Data Networking/Spring 2015/Group5


 * TELE 5330 GROUP5

The Team
Raghavan Rajagopalan (rajagopalan.ra@husky.neu.edu)

Jingfeng Chen (chen.jingf@husky.neu.edu)

Niraj Beri (beri.n@husky.neu.edu)

Shashank Katlaparthi (katlaparthi.s@husky.neu.edu)

Objective
The mission here is to create a network that includes a web server behind a firewall and secured with SSL, a recursive DNS server with a cache, a DHCP server with PXE boot, an NFS server, an NTP server, a VPN server, access lists that restrict user activity in the network, an FTP server for file sharing, encryption for files, and a backup of the network's configuration information.

The network is designed to accommodate new users, secure them and include them in the network's operation. A new user is assigned an IP address dynamically by the DHCP server; the DNS server then answers the user's queries by translating domain names to their respective IP addresses. Access to the web server by users is controlled by the firewall. The DNS server used here is recursive, so it reduces unnecessary traffic to the root servers and caches the answers locally for faster replies and efficient use of network bandwidth. Once connectivity is established, file sharing in the network is done through the NFS and FTP servers, for inbound and outbound file-sharing requests. The network's data is backed up by the backup server and secured using encryption. An NTP server is set up so that all servers in the network are synchronized to an accurate time. A user on a remote network can reach the network through the VPN server; through the VPN the user can access all the information and take part in the network even though he is not physically on it. This completes the whole setup, and we can now accommodate new users!

DHCP
Dynamic Host Configuration Protocol (DHCP) is a protocol in which a dedicated server assigns IP addresses to all hosts in a network. It also keeps track of which hosts are in the network and the lease time of each host's IP address. The IP addresses assigned to the hosts are dynamic.

INSTALLATION
The following command installs the DHCP server on Ubuntu:

sudo apt-get install isc-dhcp-server

CONFIGURATION
The following procedure is followed to configure the DHCP parameters for this network.
 * 1. Edit /etc/dhcp/dhcpd.conf as follows (each statement ends in a semicolon and the subnet declaration is enclosed in braces):

subnet 192.168.137.0 netmask 255.255.255.0 {
  range 192.168.137.10 192.168.137.50;
  option domain-name-servers 192.168.137.100;
  option routers 192.168.137.1;
  default-lease-time 600;
  max-lease-time 7200;
}

 * 2. The fixed addresses for the servers are configured as follows:
 * DNS server: 192.168.137.100
 * Firewall: 192.168.137.5
 * 3. Edit /etc/network/interfaces as follows, so the DHCP server itself has a static address:

auto eth0
iface eth0 inet static
  address 192.168.137.2
  netmask 255.255.255.0
  network 192.168.137.0
  broadcast 192.168.137.255
  gateway 192.168.137.1
  dns-nameservers 192.168.137.100

 * 4. Edit /etc/default/isc-dhcp-server and add eth0 to the interfaces list:

INTERFACES="eth0"

 * 5. Then restart the DHCP server using the following command:

sudo /etc/init.d/isc-dhcp-server restart

TESTING
The DHCP server can be tested by connecting a client to the network and running the ipconfig command in its terminal. The DHCP server allocates an IP address from its pool.

PXE BOOT
CONFIGURATION
 * 1. Edit /etc/inetd.conf and add the following line:

tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot

 * 2. Enable the boot service with the following command:

sudo update-inetd --enable BOOT

 * 3. Restart the following services:

sudo /etc/init.d/openbsd-inetd restart
sudo /etc/init.d/tftpd-hpa restart

 * 4. Set the permissions on the boot files with the following command:

sudo chmod -R 664 /var/lib/tftpboot/*
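The DHCP subnet from step 1 of the DHCP configuration, the fixed addresses from step 2 and the two options that send PXE clients to the TFTP directory above, as one added example dhcpd.conf (not the project's file). The MAC addresses are constructed placeholders, the boot file name pxelinux.0 and the domain name are assumptions, and next-server is the DHCP host itself (192.168.137.2).

```conf
# /etc/dhcp/dhcpd.conf (added example, not the project's file)
authoritative;                    # the only DHCP server on this segment
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.137.0 netmask 255.255.255.0 {
  range 192.168.137.10 192.168.137.50;
  option routers 192.168.137.1;
  option domain-name-servers 192.168.137.100;
  option domain-name "apple.com";           # assumption: the page's zone name

  # PXE boot: clients fetch the boot loader from /var/lib/tftpboot on the
  # TFTP server configured above (same host as the DHCP server)
  next-server 192.168.137.2;
  filename "pxelinux.0";                    # assumption: standard PXELINUX name
}

# Fixed addresses: these servers always get the same lease. They lie outside
# the dynamic range, so a pool lease can never collide with them.
host dns-server {
  hardware ethernet 08:00:27:00:00:64;      # constructed MAC address
  fixed-address 192.168.137.100;
}

host firewall {
  hardware ethernet 08:00:27:00:00:05;      # constructed MAC address
  fixed-address 192.168.137.5;
}

# A reservation keyed on a MAC address is not an access control (a guest can
# set any MAC). If only known machines should ever get a lease, add
# "deny unknown-clients;" inside the subnet block; it is left out here because
# the page's network is meant to accept new users dynamically.
```

Check the syntax before restarting with `sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf`; the leases handed out appear in /var/lib/dhcp/dhcpd.leases.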

WEB SERVER
DESCRIPTION
The main function of a web server is to provide HTTP services to clients. There are many kinds of web servers; one of the most popular is Apache, which is used to serve more than half of all active websites. We chose Apache 2 as our web server on Ubuntu.

INSTALLATION
TFTP has to be installed before PXE boot can be set up, using the following command:

sudo apt-get install tftpd-hpa openbsd-inetd lftp

Install the Apache 2 server on the Linux system:

sudo apt-get install apache2

ifconfig shows the IP address of the local host, which is needed so the DNS server can map the hostname to it.

CONFIGURATION
Add the site's HTML source to index.html in the document root.

TESTING
When we enter the domain name that the DNS server maps to the host's IP address, the website created on the web server loads successfully.

DNS SERVER
For our DNS server we use BIND version 9.5 installed on Ubuntu 14.04, which in turn runs as a virtual machine on Windows 7. Assuming that Ubuntu is already set up and working, we followed the steps below to install and configure the BIND DNS server.

 * 1. To make sure Ubuntu is up to date, run the following command:

sudo apt-get update

 * 2. Installation: run the following command with elevated privileges (sudo) to download and install BIND. It asks for Y/N confirmation; press Y to continue. After installation you will see the configuration files in the BIND directory (/etc/bind).

sudo apt-get install bind9

CONFIGURATION
 * 1. To start we need to define a local domain, which will be the web address of our server. Copy db.local to a new file named after your server:

cp db.local db.apple

 * 2. Edit the newly created file db.apple and add the hostname-to-IP entries that make this server authoritative.
 * 3. The database file containing the hostname-to-IP mapping now needs to be referenced from a zone file. Create a custom zone file using the format of the default zone file with the following command:

cp named.conf.default-zones named.conf.custom-zones

 * 4. Edit the newly created file named.conf.custom-zones to include the db.apple file.
 * 5. With the above step our custom zone has been created and points at the database file (which in turn contains the hostname-to-IP mapping). Now include that custom zone in named.conf by editing named.conf.
 * 6. This completes the forward zone configuration. Configure the reverse zone in the same way, then restart the BIND service with the following command:

sudo service bind9 restart

 * 7. Verification of the DNS server: to verify that the DNS server is working, use the dig command and check that the correct hostname-to-IP mapping is returned. Here the web server is configured on IP 192.168.137.5, which is what dig returns.
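The zone declaration, the named.conf include line and the forward and reverse zone files that steps 2 to 6 describe, as an added example (not the project's files). The zone name apple.com, the db.apple file and the addresses are the page's; the reverse file name db.137, the ns1 host name and the serial are assumptions.

```conf
// /etc/bind/named.conf.custom-zones
zone "apple.com" {
    type master;
    file "/etc/bind/db.apple";
    allow-transfer { none; };   // no zone transfers to arbitrary hosts
};

zone "137.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.137";
    allow-transfer { none; };
};

// line to add to /etc/bind/named.conf so the custom zones are loaded
include "/etc/bind/named.conf.custom-zones";

; /etc/bind/db.apple (forward zone; bump the serial on every edit)
$TTL    604800
@       IN      SOA     ns1.apple.com. admin.apple.com. (
                        2015042001      ; Serial (YYYYMMDDnn)
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative cache TTL
@       IN      NS      ns1.apple.com.
ns1     IN      A       192.168.137.100
@       IN      A       192.168.137.5
www     IN      A       192.168.137.5

; /etc/bind/db.137 (reverse zone for 192.168.137.0/24)
$TTL    604800
@       IN      SOA     ns1.apple.com. admin.apple.com. (
                        2015042001 604800 86400 2419200 604800 )
@       IN      NS      ns1.apple.com.
100     IN      PTR     ns1.apple.com.
5       IN      PTR     www.apple.com.
```

Before restarting, `sudo named-checkconf` and `named-checkzone apple.com /etc/bind/db.apple` catch syntax errors; afterwards `dig @192.168.137.100 www.apple.com A` and `dig @192.168.137.100 -x 192.168.137.5` should return 192.168.137.5 and www.apple.com respectively.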

DESCRIPTION OF IP TABLES
iptables is a user-space program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as Netfilter modules) and the chains and rules they store. Different kernel modules and programs are used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

CONFIGURATION
sudo iptables -F
    flush the old firewall settings

sudo iptables -L
    list the current rules

sudo iptables -A INPUT -i eth0 -s 192.168.137.7 -p tcp --dport 80 -m state --state NEW -j DROP
sudo iptables -A INPUT -i eth0 -s 192.168.137.7 -p tcp --dport 443 -m state --state NEW -j DROP
    block the client 192.168.137.7 from reaching the HTTP and HTTPS ports of the web server

TESTING
After setting up the firewall, all clients can access the website except the one client with the IP address 192.168.137.7.
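The two DROP rules above are appended to an INPUT chain whose default policy is still ACCEPT, so anything not explicitly blocked gets in. The following iptables-restore ruleset is an added example (not the project's ruleset) for the web server / firewall host 192.168.137.5 that keeps the page's rule but inverts the stance: a default DROP policy with only the services the page uses opened to the local subnet. The SSH rule and the log prefix are assumptions.

```conf
# /etc/iptables/rules.v4 (added example). Load it with:
#   sudo iptables-restore < /etc/iptables/rules.v4
# The iptables-persistent package reloads this file at boot.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the host may always talk to itself, and replies to its own connections come back
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection and are not new connection attempts
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the page's rule: the blocked client never reaches HTTP or HTTPS. It must come
# before the ACCEPT for the subnet, because the first matching rule decides.
-A INPUT -i eth0 -s 192.168.137.7 -p tcp -m multiport --dports 80,443 -j DROP
# web service for the rest of the local subnet only
-A INPUT -i eth0 -s 192.168.137.0/24 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# SSH for administration from the local subnet, rate limited against password guessing
-A INPUT -i eth0 -s 192.168.137.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# ping stays allowed so the other servers can check reachability
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# everything else is logged (rate limited) and then dropped by the chain policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: " --log-level 4
COMMIT
```

`sudo iptables -L INPUT -v -n --line-numbers` shows the rules in order with their packet counters, which is the quickest way to confirm that the 192.168.137.7 rule is the one matching; the logged drops appear in /var/log/kern.log.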

Recursive DNS with Cache
This DNS server also acts like a cached server which means it caches the hostname to IP mappings being requested by hosts so that next time the same hostname is queried, it won’t have to go out of the network and fetch the IP address. Since the server has the mapping in its cache, it will just reply back to the host with the IP. This can be demonstrated using Wireshark. During the 1st / initial access to google.com, the Wireshark trace on DNS server shows DNS queries going out to root and TLD servers, however when the same hostname DNS query comes to DNS server, Wireshark won’t show any packets going out to root / TLD servers.
 * 1) 1)	Recursion – This server can be configured as a recursive server which means in addition to replying to DNS queries for the hosted website, if a host requests a DNS query for website hosted outside this network (like google, yahoo), the DNS will go to root / TLD servers and resolve and fetch the IP for these hostnames and send it back to the hosts. To make it as a recursive server, either delete or comment the “recursion no” line in the file named.conf.options.
 * 2) 2. Access list implementation to avoid our DNS server being used for DNS amplification attacks. This is done by denying recursion access to hosts outside our local network. The access list is implemented by adding below code to named.conf.options file.
 * 3) 3. Cached server
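The named.conf.options that items 1 to 3 describe, with the recursion access list the page refers to, as an added example (not the project's file). The subnet and the server address 192.168.137.100 are the page's; the ACL name "trusted" is an assumption.

```conf
// /etc/bind/named.conf.options (added example, not the project's file)
acl "trusted" {
    127.0.0.1;
    192.168.137.0/24;      // the page's local network
};

options {
    directory "/var/cache/bind";

    // Item 1: recursion on ("recursion no" removed).
    // Item 2: anyone may ask for the zones we are authoritative for, but only
    // our own hosts get recursive resolution and cached answers. An open
    // resolver answers spoofed queries with large responses, which is what a
    // DNS amplification attack relies on.
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // never hand a whole zone to an arbitrary host
    allow-transfer { none; };

    // Item 3: the cache fills from the root servers directly (no forwarders);
    // validate what we cache so a forged answer is not served to the network
    dnssec-validation auto;

    auth-nxdomain no;      // conform to RFC 1035
    listen-on { 127.0.0.1; 192.168.137.100; };
    listen-on-v6 { none; };
};
```

After `sudo named-checkconf` and a restart, `dig @192.168.137.100 google.com` from a host outside 192.168.137.0/24 should come back with status REFUSED, while `dig @192.168.137.100 www.apple.com` is still answered from the authoritative zone.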

BACKUP
Automatic backup of the server configuration can be done in the following ways:
 * 1. Cron Tab: cron is used when a particular command needs to be executed at a certain interval (daily, weekly, fortnightly or monthly). Using crontab, the backup command is executed every day to take a backup of the server.

A graphical front end for cron can be installed using the following command:

sudo apt-get install gnome-schedule

Command to create or edit a crontab:

crontab -e

The following line runs the backup file every day at 10 am:

0 10 * * * bash /home/pu/backup.sh

 * 2. Déjà Dup: Ubuntu offers an application named Backup (Déjà Dup) which can also be used to back up specific folders. It takes a backup every day and stores the backup file in the path given under the Storage tab.
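The page references /home/pu/backup.sh without showing it. The following script is an added example (not the project's script) of what the crontab line above could run: it archives the configuration directories of the servers built on this page into a dated, checksummed tarball, verifies it and prunes old copies. The source list, the destination directory and the 14-day retention are assumptions; all three can be overridden through environment variables.

```shell
#!/bin/sh
# /home/pu/backup.sh (added example, not the project's script): archive the
# server configuration into a dated, checksummed tarball, verify it, and prune
# copies older than KEEP_DAYS. The defaults below are assumptions.
set -e

BACKUP_DEST="${BACKUP_DEST:-/home/pu/backups}"
BACKUP_SRCS="${BACKUP_SRCS:-/etc/dhcp /etc/bind /etc/apache2 /etc/openvpn /etc/vsftpd.conf /etc/exports /etc/ntp.conf}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# backup_configs DEST SRC... : write DEST/config-<stamp>.tar.gz plus a .sha256
# file beside it and print the archive path. Sources that do not exist are
# skipped with a warning so one missing file does not lose the whole backup.
backup_configs() {
    bk_dest="$1"; shift
    bk_archive="$bk_dest/config-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$bk_dest"
    chmod 700 "$bk_dest"            # the dump holds private keys and passwords
    bk_n=$#
    while [ "$bk_n" -gt 0 ]; do     # rebuild "$@" with only the existing sources
        bk_src="$1"; shift; bk_n=$((bk_n - 1))
        if [ -e "$bk_src" ]; then set -- "$@" "$bk_src"
        else echo "warning: $bk_src not found, skipped" >&2; fi
    done
    [ $# -gt 0 ] || { echo "error: nothing to back up" >&2; return 1; }
    tar -czf "$bk_archive" "$@"
    chmod 600 "$bk_archive"
    (cd "$bk_dest" && sha256sum "${bk_archive##*/}" > "${bk_archive##*/}.sha256")
    echo "$bk_archive"
}

# verify_backup ARCHIVE : the checksum still matches and the tarball is readable
verify_backup() {
    (cd "${1%/*}" && sha256sum -c --quiet "${1##*/}.sha256") && tar -tzf "$1" >/dev/null
}

# prune_backups DEST DAYS : remove archives and checksums older than DAYS days
prune_backups() {
    find "$1" -maxdepth 1 -name 'config-*.tar.gz*' -mtime +"$2" -exec rm -f {} +
}

main() {
    bk_out="$(backup_configs "$BACKUP_DEST" $BACKUP_SRCS)"
    verify_backup "$bk_out"
    prune_backups "$BACKUP_DEST" "$KEEP_DAYS"
    echo "backup complete: $bk_out"
}

# run only when invoked as backup.sh (as the crontab line does); when the file
# is sourced under another name the functions are defined but nothing runs
case "${0##*/}" in backup.sh) main "$@" ;; esac
```

Run it once by hand as root before relying on cron, since the /etc directories are not readable by an ordinary user; cron mails the warning lines to the owner of the crontab.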

VPN
Virtual Private Networking (VPN) allows access to a private network through a public network. OpenVPN has been implemented for demonstration purposes.

INSTALLATION AND KEY GENERATION
 * 1. Enter the following command to install OpenVPN from the terminal:

sudo apt-get install openvpn easy-rsa

 * 2. Enter the following commands to set up the certificate directory:

mkdir /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/

 * 3. Edit /etc/openvpn/easy-rsa/vars to set the certificate parameters.
 * 4. Enter the following commands to generate the master Certificate Authority:

source ./vars
./clean-all
./build-ca

 * 5. Enter the following command to generate the certificate and private key for the server:

./build-key-server myservername

 * 6. Enter the following command to generate the Diffie-Hellman parameters:

./build-dh

 * 7. Enter the following commands to copy the keys and certificate files to /etc/openvpn:

cd keys/
cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/

CONFIGURING VPN SERVER
 * 1. Enter the following commands to copy and unpack server.conf.gz to /etc/openvpn/server.conf:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

 * 2. Edit /etc/openvpn/server.conf so that it points at the files copied above:

ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem

 * 3. Edit /etc/sysctl.conf and remove the # in front of the following line, which enables IP forwarding:

net.ipv4.ip_forward = 1

 * 4. Reload the kernel parameters with sudo sysctl -p /etc/sysctl.conf
 * 5. Enter service openvpn start to start the OpenVPN service.
 * 6. Enter ifconfig tun0 to check whether OpenVPN has been configured correctly.

CONFIGURING VPN CLIENT
Install OpenVPN on the client:

sudo apt-get install openvpn

The files that need to be securely copied to the client's /etc/openvpn directory are:
 * /etc/openvpn/ca.crt
 * /etc/openvpn/ta.key
 * /etc/openvpn/easy-rsa/keys/hostname.crt (where hostname is the hostname of the client)
 * /etc/openvpn/easy-rsa/keys/hostname.key (where hostname is the hostname of the client)

Copy those files from the server to the client using a tool like scp. If the server does not have direct access to the client, put them on a flash drive and copy them from there. Then copy the sample client configuration and edit it:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
sudo nano /etc/openvpn/client.conf

dev tun
remote 192.168.137.2 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1

Start the client and check the tunnel interface:

sudo service openvpn start
ifconfig tun0
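The client configuration above expects a ta.key and a matching server side that the server steps never show. The following server.conf is an added example (not the project's file) of the lines that matter in the unpacked sample config, using the page's file names and addresses; the pushed route and DNS option, the cipher choices and the log path are assumptions.

```conf
# /etc/openvpn/server.conf (added example, not the project's file)
# ta.key is not produced by the easy-rsa steps; create it once on the server:
#   sudo openvpn --genkey --secret /etc/openvpn/ta.key
port 1194
proto udp
# routed tunnel: this is what creates tun0 on both ends
dev tun
ca ca.crt
cert myservername.crt
# keep the private key mode 600 and owned by root
key myservername.key
dh dh2048.pem

# client pool; the server itself is 10.8.0.1 (the address the test plan pings)
server 10.8.0.0 255.255.255.0
# reach the internal servers through the VPN and use the page's resolver
push "route 192.168.137.0 255.255.255.0"
push "dhcp-option DNS 192.168.137.100"

# HMAC firewall: a packet without a valid HMAC is discarded before any TLS
# processing, so the port cannot be probed or flooded into the TLS stack.
# The server uses direction 0; the client.conf above uses 1.
tls-auth ta.key 0

# a revoked client certificate is rejected at connect time (generate crl.pem
# with ./revoke-full <client name> in easy-rsa, then uncomment)
;crl-verify crl.pem

# stronger than the sample's defaults; the client must carry the same two lines
cipher AES-256-CBC
auth SHA256

# drop root once the tunnel and keys are set up
user nobody
group nogroup
persist-key
persist-tun

keepalive 10 120
status /var/log/openvpn-status.log
verb 3
```

Add `cipher AES-256-CBC` and `auth SHA256` to client.conf as well, otherwise the handshake fails with a cipher mismatch; `sudo openvpn --config /etc/openvpn/server.conf` in the foreground shows the reason for any rejected connection.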

TESTING
After setting up the VPN on both the server and the client, the client can successfully ping the server's virtual IP address, 10.8.0.1.

NTP SERVER
NTP stands for Network Time Protocol. NTP is used to synchronize the time on our Linux systems with a centralized NTP server. With the NTP server set up, all servers in the network can be kept in sync with an accurate time.

INSTALLATION
For the server installation we use the following command:

sudo apt-get install ntp

This installs the packages needed to set up the NTP server.

CONFIGURATION
We edit the configuration file (/etc/ntp.conf) and add the following upstream servers:

server ntp.ubuntu.com
server pool.ntp.org

We save the file and then test that the NTP server works.

TEST PLAN
We can test that the NTP server is set up by entering the following command:

pgrep ntpd

This prints the process ID number of the running daemon. Now we enter the following commands to update the time and check the system information:

ntpdate -u 192.168.137.1
ntpdc -c sysinfo

We get the updated date and time along with the server information.
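The two server lines from the configuration step, completed with the restrict lines that decide who may do what with the daemon, as an added example ntp.conf (not the project's file). The subnet is the page's; the choice of which hosts may run status queries is an assumption.

```conf
# /etc/ntp.conf (added example, not the project's file)
driftfile /var/lib/ntp/ntp.drift

# the page's upstream servers
server ntp.ubuntu.com
server pool.ntp.org

# default for everyone else: answer plain time requests only.
# noquery refuses the mode 6/7 control queries (ntpq, ntpdc, monlist) that
# turned open NTP servers into amplification reflectors; nomodify and notrap
# refuse configuration changes and trap registration; kod rate-limits abusers.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# the daemon may always talk to itself
restrict 127.0.0.1
restrict ::1

# hosts on our network may sync and run status queries, but not modify
restrict 192.168.137.0 mask 255.255.255.0 nomodify notrap
```

Time synchronization with ntpdate is never affected by noquery; only the status commands are, so `ntpdc -c sysinfo` from the test plan works from 192.168.137.0/24 and from the server itself but is refused from anywhere else.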

FTP SERVER
FTP (File Transfer Protocol) is a file transfer protocol that uses ports 20 and 21. It is used to download files from and upload files to the server. Here we configure vsftpd (Very Secure FTP Daemon) on Linux.

INSTALLATION
To install the FTP server we use the following command:

sudo apt-get install vsftpd

CONFIGURATION
We need to edit the server's configuration file to set up the server. We can edit the file with this command:

sudo nano /etc/vsftpd.conf

We now configure the file upload capability, set up the home directory for the server, enable authentication for the users and restrict access to some files. Then we restart the FTP daemon:

sudo restart vsftpd

We then configure the local file permissions on the FTP directories, using the following commands to change the mode, owner and group:

sudo chmod
sudo chown
sudo chgrp

TEST PLAN
We now test the FTP server by logging in:

ftp katlaparthi

Then we provide the user name (either admin or anonymous) and the passphrase, and enter the commands for listing and accessing the files. We should be able to access files, or be restricted from them, depending on the user.
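The vsftpd.conf that the configuration step describes in words (uploads, authentication, per-user restriction), as an added example (not the project's file), with each weak choice noted next to the hardened one. The user name katlaparthi is the page's; /srv/ftp and /etc/vsftpd.userlist are vsftpd's usual locations, and reusing the certificate from the SSL section is an assumption.

```conf
# /etc/vsftpd.conf (added example, not the project's file).
# vsftpd rejects comments after a value, so every note is on its own line.
listen=YES
listen_ipv6=NO

# anonymous users: read-only view of /srv/ftp, never uploads
anonymous_enable=YES
anon_root=/srv/ftp
no_anon_password=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO

# local users may upload; the weak local_umask=022 would leave uploads world-readable
local_enable=YES
write_enable=YES
local_umask=077
pam_service_name=vsftpd

# lock each local user into their home directory. The chroot root itself must
# stay non-writable (give the user a writable subdirectory): a writable chroot
# lets the user plant files the chroot mechanism later trusts.
chroot_local_user=YES
allow_writeable_chroot=NO

# only users listed in /etc/vsftpd.userlist (one name per line, e.g. katlaparthi)
# may log in; with the default userlist_deny=YES the file would be a deny list
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist

# log every transfer, for the daily backup and for incident review
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log

# plain FTP sends passwords in clear text: require TLS for local logins and data
ssl_enable=YES
rsa_cert_file=/etc/apache2/ssl/apache.crt
rsa_private_key_file=/etc/apache2/ssl/apache.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
```

With force_local_logins_ssl on, the plain `ftp katlaparthi` login from the test plan is refused for local users (anonymous still works); use an FTPS-capable client such as `lftp -u katlaparthi ftps://192.168.137.5` to test the authenticated path.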

ECRYPTFS (ENCRYPTION)
To make our system more secure we use eCryptfs for encryption.

INSTALLATION
To set up eCryptfs we enter the following command:

ecryptfs-setup-private

It then asks for a password; we set the password and confirm it.

CONFIGURATION
We create a folder, restrict its permissions to the owner, and then mount it with eCryptfs so that its contents are encrypted:

mkdir /root/tPrivate
chmod 700 /root/tPrivate
mount -t ecryptfs /root/tPrivate /root/tPrivate

It will display the encrypted file along with its attributes.

SSL
DESCRIPTION
SSL stands for Secure Sockets Layer. It provides an encrypted connection between web browsers and websites, allowing private data to be transmitted online. Sites secured with SSL show a padlock in the browser's address bar, and possibly a green address bar if secured by an EV certificate.

CONFIGURATION
Enable the SSL module and restart Apache:

sudo a2enmod ssl
sudo service apache2 restart

Create a directory for the certificate and generate a self-signed certificate and key:

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Answer the prompts as follows:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:abc
Organizational Unit Name (eg, section) []:dn project
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.5
Email Address []:370117709@qq.com

Edit the default SSL virtual host:

sudo nano /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin 370117709@qq.com
        ServerName 192.168.137.5
        ServerAlias apple.com
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Enable the site and restart Apache:

sudo a2ensite default-ssl.conf
sudo service apache2 restart

TESTING
By putting "https://" in front of our domain name, the website is shown over the secure connection, so we can conclude that the SSL certificate is protecting the website.
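The virtual host above turns SSL on but inherits the module's protocol and cipher defaults, and the certificate's Common Name does not match the name the site is served under. The following lines are an added example (not the project's file) of the settings to add inside the VirtualHost block; the cipher list is an assumption.

```conf
# Hardening for /etc/apache2/sites-available/default-ssl.conf (added example);
# place these lines inside the <VirtualHost _default_:443> block shown above.
# Apache accepts comments only on their own lines.

# weak: still offers SSLv3 (POODLE) and lets the client pick the cipher
#   SSLProtocol all -SSLv2
# hardened: TLS only, the server's preference order wins, and the anonymous,
# null, export-grade, RC4, DES/3DES and MD5 suites are removed
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5
SSLCompression off

# the certificate generated above carries CN=192.168.2.5 while the site is
# reached as 192.168.137.5 / apple.com, so browsers warn about the name mismatch
# as well as the self-signed issuer. Regenerate it with the name clients use:
#   sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -subj "/C=US/ST=New York/O=abc/CN=192.168.137.5" \
#     -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
```

`sudo apache2ctl configtest` before the restart catches a typo, and `openssl s_client -connect 192.168.137.5:443 -ssl3` must then fail to negotiate while a plain `openssl s_client -connect 192.168.137.5:443` succeeds.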

NFS
DESCRIPTION
NFS (Network File System) is a method by which file sharing is achieved between hosts in the network.

INSTALLATION-SERVER
Install the NFS server on the Linux system:

sudo apt-get install nfs-kernel-server

CONFIGURATION-SERVER
Edit /etc/exports with the share configuration, then start the NFS service:

sudo service nfs-kernel-server start

INSTALLATION-CLIENT
Install the NFS client on the Linux system:

sudo apt-get install nfs-common

CONFIGURATION-SERVER
Create a new directory /home/nfs-share on the server as the shared folder.

TESTING
mount 192.168.137
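The /etc/exports entry that the server configuration step refers to, with the weak form it is often written in next to the restricted one, plus the matching client commands, as an added example (not the project's file). The share path is the page's; the NFS server address 192.168.137.2 and the client mount point are assumptions.

```conf
# /etc/exports on the NFS server (added example, not the project's file)

# weak: every host that can reach port 2049 may mount the share, and a remote
# root user keeps root rights over the exported files
# /home/nfs-share *(rw,no_root_squash)

# hardened: only the page's subnet; remote root is mapped to nobody
# (root_squash); writes are committed before the reply (sync);
# no_subtree_check is the right choice for an export that is a whole directory
/home/nfs-share 192.168.137.0/24(rw,sync,root_squash,no_subtree_check)

# apply without restarting the service:   sudo exportfs -ra
# list what the server exports:           showmount -e 192.168.137.2
# mount on the client:                    sudo mkdir -p /mnt/nfs-share
#   sudo mount -t nfs 192.168.137.2:/home/nfs-share /mnt/nfs-share
```

Because root is squashed, files the client writes as root appear on the server as nobody; give the share a group that the intended users belong to and set its mode accordingly before testing.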