User:Dngroup

Group Members
1. Shweta Kulkarni
2. Ashwini Thaokar
3. Neerja Bhivandkar
4. Sugandha Joshi

Objective
To set up a robust, secure, dynamic and intelligent network using Linux Command Line Interface.

DHCP
Dynamic Host Configuration Protocol allows a host in its network to obtain (be allocated) an IP address automatically from a defined pool of addresses. A network administrator can configure DHCP so that a given host receives the same IP address each time it connects to the network, or a host may be assigned a temporary IP address that will be different each time the host connects to the network.

For a newly arriving host, the DHCP protocol is a four-step process:

1. DHCP server discovery : The first task of a newly arriving host is to find a DHCP server with which to interact. This is done using a DHCP discover message, which a client sends within a UDP packet to port 67. The UDP packet is encapsulated in an IP datagram. But to whom should this datagram be sent? The host doesn’t even know the IP address of the network to which it is attaching, or the address of a DHCP server for this network. Given this, the DHCP client creates an IP datagram containing its DHCP discover message along with the broadcast destination IP address of 255.255.255.255 and a “this host” source IP address of 0.0.0.0. The DHCP client passes the IP datagram to the link layer, which then broadcasts this frame to all nodes attached to the subnet.

2. DHCP server offer(s) : A DHCP server receiving a DHCP discover message responds to the client with a DHCP offer message that is broadcast to all nodes on the subnet, again using the IP broadcast address of 255.255.255.255. (You might want to think about why this server reply must also be broadcast: the client does not yet have an IP address that a unicast reply could be delivered to.) Since several DHCP servers can be present on the subnet, the client may find itself in the enviable position of being able to choose from among several offers. Each server offer message contains the transaction ID of the received discover message, the proposed IP address for the client, the network mask, and an IP address lease time, the amount of time for which the IP address will be valid. It is common for the server to set the lease time to several hours or days.

3. DHCP request : The newly arriving client will choose from among one or more server offers and respond to its selected offer with a DHCP request message, echoing back the configuration parameters.

4. DHCP ACK : The server responds to the DHCP request message with a DHCP ACK message, confirming the requested parameters. Once the client receives the DHCP ACK, the interaction is complete and the client can use the DHCP-allocated IP address for the lease duration.
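The four-step exchange above, worked through as an added example that is not part of the original project: a minimal DHCPv4 message builder and parser that runs the DISCOVER/OFFER/REQUEST/ACK sequence in memory, checks the transaction ID on each server reply, and records why the messages are broadcast. The server address 192.168.1.5 and the offered address 192.168.1.10 are taken from the DHCP configuration later on this page; the transaction ID and client MAC address are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
BROADCAST, UNSPECIFIED = "255.255.255.255", "0.0.0.0"

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build(msg_type, xid, mac, yiaddr=UNSPECIFIED, options=()):
    """Build a DHCPv4 payload: fixed header, magic cookie, option 53, extra options, end."""
    op = 1 if msg_type in (1, 3) else 2          # BOOTREQUEST from client, BOOTREPLY from server
    header = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,   # htype Ethernet, hlen 6, broadcast flag
                         b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                         mac, b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"

def parse(payload):
    """Parse the header and TLV options; raises on a missing cookie or message type."""
    f = struct.unpack(HDR, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if 53 not in opts:
        raise ValueError("option 53 (message type) missing")
    return {"xid": f[4], "yiaddr": ip_str(f[8]), "chaddr": f[11][:f[2]].hex(":"),
            "type": MSG_TYPES.get(opts[53][0], "?"), "options": opts}

def dora(client_mac, offered_ip, server_ip="192.168.1.5", lease=600):
    """Run the four-step exchange in memory. Returns a log of (type, IP dst, IP src)
    per message and the (address, lease seconds) the client ends up with."""
    xid = 0x3903F326                              # constructed transaction id
    log = []
    discover = build(1, xid, client_mac)         # client has no address yet: src 0.0.0.0
    log.append((parse(discover)["type"], BROADCAST, UNSPECIFIED))
    # Server offers an address and echoes the xid. Still broadcast: the client
    # has no IP yet, so a unicast datagram could not reach it.
    offer = build(2, xid, client_mac, offered_ip,
                  [(54, ip_bytes(server_ip)), (51, struct.pack("!I", lease))])
    o = parse(offer)
    if o["xid"] != xid or o["type"] != "OFFER":
        raise ValueError("offer does not belong to our transaction")
    log.append((o["type"], BROADCAST, server_ip))
    # Client requests the offered address from the chosen server (options 50 and 54).
    request = build(3, xid, client_mac,
                    options=[(50, ip_bytes(o["yiaddr"])), (54, o["options"][54])])
    log.append((parse(request)["type"], BROADCAST, UNSPECIFIED))
    # Server confirms; the client may use yiaddr for the lease time in option 51.
    ack = build(5, xid, client_mac, offered_ip,
                [(54, ip_bytes(server_ip)), (51, struct.pack("!I", lease))])
    a = parse(ack)
    if a["xid"] != xid or a["type"] != "ACK":
        raise ValueError("no valid ACK for our request")
    log.append((a["type"], BROADCAST, server_ip))
    return log, (a["yiaddr"], struct.unpack("!I", a["options"][51])[0])
```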

DNS
Definition: DNS translates domain names to IP addresses. Computers talk to each other via IP addresses, but it is impossible for humans to remember so many IP addresses at once; they are more comfortable remembering and using names. DNS is used to bridge communication between humans and computers.

Behavior of the protocol: You type a domain name into the web browser in a human-readable form that the computer does not understand. DNS performs the steps below:
 * The DNS database searches its table to find the matching IP address and resolves it. Once a match is made, the computer is able to communicate with the web server and retrieve the page.
 * First our computer searches its own local cache to find the address; if it is unable to, it sends the query to the resolver. The resolver searches its own cache for the address. If unsuccessful, it sends the query to a root server.
 * The root servers are the top of the hierarchy. They do not know the IP address but tell the resolver where to look for it: they direct it to the top-level domain (TLD) servers. The TLD servers store the address information for the top-level domains including .com, .org, .edu, .net etc. They read our request from right to left and direct us to the corresponding authoritative name server.
 * The authoritative name server has all the information about the domain stored in DNS records and thus responds to the resolver with the IP address of our website.
 * The resolver sends us the IP address and thus our computer is able to retrieve the page. The computer stores the data in its cache, passes the information to the browser and opens the website. The resolver also stores the IP address for future reference.

DNS records
Database records that tell the DNS server which domain name each IP address is associated with; they are used for mapping a URL to its IP address. The types of DNS records:

1. A / AAAA record: points a domain name to an IP address. A is an IPv4 address record and AAAA is an IPv6 address record.

2. PTR record: does the opposite of an A record, resolving an IP address to a domain name.

3. NS record: identifies the authoritative DNS servers for a domain. We keep two entries, for the primary and the secondary server, so that when changes are made the secondary queries the primary for them. Multiple name servers provide redundancy for your DNS and ensure that it works even if one of the name servers is unreachable from a host.

4. CNAME record: known as the canonical name record, it creates an alias domain name pointing at another domain name. It is used when we run multiple services from one IP address: if the IP address changes we only need to update it in one place. The only thing to keep in mind is that a CNAME cannot point directly to an IP address.

5. MX record: provides the mail servers for your domain. It identifies the server to which mail is directed.

6. SOA record: the first record in our zone file. It provides a number of details including:
 * the primary name server of the domain
 * the serial number or timestamp, which changes when we update our domain
 * the number of seconds before the zone should be refreshed
 * the number of seconds before a failed refresh should be retried
 * the upper limit in seconds before a zone is considered no longer authoritative
 * the negative result TTL

DNS zone files
A DNS zone is a portion of the domain name space in the DNS. We have defined and configured a forward lookup zone and a reverse lookup zone. A master or primary name server is defined in BIND using type master in the named.conf file. It is the master because it gets its zone data from a local source; the master responds to queries for which it is authoritative. A slave name server gets its zone data from an external source: the slave contacts the master for its zone data. If a slave cannot reach the master DNS server by the time the 'expiry' time has been reached, it will stop responding to requests for the zone.

WebServer
A web server is a program that serves files to web browsers running on client machines over HTTP (Hypertext Transfer Protocol). The files are generally HTML pages.

Firewall
A firewall controls incoming and outgoing traffic through a set of rules. It acts as a barrier that prevents untrusted sites from accessing our secure network, and keeps out hackers, untrusted users and viruses that try to harm your system. A firewall can be hardware or software.

Backup Server
We should have a server for backing up and restoring all the files, folders, databases and hard drives on the network, in order to prevent the loss of data in the event of a hard drive failure, user error, disaster or accident.

DHCP
1. Install DHCP server by downloading the package

sudo apt-get update

sudo apt-get install dhcp3-server

2. Configure the DHCP server

sudo nano /etc/dhcp/dhcpd.conf

Go to the block that begins with the comment "# A slightly different configuration for an internal subnet", uncomment it and set it up as follows:

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.20;
    option domain-name-servers 192.168.1.1, 8.8.4.4;
    option domain-name "internal.example.org";
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
}

3. Restart the DHCP server

sudo /etc/init.d/isc-dhcp-server restart

4. Make interface "ens33" (the default interface) static to give the server static IPv4 and IPv6 addresses; also provide the netmask and gateway

sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    broadcast 192.168.1.255
    network 192.168.1.0
    gateway 192.168.1.1

iface ens33 inet6 static
    address 2001:db8:0:1::2
    netmask 64
    gateway 2001:db8:0:1::1

5. To apply the changes above use the following command

sudo /etc/init.d/networking restart

6. Make “ens33” the default interface on DHCP server to serve DHCP request

sudo nano /etc/default/isc-dhcp-server

INTERFACES="ens33"

For IPv6:

7. Enable IPv6 routing

sudo nano /etc/sysctl.conf

uncomment the following line

net.ipv6.conf.all.forwarding=1

8. Install radvd (the router advertisement daemon) to advertise the IPv6 prefix

sudo apt-get install radvd

9. Create and edit /etc/radvd.conf with the following settings for radvd to work

sudo nano /etc/radvd.conf

interface ens33 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:db8:0:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

10. Create and edit dhcpd6.conf for DHCP server to assign IP addresses to all clients in the network

sudo nano /etc/dhcp/dhcpd6.conf

Write the following in the dhcpd6.conf file

default-lease-time 600;
max-lease-time 7200;

subnet6 2001:db8:0:1::/64 {
    range6 2001:db8:0:1::1000 2001:db8:0:1::1fff;
    option dhcp6.name-servers 2001:db8:0:1::200;
}

11. For the IPv6 address space to be advertised, radvd needs to be restarted.

sudo service radvd restart

At client side:

1. Accept a dynamic IP address from the DHCP server on the ens33 interface

sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet dhcp
iface ens33 inet dhcp6

2. Type ifconfig to see the IP address allocated from the range set by the DHCP server

ifconfig

DNS
To configure the DNS server the following steps are done:

1. The DNS server needs its own static IP address that is not dynamically allocated by the DHCP server. This removes a single point of failure: name resolution keeps working even if the DHCP server goes down. Use the following commands to do this.

sudo nano /etc/network/interfaces

We add the following lines to this file

auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

iface eth0 inet6 static
    address 2001:db8:0:1::100
    netmask 64
    gateway 2001:db8:0:1::1

2. In our hosts file we add our host, i.e. groupproject.com, along with its IP address

sudo nano /etc/hosts

192.168.1.100  ubuntu.groupproject.com ubuntu

3. We restart the networking daemon using the networking restart command as below

sudo /etc/init.d/networking restart

4. Before doing our configuration we need to stop dynamic entries from being written to our hosts file, by uninstalling network-manager and network-manager-gnome. This is done as

sudo apt-get remove network-manager network-manager-gnome

5. We need to install bind9, the BIND DNS server package on Ubuntu Linux

sudo apt-get install bind9

6. In BIND we need to edit the following configuration files:

sudo nano /etc/bind/named.conf.options
sudo nano /etc/bind/named.conf.local

7. We set forwarders in named.conf.options; these forward requests for hostnames that are not in our network. This is done by uncommenting the forwarders block and adding our gateway in IPv4 and IPv6 form along with Google's primary and secondary public DNS servers

sudo nano /etc/bind/named.conf.options

forwarders {
    192.168.1.1;
    2001:db8:0:1::1;
    8.8.8.8;
    8.8.4.4;
};

8. We create the forward and reverse lookup zones in the file named.conf.local. The forward lookup zone holds the address records and is used to map hostnames to IP addresses; the reverse lookup zone holds PTR records and is used to map IP addresses to hostnames.

sudo nano /etc/bind/named.conf.local

// Forward lookup zones
zone "groupproject.com" {
    type master;
    file "/etc/bind/db.groupproject.com";
    //allow-transfer {192.168.1.100;};
};
zone "groupprojectv6.com" {
    type master;
    file "/etc/bind/db.groupproject.com";
    //allow-transfer {2001:db8:0:1::100;};
};

// Reverse lookup zones
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    //allow-transfer {192.168.1.100;};
};
zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    //allow-transfer {2001:db8:0:1::100;};
    file "/etc/bind/db.195";
};

9. We create the forward zone database file db.groupproject.com

sudo nano /etc/bind/db.groupproject.com

$TTL    3D
@       IN      SOA     ubuntu.groupproject.com. root.ubuntu.groupproject.com. (
                        35          ; serial
                        28800       ; refresh
                        3600        ; retry
                        604800      ; expire
                        38400 )     ; negative cache TTL
;
@           IN      NS      ubuntu.groupproject.com.
@           IN      A       192.168.1.100
            IN      AAAA    2001:db8:0:1::100
linux       IN      A       192.168.1.6
ubuntu      IN      A       192.168.1.100
            IN      AAAA    2001:db8:0:1::100
student1    IN      A       192.168.1.51
            IN      AAAA    2001:db8:0:1::51
student2    IN      A       192.168.1.52
            IN      AAAA    2001:db8:0:1::52
student3    IN      A       192.168.1.53
            IN      AAAA    2001:db8:0:1::53
student4    IN      A       192.168.1.54
            IN      AAAA    2001:db8:0:1::54
slave       IN      A       192.168.1.10
            IN      AAAA    2001:db8:0:1::10
www         IN      CNAME   ubuntu

10. We create the reverse zone database file db.192

sudo nano /etc/bind/db.192

$TTL    604800
@       IN      SOA     ubuntu.groupproject.com. root.ubuntu.groupproject.com. (
                        26          ; serial
                        604800      ; refresh
                        86400       ; retry
                        2419200     ; expire
                        604800 )    ; negative cache TTL
;
@       IN      NS      ubuntu.groupproject.com.
100     IN      PTR     ubuntu.groupproject.com.
; the A records below are outside this reverse zone; named ignores them as out-of-zone data
ubuntu.groupproject.com.    IN      A       192.168.1.100
51      IN      PTR     student1.groupproject.com.
52      IN      PTR     student2.groupproject.com.
53      IN      PTR     student3.groupproject.com.
54      IN      PTR     student4.groupproject.com.
1       IN      PTR     gw.groupproject.com.
6       IN      PTR     linux.groupproject.com.
linux.groupproject.com.     IN      A       192.168.1.6
10      IN      PTR     slave.groupproject.com.

11. We create the file db.195 for IPv6 reverse lookup

$TTL    604800
@       IN      SOA     ubuntu.groupproject.com. root.ubuntu.groupproject.com. (
                        43          ; serial
                        604800      ; refresh
                        86400       ; retry
                        2419200     ; expire
                        604800 )    ; negative cache TTL
;
@                                   IN      NS      ubuntu.groupproject.com.
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     ubuntu.groupproject.com.
; the AAAA record below is outside this reverse zone; named ignores it as out-of-zone data
ubuntu.groupproject.com.            IN      AAAA    2001:db8:0:1::100
1.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     student1.groupproject.com.
2.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     student2.groupproject.com.
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     student3.groupproject.com.
4.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     student4.groupproject.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     gw.groupproject.com.
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN      PTR     slave.groupproject.com.
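The owner names in the two reverse zone files are the address octets (IPv4) or all 32 nibbles (IPv6) written in reverse, relative to the zone name. As an added example that is not part of the original project, the following Python derives those labels from the forward records, generates the PTR lines a reverse zone needs, and flags any PTR whose target has no matching forward record (the usual way a reverse zone drifts when a host is renumbered). The forward data is a subset of db.groupproject.com copied inline; the zone names are the ones from named.conf.local.

```python
import ipaddress

# Subset of the forward records from db.groupproject.com (hostname -> addresses).
FORWARD = {
    "ubuntu":   ["192.168.1.100", "2001:db8:0:1::100"],
    "linux":    ["192.168.1.6"],
    "student1": ["192.168.1.51", "2001:db8:0:1::51"],
    "slave":    ["192.168.1.10", "2001:db8:0:1::10"],
}
ORIGIN = "groupproject.com."
ZONE_V4 = "1.168.192.in-addr.arpa"
ZONE_V6 = "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"

def reverse_name(addr):
    """Full reverse-lookup name: octets reversed under in-addr.arpa for IPv4,
    all 32 nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def relative_label(addr, zone):
    """Owner name relative to a reverse zone, as written in db.192 or db.195.
    Raises if the address is not covered by that zone."""
    full = reverse_name(addr)
    suffix = "." + zone.rstrip(".") + "."
    if not full.endswith(suffix):
        raise ValueError(f"{addr} is not inside zone {zone}")
    return full[:-len(suffix)]

def ptr_records(forward, origin, zone):
    """Generate the PTR lines a reverse zone needs for every address it covers."""
    lines = []
    for host, addrs in forward.items():
        for addr in addrs:
            try:
                label = relative_label(addr, zone)
            except ValueError:
                continue                  # belongs to the other reverse zone
            lines.append(f"{label}\tIN\tPTR\t{host}.{origin}")
    return lines

def address_from_reverse(name):
    """Inverse of reverse_name: rebuild the address from a full reverse name."""
    name = name.rstrip(".")
    if name.endswith(".in-addr.arpa"):
        octets = name[:-len(".in-addr.arpa")].split(".")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = "".join(reversed(name[:-len(".ip6.arpa")].split(".")))
        return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    raise ValueError("not a reverse name: " + name)

def check_ptrs(ptr_lines, forward, origin, zone):
    """Return one problem string per PTR whose target has no forward record for that address."""
    problems = []
    for line in ptr_lines:
        label, _, _, target = line.split()
        addr = address_from_reverse(f"{label}.{zone.rstrip('.')}.")
        host = target[:-len("." + origin)] if target.endswith("." + origin) else target
        if addr not in forward.get(host, []):
            problems.append(f"{addr} -> {target}: no forward record")
    return problems
```

Running ptr_records against both zones reproduces the owner labels shown in db.192 and db.195 above, so the same code can be used to regenerate the reverse zones whenever the forward zone changes.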

12. Add the nameserver to the /etc/resolv.conf file

sudo nano /etc/resolv.conf

search groupproject.com
nameserver 192.168.1.100

13. Restart BIND to apply the changes we have made, using the command:

sudo /etc/init.d/bind9 restart

14. Check the server using nslookup for both IPv4 and IPv6.

nslookup "add your host's static IPv4 address"
nslookup "add your host's static IPv6 address"

For DNS Slave:

1. Repeat steps 1 – 7. We make changes in the named.conf.local file as follows:

sudo nano /etc/bind/named.conf.local

// Forward lookup zones
zone "groupproject.com" {
    type slave;
    masters {192.168.1.100;};
    file "/etc/bind/db.groupproject.com";
};
zone "groupprojectv6.com" {
    type slave;
    masters {2001:db8:0:1::100;};
};

// Reverse lookup zones
zone "1.168.192.in-addr.arpa" {
    type slave;
    masters {192.168.1.100;};
    file "/etc/bind/db.192";
};
zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type slave;
    masters {2001:db8:0:1::100;};
    file "/etc/bind/db.195";
};

2. Add the nameservers to the resolv.conf file.

sudo nano /etc/resolv.conf

search groupproject.com
nameserver 192.168.1.100
nameserver 192.168.1.10

3. Restart BIND to apply the changes we have made, using the command:

sudo /etc/init.d/bind9 restart

WebServer
1. Install apache2 on the web server

sudo apt-get install apache2

2. Set the ServerName and ServerAdmin for your server in the site file under sites-available using the command

sudo nano /etc/apache2/sites-available/000-default.conf

ServerName linux.groupproject.com
ServerAdmin 192.168.1.6
DocumentRoot /var/www/html/

3. Add the IP address and domain name of your web server to the hosts file with the command

sudo nano /etc/hosts

192.168.1.6    linux.groupproject.com

4. To edit your HTML page open the index.html file with the command

sudo nano /var/www/html/index.html

5. The apache2 service is then restarted to apply the changes

sudo service apache2 restart

Firewall
1. Install the firewall

sudo apt-get install ufw

2. By default the firewall is inactive. To enable it we have to add rules.

To allow incoming and outgoing connections to unencrypted web servers use

sudo ufw default allow outgoing
sudo ufw default allow incoming

Note that "default allow incoming" accepts every incoming connection that no explicit rule matches, so the deny rule in the next step is the only thing blocking traffic.

3. To deny HTTP connections from 192.168.1.7 use

sudo ufw deny from 192.168.1.7 to any port 80

4. To enable the firewall with this configuration use the command

sudo ufw enable

5. To check the status of ufw we give the command

sudo ufw status verbose

or

sudo ufw status numbered

Backup Server
1. Install apache2 on the backup server as well

sudo apt-get install apache2

2. Back up the web server using rsync

rsync -avz --delete -e ssh /var/www/html/ ashwinithaokar@192.168.1.7:/home/ashwinithaokar/groupbackup/

3. On the web server, generate an SSH key pair for secure communication between the web server and the backup server

ssh-keygen -t rsa
ssh-add

4. Send the generated public key file to the remote server, that is the backup server

scp /home/shweta/.ssh/id_rsa.pub ashwinithaokar@192.168.1.7:/home/ashwinithaokar/.ssh/id_rsa.pub

5. On the backup server append the public key to the authorized_keys file

cat /home/ashwinithaokar/.ssh/id_rsa.pub >> /home/ashwinithaokar/.ssh/authorized_keys

6. Change the permissions of the authorized_keys file so that only the user can read, write and execute it

chmod 700 /home/ashwinithaokar/.ssh/authorized_keys

7. To automate the backup at midnight every day use crontab

crontab -e

0 0 * * * rsync -avz --delete -e ssh /var/www/html/ ashwinithaokar@192.168.1.7:/home/ashwinithaokar/groupbackup/

ARP poisoning
1. To install Scapy we use the command

sudo apt-get install python-scapy

2. Write a Python program to perform ARP poisoning as a Scapy script. Name the file poison.py

Turn on IP forwarding with the following command as root:

echo 1 > /proc/sys/net/ipv4/ip_forward

3. To inject the malicious user's web page into the victim's web browser execute the following commands:

iptables -t nat --flush
iptables --zero
iptables -A FORWARD --in-interface ens33 -j ACCEPT
iptables -t nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination 192.168.1.8

4. Now run the ARP poisoning program in Python

sudo python poison.py

NFS
The shared file lives on the host with IP address 192.168.1.5 (nfsserver). It should be accessible from the hosts with IP addresses 192.168.1.6 (nfsclient) and 192.168.1.11 (nfsclient). To achieve this, the following commands are used on nfsserver and nfsclient

NFS SERVER

1. update the packages

sudo apt-get update

2. install nfs-kernel-server

sudo apt-get install nfs-kernel-server

3. make directory to be mounted on client

sudo mkdir /home/xyz/nfsserver

4. configure the /etc/exports file

sudo nano /etc/exports

add the following line to the file:

/home/xyz/nfsserver 192.168.1.0/24(rw,sync,no_root_squash,no_subtree_check)

Note that no_root_squash lets root on any client act as root on the exported directory; keep the default root_squash unless the clients genuinely need root access to the export.

5. to apply the changes type the following command

sudo exportfs -a

6. restart the nfs server

sudo service nfs-kernel-server restart

NFS CLIENT

1. update the packages

sudo apt-get update

2. install nfs-common

sudo apt-get install nfs-common

3. make directory to mount files locally

sudo mkdir /home/abc/nfsclient

4. type the following command to mount the directory from the server on the client

sudo mount 192.168.1.5:/home/xyz/nfsserver /home/abc/nfsclient

5. to check whether it got mounted

df -h

VPN Tunneling
An IPsec VPN tunnel is created between the hosts with IP addresses 192.168.1.100 and 192.168.1.10

1. Install strongswan

sudo apt-get update

sudo apt-get install strongswan

For the system with IP address 192.168.1.100 do the following:

2. Edit ipsec.conf file and give left and right parameters

sudo nano /etc/ipsec.conf

conn server-to-client
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.1.100
    right=192.168.1.10
    type=transport
    esp=aes128gcm16!

3. Edit the ipsec.secrets file to provide the shared key

sudo nano /etc/ipsec.secrets

192.168.1.100 192.168.1.10 : PSK "password"

For the system with IP address 192.168.1.10 do the following

4. Install strongswan

sudo apt-get update

sudo apt-get install strongswan

5. Edit ipsec.conf file and give left and right parameters

sudo nano /etc/ipsec.conf

conn client-to-server
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.1.10
    right=192.168.1.100
    type=transport
    esp=aes128gcm16!

6. Edit the ipsec.secrets file to provide the shared key

sudo nano /etc/ipsec.secrets

192.168.1.100 192.168.1.10 : PSK "password"

7. From the system with IP address 192.168.1.10, ping the other end of the tunnel

ping 192.168.1.100

8. Simultaneously, check that the packets are traversing the tunnel (do this on the system with IP address 192.168.1.100)

sudo tcpdump esp

DHCP
At the client side use ifconfig to check that it received an IP address from the DHCP address pool

ifconfig

At the server side check leases to see which client received which address from the DHCP address pool.

sudo tail /var/lib/dhcp/dhcpd.leases    % to check IPv4 addresses

sudo tail /var/lib/dhcp/dhcpd6.leases   % to check IPv6 addresses

DNS
Test the forward zone entry to check that the forward zone file is working correctly

named-checkzone groupproject.com /etc/bind/db.groupproject.com

Test the reverse zone entry to check that the reverse zone file is working correctly (the zone name given must be the reverse zone, not the forward one)

named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192

Use nslookup against the DNS server for the IPv4 and IPv6 forward and reverse records

nslookup 192.168.1.100
nslookup 2001:db8:0:1::100

On the master DNS server, ping the slave DNS server to see that it is able to communicate with it

ping 192.168.1.10

On the slave DNS server, ping the master DNS server to see that it is able to communicate with it

ping 192.168.1.100

Shut down the master DNS Server and check if the slave is resolving query for the client

Check that we get the host's web page in our web browser: open Firefox and enter the hostname www.linux.groupproject.com

Web Server
Go to the web browser (Firefox) and type the name of the website we created, i.e. linux.groupproject.com

Firewall
Open the blocked client's web browser and try to access the website. It will not be able to connect to the server while the firewall is enabled on the web server.

Backup
Change the scheduled backup time with crontab -e and check that the updated HTML file is received at the backup server.

ARP testing
Check the ARP table on the victim's system

arp -a

Run the poison.py file on the malicious server

Now try to open the legitimate website in the victim's web browser; we will see the hacked web page

Again check the ARP table on the victim's system and notice that the MAC address has changed.

NFS testing
To check that the client's path got mounted to receive the files exported by the server, use the following command

df -h

Also go to the client's path to check the content of the received file

cat "client's path"

VPN testing
From the system with IP address 192.168.1.10, ping the other end of the tunnel

ping 192.168.1.100

Check that the packets are traversing the tunnel (do this on the system with IP address 192.168.1.100)

sudo tcpdump esp

ESP packets are received on the other side of the tunnel

Future Scope
1. The DHCP Server can be made more robust by adding port security

2. Firewall can be enhanced to dodge poisoning attacks on the DNS server

3. We can integrate VPN gateways into the network to establish secure communication.