Data Networking/Fall 2016/SAPS

Team Members
1. Akshay Mahajan 2. Praveen Prakash 3. Sagar Raikar 4. Siddesh Shenoy

Objective
To create a secure, reliable and dynamic network that can support multiple hosts.

Domain Name System
DNS(Domain name system) server also called as name server, which implements network services for providing responses to queries against directory services i.e. It translates user supplied host name (web site) to IP addresses and vice versa and which contains a databases of network names and IP address. DNS process flow: DNS client running on the user host, request a server page, at first it needs a IP address of that web server which is processed by the DNS Server. 1)First the client sends a query with the given hostname to the DNS server 2)The DNS server receives the query from the client and maps it with the IP address 3)The DNS server sends the IP address to the DNS client operating at the user machine 4)Once the Host user receives the IP address, it can access the web server.

Dynamic Host Configuration Protocol
DHCP referred to as Dynamic host configuration protocol. It is a client server protocol which assigns host with an IP address through a DHCP server. In general, DHCP automatically assigns IP address to new devices or to devices when moved from one subnet to another. DHCP server has as a pool of IP address and leases an address when it start up in the network and also has TCP/IP configuration parameters for all hosts on the network,that received IP address Assigning IP addresses to the networking component can be done in the following ways. Types of DHCP Allocation: 1)	Automatic allocation - DHCP server assign permanent IP address to the client. 2)	Dynamic allocation -DHCP server assigns IP address to the client only for a limited period of time. Automatic reuse of IP address is allowed. 3)	Manual allocation -IP address Assigned by the network administrator and DHCP is used simply to convey the messages to the client.

Webserver & Firewall
A Web server is a software responsible for accepting HTTP request from the client, which are know as web browser and serving them the HTTP responses We are using apache 2 webserver to host our website, we are using a firewall for providing security to the website. Algorithm of web server. 1) Client obtain server IP address from the DNS Server. 2) Client initiate a TCP connection to the server on port 80. 3) Server responds with the SYN-ACK message, thereby opening the port to request information. 4) Client sends an ACK message and request for HTML page.

Backup
Backup is done to the webserver file to add redundancy to the fle and make it robust. All the files in the webserver are sent to the backup in a zipped format at a scheduled time Backup for the webserver data is achieved by using rsync and ssh protocols. Rsync is used to synchronize files between the webserver and the backup. Therefore whenever changes are made at the webserver the backup gets updated at the scheduled time. Ssh provides a secure channel to send and receive files by using end to end encryption and decryption. .

DNS
Step 1: Update the package list( Command:                sudo apt-get update

Step 2: Install Bind9 for DNS server configuration Command: sudo apt-get install bind9 Step 3: Make virtual machine interface as static Command: sudo nano /etc/network/interfaces Add For IPv4 configuraiton auto eth0 iface eth0 inet static address 192.168.77.5 netmask 255.255.255.0 broadcast 192.168.77.255 gateway 192.168.77.1 dns-nameservers 192.168.77.5 dns-nameservers 192.168.77.6 For IPv6 configuration face eth0 inet6 static address 2001:aaaa:1000:0000:0000:0000:0000:0007 netmask 64 gateway 2001:aaaa:1000:0000:0000:0000:0000:0001 dns-nameservers 2001:aaaa:1000:0000:0000:0000:0000:0007 dns-nameservers 2001:aaaa:1000:0000:0000:0000:0000:0008

Step 4: Configuring the forwarding addresses Command: sudo nano /etc/bind/named.conf.options Add forwarders { # Local DNS and Google DNS 192.168.77.5               192.168.77.6                2001:aaaa:1000:0000:0000:0000:0000:0007 2001:aaaa:1000:0000:0000:0000:0000:0008 8.8.8.8;                8.8.4.4;   };

Step 5: Add ZONES TO THE ROOT FILES OF bind9 Command: sudo nano /etc/bind/named.conf.local Step 6: Creating DNS forward Zone file Command: sudo nano /etc/bind/db.siddesh.lanr

Step 7: Creating DNS reverse zone file Command: sudo nano /etc/bind/db.192

Step 8: Adding name server in resolv.conf file Command: sudo nano /etc/resolv.conf

Step 9: Adding server addresses in hosts file Command: sudo nano /etc/hosts

Step 10: Commands to start/ restart/stop the DNS server Command: Start: sudo /etc/init.d/bind9 start Restart: sudo /etc/init.d/bind9 restart Stop: sudo /etc/init.d/bind9 stop

Step 11: Configuring named.conf.local file on slave Command: sudo nano /etc/bind/named.conf.options

Step 12: Adding server addresses in hosts file for slave Command: sudo nano /etc/hosts

DHCP
Step1: Install ISC-DHCP server for DHCP configuration Command: sudo apt-get install isc-dhcp-server Step2: Configuring static address for IPv4 DHCP Command: sudo nano /etc/network/interfaces

Step3: Setting range for IPv4 Command: sudo nano /etc/dhcp/dhcpd.conf

Step4: Setting up the interface Command: sudo nano /etc/default/isc-dhcp-server Step4: Restart to set the configuration Command: sudo service networking restart sudo service isc-dhcp-server restart sudo ifdown eth0 sudo ifup eth0 Step5: Setting static IP address for IPv6 Command: sudo nano /etc/network/interfaces

Step6: Setting range for IPv6 address Command: sudo nano /etc/dhcp/dhcpd6.conf

Step7: Creating empty dhcpd6.lease file Command: sudo nano/var/lib/dhcp/dhcpd6.leases

Step8: Verifying the configuration Command: /usr/sbin/dhcpd -6 –d –cf /etc/dhcp/dhcpd6.conf eth0

Step9: Restarting to set the configuration Command: sudo service networking restart sudo service isc-dhcp-server restart sudo ifdown eth0 sudo ifup eth0

Webserver
Step 1: Install Apache2 Webserver Command: sudo apt-get install apache2 Step 2: To create a HTML page for the Web server Command: sudo chmod 755 /var/www/ Sudo chown -R $ user:$user /var/www/html/ Sudo nano   /var/www/html/index.html Step 3: Restart the web server Command: sudo /etc/init.d/apache2 restart Step 4: To test web server Command: http://localhost

Firewall
Step 1: Install firewall: Command: sudo apt-get install ufw Step 2Enabiling the firewall: Command: Ufw enable Step 3Checking the status Command: Ufw status Step 4To allow and deny or deny specific port. Command: ufw deny proto tcp from 192.168.77.13 to any port 80 ufw allow 80 ufw allow 22

Backup
Step 1: Install rsync on both web server and backup machine Command: sudo apt-get install rsync Step 2: Copy files from webserver to backup machine Command: rsync -avzhe ssh @:/var/www Step 3: Generate a public and a private key for security Command: ssh-keygen -trsa Step 4: Share the private and public key with the backup machine Command: ssh-copy-id -l /root/.ssh/id_rsa.pub  vm3@192.168.77.135 Step 5: Zipping the .HTML file and sending the file automatically using crontab Command: crontab –e ***** sudo tar –cvpzf /home/dnspraveen/finalbackup1234.tar.gz /var/www/html/index.html ***** rsync –azvp --delete –e ssh /home/dnspraveen/finalbackup1234.tar.gz /vm3@192.168.77.135:/home/vm3/finalb/

VPN configuration
Step 1: Install Strongswan on both the machines Command: sudo apt-get install ipsec-tools strongswan-starter Step 2: Configure ipsec.conf file in Machine 1 Command: sudo nano /etc/ipsec.conf 1. authby=secret this specifies authentication by accepting values secret 2. auto=route this specifies that automatically at startup "route" is lodaded into the between left and right ip addresses and connection is established 3. keyexchange=ike this specifies th the method of keyexchange and which protocol should be used to iniitalise the conection. ike reates to accepting both protocol ikev1 and ikev2 left=192.168.77.5 right=192.168.77.1 these are the end parameters specifing the ip address of the two endpoints for a VPN connection 4. type=transport this specifies the type of connection to be done. the type "transport" specifies that a transport mode is host-to-host 5. esp=aes128gcm16! esp aloright is defined and exclimation mark(!) at the end spcifies that responder to accept a specific cipher suite only Step 3: Configure ipsec.secrets file in Machine 1 Command: sudo nano /etc/ipsec.secrets Step 4: Restart IPsec Command: ipsec restart Step 5: Checking IPsec status Command: ipsec statusall This specifies a tunnel is established. Step 6: Configure ipsec.conf file in Machine 2 Command: sudo nano /etc/ipsec.conf Step 7: Configure ipsec.secrets file in Machine 2 Command: sudo nano /etc/ipsec.secrets Step 8: Checking IPsec status on Machine 2 Command: watch ipsec statusall Step 9: Testing the Tunnel Command: ping -s 4048 192.168.7.1 Since we are able to observe ESP packets above going from 192.168.77.5 interface we can conclude that IPsec has been applied and VPN tunnel is established

NFS
Server Side (192.168.77.135): Step 1: Install nfs for server: Command: sudo apt-get install nfs-kernel-server Step 2: Create a directory path Command: sudo mkdir /export/project Step 3: Add in details in /etc/exports Command: sudo nano /etc/exports Step 4: Provide the permission Command: sudo chown nobody:nogroup /export/project Step 5: Export the Directory Command: sudo exportfs -a Step 6: Restarting Command: sudo /etc/init.d/nfs-kernel-server start

Receiver Side (192.168.77.30): Step 1: Install nfs for client Command: sudo apt-get update sudo apt-get install nfs-common Step 2: Create a directory path to access the file from server Command: mkdir –p /mnt/nfs/export/project Step 3: Execute the mount command Command: sudo mount 192.168.77.135:/export/project /mnt/nfs/export/project/ Step 4: Verify by using df -h Command: df -h

ARP
Scapy is a python script used to get the MAC address of the victim and the gateway it performs ARP spoofing followed by ARP poisoning. It the allows a malicious attacker to construct a man in the middle attack.

DNS Test
DNS can be tested using the following commands nslookup nslookup is used to query DNS server.

DHCP Test
A device entering a network gets an IP address, which is allocated by the DHCP server. IP address can be verified using. /var/lib/dhcp/dhcpd.leases   - This command is used to view the lease provided by the DHCP server to a particular device === Webserver Test === Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.

Firewall Test
A client Can try to ping the servers which are blocked. If the response is request timed-out then, the firewall has blocked the client and it is working properly. The client won't gain access to the webpage because it is forbidden.

Future Improvement
i. In this project WEB server can be made more secured by implimentng ssh security against DDOS attacks ii. The concept of Dynamic DNS can be implemented. iii. Provision of Multiple and automatic back-up for DNS, DHCP.

Conclusion
We have created a secure, reliable and dynamic network which can support multiple hosts, Provides DHCP and DNS functionalities and a back-up server for a secured web server.