Data Networking/Spring 2017/RADAR

THE TEAM
1. RISHABH AGARWAL 2. ARIF JAN ASHRAF JAN 3. DIVYA SHARMA 4. ABHISHEK RAO JANARDHAN RAO

MOTIVATION
This project helps us build a deeper understanding of basic networking fundamentals through the practical implementation of a Dynamic Host Configuration Protocol (DHCP) server, Domain Name System (DNS) server, web server, firewall and backup server. The main purpose of this project is to create a complete network environment in which servers and clients dynamically get IP addresses from the DHCP server, after which, with the help of the DNS server, users in the network can successfully fetch and ping www.radar.com, the webserver hosted by us. Components such as a backup server, firewall, Network File System (NFS) and IPSec VPN tunnels are configured to create a complex, intricate, robust and secure inter-networking system which can be implemented and used by organizations and companies.

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is an internet protocol that allows a server to assign IP addresses to the systems (clients) in the network it is part of. It can be configured to assign IP addresses from a selected range provided by the person who constructed and configured the server. The DHCP server leases IP addresses to the clients that are enabled to get addresses from it. IP addresses that are no longer used by the clients are returned to the pool for reallocation. Both IPv4 and IPv6 addresses can be assigned using a DHCP server.

DHCP assigns IP addresses in the following ways.

 * 1) Automatic allocation: DHCP assigns an IP address to a client when it gets the IP request packet.
 * 2) Dynamic allocation: DHCP assigns IP addresses to clients for a particular time limit (or until the client is no longer using the address), which is basically leasing of the IP addresses. When the lease period is completed, the client will request an extension of the lease or request a new IP address.
 * 3) Manual allocation: Another, not so commonly used, method is manual allocation, in which the client is always assigned the same IP address, using the MAC address of the system as a label or tag.

Domain Name System
DNS is an application layer protocol with the ability to translate domain names to IP addresses and vice versa. The basic job of DNS is to provide simplicity for the application user; i.e. it translates the user-friendly domain name into a machine-readable IP address, which is then used to fetch and forward data. With the explosion in the use of the internet and the World Wide Web in commercial, security and social markets, among many others, it is not possible for a user to remember the logical IP addresses of the sites. This is where DNS steps in: the user just needs to remember the user-friendly domain name, like www.google.com, which the DNS will translate into an IP address such as 8.8.8.8.

Jumping further into the behavior of the protocol, the DNS stores DNS records for a domain name with corresponding IP addresses and it will respond to queries from the user with answers from its database.

DNS Records are nothing but the database files from which the mappings are fetched. Some of the commonly used DNS records are A, CNAME, MX, PTR, NS.

Webserver & Firewall
A webserver should run on the Linux OS to host a website. Apache2 is the webserver used. A firewall provides a layer of security by controlling the incoming and outgoing traffic in a network and by blocking and filtering packets going into the system. The firewall can protect a whole system or even a specific server with databases or confidential data, shielding it from unapproved clients inside or outside the system.

Dynamic Host configuration Protocol (DHCP) Server
Step 1. Install DHCP Server
Command: sudo apt-get install isc-dhcp-server

Step 2. Install radvd package
Command: apt-get install radvd

Step 3. Set the static IP address of the DHCP server
Command: sudo nano /etc/network/interfaces

IPv4 Configuration

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.27.2
    netmask 255.255.255.0
    gateway 192.168.27.1
    network 192.168.27.0
    broadcast 192.168.27.255
    dns-nameservers 192.168.27.8
    dns-search radar.com

IPv6 Configuration

iface ens33 inet6 static
    address 2001:720:40b:666::2
    netmask 64
    gateway 2001:720:40b:666::1

Step 4. Configure the IPv6 and IPv4 forwarding
Command: nano /etc/sysctl.conf

net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Step 5. Make ens33 the default interface
Command: nano /etc/default/isc-dhcp-server

INTERFACES="ens33"

Step 6. Configure the DHCP server for IPv4
Command: nano /etc/dhcp/dhcpd.conf

subnet 192.168.27.0 netmask 255.255.255.0 {
    range 192.168.27.50 192.168.27.200;
    option domain-name-servers 192.168.27.8;
    option domain-name "radar.com";
    option routers 192.168.27.1;
    option broadcast-address 192.168.27.255;
    default-lease-time 600;
    max-lease-time 7200;
}

Step 7. Edit the resolv.conf file
Command: sudo nano /etc/resolv.conf

nameserver 192.168.27.8
nameserver 192.168.27.10
search radar.com

Step 8. Configure the DHCP server for IPv6
Command: nano /etc/dhcp/dhcpd6.conf

default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet6 2001:720:40b:666::/64 {
    # Range for clients
    range6 2001:720:40b:666::50 2001:720:40b:666::150;
}

Step 9. Configuration of the radvd module
Command: nano /etc/radvd.conf

interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:720:40b:666::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

Step 10. Reboot the System
Command: sudo init 6

Step 11. Restart the DHCP server
Command: sudo service network-manager restart

DNS Master Server
Step 1: Install Bind9
Command: sudo apt-get install bind9

Step 2: Restart the networking daemon
Command: sudo /etc/init.d/networking restart

Step 3: Add a DNS zone to BIND9
Command: edit /etc/bind/named.conf.local

// Forward zone
zone "radar.com" {
    type master;
    file "/etc/bind/db.radar.com";
    allow-transfer { 192.168.27.10; };
    also-notify { 192.168.27.10; };
};

// Reverse zone
zone "27.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.27.10; };
    also-notify { 192.168.27.10; };
};

zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.ipv6";
    allow-transfer { 192.168.27.10; };
};

Step 4: Use an existing zone file as a template to create the /etc/bind/db.radar.com file
Command: sudo cp /etc/bind/db.local /etc/bind/db.radar.com

/etc/bind/db.radar.com

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.radar.com. root.radar.com. (
                              6         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
radar.com.      IN      NS      ns1.radar.com.
radar.com.      IN      NS      ns2.radar.com.
ns1             IN      A       192.168.27.8
ns2             IN      A       192.168.27.10
www.radar.com.  IN      AAAA    2001:720:40b:666::124
@               IN      A       192.168.27.9
www.radar.com.  IN      A       192.168.27.9
dhcp.radar.com. IN      A       192.168.27.2

Now restart BIND9:
Command: sudo service bind9 restart

Step 5: Set up the reverse zone
Command: sudo cp /etc/bind/db.127 /etc/bind/db.192

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     radar.com. root.radar.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.radar.com.
@       IN      NS      ns2.radar.com.
8       IN      PTR     ns1.radar.com.
10      IN      PTR     ns2.radar.com.
9       IN      PTR     www.radar.com.

Command: sudo service bind9 restart

Zone for IPv6: /etc/bind/db.ipv6

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     radar.com. root.radar.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.radar.com.
@       IN      NS      ns2.radar.com.
4.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     www.radar.com.

Step 7: Create Network Interface
Command: edit /etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.27.8
    netmask 255.255.255.0
    gateway 192.168.27.1
    network 192.168.27.0
    broadcast 192.168.27.255
    dns-nameservers 192.168.27.8

auto eth0
iface eth0 inet6 static
    address 2001:720:40b:666::124
    netmask 64

DNS Slave Server
/etc/bind/named.conf.local

//include "/etc/bind/zones.rfc1918";

zone "radar.com" {
    type slave;
    file "/var/cache/bind/db.radar.com";
    masters { 192.168.27.8; };
};

zone "27.168.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/db.192";
    masters { 192.168.27.8; };
};

zone "6.6.6.0.b.0.4.0.0.2.7.0.1.0.0.2.ip6.arpa" {
    type slave;
    file "/var/cache/bind/db.ipv6";
    masters { 192.168.27.8; };
};

Web Server
Download and update package list
Command: sudo apt-get update

Install apache2 for Webserver
Command: sudo apt-get install apache2

Make directories
Command: sudo mkdir -p /var/www/radar.com/public.html

Assign owners and permission
Command:
sudo chown -R $USER:$USER /var/www/radar.com/public.html
sudo chmod -R 755 /var/www

Create the webpage. index.html is an HTML document that contains code for the company webpage
Command: sudo nano /var/www/radar.com/public.html/index.html

Make HTML page
Command: cd /etc/apache2/sites-available

Create and copy virtual host file
Command: sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/radar.com.conf

Edit virtual host file radar.com.conf
Command: sudo nano /etc/apache2/sites-available/radar.com.conf

<VirtualHost *:80>
    ServerAdmin info@radar.com
    ServerName radar.com
    ServerAlias www.radar.com
    DocumentRoot /var/www/radar.com/public.html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the new site and disable the default one
sudo a2ensite radar.com.conf ---> enabling site radar.com
sudo a2dissite 000-default.conf ---> site 000-default disabled

Restart apache service to take effect
sudo service apache2 restart

Setup local host file
sudo nano /etc/hosts

127.0.0.1   localhost
127.0.1.1   ubuntu
192.168.27.9 radar.com

Firewall
Step 1: Install UFW package
Command: sudo apt-get install ufw

Step 2: Check UFW status
Command: sudo ufw status

Step 3: Set Up Default Policies
Command:
sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 4: Allow SSH, HTTP, FTP, HTTPS Connections
Command:
sudo ufw allow from 192.168.27.0/24 to any port 443
sudo ufw allow from 192.168.27.0/24 to any port 80
sudo ufw allow from 192.168.27.0/24 to any port 21
sudo ufw allow from 192.168.27.0/24 to any port 22

Step 5: Disabling ping
Command: sudo nano /etc/ufw/before.rules

Comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Step 6: Enable UFW
Command: sudo ufw enable

Backup Server
Step 1: Install OpenSSH on the Linux server
Command: sudo apt-get install openssh-server

Step 2: Install expect package
Command: sudo apt-get install expect

Step 3: Create a new file and type the following script to create the backup script file.
Command:

#!/bin/bash
# Timestamp used in the archive name (month-day-hour-minute-second)
TIME=$(date +%b-%d-%I-%M-%S)
FILENAME=backup-$TIME.tar.gz
SRCDIR=/var/www              # directory to back up
DESDIR=/home/divya/backup    # local staging directory

# Create a compressed archive of the source directory
tar -cpzf $DESDIR/$FILENAME $SRCDIR

# Copy the archive to the backup server; expect answers the password prompt
/usr/bin/expect <<EOD
spawn scp $DESDIR/$FILENAME divya@192.168.27.3:/home/divya/backup
expect "password:"
send "****"
send "\r"
expect "*\r"
expect "*\r"
EOD

The script zips the file that needs to be backed up and sends the file from the source directory to the destination directory and from the destination directory it gets transferred to the remote backup server. The same procedure is repeated for all webservers.

Step 4: Crontab is used to schedule the backup with a cron job that runs the bash script to dump the file every 5 minutes.

crontab -e

You can edit the frequency of the backup using crontab. The following screenshot shows the backup scheduling of the webserver.
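
The script in Step 3 keeps the account password in the file and feeds it to scp through expect. The following added example (not the project's script) performs the same backup with SSH key authentication instead; the key path and the script path in the crontab comment are assumptions.

```sh
#!/bin/sh
# Added example, not the project's script. Assumptions: a dedicated key pair
# exists at KEY (hypothetical path), its public half is in authorized_keys on
# the backup server, and that server's host key is already in known_hosts.
SRCDIR=${SRCDIR:-/var/www}
DESDIR=${DESDIR:-/home/divya/backup}
REMOTE=${REMOTE:-divya@192.168.27.3:/home/divya/backup}
KEY=${KEY:-$HOME/.ssh/backup_ed25519}

# make_backup SRC DEST: write DEST/backup-<timestamp>.tar.gz and print its path.
make_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)      # 24-hour clock, so names sort by time
    archive="$2/backup-$stamp.tar.gz"
    mkdir -p "$2" || return 1
    # umask 077 in a subshell: the archive is readable by its owner only.
    if ! ( umask 077
           tar -cpzf "$archive" -C "$(dirname "$1")" "$(basename "$1")" &&
           gzip -t "$archive" ); then
        rm -f "$archive"              # never leave or ship a partial archive
        return 1
    fi
    printf '%s\n' "$archive"
}

# push_backup ARCHIVE: key authentication only. BatchMode makes scp fail
# instead of prompting, so a cron run cannot hang waiting for a password.
push_backup() {
    scp -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$1" "$REMOTE"
}

# Crontab entry for the 5-minute schedule (script path is hypothetical):
#   */5 * * * * /home/divya/backup.sh run
if [ "${1:-}" = run ]; then
    archive=$(make_backup "$SRCDIR" "$DESDIR") && push_backup "$archive"
fi
```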

ALGORITHM
1. Create a DHCP server and give IP Address range 192.168.27.50 – 192.168.27.200

2. Create a client, it fetches its IP Address from the DHCP in the range specified

3. Create a webserver and host an HTML page for “radar.com”

4. The client can access the webpage hosted and can ping it

5. The DNS server is created to resolve domain IP Address

6. Backup server is created for backing up and securing the cache created at a scheduled time by the webserver

7. To increase security, an IPSec tunnel is implemented, which lets two servers in a private network ping each other across a public network using encryption

8. NFS is created to share files between two hosts

Address Resolution Protocol (ARP)
ARP poisoning has been implemented using Scapy. Here an attacker tries to intrude into the client's network. When the client initially requests the webserver page, it is able to view the requested webpage, but when the attacker uses the Scapy script, the ARP cache of the victim (client) is flooded with the attacker's own MAC address. Now when the client requests the webpage of the webserver, the hacked webpage hosted by the attacker is visible instead of the original webpage.

Network File System (NFS)
Step 1: Configuring the NFS server
Command:
sudo apt-get install nfs-kernel-server
sudo chmod 777 location

Edit the file
sudo nano /etc/exports

On the last line append below
/home/divya/mnt 192.168.27.0/255.255.255.0(rw,sync,root_squash,subtree_check)

Save and Exit

Change the directory and create a sample file named "new1"
cd /home/divya/mnt
touch new1
sudo nano new1

Start the server
sudo service nfs-kernel-server start

Step 2: Configuring the NFS client
To install the NFS client:
Command: sudo apt-get install nfs-common

Make directory in a location
sudo mount 192.168.27.9:/home/divya/mnt /home/mnt
sudo mount -a

To verify whether it is mounted
df -h

IPSec VPN tunnel
Server 1

/etc/ipsec.conf

conn server1-to-server2
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.27.8
    right=192.168.27.10
    type=tunnel
    esp=aes128gcm16!

/etc/ipsec.secrets

192.168.27.8   192.168.27.10  : PSK "Password!"

Server 2

conn server2-to-server1
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.27.10
    right=192.168.27.8
    type=tunnel
    esp=aes128gcm16!

TESTING
1. DHCP Dynamic IP Assigning to client

2. Client pinging to DNS Master

3. Client pinging to DNS Master

4. Client pinging the webserver

5. Checking if the webserver hosts the website

6. NFS testing

7. nslookup to check DNS capability
 * The detailed screenshots are provided in the report