeera.com/public_html
    sudo chown -R $USER:$USER /var/www/testmeera.com/public_html

Modify the permissions so that read access is permitted to the web directory:

    sudo chmod -R 755 /var/www

These permissions are required because the server must be able to serve content and the user must be able to create content within the folders. Next, create a page for each of the virtual hosts:

    sudo vi /var/www/examplemeera.com/public_html/index.html

Paste the following content into the file:

    <html>
      <head><title>Welcome to Examplemeera.com!</title></head>
      <body><h1>Success! The examplemeera.com virtual host is working!</h1></body>
    </html>

Similarly, create /var/www/testmeera.com/public_html/index.html.

Next, create the virtual host files. These files specify the actual configuration of the virtual hosts and determine how the web server responds to the various domain requests. The files for this project are created by copying Apache's default file 000-default.conf:

    sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/examplemeera.com.conf
    sudo vi /etc/apache2/sites-available/examplemeera.com.conf

Modify the file content as shown below:

    <VirtualHost *:80>
        ServerAdmin admin@examplemeera.com
        ServerName examplemeera.com
        ServerAlias www.examplemeera.com
        DocumentRoot /var/www/examplemeera.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

Repeat the same for the second domain:

    sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/testmeera.com.conf
    sudo vi /etc/apache2/sites-available/testmeera.com.conf

Modify the file content as shown below:

    <VirtualHost *:80>
        ServerAdmin admin@testmeera.com
        ServerName testmeera.com
        ServerAlias www.testmeera.com
        DocumentRoot /var/www/testmeera.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

Enable the new virtual host files:

    sudo a2ensite examplemeera.com.conf
    sudo a2ensite testmeera.com.conf

Finally, restart Apache for the changes to take effect:

    sudo service apache2 restart

Testing
This can be tested locally (if the DNS server has not yet been set up) by modifying the /etc/hosts file on the client:

    sudo vi /etc/hosts
    192.168.64.134 examplemeera.com
    192.168.64.134 testmeera.com

Now access these domains from a browser on the client. If everything is working, the browser displays the content of the HTML file created above.

Firewall

Configuration
Check the status of the firewall on the web server:

    sudo ufw status verbose

Add a firewall rule to block the IP of one of the clients in the network, and allow the other one:

    sudo ufw deny from 192.168.64.129
    sudo ufw allow from 192.168.64.159

Enable the firewall:

    sudo ufw enable

Reload the firewall:

    sudo ufw reload

Check the status of the firewall:

    sudo ufw status verbose

Check that the iptables rules have been updated accordingly:

    sudo iptables -L

Testing
Access the web server from the client that is not blocked (192.168.64.159). Notice that the web server can be accessed. Now, access the web server from the client that is blocked (192.168.64.129). Notice that the web server cannot be accessed. Also, check the file /var/log/apache2/access.log on the web server. Observe the status 404 for the blocked client, and the status 200 for the unblocked client.
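A quick way to confirm from the server side that the rule is really in force, added here as an example and not part of the project: read the DENY sources out of "ufw status verbose", then scan the Apache access log for requests from those addresses. A client that iptables drops never completes the TCP handshake, so it should leave no access-log lines at all; any hit from a denied address means the packets reached Apache. Both inputs below are constructed samples in the real ufw and Apache combined-log formats.

```python
import re

# Constructed sample of 'sudo ufw status verbose' after the rules in this section
UFW_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     192.168.64.129
Anywhere                   ALLOW IN    192.168.64.159
"""

# Constructed sample of /var/log/apache2/access.log (combined format)
ACCESS_LOG = """\
192.168.64.159 - - [27/Nov/2015:10:02:11 -0500] "GET / HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.64.159 - - [27/Nov/2015:10:02:12 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.64.129 - - [27/Nov/2015:10:03:40 -0500] "GET / HTTP/1.1" 200 312 "-" "curl/7.35.0"
"""

RULE_RE = re.compile(r"^(\S+)\s+(DENY|ALLOW|REJECT)\s+IN\s+(\S+)", re.M)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})', re.M)

def denied_sources(status_text):
    """Set of source addresses that ufw reports as DENY or REJECT for inbound traffic."""
    return {src for _, action, src in RULE_RE.findall(status_text)
            if action in ("DENY", "REJECT")}

def requests_by_ip(log_text):
    """{client_ip: [(request_line, status_code), ...]} parsed from combined-format lines."""
    out = {}
    for ip, request, status in LOG_RE.findall(log_text):
        out.setdefault(ip, []).append((request, int(status)))
    return out

def audit(status_text, log_text):
    """Return {denied_ip: request_count} for denied sources that still reached Apache."""
    hits = requests_by_ip(log_text)
    return {ip: len(hits[ip]) for ip in denied_sources(status_text) if ip in hits}
```

In the sample, the denied client 192.168.64.129 has one logged request, which is exactly the condition that should make you re-check "ufw status" and "iptables -L" on the web server.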

Backup

Configuration
Edit the file /etc/crontab on the client to schedule the backup of the filesystem:

    sudo vi /etc/crontab

    00 1 * * *   root   /home/msudhakar/Projects/Project_3/createSystemBackup.sh > /home/msudhakar/Projects/Project_3/backup_output_log 2>&1
    0  2 * * *   root   find /home/msudhakar/Projects/Project_3/Backup/* -mtime +1 -type f -delete

The backups can be sent back to the client via scp:

    scp SystemBackup.tgz msudhakar@192.168.64.135:
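The page does not show createSystemBackup.sh, so here is an added example of the same job in Python (not the project's script): it archives a filesystem tree into a timestamped SystemBackup-*.tgz, skips the pseudo-filesystems that must never be in a backup, writes a SHA-256 digest beside the archive so the copy on the backup server can be verified after scp, and prunes archives older than one day, mirroring the second cron line. The exclusion list and the demo's mini filesystem are assumptions, not taken from the page.

```python
import hashlib, os, tarfile, tempfile, time

EXCLUDE = ("proc", "sys", "dev", "run", "tmp", "mnt", "media")  # assumed list of dirs to skip
KEEP_DAYS = 1  # matches the page's 'find ... -mtime +1 ... -delete' cron job

def _filter(info):
    """tarfile filter: drop excluded top-level dirs (member names look like './proc/cpuinfo')."""
    parts = info.name.split("/")
    return None if len(parts) > 1 and parts[1] in EXCLUDE else info

def create_system_backup(root, dest):
    """Archive root into dest/SystemBackup-<stamp>.tgz plus a .sha256 file; return the archive path."""
    os.makedirs(dest, exist_ok=True)
    archive = os.path.join(dest, time.strftime("SystemBackup-%Y%m%d-%H%M%S.tgz"))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".", filter=_filter)
    with open(archive, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    with open(archive + ".sha256", "w") as f:  # verify on the backup server with: sha256sum -c
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive

def prune_old_backups(dest, keep_days=KEEP_DAYS):
    """Delete SystemBackup-* files older than keep_days; return the names removed."""
    removed = []
    for name in sorted(os.listdir(dest)):
        path = os.path.join(dest, name)
        if name.startswith("SystemBackup-") and time.time() - os.path.getmtime(path) > keep_days * 86400:
            os.remove(path)
            removed.append(name)
    return removed

def demo():
    """Back up a constructed mini filesystem in a temp dir; return (archive members, pruned names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = os.path.join(tmp, "root"), os.path.join(tmp, "Backup")
        for rel, text in (("etc/hosts", "192.168.64.134 examplemeera.com\n"),
                          ("proc/cpuinfo", "pseudo-filesystem, must be skipped\n")):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        archive = create_system_backup(root, dest)
        with tarfile.open(archive) as tar:
            members = sorted(tar.getnames())
        stale = os.path.join(dest, "SystemBackup-old.tgz")
        open(stale, "w").close()
        os.utime(stale, (0, 0))  # pretend this archive was written in 1970
        return members, prune_old_backups(dest)
```

Scheduled from cron as in the crontab above, create_system_backup("/", "/home/msudhakar/Projects/Project_3/Backup") would need to run as root to read every file.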

Testing
Check the backup server for the filesystem backups taken at the time scheduled in the crontab:

    ls -lrt /home/msudhakar/Projects/Project_3/Backup

Integrated Testing
The procedure to test the entire system is below:

 * 1) Ensure that the DHCP server, master DNS server and slave DNS server are up and running.
 * 2) Check the IP address of the client using the command ifconfig. The IP address must come from the range specified on the DHCP server.
 * 3) Execute the command nslookup examplemeera.com on the client. Ensure that the DNS server is reachable from the client.
 * 4) Check the firewall on the web server. Note which client is blocked by the firewall.
 * 5) Access the web server from both clients. One client displays the web page, while the other is blocked.
 * 6) Check the system time and adjust the crontab on the client accordingly. Ensure that the filesystem backup is taken and copied to the backup server.

Future Prospects
The security and robustness of the project can be improved by adding features such as VPN, NIS, NFS and NTP.