User:ARPJ1234/sandbox

Group Candidates
1. Anup Shandilya

2. Jahan Wadia

3. Param Shah

4. Ruchir Nerurkar

Purpose of Project
Today Linux is used in most industries on switches, routers and workstations because it is an open-source operating system that is customizable and secure. We chose this project because the experience will be useful to us in industry. We have configured several Linux systems in VMware to host various servers: a DHCP server, master and slave DNS servers, a web server and a backup server. We have set up a network in which the DHCP server assigns IP addresses to clients when required. The web server hosts a legitimate web page which the client can access when required. Firewall rules have been set up so that the client does not get full access to the server configuration.

Topics Covered
DNS:

The Domain Name System (DNS) is used to resolve human-readable hostnames like www.Dyn.com into machine-readable IP addresses like 192.168.77.15. DNS also provides other information about domain names, such as mail services. On the Internet, DNS maps a domain name to an IP address by assigning authoritative servers to each domain.

DNS is like a phone book for the Internet. If you know a person’s name but don’t know their telephone number, you can simply look it up in a phone book. DNS provides this same service to the Internet. When you visit http://dyn.com in a browser, your computer uses DNS to retrieve the website’s IP address of 192.168.77.15. Without DNS, you would only be able to visit our website (or any website) by visiting its IP address directly, such as 192.168.77.15.

Hostname to IP address mapping is known as Forward DNS query and IP address to hostname mapping is known as Reverse DNS query.

When you visit a domain such as dyn.com, your computer follows a series of steps to turn the human-readable web address into a machine-readable IP address. This happens every time you use a domain name, whether you are viewing websites, sending email or listening to Internet radio stations like Pandora.

How does DNS work ?

Step 1: Request information

The process begins when you ask your computer to resolve a hostname, such as visiting http://dyn.com. The first place your computer looks is its local DNS cache, which stores information that your computer has recently retrieved.

If your computer doesn’t already know the answer, it needs to perform a DNS query to find out.

Step 2: Ask the recursive DNS servers

If the information is not stored locally, your computer queries (contacts) your ISP’s recursive DNS servers. These specialized computers perform the legwork of a DNS query on your behalf. Recursive servers have their own caches, so the process usually ends here and the information is returned to the user.

Step 3: Ask the root nameservers

If the recursive servers don’t have the answer, they query the root nameservers. A nameserver is a computer that answers questions about domain names, such as IP addresses. The thirteen root nameservers act as a kind of telephone switchboard for DNS. They don’t know the answer, but they can direct our query to someone that knows where to find it.

Step 4: Ask the TLD nameservers

The root nameservers will look at the first part of our request, reading from right to left — www.dyn.com — and direct our query to the Top-Level Domain (TLD) nameservers for .com. Each TLD, such as .com, .org, and .us, has its own set of nameservers, which act like a receptionist for that TLD. These servers don’t have the information we need, but they can refer us directly to the servers that do.

Step 5: Ask the authoritative DNS servers

The TLD nameservers review the next part of our request — www.dyn.com — and direct our query to the nameservers responsible for this specific domain. These authoritative nameservers are responsible for knowing all the information about a specific domain, which is stored in DNS records. There are many types of records, each of which contains a different kind of information. In this example, we want to know the IP address for www.dyndns.com, so we ask the authoritative nameserver for the Address Record (A).

Step 6: Retrieve the record

The recursive server retrieves the A record for dyn.com from the authoritative nameservers and stores the record in its local cache. If anyone else requests the host record for dyn.com, the recursive servers will already have the answer and will not need to go through the lookup process again. All records have a time-to-live value, which is like an expiration date. After a while, the recursive server will need to ask for a new copy of the record to make sure the information doesn’t become out-of-date.

Step 7: Receive the answer

Armed with the answer, the recursive server returns the A record to your computer. Your computer stores the record in its cache, reads the IP address from the record, then passes this information to your browser. The browser then opens a connection to the web server and receives the website.

This entire process, from start to finish, takes only milliseconds to complete.

Master and Slave DNS Servers

A slave DNS server is a DNS server which maintains no independent DNS zone data. Instead, it retrieves or receives zone record data from one or more designated masters.

A master DNS server is a DNS server which maintains and stores authoritative DNS zone data independently. This data may or may not be provided to other DNS servers. A special case is the use of hidden masters. A hidden master is a master DNS server which provides data only to other DNS servers that are authoritative for the zone. This configuration is used as an administrative convenience.

DHCP:

The Dynamic Host Configuration Protocol (DHCP) is an Internet Engineering Task Force (IETF) standard designed to reduce the administration burden and complexity of configuring hosts on a Transmission Control Protocol/Internet Protocol (TCP/IP)-based network, such as a private intranet.

By using DHCP server computers to centrally manage IP addresses and other related configuration parameters, using DHCP client computers to request and accept TCP/IP configuration information from DHCP servers, and using DHCP relay agents to pass information between DHCP clients and servers, the process of configuring TCP/IP on DHCP clients is automatic.

There are three methods by which a DHCP server allocates IP addresses:

Dynamic Allocation: devices connected to the network are dynamically allocated IP addresses when the network is initialized.

Static Allocation: every device requesting an IP address is permanently assigned one.

Automatic Allocation: DHCP allocates IP addresses based on a predefined MAC-address-to-IP-address mapping.

IP allocation is done in four phases, which includes discover, offer, request, acknowledge.

DHCP Server Discovery: the client broadcasts a DHCP Discover message with source address 0.0.0.0.

DHCP Server Offer: the DHCP server responds with an Offer message, which includes the transaction ID, process ID, subnet mask, and IP address lease time.

DHCP Request: the client sends a DHCP Request message in response to the DHCP Offer message, indicating that it is ready to accept the configuration information contained in the Offer message. Unlike the Discover message, the client includes its MAC address in the Request message.

DHCP ACK: the DHCP server sends an ACK message in response to the DHCP Request message, which includes the information the client has requested.

Web Server:

A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers' HTTP clients. Dedicated computers and appliances may be referred to as Web servers as well.

The process is an example of the client/server model. All computers that host Web sites must run Web server programs. Leading Web servers include Apache (the most widely installed Web server), Microsoft's Internet Information Server (IIS) and nginx (pronounced "engine X") from NGINX.

Apache 2

Apache is the most widely used web server software. Developed and maintained by Apache Software Foundation, Apache is an open source software available for free. It runs on 67% of all webservers in the world. It is fast, reliable, and secure. It can be highly customized to meet the needs of many different environments by using extensions and modules. Most WordPress hosting providers use Apache as their web server software. However, WordPress can run on other web server software as well.

Backup Server

This provides a secondary location which stores all of the configuration of the Apache2 web server after the files have been compressed with the tar command.

Firewalls

A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Network firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Firewalls can be either hardware or software but the ideal configuration will consist of both. In addition to limiting access to your computer and network, a firewall is also useful for allowing remote access to a private network through secure authentication certificates and logins.

UFW

One of the many heralded aspects of Linux is its security. From the desktop to the server, you’ll find every tool you need to keep those machines locked down as tightly as possible. For the longest time, the security of Linux was in the hands of iptables (which works with the underlying netfilter system). Although incredibly powerful, iptables is complicated—especially for newer users. To truly make the most out of that system, it may take weeks or months to get up to speed. Thankfully, a much simpler front end for iptables is ready to help get your system as secure as you need.

That front end is Uncomplicated Firewall (UFW). UFW provides a much more user-friendly framework for managing netfilter and a command-line interface for working with the firewall. On top of that, if you’d rather not deal with the command line, UFW has a few GUI tools that make working with the system incredibly simple.

Steps to perform the setup / installation
Installation of Domain Name System (DNS):

Log in as root: sudo su (enter your password).

To install the bind9 DNS server: apt-get install bind9

Put your virtual machine in bridged mode and define a static interface by editing /etc/network/interfaces (for example nano /etc/network/interfaces). For static interfaces:

 auto eth0
 iface eth0 inet static
     address 192.168.77.5
     netmask 255.255.255.0
     network 192.168.77.0
     broadcast 192.168.77.255
     gateway 192.168.77.1

 iface eth0 inet6 static
     address fd01:db8:0:1::2
     netmask 64

Master DNS: in /etc/bind/, edit named.conf.options and set the forwarders inside the options { } block. We are using Google's DNS servers as forwarders:

 forwarders {
     //192.168.77.81;
     8.8.8.8;
     8.8.4.4;
     //0.0.0.0;
 };

named.conf.local declares the three zones. The IPv4 reverse zone for 192.168.77.0/24 is 77.168.192.in-addr.arpa (the network octets reversed), which is also the name used by the named-checkzone command further down:

 // 1) Forward zone:
 zone "linuxproj.org" {
     type master;
     file "/etc/bind/zones/db.linuxproj.org";
     allow-transfer { 192.168.77.96; };
 };

 // 2) Reverse zone for IPv4:
 zone "77.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/db.192";
     allow-transfer { 192.168.77.96; };
 };

 // 3) Reverse zone for IPv6:
 zone "0.0.0.0.8.b.d.0.1.0.d.f.ip6.arpa" {
     type master;
     file "/etc/bind/zones/db.ipv6";
     allow-transfer { fd01:db8:0:1::12; };
 };

cd /etc/bind/zones/

db.linuxproj.org, the forward lookup zone file:

 ;
 ; BIND data file for local loopback interface
 ;
 $TTL    604800
 @       IN      SOA     linuxproj.org. admin.linuxproj.org. (
                               3         ; Serial
                          604800         ; Refresh
                           86400         ; Retry
                         2419200         ; Expire
                          604800 )       ; Negative Cache TTL
 ;
 @       IN      NS      linuxproj.org.
 @       IN      A       192.168.77.25
         IN      AAAA    fd01:db8:0:1::25
 server1 IN      A       192.168.77.41
         IN      AAAA    fd01:db8:0:1::41
 NFS     IN      CNAME   server1
 www     IN      A       192.168.77.25
         IN      AAAA    fd01:db8:0:1::25
 dns     IN      A       192.168.77.5
         IN      AAAA    fd01:db8:0:1::2

db.192, the IPv4 reverse lookup zone file (/etc/bind/zones/db.192). Note the trailing dot on admin.linuxproj.org. in the SOA record; without it the name is taken relative to the zone origin:

 ;
 ; BIND reverse data file for local loopback interface
 ;
 $TTL    604800
 @       IN      SOA     linuxproj.org. admin.linuxproj.org. (
                               3         ; Serial
                          604800         ; Refresh
                           86400         ; Retry
                         2419200         ; Expire
                          604800 )       ; Negative Cache TTL
 ;
 @       IN      NS      linuxproj.org.
 25      IN      PTR     linuxproj.org.
         IN      PTR     www.linuxproj.org.
 41      IN      PTR     server1.linuxproj.org.
         IN      PTR     NFS.linuxproj.org.
 5       IN      PTR     dns.linuxproj.org.

db.ipv6, the IPv6 reverse lookup zone file (/etc/bind/zones/db.ipv6); again the SOA contact name ends in a dot:

 $ORIGIN 0.0.0.0.8.b.d.0.1.0.d.f.ip6.arpa.
 ;
 ; BIND reverse data file for local loopback interface
 ;
 $TTL    604800
 @       IN      SOA     linuxproj.org. admin.linuxproj.org. (
                               1         ; Serial
                          604800         ; Refresh
                           86400         ; Retry
                         2419200         ; Expire
                          604800 )       ; Negative Cache TTL
 ;
 @       IN      NS      linuxproj.org.
 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0    IN  PTR  dns.linuxproj.org.
 5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0    IN  PTR  www.linuxproj.org.
                                            IN  PTR  linuxproj.org.
 1.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0    IN  PTR  server1.linuxproj.org.
                                            IN  PTR  NFS.linuxproj.org.

Check that your zones load cleanly (the first argument is the zone name, the second the zone file):

 named-checkzone linuxproj.org /etc/bind/zones/db.linuxproj.org
 named-checkzone 77.168.192.in-addr.arpa /etc/bind/zones/db.192
 named-checkzone 0.0.0.0.8.b.d.0.1.0.d.f.ip6.arpa /etc/bind/zones/db.ipv6

A zone that loads reports, for example:

 zone linuxproj.org/IN: loaded serial 3
 OK

The other zones should give similar output.
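named-checkzone validates each file on its own; it does not tell you whether the forward and reverse zones agree. The following added Python example (not part of the project's configuration) performs that check offline: the zone data is constructed from the records shown above, the parser handles only what those files use ($ORIGIN, ';' comments, blank-owner continuation lines), and the check lists every A/AAAA record without a matching PTR and every PTR whose target has no address record. On this data the only finding is the two PTR records for NFS, which point at a CNAME rather than at a name with an A record.

```python
import ipaddress
# Zone data constructed from the page's db.linuxproj.org, db.192 and db.ipv6 (SOA/NS omitted).
FORWARD = """\
$ORIGIN linuxproj.org.
@        IN  A      192.168.77.25
         IN  AAAA   fd01:db8:0:1::25
server1  IN  A      192.168.77.41
         IN  AAAA   fd01:db8:0:1::41
NFS      IN  CNAME  server1
www      IN  A      192.168.77.25
         IN  AAAA   fd01:db8:0:1::25
dns      IN  A      192.168.77.5
         IN  AAAA   fd01:db8:0:1::2
"""
REVERSE_V4 = """\
$ORIGIN 77.168.192.in-addr.arpa.
25  IN  PTR  linuxproj.org.
    IN  PTR  www.linuxproj.org.
41  IN  PTR  server1.linuxproj.org.
    IN  PTR  NFS.linuxproj.org.
5   IN  PTR  dns.linuxproj.org.
"""
REVERSE_V6 = """\
$ORIGIN 0.0.0.0.8.b.d.0.1.0.d.f.ip6.arpa.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0  IN  PTR  dns.linuxproj.org.
5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0  IN  PTR  www.linuxproj.org.
                                         IN  PTR  linuxproj.org.
1.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0  IN  PTR  server1.linuxproj.org.
                                         IN  PTR  NFS.linuxproj.org.
"""

def fqdn(name, origin):
    """Qualify a zone-file name against $ORIGIN; DNS names compare case-insensitively."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text):
    """Minimal BIND zone reader: $ORIGIN, ';' comments, blank owner = previous owner."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():          # owner present; otherwise reuse the previous one
            owner = fqdn(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rrtype, rdata = fields[0], fields[1]
        if rrtype in ("CNAME", "PTR", "NS"):
            rdata = fqdn(rdata, origin)
        records.append((owner, rrtype, rdata))
    return records

def check_consistency(forward_zone, *reverse_zones):
    """Return (missing_ptr, dangling_ptr): A/AAAA with no PTR, and PTR whose target has no A/AAAA."""
    addrs = {(o, r) for o, t, r in parse_zone(forward_zone) if t in ("A", "AAAA")}
    ptrs = {(o, r) for z in reverse_zones for o, t, r in parse_zone(z) if t == "PTR"}
    missing = sorted(f"{ip} -> {name}" for name, ip in addrs
                     if (ipaddress.ip_address(ip).reverse_pointer + ".", name) not in ptrs)
    has_addr = {name for name, _ in addrs}
    dangling = sorted(f"{owner} -> {target}" for owner, target in ptrs if target not in has_addr)
    return missing, dangling

if __name__ == "__main__":
    print(check_consistency(FORWARD, REVERSE_V4, REVERSE_V6))
```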

Restart the master DNS: service bind9 restart

Slave DNS: in named.conf.local on the slave, the same three zones are declared as type slave and fetched from the master (the IPv4 reverse zone name must match the master's, 77.168.192.in-addr.arpa):

 zone "linuxproj.org" {
     type slave;
     file "/var/cache/bind/db.linuxproj.org";
     masters { 192.168.77.5; };
 };

 zone "77.168.192.in-addr.arpa" {
     type slave;
     file "/var/cache/bind/db.192";
     masters { 192.168.77.5; };
 };

 zone "0.0.0.0.8.b.d.0.1.0.d.f.ip6.arpa" {
     type slave;
     file "/var/cache/bind/db.ipv6";
     masters { fd01:db8:0:1::2; };
 };

Restart the slave DNS: service bind9 restart

Next, check your syslog to confirm that all zones are loaded and running: cat /var/log/syslog

Commands used in installing DHCP on linux: 

DHCP (IPV4) Steps 

Log in as root: sudo su (enter your password).

1) To install the DHCP server: apt-get install isc-dhcp-server

2) DHCP configuration: sudo nano /etc/default/isc-dhcp-server and set the interface the server listens on:

 INTERFACES="eth0"

Then edit the server configuration: sudo gedit /etc/dhcp/dhcpd.conf

 subnet 192.168.77.0 netmask 255.255.255.0 {
     range 192.168.77.10 192.168.77.100;
     option domain-name-servers 192.168.77.5, 192.168.77.96;
     option domain-name "dns.linuxproj.org";
     option routers 192.168.77.1;
     option broadcast-address 192.168.77.255;
     default-lease-time 600;
     max-lease-time 7200;
 }

Both DNS servers go in one comma-separated domain-name-servers option; a second option statement for the same option replaces the first instead of adding to it.

3) Command to edit the network interfaces file: sudo gedit /etc/network/interfaces

 auto lo
 iface lo inet loopback

 auto eth0
 iface eth0 inet static
     address 192.168.77.3
     netmask 255.255.255.0
     gateway 192.168.77.1
     network 192.168.77.0
     broadcast 192.168.77.255
     dns-nameservers 192.168.77.5 192.168.77.96
     dns-search dns.linuxproj.org

 iface eth0 inet6 static
     address fd01:db8:0:1::3
     netmask 64
     gateway fd01:db8:0:1::1

The resolver settings are picked up by resolvconf only under the keywords dns-nameservers and dns-search.

4) DHCP server restart: sudo /etc/init.d/isc-dhcp-server restart

or sudo service isc-dhcp-server restart

DHCP log: cat /var/log/syslog or sudo tail -f /var/log/syslog

DHCP (IPV6) Steps: 

1) Command to install radvd, the IPv6 router advertisement daemon: sudo apt-get install radvd

2) Command to edit the radvd configuration: sudo nano /etc/radvd.conf

 interface eth0 {
     AdvSendAdvert on;
     MinRtrAdvInterval 3;
     MaxRtrAdvInterval 10;
     prefix fd01:db8:0:1::/64 {
         AdvOnLink on;
         AdvAutonomous on;
         AdvRouterAddr on;
     };
 };

With AdvAutonomous on, clients also assign themselves addresses from the prefix (SLAAC); if they should obtain their addresses from the DHCPv6 server instead, radvd additionally needs AdvManagedFlag on in the interface block.

3) Command to edit the DHCPv6 configuration: sudo nano /etc/dhcp/dhcpd6.conf

 default-lease-time 600;
 max-lease-time 7200;
 log-facility local7;
 subnet6 fd01:db8:0:1::/64 {
     range6 fd01:db8:0:1::10 fd01:db8:0:1::20;
     range6 fd01:db8:0:1::/64 temporary;
     option dhcp6.name-servers fd01:db8:0:1::2, fd01:db8:0:1::12;
     option dhcp6.domain-search "dns.linuxproj.org";
 }

4) Command to restart radvd: sudo service radvd restart

5) Command to restart the DHCPv6 server: sudo service isc-dhcp-server6 restart

Installation Steps:

Apache Webserver: 

sudo apt-get install apache2

sudo /etc/init.d/apache2 restart

sudo nano /var/www/html/index.html

#make your own personalized webpage

Additional
ARP Poisoning

An ARP poisoning attack is an attack in which an attacker sends falsified ARP (Address Resolution Protocol) messages over a LAN. As a result, the attacker links his MAC address with the IP address of a legitimate computer (or server) on the network. Once the attacker has linked his MAC address to an authentic IP address, he begins receiving any data addressed to that IP address. ARP poisoning allows malicious attackers to intercept, modify or even stop data in transit. ARP poisoning attacks can only occur on local area networks that use the Address Resolution Protocol.

ARP Poisoning Attacks

ARP poisoning attacks can have serious effects for enterprises. At their most basic level, ARP poisoning attacks are used to steal sensitive company information. Apart from this, ARP spoofing attacks are often used to facilitate other attacks such as:

Denial-of-service attacks: DoS attacks use ARP spoofing to link multiple IP addresses in a LAN with a single target’s MAC address. Traffic meant for those IP addresses is then redirected to the target’s MAC address, overloading the target with traffic.

Session hijacking: Session hijacking attacks can make use of ARP spoofing to steal session IDs, granting attackers access to private systems and data.

Man-in-the-middle attacks: MITM attacks can use ARP spoofing to intercept and/or modify traffic between two victims.

NFS

NFS allows a system (the NFS server) to share files with the other systems on the same network. This reduces the need to store copies of files on every system in the network; instead, each system can access the files stored on the server using NFS.

The configuration of the NFS server and clients involves the following commands.

NFS Commands:

1) For the NFS server

 sudo apt-get update
 sudo apt-get install nfs-kernel-server
 sudo chmod 777 /etc/exports    # not needed once you are root (next line); it also leaves the export list writable by every local user
 sudo su
 cd /etc
 nano exports

In /etc/exports, configure individual client IPs or a whole client network:

 # individual client IPs
 /var/nfs 192.168.201.136(rw,sync,no_root_squash,no_subtree_check)
 /home    192.168.201.136(rw,sync,no_root_squash,no_subtree_check)
 # or the client network
 /var/nfs 192.168.201.0/24(rw,sync,no_root_squash,no_subtree_check)
 /home    192.168.201.0/24(rw,sync,no_root_squash,no_subtree_check)

 /etc/init.d/nfs-kernel-server status   # check the server status
 /etc/init.d/nfs-kernel-server start
 /etc/init.d/nfs-kernel-server stop
 /etc/init.d/nfs-kernel-server start
 exportfs -v                            # list the exports active on the server (exportfs -u would unexport them)
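The options chosen above decide how much a client can do with the export, so here is an added Python check for an exports file (example code, not the project's own): it parses every client spec and flags the combinations a reviewer would question, namely wildcard hosts and rw together with no_root_squash, which lets a client's root account act as root on the exported tree, with or without restricting that to a single address. The exports text is constructed from the lines shown above; the /srv/pub line is an added case.

```python
import ipaddress

# Constructed from the /etc/exports lines shown on the page; /srv/pub is an added case.
EXPORTS = """\
# /etc/exports
/var/nfs  192.168.201.0/24(rw,sync,no_root_squash,no_subtree_check)
/home     192.168.201.136(rw,sync,no_root_squash,no_subtree_check)
/srv/pub  *(ro,sync)
"""

def parse_exports(text):
    """Yield (path, host, [options]) for every client spec in an exports file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            host, _, opts = spec.partition("(")
            yield path, host, [o for o in opts.rstrip(")").split(",") if o]

def host_count(host):
    """Addresses covered by a client spec; None when it is not an IP address or network."""
    try:
        return ipaddress.ip_network(host, strict=False).num_addresses
    except ValueError:
        return None

def audit_exports(text):
    """Return (path, host, finding) triples for exports that widen the trust boundary."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "" or host.startswith("*"):
            findings.append((path, host, "exported to any host"))
        if "rw" in opts and "no_root_squash" in opts:
            findings.append((path, host, "rw with no_root_squash: client root is root on the export"))
        if "no_root_squash" in opts and (host_count(host) or 0) > 1:
            findings.append((path, host, "no_root_squash granted to a whole network"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(EXPORTS):
        print(f"{path} {host}: {finding}")
```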

2) For NFS client 1

 sudo apt-get install nfs-common
 sudo mkdir -p /mnt/nfs/home /mnt/nfs/var/nfs
 sudo mount 192.168.77.41:/home /mnt/nfs/home
 sudo mount 192.168.77.41:/var/nfs /mnt/nfs/var/nfs
 df -h    # check that the client directories are mounted from the NFS server

3) For NFS client 2

 sudo apt-get install nfs-common
 sudo mkdir -p /mnt/nfs/home /mnt/nfs/var/nfs2
 sudo mount 192.168.77.41:/home /mnt/nfs/home
 sudo mount 192.168.77.41:/var/nfs /mnt/nfs/var/nfs2
 df -h    # check that the client directories are mounted from the NFS server

VPN IPsec

VPN stands for Virtual Private Network, which enables two devices on a private network to connect over a public network. In a VPN the device on the private network communicates as though it were connected to the public network directly, while the VPN ensures security. A VPN is a point-to-point connection between two private networks over a dedicated path, with the data encrypted so that it can be sent over the public network.

VPN in our project is enabled by creating a VPN connection with an SSID and password.

Install IPsec

apt-get install ipsec-tools strongswan-starter

Now we need to create the actual crypto maps which we’ll be using, so edit the IPSec configuration file on the Red:

nano /etc/ipsec.conf

And fill in the following with the details pertinent to your network at the end of that file, e.g. IP address:

 conn red-to-blue
     authby=secret
     auto=route
     keyexchange=ike
     left=192.168.100.100
     right=192.168.100.200
     type=transport
     esp=aes128gcm16!

Now create the file which holds the PSKs

nano /etc/ipsec.secrets

Populate it like the following with your IP details (warning: each element in this file should be separated by a space, NOT a tab):

192.168.100.100 192.168.100.200 : PSK "Your password here!"

Let's restart IPsec:

ipsec restart

Then you should have something like the following:

 Stopping strongSwan IPsec…
 Starting strongSwan 5.1.2 IPsec [starter]…

Type "ipsec statusall" to check the status of the tunnel.

Repeat the process on the second system, then test by pinging from one system to the other while watching the output of "ipsec statusall" (for example with watch ipsec statusall); the packet counters should increase continuously.

Testing
Test Plan

DNS server

Testing of following entries

1. Forward zone

2. Reverse zone

3. CNAME

4. A Name

5. Ping

Testing DNS:

Dig

Nslookup (Name Server Lookup)

Ping

Testing DHCP:

Ifconfig

cat /var/lib/dhcp/dhcpd.leases

sudo dhclient
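Reading the leases file by eye works for a handful of clients; the following added Python example (not from the project) parses the format that cat /var/lib/dhcp/dhcpd.leases prints and checks the active leases against the range configured in dhcpd.conf above (192.168.77.10 to 192.168.77.100). The lease entries are constructed, not captured from the project's server; the point the code handles is that dhcpd appends a new block every time a lease changes, so only the last block for an address counts.

```python
import ipaddress
import re

# Constructed sample of /var/lib/dhcp/dhcpd.leases (not captured from the project's server).
# dhcpd appends a block whenever a lease changes, so an address can appear more than once;
# the LAST block for an address is its current state (192.168.77.13 below ends up free).
LEASES = """\
lease 192.168.77.12 {
  starts 3 2016/04/20 10:00:00;
  ends 3 2016/04/20 10:10:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:01;
  client-hostname "client1";
}
lease 192.168.77.13 {
  starts 3 2016/04/20 10:01:00;
  ends 3 2016/04/20 10:11:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.77.13 {
  starts 3 2016/04/20 10:05:00;
  ends 3 2016/04/20 10:15:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.77.150 {
  starts 3 2016/04/20 10:02:00;
  ends 3 2016/04/20 10:12:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:03;
}
"""

BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Return {ip: fields}; a later block for the same address replaces an earlier one."""
    leases = {}
    for ip, body in BLOCK.findall(text):
        fields = {}
        for stmt in (s.strip() for s in body.split(";")):
            words = stmt.split()
            if stmt.startswith("binding state"):
                fields["state"] = words[-1]
            elif stmt.startswith("hardware ethernet"):
                fields["mac"] = words[-1]
            elif stmt.startswith("client-hostname"):
                fields["hostname"] = words[1].strip('"')
            elif stmt.startswith(("starts ", "ends ")):
                fields[words[0]] = " ".join(words[2:])   # drop the weekday field
        leases[ip] = fields
    return leases

def audit_leases(text, pool_start, pool_end):
    """Return (active, outside): current active leases keyed by IP, and the active addresses
    outside the configured range (for example leases issued before the range was changed)."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    active = {ip: f for ip, f in parse_leases(text).items() if f.get("state") == "active"}
    outside = sorted(ip for ip in active if not lo <= ipaddress.ip_address(ip) <= hi)
    return active, outside

if __name__ == "__main__":
    active, outside = audit_leases(LEASES, "192.168.77.10", "192.168.77.100")
    for ip, f in sorted(active.items()):
        print(ip, f.get("mac"), f.get("hostname", "-"), "ends", f.get("ends"))
    print("active leases outside the pool:", outside or "none")
```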

Testing Web Server:

By entering the web page name www.dnlab.net on the client, we were able to fetch a web page from the web server.

Testing Firewall:

When a client whose IP address is blocked tries to ping the server, the result will be “request time out” and “server not reachable”.

Testing Backup:

Backup testing was performed by synchronising the files to a fixed directory. We can confirm the presence of the files by using the ls command.

Future Prospects
Future Scope: 

1. We could have implemented the Lightweight Directory Access Protocol (LDAP) for directory maintenance.

2. We could have implemented a cloud server and a BitTorrent server.

3. We could have implemented modularity in the network.

4. We could have implemented VLANs.