User:Agalya Gunasekaran/sandbox

The Folks
1. Agalya Gunasekaran

2. Karthik Ramachandran

3. Mayuri Dekate

4. Shree Kumar Bakthavatsalam

Motivation
Linux, which began its existence as a server OS, has become useful as a desktop OS and on devices such as tablets, computers and network routers. Linux is open source. Also, in security aspects Linux is much stronger than Windows. We took up this project to learn in depth about the Linux operating system, which is widely used. In this project we created a DNS server, DHCP server, NFS server, NIS server, VPN server, SMTP server, web server and firewall.

Understanding the protocol
Behavior of the protocol

Dynamic Host Configuration Protocol (DHCP) is a standardized Internetworking Protocol that automatically provides IP addresses to the connected hosts. It also provides other related information such as the subnet mask and default gateway. ISPs provide the configuration information to the DHCP server. DHCP dynamically updates the current pool of addresses. DHCP also supports a mix of dynamic and automatic IP address allocation. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems, the device's IP address can even change while it is still connected. In automatic addressing, the client receives the same IP address whenever it comes onto the network.

Signaling

DHCP discover: Broadcast by a client to find the available servers.

DHCP offer: Response from the server to a DHCP discover, offering an IP address and other parameters.

DHCP request: Message from the client to a server requesting the parameters and declining other offers.

DHCP ack: Acknowledgement from the server to the client with parameters including the IP address.

Steps to perform the setup/installation
Install isc-dhcp-server:

    sudo apt-get install isc-dhcp-server

Set static IP for the DHCP server:

    auto eth0
    iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        dns-nameservers 192.168.1.100
        dns-search group5.com

Restart the network:

    sudo /etc/init.d/networking restart

Edit the configuration in DHCP server:

    sudo nano /etc/dhcp/dhcpd.conf

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.30;
        option domain-name-servers 192.168.1.254;
        option domain-name "group5.com";
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

Edit the resolv.conf file:

    sudo nano /etc/resolv.conf

    nameserver 192.168.1.100

Restart the DHCP server:

    sudo service isc-dhcp-server restart

Testing
Step 1: The leases on the DHCP server and the IP addresses which have been leased to clients can be checked using the command below:

    sudo tail /var/lib/dhcp/dhcpd.leases

Step 2: The log output of DHCP is verified using the command below:

    sudo tail -f /var/log/syslog

Step 3: Messages like DHCPREQUEST and DHCPACK, with the name of the client and the name of the interface, can be verified.
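The check in Step 3 can be scripted. The following is an added example, not part of the original project: it reads dhcpd syslog lines and reports, per client MAC, whether the exchange ended in an ACK from the configured range, stopped early, or selected a different DHCP server. The function name dhcp_audit, the sample log lines and the address 192.168.1.66 are constructed for illustration; the server address and range are the ones configured above.

```shell
#!/bin/sh
# Added example (not from the original page): audit dhcpd syslog lines.
SERVER_IP=192.168.1.2   # static IP given to the DHCP server on this page
NET=192.168.1           # subnet declared in dhcpd.conf
LO=10; HI=30            # "range 192.168.1.10 192.168.1.30"

# Constructed sample lines, modelled on what isc-dhcp-server logs to syslog.
SAMPLE_LOG='Nov 20 10:00:01 ubuntu dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0
Nov 20 10:00:02 ubuntu dhcpd: DHCPOFFER on 192.168.1.10 to 00:0c:29:aa:bb:01 (client1) via eth0
Nov 20 10:00:02 ubuntu dhcpd: DHCPREQUEST for 192.168.1.10 (192.168.1.2) from 00:0c:29:aa:bb:01 (client1) via eth0
Nov 20 10:00:02 ubuntu dhcpd: DHCPACK on 192.168.1.10 to 00:0c:29:aa:bb:01 (client1) via eth0
Nov 20 10:05:00 ubuntu dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Nov 20 10:05:01 ubuntu dhcpd: DHCPOFFER on 192.168.1.11 to 00:0c:29:aa:bb:02 via eth0
Nov 20 10:05:01 ubuntu dhcpd: DHCPREQUEST for 192.168.1.77 (192.168.1.66) from 00:0c:29:aa:bb:02 via eth0
Nov 20 10:07:00 ubuntu dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:03 via eth0
Nov 20 10:07:01 ubuntu dhcpd: DHCPOFFER on 192.168.1.12 to 00:0c:29:aa:bb:03 via eth0
Nov 20 10:09:00 ubuntu dhcpd: DHCPREQUEST for 192.168.1.200 from 00:0c:29:aa:bb:04 via eth0
Nov 20 10:09:00 ubuntu dhcpd: DHCPACK on 192.168.1.200 to 00:0c:29:aa:bb:04 via eth0'

# Reads syslog on stdin; prints "<mac> <leased-ip or -> <verdict>" per client.
dhcp_audit() {
  awk -v srv="$SERVER_IP" -v net="$NET" -v lo="$LO" -v hi="$HI" '
    # Return the field that follows the given keyword on the current line.
    function after(word,   i) {
      for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
      return ""
    }
    # Remember each MAC once, in order of first appearance.
    function note(mac) { if (!(mac in known)) { known[mac] = 1; order[++n] = mac } }

    /DHCPDISCOVER from/ { note(after("from")) }
    /DHCPREQUEST for/ {
      mac = after("from"); note(mac)
      sid = ""
      for (i = 1; i < NF; i++) if ($i == "for") sid = $(i + 2)
      # A parenthesised field after the requested IP is the server identifier
      # the client selected. If it is not ours, another server won the exchange.
      if (sid ~ /^\(.*\)$/) {
        gsub(/[()]/, "", sid)
        if (sid != srv) foreign[mac] = sid
      }
    }
    /DHCPACK on/ { mac = after("to"); note(mac); ack[mac] = after("on") }
    END {
      for (k = 1; k <= n; k++) {
        mac = order[k]
        if (mac in foreign)     print mac, "-", "other-server:" foreign[mac]
        else if (!(mac in ack)) print mac, "-", "incomplete"
        else {
          split(ack[mac], o, ".")
          prefix = o[1] "." o[2] "." o[3]
          inpool = (prefix == net && o[4] + 0 >= lo && o[4] + 0 <= hi)
          print mac, ack[mac], (inpool ? "ok" : "outside-range")
        }
      }
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dhcp_audit
```

On the real server the same function can be fed with: grep dhcpd /var/log/syslog | dhcp_audit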

Understanding the protocol
When the domain name group5.com is entered, the web browser looks up the IP address of the host. The IP address is returned when the DNS server gets the query. We have used a BIND server, in which caching is performed, so every time a user requests that page, the page is returned by the DNS cache without going to the origin web server.

Signaling

The protocols used in DNS are UDP and TCP. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP is used for zone transfer if the response data size exceeds 512 bytes.

Hierarchy

There are three classes of DNS server: root, top-level and authoritative DNS.

Root DNS: In the internet there are 13 root servers. This is the top of the tree, and together there are 247 root servers.

Top-level: These are responsible for top-level domains such as edu, com, org.

Authoritative DNS: Every organization with publicly accessible hosts, such as web servers, on the internet must provide publicly accessible DNS records that map the names of those hosts to IP addresses.

Steps to perform the setup/installation
Below are the steps to configure DNS Server through Ubuntu Terminal

Configure Server with static IP address.

A static IP address should always be assigned to the web server. DHCP assigns IP addresses dynamically to hosts, and if the DHCP server fails to allocate an IP address to the DNS server, the entire DNS service will be down. Hence all servers are static.

Edit the file /etc/network/interfaces with the below commands:

    sudo nano /etc/network/interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.255

Now restart the networking process, as we have made changes to the interfaces file, using the below command:

    sudo /etc/init.d/networking restart

Now check the host name of the server using the below command:

    cat /etc/hostname

Now edit the /etc/hosts file as below:

    127.0.0.1    localhost
    127.0.1.1    ubuntu

Install the BIND9 utility using the below command:

    sudo apt-get install bind9

Now configure the file named.conf.options

Here we are setting up a DNS server authoritative for our domain, so requests for names outside our domain are forwarded to the ISP's IP addresses. Hence we configure the named.conf.options file with these forwarders' IP addresses.

    sudo nano /etc/bind/named.conf.options

    forwarders {
        192.168.1.1;
        8.8.8.8;
        8.8.8.4;
    };

Configure the named.conf.local file with forward and reverse lookup zones

Forward lookup zones are used for hostname to IP address translation, and reverse lookup is used for IP address to hostname translation.

    sudo nano named.conf.local

Master server:

    # FORWARD LOOKUP ZONE - Holds A records, maps hostnames to IPs
    zone "group5.com" {
        type master;
        file "/etc/bind/zones/group5.com.db";
        allow-transfer { IP of slave; };
    };

    # REVERSE LOOKUP ZONE - Holds PTR records, maps IP address to hostname
    # Our reverse zone
    zone "1.168.192.in-addr.arpa" {
        type master;
        allow-transfer { IP of slave; };
        file "/etc/bind/zones/db.192";
    };

Slave server:

    zone "group5.com" {
        type slave;
        masters { IP of masters; };
        file "/var/cache/bind/group5.com.db";
    };

    zone "1.168.192.in-addr.arpa" {
        type slave;
        masters { IP of masters; };
        file "/var/cache/bind/db.192";
    };

Now create a directory zones in order to configure the forward and reverse lookup zone database files.

    sudo mkdir zones

Create the Forward Lookup Zone database file.

    $TTL 3D
    @   IN  SOA group5.com. root.group5.com. (
                2014112001  ; serial number
                28800       ; refresh rate
                3600        ; retry
                604800      ; expire
                38400       ; negative cache TTL
                )
    @        IN  NS     group5.com.
    ; A records
    @        IN  A      192.168.1.150
    ubuntu   IN  A      192.168.1.253
    ubuntu1  IN  A      192.168.1.252
    ubuntu2  IN  A      192.168.1.251
    www      IN  CNAME  ubuntu1

Create the Reverse Lookup Zone database file.

    $TTL 3D
    @   IN  SOA group5.com. root.group5.com. (
                2014112001  ; serial number
                28800       ; refresh rate
                3600        ; retry
                604800      ; expire
                38400       ; negative cache TTL
                )
    @    IN  NS   group5.com.
    150  IN  PTR  group5.com.
    253  IN  PTR  ubuntu.group5.com.
    252  IN  PTR  ubuntu1.group5.com.
    251  IN  PTR  ubuntu2.group5.com.
    252  IN  PTR  www.group5.com.

Edit your /etc/resolv.conf file to reflect your new DNS server settings.

    sudo nano resolv.conf

    search group5.com.
    nameserver 192.168.1.150

Restart the BIND9 daemon to apply our new configuration changes:

    sudo /etc/init.d/bind9 restart
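Before restarting BIND it helps to confirm that the forward and reverse zone files agree with each other. The following is an added example, not part of the original project: it cross-checks every PTR record against the A and CNAME records of the forward zone and flags dotted record targets that lack the trailing dot (BIND appends the zone origin to those). The function names and the sample records for .249 and .250 are constructed; the script assumes one record per line with the owner name present, as in the zone files above.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check a forward zone file
# against its reverse zone file.
ORIGIN=group5.com.                   # forward zone origin from this page
REV_ORIGIN=1.168.192.in-addr.arpa.   # reverse zone origin from this page
NET=192.168.1                        # network covered by the reverse zone

# usage: zone_check <forward-zone-file> <reverse-zone-file>
zone_check() {
  awk -v origin="$ORIGIN" -v rev="$REV_ORIGIN" -v net="$NET" '
    # Expand a name the way BIND does: "@" is the origin, and a name without
    # a trailing dot gets the origin appended.
    function fqdn(name, org) {
      if (name == "@") return org
      if (name ~ /\.$/) return name
      return name "." org
    }
    FNR == 1 { nfile++; org = (nfile == 1) ? origin : rev }
    $2 != "IN" { next }          # skips $TTL, SOA body, comments, blank lines
    # A dotted target without a trailing dot is almost always a typo.
    ($3 == "NS" || $3 == "PTR" || $3 == "CNAME") && $4 ~ /\./ && $4 !~ /\.$/ {
      print "RELATIVE", $3, $4, "expands to", fqdn($4, org)
    }
    nfile == 1 && $3 == "A"     { addr[fqdn($1, org)] = $4 }
    nfile == 1 && $3 == "CNAME" { alias[fqdn($1, org)] = fqdn($4, org) }
    nfile == 2 && $3 == "PTR"   { n++; ip[n] = net "." $1; target[n] = fqdn($4, org) }
    END {
      for (i = 1; i <= n; i++) {
        name = target[i]
        if (name in alias) name = alias[name]      # follow one CNAME hop
        if (!(name in addr))
          print "NOADDR", ip[i], target[i]
        else if (addr[name] != ip[i])
          print "MISMATCH", ip[i], target[i], "has A", addr[name]
      }
    }' "$1" "$2"
}

# Constructed sample: the records from this page, with the NS target written
# without its trailing dot, plus two extra PTR records that do not match.
check_sample_zones() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/fwd" <<'EOF'
@        IN  NS     group5.com
@        IN  A      192.168.1.150
ubuntu   IN  A      192.168.1.253
ubuntu1  IN  A      192.168.1.252
ubuntu2  IN  A      192.168.1.251
www      IN  CNAME  ubuntu1
EOF
  cat > "$dir/rev" <<'EOF'
@    IN  NS   group5.com.
150  IN  PTR  group5.com.
253  IN  PTR  ubuntu.group5.com.
252  IN  PTR  ubuntu1.group5.com.
251  IN  PTR  ubuntu2.group5.com.
252  IN  PTR  www.group5.com.
249  IN  PTR  ubuntu.group5.com.
250  IN  PTR  mail.group5.com.
EOF
  zone_check "$dir/fwd" "$dir/rev"
  rm -rf "$dir"
}

check_sample_zones
```

On the server the call would be: zone_check /etc/bind/zones/group5.com.db /etc/bind/zones/db.192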

Testing
1) Dig (Domain Information Groper)

Used to interrogate DNS name servers. It performs the same function as DNS lookups.

2) Nslookup (Name Server Lookup)

Command used to query the DNS server. It has two modes: interactive mode and non-interactive mode.

Check forward zones:

    host group5.com

Check reverse zone:

    nslookup 192.168.1.150
    dig group5.com

3) Ping

Ping command is used to check network layer status of the server.

4) Host

Host command is used to perform DNS lookups. It is used to convert names to IP addresses and vice versa.

Understanding Web Server
A web server holds content that can be accessed and shared through the internet or an intranet. The major function of a web server is to respond to the requests made to it, serving the correct files requested, but only to authorized people. Clients request data from the web server using HTTP. The requested data may contain any type of file. In this project we implemented an Apache web server and created a webpage that is available to clients.

Steps to perform the setup/installation
Install the Apache web server on the server machine. Before the installation, update all the packages using a command. A browser should be able to load the content of the default web page of the server. Moreover, we can configure the default page and modify the content of the page when required. To update all the packages on the machine, the following command is used:

    sudo apt-get update

To install the Apache web server on the machine:

    sudo apt-get install apache2

To edit the default webpage:

•	Go to the /var/www directory from the current working directory using cd /var/www.

•	After running the command, the user does an ls to find the files and directories in the current directory.

•	The user finds the index.html file, which is the default web page of the server.

•	Now the user opens the file in edit mode to modify its content using the command sudo nano index.html.

Flush all the rules on port 80 on the webserver so that it can be made accessible to the clients in the network, using the below commands:

    sudo iptables -F    (if only the port 80 rule is present)
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Testing
Pre-Test: User updates all the packages in the machine and installs the apache web server on the server machine. Now try to launch the default webpage of the server using the browser in the same VMware

Step 1:

Action: Open the browser and type “localhost or 127.0.0.1” in the address bar.

Result: User should be displayed with the default web page of the server.

Pre-Test: After the installation, now user tries to edit the default page of the server and saves the page successfully. Now try to launch the webpage and see whether the changes are reflected or not

Step 2:

Action: Open a terminal and go into var/www/html. Then type the following command in order to edit the page: sudo nano index.html. We type in "Group 5 Project" in compliance with the HTML format.

Pre-Test: Try to access the webpage from a client's machine in the network.

Step 3:

Action: Key the IP 192.168.1.150 of the webserver into /etc/network/interfaces; this keeps a static IP for the webserver. The webserver will be accessible if the respective IP 192.168.1.150 is keyed into the browser.

Final : The Webpage is displayed and all the content is loaded.

Understanding Firewall
A firewall protects an internal secured network from any other network which is not accepted as secured. The main function of the firewall is to block and filter packets passing into the network. The term firewall can also be used within a network, when a particular server with lots of databases or confidential information is being protected from unauthorized users or unwanted hits in the network.

Firewalls are classified into three categories

1. Traditional packet filters

2. Stateful filters

3. Application gateway

Steps to perform the setup/installation
IPTABLES

IPTABLES is the database of firewall rules configured in the command-line interface terminal. It has the following built-in chains.

•	INPUT chain – Incoming to firewall. For packets coming to the server.

•	OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the server.

•	FORWARD chain – Packet for another NIC on the server. For packets routed through the local server.

IPtables is a user space application program that allows user to configure the firewall providing accept and reject rules. Iptables can be modified after installing the application program to our Linux.

    sudo apt-get update
    sudo apt-get install iptables

Implementation: To install telnet and SSH services on Linux machines:

SSH:

    sudo apt-get install openssh-server

Telnet:

    sudo apt-get install telnetd

IP tables rules set:

    sudo iptables -L    to list all the rules in the table.
    sudo iptables -F    to flush all the rules in the table.

Configuring the iptables for the firewall: Implementing specific TCP rules

    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0
    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 443 -i eth0
    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 20 -i eth0
    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 21 -i eth0
    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 22 -i eth0
    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 23 -i eth0

Block all ICMP

    sudo iptables -A INPUT -j DROP -p ICMP -i eth20

Allow the DNS Server

    sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 53 -i eth0

To delete a particular command

    sudo iptables -D INPUT

Configuring firewall on the client side

UFW rules: Used for easy configuration of iptables firewall.

ufw status: Used to check the status of firewall.

ufw enable: Used to enable UFW.

ufw reject out http: Used to block access to http port

ufw reject out https: Used to block access to https port

Testing
Pre-Conditions: To test the function of firewall it is configured on a server and client machine. Before testing, it is made sure that both client and server are in the same subnet.

Case 1:

Action: Ping from the client machine to the server and vice versa

Result: The ping, telnet and SSH should be successful as both the machines are able to communicate with each other

Command: ping 192.168.1.150

Command: telnet 192.168.1.150

Command: ssh -p 22 ubuntu@192.168.1.150

Case 2:

Pre-Conditions: A rule is included in the IPtables to block ping, telnet and SSH requests to the server machine using following command.

Command: sudo iptables -A INPUT -p icmp -j REJECT

Command: ping 192.168.1.150

Result: Client should get a message “Destination Host Unreachable”.

Command: sudo iptables -A INPUT -p tcp --dport 23 -j REJECT

Command: telnet 192.168.1.150

Result: Client should get a message “Connection refused”

Command: sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

Command: ssh -p 22 ubuntu@192.168.1.150

Result: Client should get a message “Connection refused”

Command: ufw reject out http/https

User shouldn’t be able to access the default webpage of the server.
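iptables stops at the first rule that matches a packet, and -A appends to the end of the chain, so the REJECT rules of Case 2 only take effect if the earlier ACCEPT rules for the same ports are no longer in the chain. The following is an added example, not part of the original project, that reads iptables -S output and reports rules overridden by an earlier rule with a different verdict. The function name rule_audit and the sample listing are constructed (the last sample rule is given -i eth0 to show the fully shadowed case); the comparison covers protocol, destination port and input interface only.

```shell
#!/bin/sh
# Added example (not from the original page): find iptables rules that cannot
# take effect because an earlier rule already matches the same traffic.

# Constructed sample of `iptables -S INPUT` output: ACCEPT rules like those in
# the setup section, followed by REJECT rules like those appended in Case 2.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

# Reads `iptables -S <chain>` output on stdin; prints one finding per line.
rule_audit() {
  awk '
    # Return the value that follows an option such as -p or --dport.
    function opt(flag,   i) {
      for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
      return ""
    }
    $1 == "-P" { policy = $3 }
    $1 == "-A" {
      n++
      proto[n] = opt("-p"); port[n] = opt("--dport")
      ifc[n]   = opt("-i"); tgt[n]  = opt("-j")
      what = proto[n]
      if (port[n] != "") what = what "/" port[n]
      what = what " " tgt[n]
      for (m = 1; m < n; m++) {
        # Only an earlier rule for the same protocol and port with a
        # different verdict can override this one (first match wins).
        if (proto[m] != proto[n] || port[m] != port[n] || tgt[m] == tgt[n])
          continue
        if (ifc[m] == "" || ifc[m] == ifc[n])
          print "SHADOWED rule " n " (" what ") never matches: rule " m " " tgt[m] " comes first"
        else if (ifc[n] == "")
          print "PARTIAL rule " n " (" what ") has no effect on " ifc[m] ": rule " m " " tgt[m] " comes first"
      }
    }
    END {
      if (policy == "ACCEPT")
        print "POLICY default is ACCEPT: traffic matching no rule is still let in"
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | rule_audit
```

On the server the input would come from: sudo iptables -S INPUT | rule_audit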

Understanding Backup
Backup is the process of copying and archiving data so that it can be used whenever there is an event of data loss or corruption. Generally, backups have two purposes. The major purpose is to recover data after data loss or data corruption. The secondary purpose is to recover data from a particular time, as defined by the user's data retention policy. In this project the content of the webserver is backed up and put on a server systematically every day, so that we have a copy of the webserver on another server even in the event of data loss or data corruption. The backup is scheduled to run at 12:00 am every day using a job that runs on the webserver. Every day this job runs to take a backup, zip the file and put it in the specified directory of the particular server.

Steps to perform the setup/installation
Install rsync on the server machine to manage the backup of the content of the server. Rsync is a utility that synchronizes files and directories from a user-specified server location to a user-specified backup location. Rsync detects differing files by checking the last modified time, whether the backup is scheduled every day or run whenever we perform the backup. This package enables the server to put the backup on another server on the network. This can be done using the following steps.

Step 1 - Install ssh first:

    sudo apt-get install ssh

Step 2 - Generate RSA keys:

    ssh-keygen -t rsa

Step 3 - Copy the RSA public key to the other host over ssh (OTHER_HOST stands for the address of that host):

    cat /home/karthik/id_rsa.pub | ssh root@OTHER_HOST "mkdir -p /root/.ssh && cat >> /root/.ssh/authorized_keys"

Step 4 - Install rsync using the following command:

    sudo apt-get install rsync

Step 5 - Rsync to copy the public key to virtual server:

    ssh root@192.168.1.60 rsync -a /var/www/html/ root@192.168.10.150:/var/www/html/

Step 6 - Crontab for ssh commands to run periodically:

    10 * * * * rsync -a /var/www/html/ root@192.168.10.150:/var/www/html/

Testing
The rsync command is used for testing the backup. For the test, the backup is made every 1 min, which also tests the crontab scheduler.

Understanding NIS
Network Information System (NIS) is used by smaller networks to identify their network by a name and can be used for system administration. NIS is implemented so that the entire knowledge of a particular system is available to every client and server in that system. Using a single user identification and password, the files and applications in the network can be accessed. NIS for smaller groups or networks can be compared with the DNS system. NIS implements the client-server model so that clients can access information from a centralized server. An NIS server consists of an entire archive of client programs and a small number of administrative tools to manage the clients. NIS is used along with NFS, which backs up tasks done on every server.

Steps to perform the setup/installation
1. NIS Server Configuration: In /etc/hosts.allow, the following is added:

    portmap ypserv ypbind : list of IP addresses

2. NIS is installed using the command:

    sudo apt-get install portmap nis

3. The file /etc/default/portmap has to be modified. Comment out the line:

    ARGS="-i 127.0.0.1"

4. The file /etc/default/nis has to be modified. The NISSERVER line is set to:

    NISSERVER=master

5. The file /etc/yp.conf has to be modified as:

    domain server

6. The file /var/yp/Makefile is modified: MINGID is set to 1.

7. The file /etc/ypserv.securenets is modified: a line to restrict access to domain members is added. It is made sure that the 0.0.0.0 line is commented out.

8. The DB is built for the first time:

    sudo /usr/lib/yp/ypinit -m

9. Portmap and NIS are restarted:

    sudo /etc/init.d/portmap restart
    sudo /etc/init.d/nis restart

Testing
Scenario1: Testing the backup archiving after running the command to save it locally. Go and check the specified destination folder and check for the contents of the file

Scenario2: Testing the backup archiving after running the command to save it across the network. Go and check the specified destination folder in the particular machine.

Scenario3: Make some changes in the webpage before 12:00 am of a day and check for the latest backup after 12:00 am either locally or in the particular machine in the network.

Scenario4: Check whether the files are zipped and saved in the specified destination paths given locally or across the network in the particular machine.

Understanding VPN
Virtual Private Network provides access to the private network from a public network like internet. While accessing, the private network will have same privileges similar to internet. The VPN connection is setup by creating a new VPN connection from the remote client and providing the generated SSID (Secure Session ID) and password from the access network. This provides VPN to allow a client to get access to a private network from internet in a secure way.

Steps to perform the setup/installation
1. Install the pptp server using apt-get:

    sudo apt-get install pptpd

2. Configure the pptpd file:

    sudo nano /etc/pptpd.conf

3. Add the server IP and client IP.

4. Configure the DNS server for clients when they connect to the pptp server:

    sudo nano /etc/ppp/pptpd-options

5. Add VPN users in /etc/ppp/chap-secrets:

    sudo nano /etc/ppp/chap-secrets

6. Start the server:

    /etc/init.d/pptpd restart

Testing
Established a VPN Connection successfully.

Verified the PPP IP address using the ifconfig.

Understanding NFS
Network File system is used by the client to access files over a network similar to access from storage. NFS allows a user to store and update a file in a remote computer as it can be accessed from user’s personal computer. The NFS uses client/ server model so a NFS client is installed in user’s computer which can be used to access from NFS server. NFS needs to have TCP/IP for communication between client and server model. The file system hosted in the NFS server is accessed along with read/write privileged access mode.

Steps to perform the setup/installation
1. Install NFS:

    sudo apt-get install nfs-kernel-server

2. Edit the exports file:

    sudo nano /etc/exports

    /home/maks/nfsroot *

3. Make a directory called nfsroot using the command:

    mkdir /home/maks/nfsroot

4. Restart the NFS server for the changes to be effective:

    sudo service nfs-kernel-server restart

5. Restart the portmap service:

    sudo /etc/init.d/portmap restart
    cd /home/maks/nfsroot/
    touch ybox    # create a file named ybox
    sudo nano ybox

6. For the client, install nfs-common:

    sudo apt-get install nfs-common

7. Check the path of the shared folder:

    sudo showmount -e

8. Link the 2 directories and mount the file to the server:

    sudo mount -t nfs :/home/maks/nfsroot /home/maks/nfs

Testing
1) To test the NFS server:

    sudo showmount -e

If it shows

    Export list for Ubuntu:
    /armnfs *

it means that the NFS server has been configured successfully.

2) To test the client:

    sudo mount 192.168.1.60:/armnfs /var/www/armnfs

If you want to stop the connection between the NFS client and the NFS server, use the below command:

    sudo umount 192.168.1.60:/armnfs /var/www/armnfs

Understanding SMTP:
SMTP is an Internet standard for electronic mail (e-mail) transmission. SMTP stands for Simple Mail Transfer Protocol. It's a set of communication guidelines that allow software to transmit email over the Internet. Most email software is designed to use SMTP for communication purposes when sending email, and it only works for outgoing messages. When people set up their email programs, they will typically have to give the address of their Internet service provider's SMTP server for outgoing mail. There are two other protocols - POP3 and IMAP - that are used for retrieving and storing email.

Steps to perform the setup/installation:
1) In order to install Postfix with SMTP-AUTH and TLS, first install the postfix package from the Main repository using your favorite package manager.

    sudo apt-get install postfix

2) Configuration:

    sudo dpkg-reconfigure postfix

3) To configure the mailbox format for Maildir:

    sudo postconf -e 'home_mailbox = Maildir/'

4) You may need to issue this as well:

    sudo postconf -e 'mailbox_command ='

5) Configure Postfix to do SMTP AUTH using SASL (saslauthd). Edit /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: plain login

6) Generate certificates to be used for TLS encryption and/or certificate authentication.

7) Configure Postfix to do TLS encryption for both incoming and outgoing mail.

Restart the postfix daemon:

    sudo /etc/init.d/postfix restart

Authentication

The next steps are to configure Postfix to use SASL for SMTP AUTH.

    touch smtpd.key
    chmod 600 smtpd.key

Testing
To see if SMTP-AUTH and TLS work properly, run the following command:

    telnet localhost 25

After you have established the connection to your postfix mail server, type:

    ehlo localhost