Data Networking/Fall 2016/Ad Hoc Network in Linux

LINUX PROJECT 1. Akshay Tandel 2. Vinay Nambiar 3. Kalpesh Shardul 4. Aditya Kadam

Motivation
Most network operating systems are based on some variation of Linux. Linux influences every aspect of network administration, so a network engineer should know it. The range and scope of networking technologies that use Linux is vast and growing, and knowing Linux is necessary for a successful career as a network engineer. This project let us apply our networking concepts and skills, and it gave us an idea of Linux's flexibility and usefulness.

DNS
For humans, remembering websites by name is much easier than remembering their IP addresses; DNS is the service that makes this possible. The Domain Name System (DNS) is an Internet service that maps fully qualified domain names (FQDNs) to IP addresses and back, so that users need not remember IP addresses. Several names can also point at the same device, one for each service it offers. Computers that run DNS are called name servers. The basic task of a DNS server is to answer a client's query with the address (or other record) for the requested name. A resolving name server also caches each query and its response for the lifetime (TTL) of the record, so that later lookups of the same name are answered locally without another round trip.

DHCP
DHCP stands for Dynamic Host Configuration Protocol. A DHCP server automatically assigns network settings to hosts, as opposed to configuring each host manually. Computers configured as DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user. (That is also why a rogue DHCP server on the same segment can hand out a malicious gateway or DNS server to every client.)

Important settings provided by the DHCP server to DHCP clients are:
1. IP address and netmask
2. IP address of the default gateway to use
3. IP addresses of the DNS servers to use

The advantage of using DHCP is that changes common to all hosts on the network need to be configured only at the DHCP server, and all network hosts are reconfigured when they renew their leases. It is also easier to add new computers to the network, as there is no need to check whether an IP address is free.

DHCP clients can be configured by the DHCP server in the following ways:
1. Manual allocation (a fixed address tied to the client's MAC address)
2. Dynamic allocation (a lease from an address pool, returned when it expires)
3. Automatic allocation (a permanent address chosen by the server from the pool)

Webserver
A web server is a computer system dedicated to accepting HTTP requests from clients' web browsers (applications such as Firefox, Chrome, Internet Explorer, Safari, etc.) and serving HTTP responses carrying web pages and objects. We implemented Apache2, a popular web server on Linux systems.

Firewall
A firewall is a security feature that filters the incoming and outgoing traffic of a host or network. iptables is the firewall utility built into Linux: the user-space front end to the kernel's netfilter framework. With iptables we control network traffic by configuring chains of rules, including rules that match on the state of a connection.

Backup
The tools used for backup are rsync/tar and SSH. rsync synchronizes files between two locations and transfers only the data that has changed since the last run. SSH provides an encrypted and authenticated channel between Unix machines, over which files are copied with scp. The backup steps below build the archive with tar and ship it with scp over SSH; cron (crontab) schedules the job.

Requirements
Operating system: Ubuntu 14.04
DNS: BIND (Berkeley Internet Name Domain)
DHCP: dhcpd (ISC dynamic host configuration protocol daemon)
Webserver: Apache2

DNS Master Server
Step 1: Install BIND9. Command: sudo apt-get install bind9
Step 2: Restart networking. Command: sudo /etc/init.d/networking restart
Step 3: Add the DNS zones to BIND9. Edit /etc/bind/named.conf.local:

# Forward zone
zone "home.zzz" {
        type master;
        file "/etc/bind/db.home.zzz";
        allow-transfer { 192.168.1.90; };
        also-notify { 192.168.1.90; };
};

# Reverse zone (IPv4, 192.168.1.0/24)
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/rdb.home.zzz";
        allow-transfer { 192.168.1.90; };
        also-notify { 192.168.1.90; };
};

# Reverse zone (IPv6, 2000:2001:2002::/48)
zone "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa" {
        type master;
        notify no;
        file "/etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa";
};

allow-transfer limits zone transfers (AXFR) to the slave at 192.168.1.90; with BIND's default of allow-transfer { any; }, anyone who can reach port 53 could pull the complete zone and with it a map of the network. The IPv6 reverse zone above has no allow-transfer line, so the default applies to it; give it the same allow-transfer and also-notify lines if it should be replicated and protected like the other two. named-checkconf validates this file before the restart.

Step 4: Use an existing zone file as a template to create /etc/bind/db.home.zzz. Command: sudo cp /etc/bind/db.local /etc/bind/db.home.zzz. Edit db.home.zzz as follows:

$TTL    604800
home.zzz.       IN SOA  ns1.home.zzz. server.home.zzz. (
                        12              ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
home.zzz.       IN NS   ns1.home.zzz.
home.zzz.       IN NS   ns2.home.zzz.
ns1.home.zzz.   IN A    192.168.1.89
                IN AAAA 2000:2001:2002:2003::89
ns2.home.zzz.   IN A    192.168.1.90
                IN AAAA 2000:2001:2002:2003::90
example         IN A    192.168.1.89
www.example     IN CNAME example.home.zzz.
example         IN AAAA 2000:2001:2002:2003::89
bostonbeast     IN CNAME example
test            IN A    192.168.1.89
www.test        IN CNAME test.home.zzz.
test            IN AAAA 2000:2001:2002:2003::89
bostonbaba      IN CNAME test.home.zzz.
dn              IN A    192.168.1.20
dn              IN AAAA 2000:2001:2002:2003::20

A line that begins with whitespace has no owner name and belongs to the owner of the previous record (the AAAA records of ns1 and ns2 above). Names without a trailing dot are relative to the zone, so "example" is example.home.zzz. Every time this file is edited the Serial must be increased, otherwise the slave server sees no change and keeps serving the old data. named-checkzone home.zzz /etc/bind/db.home.zzz checks the file for syntax errors before the restart.

Now restart BIND9: sudo service bind9 restart

Step 5: Set up the IPv4 reverse zone. Command: sudo cp /etc/bind/db.127 /etc/bind/rdb.home.zzz. Now edit rdb.home.zzz as follows:

$TTL    604800
@       IN      SOA     ns1.home.zzz. server.home.zzz. (
                        10              ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.home.zzz.
@       IN      NS      ns2.home.zzz.
89      IN      PTR     ns1.home.zzz.
90      IN      PTR     ns2.home.zzz.
89      IN      PTR     example.home.zzz.
89      IN      PTR     test.home.zzz.
20      IN      PTR     dn.home.zzz.

Here @ stands for the zone origin 1.168.192.in-addr.arpa, so the owner "89" is 89.1.168.192.in-addr.arpa, the reverse name of 192.168.1.89. Several PTR records for one address are legal, but resolvers that return a single name will pick one of them arbitrarily.

Now restart BIND9: sudo service bind9 restart

Zone file for IPv6 reverse lookups (/etc/bind/2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa):

$ORIGIN 2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa.
;
$TTL    604800
@       IN      SOA     ns1.home.zzz. server.home.zzz. (
                        5               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.home.zzz.
@       IN      NS      ns2.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     ns1.home.zzz.
0.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     ns2.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     example.home.zzz.
9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     test.home.zzz.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.2 IN      PTR     dn.home.zzz.

The zone covers the /48 prefix 2000:2001:2002::/48 (its twelve nibbles reversed give 2.0.0.2.1.0.0.2.0.0.0.2). Each owner name is the remaining 64 bits of the address written as reversed nibbles: for 2000:2001:2002:2003::89 the low 64 bits are 2003:0000:0000:0089, which reversed is 9.8.0.0 followed by twelve zeros and 3.0.0.2.
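Keeping the three zone files consistent by hand is where these setups usually go wrong (an A record without a PTR, or a PTR pointing at a name that no longer exists). The following script is an added example, not part of the project's files: it parses the A/AAAA records of a forward zone in BIND syntax and generates the PTR owners for a given reverse zone, using the same nibble reversal as the IPv6 zone above. The FORWARD_ZONE text is a constructed copy of the address records from db.home.zzz; the function names are my own.

```python
import ipaddress

# Constructed sample, not the page's file verbatim: the A/AAAA records of the
# db.home.zzz zone above, in BIND zone-file syntax.  A line that starts with
# whitespace has no owner name and inherits the owner of the previous record.
FORWARD_ZONE = """\
$ORIGIN home.zzz.
ns1.home.zzz.   IN A     192.168.1.89
                IN AAAA  2000:2001:2002:2003::89
ns2.home.zzz.   IN A     192.168.1.90
                IN AAAA  2000:2001:2002:2003::90
example         IN A     192.168.1.89
www.example     IN CNAME example.home.zzz.   ; CNAMEs get no PTR
example         IN AAAA  2000:2001:2002:2003::89
test            IN A     192.168.1.89
dn              IN A     192.168.1.20
dn              IN AAAA  2000:2001:2002:2003::20
"""


def parse_address_records(zone_text):
    """Return [(fqdn, ip_string)] for every A and AAAA record.

    Handles single-line records, $ORIGIN, comments and owner inheritance.
    Other directives ($TTL) and other record types (SOA, NS, CNAME) are
    skipped, so a complete zone file can be fed in as well.
    """
    origin = "."
    owner = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].startswith("$"):
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            continue
        if raw[0].isspace():                       # inherited owner
            if owner is None:
                raise ValueError("record without an owner: %r" % raw)
        else:
            owner = fields.pop(0)
        if fields and fields[0] == "IN":            # class is optional
            fields.pop(0)
        if len(fields) < 2 or fields[0] not in ("A", "AAAA"):
            continue
        name = origin if owner == "@" else owner
        if not name.endswith("."):
            name = name + "." + origin
        records.append((name, fields[1]))
    return records


def ptr_records(zone_text, reverse_zone):
    """PTR records implied by the forward zone for addresses inside reverse_zone.

    Returns sorted [(owner_relative_to_reverse_zone, target_fqdn)].  The
    ipaddress module's reverse_pointer does the octet reversal for IPv4 and
    the nibble reversal for IPv6, so one function serves both zone types.
    """
    suffix = "." + reverse_zone.rstrip(".")
    out = set()
    for fqdn, ip in parse_address_records(zone_text):
        full = ipaddress.ip_address(ip).reverse_pointer
        if full.endswith(suffix):
            out.add((full[: -len(suffix)], fqdn))
    return sorted(out)


def render_ptr_zone(zone_text, reverse_zone):
    """Zone-file lines for the generated PTR records (SOA/NS header not included)."""
    return "\n".join("%-44s IN PTR %s" % (owner, target)
                     for owner, target in ptr_records(zone_text, reverse_zone))


def check_reverse(zone_text, reverse_zone, existing_ptrs):
    """PTR records the forward zone implies but the reverse zone lacks.

    existing_ptrs: iterable of (owner, target) pairs already in the reverse file.
    """
    present = set(existing_ptrs)
    return [r for r in ptr_records(zone_text, reverse_zone) if r not in present]


if __name__ == "__main__":
    print(render_ptr_zone(FORWARD_ZONE, "1.168.192.in-addr.arpa"))
    print(render_ptr_zone(FORWARD_ZONE, "2.0.0.2.1.0.0.2.0.0.0.2.ip6.arpa"))
```

Running it reproduces the PTR lines of rdb.home.zzz and of the ip6.arpa file above from db.home.zzz alone; check_reverse run after every edit of the forward zone tells you which PTRs still have to be added before the serial is bumped.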

Slave DNS Server
On the second name server (ns2, 192.168.1.90) edit /etc/bind/named.conf.local. The zone names must match the master's, and masters must point at the master server ns1 at 192.168.1.89, which is the address the master's allow-transfer and also-notify statements refer to:

# Forward zone
zone "home.zzz" {
        type slave;
        file "/var/cache/bind/db.home.zzz";
        masters { 192.168.1.89; };
};

# Reverse zone
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/var/cache/bind/rdb.home.zzz";
        masters { 192.168.1.89; };
};

The slave's copies live under /var/cache/bind because that is the directory the bind user can write to; /etc/bind is read-only for it on Ubuntu. After the restart the transferred files appear there, and a lookup against 192.168.1.90 (dig @192.168.1.90 ns1.home.zzz) should return the same answer as the master.

Now restart BIND9 sudo service bind9 restart

DHCP
1. Install DHCP Server

sudo apt-get install isc-dhcp-server

2. Install radvd package

sudo apt-get install radvd

3. Set the static IP address of the DHCP server

sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.1.91
        netmask 255.255.255.0
        gateway 192.168.1.1
        network 192.168.1.0
        broadcast 192.168.1.255
        dns-nameservers 192.168.1.89
        dns-search home.zzz

The resolver options that ifupdown hands to resolvconf are named dns-nameservers and dns-search; the spellings dns-domain-nameserver and dns-domain-search are not recognised and are silently ignored, which leaves the host without DNS after a reboot.

iface eth0 inet6 static
        address 2000:2001:2002:2003::91
        netmask 64
        gateway 2000:2001:2002:2003::1

4. Enable IPv4 and IPv6 forwarding: sudo nano /etc/sysctl.conf

net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Apply the settings without a reboot with sudo sysctl -p. Forwarding is only needed if this host also routes between networks; note that with net.ipv6.conf.all.forwarding=1 the kernel treats the host as a router and stops accepting Router Advertisements on its interfaces (accept_ra=2 overrides this), which is one reason the IPv6 address above is configured statically rather than by SLAAC.

5. Make eth0 the interface the DHCP server listens on: sudo nano /etc/default/isc-dhcp-server

INTERFACES="eth0"

6. Configure the DHCP server for IPv4: sudo nano /etc/dhcp/dhcpd.conf

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.150;
        option domain-name-servers 192.168.1.89, 192.168.1.90;
        option domain-name "home.zzz";
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        default-lease-time 600;
        max-lease-time 7200;
}

7. Edit the resolv.conf file: sudo nano /etc/resolv.conf, and add the line nameserver 192.168.1.89. On Ubuntu 14.04 this file is generated by resolvconf and is overwritten at the next interface restart; the dns-nameservers line in /etc/network/interfaces (step 3) is what keeps the setting, so this step is only a quick fix until the next reboot.

8. Configure the DHCP server for IPv6: sudo nano /etc/dhcp/dhcpd6.conf

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet6 2000:2001:2002:2003::/64 {
        # Range for clients
        range6 2000:2001:2002:2003::100 2000:2001:2002:2003::150;

        # Range for clients requesting a temporary address
        range6 2000:2001:2002:2003::/64 temporary;
}

The subnet6 prefix must be the one this network actually uses, 2000:2001:2002:2003::/64; the 2001:db8:0:1::/64 block that appears in the ISC sample file this was copied from is documentation address space and must not be left in. The Ubuntu 14.04 package starts only the IPv4 daemon by default; the IPv6 server is started separately, for example with sudo dhcpd -6 -cf /etc/dhcp/dhcpd6.conf eth0 or a copy of the init script that passes -6.

9. Configuration of the radvd module: sudo nano /etc/radvd.conf

interface eth0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2000:2001:2002:2003::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};

With AdvAutonomous on, clients build their own address from the prefix (SLAAC) and will not ask dhcpd6 for one; to have clients take addresses from the range6 pool in step 8, add AdvManagedFlag on; to the interface block (and AdvOtherConfigFlag on; if they should fetch only DNS options over DHCPv6). Router Advertisements are unauthenticated, so any host on the segment can send them; radvd here plays the same trusted role as the DHCP server.

10. Reboot the system:

sudo init 6

11. Restart the DHCP server:

sudo service isc-dhcp-server restart

12. Restart networking so that the interface settings from step 3 take effect:

sudo service networking restart

If the DHCP server does not start, the reason is in /var/log/syslog; the most common cause is that the subnet in dhcpd.conf does not match the address configured on eth0.

Webserver
1. Install Apache2: sudo apt-get install apache2
2. Make the document-root directories:
sudo mkdir -p /var/www/example.home.zzz/public_html
sudo mkdir -p /var/www/test.home.zzz/public_html
3. Create a web page for each host. Open an index.html: sudo nano /var/www/example.home.zzz/public_html/index.html
4. Write an HTML document that names the site it belongs to, so that the two virtual hosts can be told apart in the browser. Save and close the file when you are finished.
5. Repeat steps 3 and 4 for test.home.zzz.
6. Create the new virtual host files. Start by copying the default file for the first domain:

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.home.zzz.conf

Open the new file in nano with root privileges (one file name throughout: a2ensite in step 7 expects example.home.zzz.conf):

sudo nano /etc/apache2/sites-available/example.home.zzz.conf

The virtual host file should look like this:

<VirtualHost *:80>
        ServerAdmin admin@example.home.zzz
        ServerName example.home.zzz
        ServerAlias www.example.home.zzz
        DocumentRoot /var/www/example.home.zzz/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and close the file. The <VirtualHost *:80> ... </VirtualHost> wrapper inherited from 000-default.conf must stay around the directives; Apache selects the block by comparing the request's Host header with ServerName and ServerAlias, which is why a matching DNS name (or hosts-file entry, step 9) is needed to reach each site.

Copy First Virtual Host and Customize for Second Domain

sudo cp /etc/apache2/sites-available/example.home.zzz.conf /etc/apache2/sites-available/test.home.zzz.conf

Open the new file in nano with root privileges: sudo nano /etc/apache2/sites-available/test.home.zzz.conf. It should look like this:

<VirtualHost *:80>
        ServerAdmin admin@test.home.zzz
        ServerName test.home.zzz
        ServerAlias www.test.home.zzz
        DocumentRoot /var/www/test.home.zzz/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and close the file when you are finished.

7. Enable the new virtual host files:

sudo a2ensite example.home.zzz.conf
sudo a2ensite test.home.zzz.conf

8. Check the configuration with sudo apache2ctl configtest, then restart Apache to make these changes take effect:

sudo service apache2 restart

9. Set Up Local Hosts File (Optional)

sudo nano /etc/hosts

It should look like this:

127.0.0.1       localhost
127.0.1.1       ubuntu
192.168.1.89    example.home.zzz
192.168.1.89    test.home.zzz

Save and close the file.

10. Test your Results In web-browser:

http://example.home.zzz http://test.home.zzz

Firewall
1. Only 192.168.1.90 may telnet to the web server. The rule is inserted at position 1 (-I INPUT 1) so that it is evaluated before the REJECT added in step 2; iptables stops at the first matching rule, so appending it (-A) after the REJECT would leave it unreachable.
iptables -I INPUT 1 -s 192.168.1.90 -p tcp -m tcp --dport 23 -j ACCEPT
Source-address filtering is only as trustworthy as the segment: any host on the LAN can put 192.168.1.90 in its packets, and the ARP cache poisoning section below shows how replies can be redirected to the attacker. Telnet also carries credentials in clear text, so on a real system this rule would guard SSH (port 22) instead.

2. The command below rejects all other telnet access arriving on eth0:
iptables -A INPUT -p tcp -m tcp --dport 23 -i eth0 -j REJECT

3. The commands below reject FTP. Port 21 is the control channel; port 20 is the server-side source port of active-mode data connections, so an inbound rule for it rarely matters, but it does no harm:
iptables -A INPUT -p tcp -m tcp --dport 21 -i eth0 -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 20 -i eth0 -j REJECT

4. To keep the rules across reboots:
sudo apt-get install iptables-persistent
sudo invoke-rc.d iptables-persistent save
Note that these rules leave the INPUT chain's default policy at ACCEPT, so every port not listed stays open. The usual practice is the opposite: a default policy of DROP, with explicit ACCEPT rules for loopback, established connections and the services the host offers (here HTTP, and SSH for administration).
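Because iptables walks a chain top to bottom and takes the first match, the position of the ACCEPT in step 1 decides whether 192.168.1.90 gets in at all. The script below is an added example (not part of the project) that models a chain with first-match semantics and a default policy, enters the page's rules in the same order, and then shows two variants: the same rules with the ACCEPT appended instead of inserted, and a hypothetical default-deny chain of my own that covers only what this setup needs. The Packet, Rule and Chain classes and the three ruleset functions are my names; packet values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """The fields of an inbound packet that the page's rules look at."""
    src: str
    proto: str
    dport: int
    iface: str = "eth0"
    state: str = "NEW"            # conntrack state: NEW or ESTABLISHED


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT (-j)
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    src: Optional[str] = None     # -s host or CIDR
    iface: Optional[str] = None   # -i
    state: Optional[str] = None   # -m conntrack --ctstate

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified ones match anything."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        return True


class Chain:
    """A chain with iptables first-match semantics and a default policy."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy              # iptables -P INPUT <policy>
        self.rules: List[Rule] = []

    def append(self, rule: Rule):                      # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1):   # iptables -I INPUT <n> ...
        self.rules.insert(position - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def page_ruleset() -> Chain:
    """The rules from steps 1-3 above, entered in the same order."""
    c = Chain("ACCEPT")
    c.insert(Rule("ACCEPT", proto="tcp", dport=23, src="192.168.1.90"), 1)  # step 1: -I INPUT 1
    c.append(Rule("REJECT", proto="tcp", dport=23, iface="eth0"))          # step 2
    c.append(Rule("REJECT", proto="tcp", dport=21, iface="eth0"))          # step 3
    c.append(Rule("REJECT", proto="tcp", dport=20, iface="eth0"))
    return c


def misordered_ruleset() -> Chain:
    """Same rules, but the ACCEPT appended (-A) after the REJECT: it never matches."""
    c = Chain("ACCEPT")
    c.append(Rule("REJECT", proto="tcp", dport=23, iface="eth0"))
    c.append(Rule("ACCEPT", proto="tcp", dport=23, src="192.168.1.90"))
    return c


def default_deny_ruleset() -> Chain:
    """Hypothetical hardened variant: drop by default, allow only what the page needs."""
    c = Chain("DROP")
    c.append(Rule("ACCEPT", iface="lo"))                                   # loopback
    c.append(Rule("ACCEPT", state="ESTABLISHED"))                          # replies to our own connections
    c.append(Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24"))  # ssh from the LAN only
    c.append(Rule("ACCEPT", proto="tcp", dport=80))                        # the web server
    c.append(Rule("ACCEPT", proto="tcp", dport=23, src="192.168.1.90"))    # the page's telnet exception
    return c


if __name__ == "__main__":
    for name, chain in [("page", page_ruleset()), ("misordered", misordered_ruleset()),
                        ("default-deny", default_deny_ruleset())]:
        print(name, chain.verdict(Packet("192.168.1.90", "tcp", 23)),
              chain.verdict(Packet("192.168.1.50", "tcp", 23)),
              chain.verdict(Packet("192.168.1.50", "tcp", 3306)))
```

The third column of the output is the point of the default-deny variant: with the page's rules a connection to port 3306 (or any other unlisted port) is accepted because the chain's policy is ACCEPT; with a DROP policy it is dropped unless a rule allows it. The model ignores REJECT's ICMP/RST reply and the full conntrack state machine, which do not affect which rule matches.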

Backup

1. Install the SSH server on the backup server: sudo apt-get install openssh-server

2. Install the SSH client on the other VM (the web server, which sends the backups): sudo apt-get install openssh-client

3. Generate a public/private key pair on the client: sudo ssh-keygen -t rsa. Because the crontab in step 6 is root's (sudo crontab -e), the key must belong to root too, which is what running ssh-keygen under sudo produces (it lands in /root/.ssh). Leave the passphrase empty only because cron cannot type one; the private key then has to be protected by file permissions alone.

4. Copy the public key to the SSH server: sudo ssh-copy-id akshay@192.168.1.90 (the backup server). ssh-copy-id appends the public key to ~/.ssh/authorized_keys in akshay's home on the server; no manual cp of id_rsa.pub is needed, and copying it to a local file named authorized_keys does nothing. Since this key will be used unattended, restrict what it may do in that authorized_keys line (a from="192.168.1.89" prefix, and a command= restriction if the server side supports it) so that a stolen key cannot log in interactively from elsewhere.

5. Create the tar file and send it securely to the backup server. Compute the file name once so that tar and scp refer to the same file:
NAME=/home/tandel/backup/$(date '+%H%h%m%d%y')backup.tbz
tar -P -cjvf "$NAME" /var/www/example.home.zzz /var/www/test.home.zzz
scp "$NAME" akshay@192.168.1.90:/home/akshay/backup/backups/
The directories to back up are the document roots created in the Webserver section, /var/www/example.home.zzz and /var/www/test.home.zzz (the page originally named /var/www/example.com and /var/www/test.com, which do not exist in this setup). tar -P keeps the leading slash, so a later tar -x writes straight back into /var/www; drop -P to store relative paths, which is safer when restoring on another host.
6. Execute the backup automatically: sudo crontab -e
0 12 * * * NAME=/home/tandel/backup/$(date '+\%H\%h\%m\%d\%y')backup.tbz; /bin/tar -P -cjf "$NAME" /var/www/example.home.zzz /var/www/test.home.zzz && /usr/bin/scp "$NAME" akshay@192.168.1.90:/home/akshay/backup/backups/
In a crontab a literal % is turned into a newline, so every % in the date format must be escaped as \%; otherwise the command is cut off at the first %. The && makes scp run only if tar succeeded. Putting the two commands in a small script that cron calls is cleaner still and avoids the quoting problem altogether.
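The script below is an added example of the backup job written as a program rather than a one-line cron entry; it is not the project's own script. It fixes the two fragilities in the shell version (the timestamp is computed once, and the archive stores relative paths instead of tar -P's absolute ones) and adds the check a backup needs most: a digest of the archive, compared with the remote copy after the transfer. The function names, the demo tree under a temporary directory and SAMPLE_TIME are my constructions; ship() assumes key-based SSH to akshay@192.168.1.90 as set up in steps 3 and 4 and is not exercised offline.

```python
import hashlib
import os
import subprocess
import tarfile
import tempfile
from datetime import datetime

# Fixed timestamp used only by the demo so that its file name is predictable.
SAMPLE_TIME = datetime(2016, 11, 1, 12, 0, 0)


def backup_name(now=None):
    """One timestamped name, computed once and reused for tar, scp and logs.

    A sortable YYYYMMDD-HHMMSS format replaces the page's %H%h%m%d%y.
    """
    now = now or datetime.now()
    return now.strftime("%Y%m%d-%H%M%S") + "backup.tbz"


def create_archive(sources, out_dir, now=None):
    """Write a bzip2 tar of `sources` into out_dir and return its path.

    Paths inside the archive are stored relative to each source's parent
    (no tar -P), so restoring never writes into /var/www unless the
    operator extracts there on purpose.
    """
    path = os.path.join(out_dir, backup_name(now))
    with tarfile.open(path, "w:bz2") as tar:
        for src in sources:
            tar.add(src, arcname=os.path.basename(src.rstrip("/")))
    return path


def sha256sum(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_members(path):
    """Sorted member names, for checking what actually went into the archive."""
    with tarfile.open(path, "r:bz2") as tar:
        return sorted(m.name for m in tar.getmembers())


def ship(path, dest_user_host, dest_dir):
    """scp the archive, then verify the remote copy's digest over ssh.

    Assumes key-based ssh to dest_user_host (steps 3-4 above).  Raises if
    the remote digest differs, so a truncated transfer is never mistaken
    for a good backup.
    """
    subprocess.run(["scp", "-q", path, "%s:%s/" % (dest_user_host, dest_dir)], check=True)
    remote_path = "%s/%s" % (dest_dir, os.path.basename(path))
    out = subprocess.run(["ssh", dest_user_host, "sha256sum", remote_path],
                         check=True, capture_output=True, text=True).stdout
    if out.split()[0] != sha256sum(path):
        raise RuntimeError("remote digest mismatch for %s" % remote_path)
    return remote_path


def demo_backup(when=SAMPLE_TIME):
    """Build a constructed sample site tree in a temp dir, archive it and
    return (archive_path, member_names, sha256_hex)."""
    root = tempfile.mkdtemp(prefix="bk-demo-")
    site = os.path.join(root, "example.home.zzz", "public_html")
    os.makedirs(site)
    with open(os.path.join(site, "index.html"), "w") as f:
        f.write("<html><body><h1>example.home.zzz</h1></body></html>\n")
    out = os.path.join(root, "out")
    os.makedirs(out)
    path = create_archive([os.path.join(root, "example.home.zzz")], out, when)
    return path, archive_members(path), sha256sum(path)


if __name__ == "__main__":
    archive = create_archive(["/var/www/example.home.zzz", "/var/www/test.home.zzz"],
                             "/home/tandel/backup")
    print(archive, sha256sum(archive))
    ship(archive, "akshay@192.168.1.90", "/home/akshay/backup/backups")
```

Run from cron as a single command (0 12 * * * /usr/bin/python3 /home/tandel/backup/backup.py) there is nothing left to escape, and the job fails loudly, with a non-zero exit that cron mails, if the transfer or the verification does not succeed.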

ARP cache poisoning
The Address Resolution Protocol (ARP) resolves Internet-layer (IP) addresses into link-layer (MAC) addresses, a critical function in computer networks. ARP has no authentication: a host believes any reply it receives, whether or not it asked for one. Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc. We created a Python script using Scapy for poisoning the ARP cache of a client system.
Step: We have three different systems in our network: 1. Attacker, 2. Victim, 3. Web Server. The web server hosts the web page, and the victim can view it. We then executed a Scapy script that repeatedly sends forged ARP replies to the victim, binding the web server's IP address to the attacker's MAC address. The victim's ARP cache now resolves the web server's address to the attacker, so whenever the victim sends a request to port 80 it reaches the attacker and sees the HACKED web page hosted there. The same technique aimed at the gateway's address puts the attacker in the path of all of the victim's traffic, which is what defeats source-address filtering such as the telnet rule in the Firewall section. Countermeasures are static ARP entries for critical hosts, Dynamic ARP Inspection on managed switches, and monitoring for IP-to-MAC changes (arpwatch or the like).
Command: the Scapy script is run with Python (the script itself is not reproduced on this page).
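The attack leaves two visible traces on the segment: the web server's IP address suddenly answers from a different MAC, and one MAC starts claiming several IP addresses. The following detector is an added example of the monitoring countermeasure mentioned above; it is not the project's attack script (which the page does not reproduce). The ArpWatch class and run_watch are my names, and SAMPLE_REPLIES is a constructed list of ARP replies with made-up MAC addresses, using the page's addresses for the web server (192.168.1.89) and gateway (192.168.1.1).

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer on the victim's segment would
# record them: (time_in_seconds, sender_ip, sender_mac).  MAC addresses are
# invented; 192.168.1.89 is the web server and 192.168.1.1 the gateway above.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.89", "08:00:27:aa:aa:aa"),   # web server answers a request
    (2.0, "192.168.1.1",  "08:00:27:11:11:11"),   # gateway answers a request
    (3.0, "192.168.1.89", "08:00:27:aa:aa:aa"),   # same binding again: normal
    (4.0, "192.168.1.89", "08:00:27:de:ad:be"),   # attacker claims the server's IP
    (4.1, "192.168.1.89", "08:00:27:de:ad:be"),   # ...and keeps repeating it
    (5.0, "192.168.1.1",  "08:00:27:de:ad:be"),   # same MAC now also claims the gateway
    (6.0, "192.168.1.89", "08:00:27:aa:aa:aa"),   # real server answers: flip-flop
]


class ArpWatch:
    """Tracks IP->MAC bindings and reports the two signatures of cache
    poisoning: an IP whose MAC changes, and one MAC claiming several IPs."""

    def __init__(self):
        self.bindings = {}                 # ip -> MAC most recently seen for it
        self.claimed = defaultdict(set)    # mac -> every ip it has ever claimed
        self.alerts = []                   # (time, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        """Feed one ARP reply (or gratuitous ARP) into the watch."""
        mac = mac.lower()
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac
        elif old != mac:
            # arpwatch's "changed ethernet address": the core poisoning signal.
            self.alerts.append((ts, "changed", ip, old, mac))
            self.bindings[ip] = mac
        if ip not in self.claimed[mac]:
            self.claimed[mac].add(ip)
            if len(self.claimed[mac]) > 1:
                # One interface speaking for two hosts, e.g. server and gateway.
                self.alerts.append((ts, "multiple_ips", ip, None, mac))

    def macs_in_alerts(self):
        """MACs on the 'new' side of any alert.  A flip-flop names both the
        attacker and the legitimate host; the watch cannot tell which is which,
        it can only say that the binding is contested."""
        return sorted({a[4] for a in self.alerts})


def run_watch(replies):
    """Run the detector over a list of (ts, ip, mac) and return it."""
    w = ArpWatch()
    for ts, ip, mac in replies:
        w.observe(ts, ip, mac)
    return w


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_REPLIES).alerts:
        print(alert)
```

To run it live with Scapy, feed each captured reply in with something like sniff(filter="arp", prn=lambda p: w.observe(p.time, p[ARP].psrc, p[ARP].hwsrc) if p[ARP].op == 2 else None); the fields psrc, hwsrc and op are Scapy's ARP layer attributes. Every decision here is a heuristic: a host with two addresses or a replaced network card also triggers an alert, which is why arpwatch mails a human rather than blocking anything.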

IPsec VPN tunnels
IPsec works at the network layer. We implemented IPsec to protect data in transit. IPsec provides data security by encrypting and authenticating each packet, which protects against eavesdropping, masquerading and manipulation. When two machines set up a VPN connection between them, they agree on parameters such as which authentication and encryption algorithms the tunnel will use; this is the VPN negotiation, carried out by IKE. We created a transport-mode IPsec association between two different systems, using strongSwan to provide the encrypted communication between them.
Command:
1. apt-get install ipsec-tools strongswan-starter
2. nano /etc/ipsec.conf
3. Add the connection:
conn red-to-blue
        authby=secret
        auto=route
        keyexchange=ike
        left=
        right=
        type=transport
        esp=aes128gcm16!
4. nano /etc/ipsec.secrets
5. Add the key line:
 : PSK "Your password here!"
6. ipsec restart
7. ipsec statusall
Fill in left= with this host's IP address and right= with the peer's; strongSwan works out which side is local by matching its own addresses, so the same configuration can be installed unchanged on the other system. auto=route installs the policy at start-up and negotiates the association when the first matching packet appears. esp=aes128gcm16! proposes AES-128-GCM for ESP, and the trailing ! makes the proposal strict so that a peer cannot negotiate the suite down. authby=secret uses a pre-shared key; the selector-less line " : PSK ..." in ipsec.secrets offers that one key to every peer, so it should be a long random secret rather than a password, and once the addresses are fixed the line should name them (left-address right-address : PSK "...") so the key applies only to this pair. Then check the tunnel by pinging from one side while running tcpdump esp on the other: the ICMP packets are visible only as ESP, which shows that the traffic is encrypted.

NFS
Network File system allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. The commonly used data can be stored on a single machine and other machines over the network can access it. Home directories are configured on NFS server and are applied over machines on network. Storage devices can be used by other machines on the network. This may reduce the number of removable media drives throughout the network. Step 1:Configuring the NFS-Host Command: sudo apt-get install nfs-kernel-server Create the Share Directory on the Host Server sudo mkdir /var/nfs Configure the NFS Exports on the Host Server sudo nano /etc/exports On the last line append ==> /home      (rw,sync,no_root_squash,no_subtree_check) /var/nfs   (rw,sync,no_subtree_check) create the NFS table that holds the exports of the shares sudo exportfs -a Start NFS service sudo service nfs-kernel-server start Step 2:Configuring the NFS-client Install a package called nfs-common on NFS client sudo apt-get install nfs-common Create the Mount Points on the Client Server create each directory, and the necessary parent directories sudo mkdir -p /mnt/nfs/home sudo mkdir -p /mnt/nfs/var/nfs Create the mount remote shares on NFS client sudo mount 1.2.3.4:/home /mnt/nfs/home sudo mount 1.2.3.4:/var/nfs /mnt/nfs/var/nfs