User:Paranoid345/sandbox

Team Members
1. Sujay Premkumar

2. Shashank Hegde

3. Anirudh Rao

4. Nithesh Nagaraj

Objective
The objective is to design and implement a robust, secure, dynamic and intelligent network that supports Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), a web server, a firewall and a backup system, all running on the Linux operating system.

Motivation
Linux is one of the most powerful open-source operating systems and has become the backbone of many network applications. Being open source, it is available free of charge and is more flexible than most alternatives, which makes it the most feasible and preferable option for this project.

Domain Name System
The main function of the Domain Name System is to resolve a domain name into its corresponding IP address using the entries in its zone database files. When a domain name is typed into the address bar of a web browser, a DNS query is first sent to the name server, which resolves the name into an IP address according to its entries. Caching can also be enabled, so that the next time the same name is entered the resolution is faster. This can be verified using the dig command.

Dynamic Host Configuration Protocol
Assigning IP addresses to networking components can be done in the following ways.

i) Static Allocation: In this method, IP addresses of networking components such as computers and routers are assigned manually and remain constant until changed by the network administrator.

ii) Automatic Allocation: In this method, the same IP address is allocated to a system every time it connects to a particular network.

iii) Dynamic Allocation: In this method, a DHCP server allocates IP addresses to devices from a pool of addresses configured on the server. Both IPv4 and IPv6 addressing can be provided by the DHCP server. A suitable subnet mask has to be specified for correct allocation of addresses and to avoid wasting them.

Webserver & Firewall
In order to host a website, a web server has to run on the Linux OS; Apache2 is the most widely used one. In addition, a firewall adds a layer of security by controlling the incoming and outgoing traffic of the network. All traffic that does not match the allowed iptables rules is denied by the firewall at the gateway router (the router between the private network and the public network).

Requirements
The main requirement is a Linux-based OS; this project is implemented on Ubuntu 14.04. In addition, BIND9 for DNS caching, the ISC DHCP server for dynamic IP allocation and Apache2 for hosting a website are required.

DNS
Step 1: Install bind using the command below

Command:

sudo apt-get install bind9

Step 2: Create a hostname

Command:

sudo nano /etc/hostname

ns

Where ns stands for NAMESERVER. Any host name can be used; we have used ns for better understanding.

Step 3: Create a domain name by editing /etc/hosts

Command:

sudo nano /etc/hosts

Add

127.0.0.1  localhost

192.168.1.204    ns.example.org    ns

Step 4: Now Configure named.conf.options

Command:

sudo nano /etc/bind/named.conf.options

Add the forwarders block (the # comment has to be on its own line; placed in front of 8.8.8.8; it would comment that address out):

forwarders {
        # ISP DNS IPs
        8.8.8.8;
        8.8.4.4;
};

Step 5: Make sure named.conf has the following lines,

Command:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Step 6: Configure named.conf.local

Command:

sudo nano /etc/bind/named.conf.local

Edit

# Forward zone
zone "example.org" {
        type master;
        file "/etc/bind/zones/db.example.org";
};

# Reverse Zone
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192";
};

Step 7: Create two database files, db.example.org and db.192, in the zones folder

Command:

Make the zones directory /etc/bind/zones

sudo mkdir /etc/bind/zones

Use the command below to copy db.local to db.example.org

sudo cp /etc/bind/db.local /etc/bind/zones/db.example.org

Open the db.example.org file

sudo nano /etc/bind/zones/db.example.org

Edit the file

$TTL    604800
@       IN      SOA     example.org. root.example.org. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Names that end in a dot are absolute; without the dot BIND appends the zone
; origin (ns.example.org would become ns.example.org.example.org).
@               IN      NS      ns.example.org.
ns              IN      A       192.168.1.8     ; the NS name needs an address record; 192.168.1.8 is the server address used below
@               IN      A       192.168.1.8
itworks         IN      A       192.168.1.10
macbook         IN      CNAME   itworks.example.org.
www             IN      A       192.168.1.8

Save and Exit

Use the below command to copy db.127 to db.192

sudo cp /etc/bind/db.127 /etc/bind/zones/db.192

Open db.192 file

sudo nano /etc/bind/zones/db.192

Edit the file

$TTL    604800
@       IN      SOA     example.org. root.example.org. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; PTR targets must be absolute (trailing dot) and match the A records of the forward zone.
@       IN      NS      ns.example.org.
8       IN      PTR     www.example.org.
10      IN      PTR     itworks.example.org.

Save and Exit

Step 8: Check whether the forward zone loads correctly by executing the command below

named-checkzone example.org /etc/bind/zones/db.example.org

Expected output:

zone example.org/IN: loaded serial 1
OK

Step 9: Check whether the reverse zone loads correctly by executing the command below

named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192

Expected output:

zone 1.168.192.in-addr.arpa/IN: loaded serial 1
OK
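named-checkzone only checks each file on its own; it will not notice a PTR that names a host the forward zone does not define. The following Python checker is an added example (not part of the original project): it reads the simple "owner IN TYPE rdata" form used in the two files above, flags NS, CNAME and PTR targets that lack the trailing dot, and reports A records without a PTR and PTR records without a matching A record. The sample zone text is constructed inline and mirrors the corrected db.example.org and db.192.

```python
def absolute(name, origin):  # '@' is the origin; a name without a trailing dot is relative to it (BIND's rule)
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Yield (owner_fqdn, type, rdata) from a simple 'owner IN TYPE rdata' zone file."""
    depth = 0                                # >0 while inside the SOA ( ... ) block
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ;comments
        f = line.split()
        if depth:
            depth -= line.count(")")
        elif len(f) >= 4 and f[1] == "IN" and f[2] == "SOA":
            depth = line.count("(") - line.count(")")
        elif len(f) >= 4 and f[1] == "IN":
            yield absolute(f[0], origin), f[2], f[3]

def reverse_to_ip(ptr_owner):  # '8.1.168.192.in-addr.arpa.' -> '192.168.1.8'
    return ".".join(reversed(ptr_owner.rstrip(".").split(".")[:-2]))

def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of findings; an empty list means the forward and reverse zones agree."""
    findings, a_by_ip, ptr_ips = [], {}, set()
    for name, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_by_ip.setdefault(rdata, set()).add(name)
        elif rtype in ("NS", "CNAME") and not rdata.endswith("."):
            findings.append(f"{name} {rtype} '{rdata}' lacks a trailing dot (read as {absolute(rdata, fwd_origin)})")
    for name, rtype, rdata in (r for r in parse_zone(rev_text, rev_origin) if r[1] == "PTR"):
        if not rdata.endswith("."):
            findings.append(f"PTR {name} '{rdata}' lacks a trailing dot (read as {absolute(rdata, rev_origin)})")
        ptr_ips.add(ip := reverse_to_ip(name))
        if rdata not in a_by_ip.get(ip, ()):
            findings.append(f"PTR {ip} -> {rdata} has no matching A record")
    findings += [f"A {ip} ({', '.join(sorted(n))}) has no PTR" for ip, n in a_by_ip.items() if ip not in ptr_ips]
    return findings

# Constructed samples mirroring db.example.org and db.192 above, in corrected form.
FWD_ZONE = """@ IN SOA example.org. root.example.org. ( 1 604800 86400
    2419200 604800 )  ; Negative Cache TTL
@       IN NS    ns.example.org.
www     IN A     192.168.1.8
itworks IN A     192.168.1.10
macbook IN CNAME itworks.example.org.
"""
REV_ZONE = """@ IN SOA example.org. root.example.org. ( 1 604800 86400 2419200 604800 )
8  IN PTR www.example.org.
10 IN PTR itworks.example.org.
"""
```

Running check_consistency on the original reverse file (PTR targets linux.abc and itworks.linux.abc) produces a trailing-dot finding and a missing-A finding for each PTR.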

Step 10: Configure resolv.conf

Command:

sudo nano /etc/resolv.conf

Edit (the keyword is lowercase nameserver; a capitalised Nameserver line is ignored)

nameserver     192.168.1.5
domain         example.org
search         example.org

On Ubuntu 14.04 /etc/resolv.conf is regenerated by resolvconf, so the same settings should also be given as dns-nameservers and dns-search lines in /etc/network/interfaces, otherwise they are lost at the next reboot.

Restart the bind server and check the log file for errors

sudo /etc/init.d/bind9 restart

tail -f /var/log/syslog

The output of tail -f /var/log/syslog should contain a "loaded serial 1" line for each zone and no error messages.

DHCP
Step1: Install DHCP server package

Command:

sudo apt-get install isc-dhcp-server

Step 2: Edit the isc-dhcp-server file

Command:

sudo nano /etc/default/isc-dhcp-server

On line 11 change (use straight quotes; the name must be the interface the server should listen on):

INTERFACES="eth0"

Save and Exit

Step 3: Editing file /etc/dhcp/dhcpd.conf

Create a backup of /etc/dhcp/dhcpd.conf

Command:

sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original

Login as root

sudo -i

Create the configuration file dhcpd.conf (the heredoc has to be closed by the EOF line and the subnet block by its brace; each address range is a separate range statement, and the host names in the global domain-name-servers option must be resolvable when dhcpd starts, otherwise it refuses to run):

cat > /etc/dhcp/dhcpd.conf <<-EOF
option domain-name "linux.abc";
option domain-name-servers ns1.linux.abc, ns2.linux.abc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.30;
    range 192.168.1.60 192.168.1.80;
    option domain-name-servers 192.168.1.5, 192.168.1.6;
    option domain-name "serv.linux.abc";
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
}
EOF

Step4: Restart the DHCP server

Command:

sudo service isc-dhcp-server restart

Webserver
Step 1: Install Apache2 Webserver

Command: sudo apt-get install apache2

Step 2: Check whether the web server is able to listen on port 80

Command: netstat -a | more

Step 3: Restart the web server

Command: sudo /etc/init.d/apache2 stop

sudo /etc/init.d/apache2 start

Step 4: Develop a webpage for the server

Command: cd /var/www/html    (the Apache 2.4 document root on Ubuntu 14.04)

sudo nano index.html

Firewall
The firewall allows the system administrator to configure the iptables rules. The rules below use the server address 192.168.1.8 from the DNS section; -A INPUT appends a rule to the chain that handles packets addressed to this host. The rules take effect immediately but are lost at reboot unless saved.

1. In order to block ICMP echo requests (incoming pings are ICMP type 8, echo-request; type 0 is the echo reply):

sudo iptables -A INPUT -d 192.168.1.8 -p icmp --icmp-type echo-request -j DROP

2. In order to prevent SSH login:

sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport ssh -j DROP

3. In order to block the FTP ports:

sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 21 -j DROP

4. In order to block the port used by Telnet:

sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 23 -j DROP

5. To block the web page for one client (here 192.168.1.22; the web server listens on port 80):

sudo iptables -A INPUT -d 192.168.1.8 -s 192.168.1.22 -p tcp --dport 80 -j DROP

Mail Server
Postfix is the default mail transfer agent for Ubuntu.

Step 1: Install postfix

Command:

sudo apt-get install postfix

Step 2: Configure the following:

Command:

sudo dpkg-reconfigure postfix

Insert the following details:

1. General type of mail configuration: Internet Site
2. NONE doesn't appear in the current config
3. System mail name: linux.abc
4. Root and postmaster mail recipient: 
5. Other destinations for mail: server1.linux.abc
6. Force synchronous updates on mail queue?: No
7. Local networks: 127.0.0.0/8
8. Yes doesn't appear to be requested in the current config
9. Mailbox size limit (bytes): 0
10. Local address extension character: +
11. Internet protocols to use: all

Step 3: Configure the mailbox format for Maildir

Command:

sudo postconf -e 'home_mailbox = Maildir/'

sudo postconf -e 'mailbox_command ='

Step 4: Configure Postfix to do SMTP AUTH using SASL

Command:

sudo postconf -e 'smtpd_sasl_local_domain ='

sudo postconf -e 'smtpd_sasl_auth_enable = yes'

sudo postconf -e 'smtpd_sasl_security_options = noanonymous'

sudo postconf -e 'broken_sasl_auth_clients = yes'

sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

sudo postconf -e 'inet_interfaces = all'

Generate the certificates to be used for TLS encryption and/or certificate authentication

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 2048 > smtpd.key    # 2048 bits; the 1024-bit key originally generated here is below today's minimum
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt    # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650    # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Step 5:Configure Postfix to do TLS encryption for incoming and outgoing mail:

Command:

sudo postconf -e 'smtp_tls_security_level = may'

This smtp_ parameter covers mail Postfix sends out; TLS on incoming connections is controlled by the corresponding smtpd_tls_* parameters, which have to point at the certificate and key generated above.

Step 6: Restart the postfix daemon

Command:

sudo /etc/init.d/postfix restart

VPN
Step 1:Install pptpd package used to configure VPN

Command:

sudo apt-get install pptpd

Step 2: Edit /etc/pptpd.conf and set the tunnel addresses (localip is the address the VPN server uses on the tunnel and is not specified in the original; remoteip is the range handed to clients):

Command:

localip <vpn-server-ip>
remoteip 192.168.1.10-30

Step 3: Edit the /etc/ppp/pptpd-options file

Command:

ms-dns 192.168.1.254

Step 4: Set the user id and password

Command:

sudo nano /etc/ppp/chap-secrets

user pptpd password *

The * means the client may be given any IP address from the remoteip range.

NFS
Step 1: Configuring the NFS server

Command:

sudo apt-get install nfs-kernel-server
sudo mkdir -p /export/shared
sudo chmod 777 /export/shared

Edit the file

sudo nano /etc/exports

On the last line append the export together with the clients allowed to mount it (replace <client-subnet> with the LAN network in CIDR form; no_root_squash lets a client's root act as root on the share, so omit it unless the clients are trusted):

/export/shared <client-subnet>(rw,sync,no_root_squash)

Save and Exit

Change the directory: cd /export/shared

touch newfile

sudo nano newfile

# Enter the data that is to be seen by the client

sudo reboot

Restart the server

sudo service nfs-kernel-server restart

Step 2: Configuring the NFS client

Command:

sudo apt-get install nfs-common

Make a mount-point directory in /home, then mount the share (replace serverip and the paths with your own):

sudo mount serverip:/export/shared /clientpath

To have the share mounted again after a reboot, add it to /etc/fstab (server export, mount point, type nfs) so that mount -a picks it up:

sudo reboot

sudo mount -a

Master & Slave
Step 1: Edit /etc/hosts

Command:

sudo nano /etc/hosts

Add

127.0.0.1      localhost
192.168.1.5    ubuntu.linux.abc    ubuntu
192.168.1.6    ubuntu.linux.abc    ubuntu

Step 2: Edit /etc/bind/named.conf.local on the master virtual machine

Command:

sudo nano /etc/bind/named.conf.local

Edit

# Forward zone
zone "linux.abc" {
        type master;
        allow-transfer { <ip address of the slave>; };
        file "/etc/bind/zones/db.linux.abc";
};

# Reverse Zone
zone "1.168.192.in-addr.arpa" {
        type master;
        allow-transfer { <ip address of the slave>; };
        file "/etc/bind/zones/db.192";
};

Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine

Command:

sudo nano /etc/bind/named.conf.local

Edit

# Forward zone
zone "linux.abc" {
        type slave;
        masters { <ip address of the master>; };
        file "/etc/bind/zones/db.linux.abc";
};

# Reverse Zone
zone "1.168.192.in-addr.arpa" {
        type slave;
        masters { <ip address of the master>; };
        file "/etc/bind/zones/db.192";
};

Backup
The tools used for backup are rsync and ssh. Rsync synchronizes files between machines and transfers only the data that has changed since the last synchronization. SSH provides an encrypted channel for sending and receiving files between Unix machines. Crontab is used for scheduling the backups.

Step 1: Install rsync

sudo apt-get install rsync

Step 2: Install ssh

sudo apt-get install openssh-server

Step 3: Create a public and private key pair for security (RSA keys should be at least 2048 bits; ssh-keygen rejects sizes below 1024, so the 1000 given originally would not be accepted)

ssh-keygen -t rsa -b 2048

Step 4: Copy this into the web server

ssh-copy-id -i /root/.ssh/id_rsa.pub webserver@ipaddress

Step 5: Edit crontab

crontab -e

Step 6: Add the schedule and the rsync command to the crontab to automate the backup of the web server using rsync

rsync -avzh -e ssh webserver@ipaddress:/var/www /home/backupserver/DestinationFolder

PXE Boot and RARP
The Bootstrap Protocol (BOOTP) is a network protocol used by a client to obtain an IP address from a server that provides an IP address pool. PXE boot is an extension of BOOTP and DHCP. Using PXE boot, thousands of Linux terminals can be booted from a remote server.

The configuration for PXE boot has the following four steps:

Step 1: Configure the dhcp service

Add these lines to /etc/dhcp/dhcpd.conf:

allow booting;
allow bootp;
filename "/pxelinux.0";

Step 2: Restart the dhcp service, then configure the tftp service

sudo apt-get install xinetd tftpd    # tftp-server, as named originally, is the CentOS package; on Ubuntu the xinetd-managed daemon is tftpd

sudo nano /etc/xinetd.d/tftp

Change "disable = yes" to "disable = no"

sudo service xinetd restart

Step 3: Configure the vsftpd service

sudo apt-get install vsftpd

sudo nano /etc/vsftpd.conf

Add

anon_root=/mnt
anon_upload_enable=NO

Step 4: Configure the pxe service

sudo mkdir /tftpboot

sudo cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

Copy the files needed to boot Ubuntu into /tftpboot and boot Ubuntu using PXE boot.

DNS Test
The following commands are used for DNS testing:

1) Dig

Domain Information Groper is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers.

2) Nslookup

nslookup is a command used to query DNS servers. In interactive mode the user can query name servers for information about hosts and domains; in non-interactive mode it only prints the name and the requested information for a particular host or domain.

3) Ping

Ping is used to check the network-layer reachability of the server.

4) Host

Host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.

DHCP Test
A device entering the network gets an IP address allocated by the DHCP server. The address can be verified with ifconfig (ipconfig on Windows).

sudo dhclient -r                 - releases the current lease; run sudo dhclient afterwards to request a fresh one

cat /var/lib/dhcp/dhcpd.leases   - on the server, shows the leases handed out to each device

Webserver Test
Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.

Firewall Test
A client can try to ping the servers that are blocked. If the response is "request timed out", the firewall has blocked the client and is working properly.

The client will not gain access to the web page because it is forbidden.