User:Divesh1757791/sandbox

--Divesh1757791 (talk) 04:54, 11 April 2014 (UTC)

Introduction
In this project we implement and demonstrate a miniature version of the network of an organization or company. In this mini version we have a client, a DNS server, a DHCP server and a web server, each running on a different system. We also demonstrate extra services that we provide as add-ons or for security reasons. Besides that, we provide a backup for the worst case, where our web server stops working or crashes.

Group Members

 * 1) Fangzhou Yuan
 * 2) Yutuo Zhu
 * 3) Esther Mvula
 * 4) Divesh Solanki

Components of Project
The following components are used in our project implementation:
 * 1) Network Switch
 * 2) DHCP server
 * 3) DNS server
 * 4) Web server
 * 5) Firewall
 * 6) Backup server
 * 7) Add-ons:
   * NTP
   * NFS
   * NIS
   * VPN
   * FTP

Network Switch
A network switch is a device that connects other devices and forms a network. It forwards traffic between those devices using packet switching. A switch works at layer 2 of the OSI model, the data link layer.

DHCP Server
DHCP provides a framework through which configuration information is passed to hosts and network addresses are allocated to them. It is based on a client-server model.

DNS Server
DNS is an application-layer protocol with a distributed database implemented through a hierarchy of DNS servers, which hosts can query. It also provides a directory service that converts hostnames to IP addresses and vice versa.

Web Server
A web server is a program that runs on a computer and delivers web pages to hosts that request them. It also uses the client-server model, with HTTP to carry the web pages.

Backup Server
A backup server is used to copy the files, folders, databases and hard drives of machines on a network to another place, so that if the worst happens and data is lost it can be restored.

DHCP Server
Command: sudo apt-get install isc-dhcp-server (installing isc-dhcp-server)
 * We installed isc-dhcp-server, which provides a DHCP server for us, using the above command on the Linux machine.

Command: sudo nano /etc/dhcp/dhcpd.conf (modifying “dhcpd.conf”) The configuration tells the DHCP server to assign IP addresses from 192.168.1.100 to 192.168.1.200 in the 192.168.1.0 subnet. It also sets 192.168.1.1 as the default gateway address, 192.168.1.2 as the DNS master server and 192.168.1.3 as the DNS slave server.
 * After installing the DHCP server, we go to the DHCP folder and modify the “dhcpd.conf” file, which defines how DHCP assigns IPv4 addresses to clients, using the above command on the Linux machine.

Command: sudo /etc/init.d/isc-dhcp-server restart (restart DHCP server)
 * After this, we restart the DHCP server.

Command: ifconfig We see that the IP address is 192.168.1.100, which is inside the DHCP server’s address range.
 * Then, on the DNS server, we check whether the DHCP server is running by looking at the address that host received.

Command: sudo nano /etc/dhcp/dhcpd.conf
 * After this, we assigned a static IP address to one of our devices. The static IP address is outside the DHCP server’s dynamic range, so a successful assignment demonstrates that we set up the static address correctly. For this we modify “dhcpd.conf” again.

Command: ifconfig; sudo /etc/init.d/isc-dhcp-server restart
 * We used the MAC address 00:0c:29:5c:63:67 of the device (it can be any device) to identify it and assign it the static IP address 192.168.1.2. We then restarted the DHCP server and rebooted the device whose MAC address we took, to check whether the assignment works.

 * We successfully set a static IP address for the DNS master server. Because we configured the DHCP server to hand out only 192.168.1.100 to 192.168.1.200 rather than the whole 192.168.1.0 subnet, the other addresses remain available for reservations.

Command: sudo nano /etc/network/interfaces The figure shows that we edited the settings for the network interfaces.
 * We also want the DHCP server itself to have a static IP address, so we modify the network interfaces file, which makes the DHCP server’s address static.

Command: sudo tail /var/lib/dhcp/dhcpd.leases (showing DHCP server leases)
 * We can also show a lease to confirm that the DHCP server is working well.

 * The lease shows that the DHCP server is working well, along with the date and time at which the address was assigned.
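As an added example, not the project's own file, the following script writes the dhcpd.conf that the steps above describe (dynamic range, gateway, DNS servers and the static reservation keyed on the MAC address) and checks that the reservation lies outside the dynamic range before the server is restarted. The /tmp path and the lease times are assumptions; the addresses and MAC come from this page.

```shell
#!/bin/sh
# Added example, not the project's own dhcpd.conf. Addresses and the
# reserved MAC come from the page; lease times and paths are assumptions.

# write_dhcpd_conf FILE: write the configuration described on the page
write_dhcpd_conf() {
    cat > "$1" <<'EOF'
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.2, 192.168.1.3;
    option domain-name "company.com";
}

# DNS master server: static address keyed on its MAC address
host dns-master {
    hardware ethernet 00:0c:29:5c:63:67;
    fixed-address 192.168.1.2;
}
EOF
}

# ip_to_int A.B.C.D: dotted quad to an integer so addresses can be compared
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1*16777216)+($2*65536)+($3*256)+$4 }'
}

# check_reservations FILE: return 0 when every fixed-address lies outside
# every dynamic range, 1 when a reservation collides with one. A reservation
# inside the range can conflict with an address dhcpd leases dynamically.
check_reservations() {
    conf="$1"
    status=0
    ranges=$(awk '$1=="range" { gsub(";","",$3); print $2 "-" $3 }' "$conf")
    fixed=$(awk '$1=="fixed-address" { gsub(";","",$2); print $2 }' "$conf")
    for addr in $fixed; do
        a=$(ip_to_int "$addr")
        for r in $ranges; do
            lo=$(ip_to_int "${r%-*}")
            hi=$(ip_to_int "${r#*-}")
            if [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]; then
                echo "collision: $addr is inside dynamic range $r" >&2
                status=1
            fi
        done
    done
    return $status
}

# Usage on the DHCP server (assumed paths):
#   write_dhcpd_conf /tmp/dhcpd.conf.new
#   check_reservations /tmp/dhcpd.conf.new && sudo cp /tmp/dhcpd.conf.new /etc/dhcp/dhcpd.conf
```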

DNS Server
We need to install the BIND DNS server on both the master DNS server and the slave DNS server, using the command ‘apt-get install bind9’. After installation, we need to modify the ‘resolv.conf’ file so that the master DNS server can send queries to itself.
 * DNS Installation

This is the most important part, since the main task of the project is to configure the DNS server so that it can resolve all incoming DNS queries from DNS clients. To achieve this, we need to create the necessary DNS resource records, in which both hostname-to-IP and IP-to-hostname mappings are recorded. Hostname-to-IP mapping is used for forward resolving, while IP-to-hostname mapping is used for reverse resolving. I will explain each file I implemented one by one.
 * Master DNS Server Configuration

This file defines three zones that resolve IP addresses and hostnames. The first zone is used for forward resolving, while the second and third zones are used for IPv4 and IPv6 reverse resolving respectively. The allow-transfer line names the IP address of the slave DNS server as the only host allowed to transfer the zones.
 * Create file ‘named.conf.local’

This file is created to map hostnames to IPv4 and IPv6 addresses. It is in charge of the domain ‘company.com’. I created A and AAAA records for each hostname; an A record resolves to an IPv4 address, while an AAAA record resolves to an IPv6 one. The NS record gives the hostname of the DNS server and the MX record gives the hostname of the mail server. Moreover, the CNAME record declares that www.company.com has the canonical name group-main.company.com.
 * Create file ‘for.db’

This file is edited for IPv4 reverse resolving. The NS record points to the DNS server and the PTR records map IPv4 addresses back to hostnames, which is the core of IPv4 reverse resolving.
 * Create file ‘rev-v4.db’

Similar to file ‘rev-v4.db’, file ‘rev-v6.db’ also helps the master DNS server to do reverse resolving. However, it maps IPv6 addresses rather than IPv4 addresses to hostnames.
 * Create file ‘rev-v6.db’

A slave DNS server is a DNS server that helps the master DNS server with its resolving work. Precisely, the slave DNS server gets the DNS records from its master automatically and can then resolve every DNS query that the master could resolve. If the master DNS server crashes, the slave acts as a backup, so the whole network does not lose name resolution. Also, if many queries are sent to the master DNS server, the slave helps reduce the master’s load. All of the following work is done on another host, which we regard as the slave DNS server.
 * Slave DNS Server Configuration

The type of DNS server this time is slave instead of master. All DNS records held by our master DNS server with IP address 192.168.1.2 are sent to this slave DNS server automatically and stored in the /var/cache/bind folder. As in the file on the master DNS server, the first zone is in charge of forward resolving while the second and third zones are in charge of reverse resolving.
 * Create file ‘named.conf.local’

As demonstrated before, all DNS records on the master DNS server are sent to the slave DNS server, and the three files above are then generated automatically.
 * Automatically generate files ‘db.company’, ‘db.ipv4’, ‘db.ipv6’
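As an added example, not the project's own BIND files, the script below writes the master's ‘named.conf.local’ with zone transfers limited to the slave, a forward zone ‘for.db’ and an IPv4 reverse zone ‘rev-v4.db’ in the shape the section describes, and then runs two checks a practitioner would want before restarting BIND: that no zone is transferable to anyone but the slave, and that every A record has a PTR record that maps back to it. The hostnames ns1, ns2 and mail and the /etc/bind paths are assumptions; the domain, the CNAME and the server addresses come from this page.

```shell
#!/bin/sh
# Added example, not the project's own BIND files. ns1, ns2, mail and
# the /etc/bind paths are assumptions; other values come from the page.

# write_named_conf_local FILE: master zones, transfers only to the slave
write_named_conf_local() {
    cat > "$1" <<'EOF'
zone "company.com" {
    type master;
    file "/etc/bind/for.db";
    allow-transfer { 192.168.1.3; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/rev-v4.db";
    allow-transfer { 192.168.1.3; };
};
EOF
}

# write_forward_zone FILE: for.db with A, NS, MX and CNAME records
write_forward_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@           IN  SOA ns1.company.com. admin.company.com. (
                2014041101 3600 900 604800 86400 )
@           IN  NS      ns1.company.com.
@           IN  NS      ns2.company.com.
@           IN  MX  10  mail.company.com.
ns1         IN  A       192.168.1.2
ns2         IN  A       192.168.1.3
group-main  IN  A       192.168.1.2
mail        IN  A       192.168.1.4
www         IN  CNAME   group-main.company.com.
EOF
}

# write_reverse_zone FILE: rev-v4.db with one PTR per address
write_reverse_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@   IN  SOA ns1.company.com. admin.company.com. (
        2014041101 3600 900 604800 86400 )
@   IN  NS  ns1.company.com.
2   IN  PTR ns1.company.com.
3   IN  PTR ns2.company.com.
4   IN  PTR mail.company.com.
EOF
}

# check_transfer SLAVE FILE: return 1 if a zone lacks allow-transfer or
# allows transfers to anything other than exactly "{ SLAVE; }".
check_transfer() {
    awk -v want="{ $1; }" '
        /^zone/          { z=$2; seen[z]=0 }
        /allow-transfer/ { seen[z]=1
                           if (index($0, want)==0) { print "zone " z ": transfer not limited to slave"; bad=1 } }
        END { for (z in seen) if (!seen[z]) { print "zone " z ": no allow-transfer"; bad=1 }
              exit bad+0 }' "$2"
}

# check_ptr FWD REV: return 1 if an A record in FWD has no PTR in REV, or
# its PTR names a host whose own A record points somewhere else.
check_ptr() {
    awk '
        FNR==NR { if ($2=="IN" && $3=="A") a[$1 ".company.com."]=$4; next }
        $2=="IN" && $3=="PTR" { ptr["192.168.1." $1]=$4 }
        END {
            for (h in a) {
                ip=a[h]
                if (!(ip in ptr)) { print "no PTR for " ip " (" h ")"; bad=1 }
                else if (!(ptr[ip] in a) || a[ptr[ip]] != ip) { print "PTR " ip " -> " ptr[ip] " does not map back"; bad=1 }
            }
            exit bad+0
        }' "$1" "$2"
}
```

Several names may share one address (group-main and ns1 both at 192.168.1.2), so the PTR check only demands that the one name a PTR returns resolves back to the same address.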

Webserver
Command: sudo apt-get install apache2
 * Apache is the most commonly used web server on Linux. The command to install Apache on Ubuntu is shown above.


 * After installing the server, we can test to see if it is working by opening the web browser and typing either “localhost” or “127.0.0.1” or the IP address of the host.


 * We can also see all the virtual ports or connections our computer is listening on by entering the command


 * “0.0.0.0:80” shows that our web server is listening on every address, so it is reachable from anywhere in our local network.


 * To edit our homepage, which is “index.html”, we need to go to the “www” directory and type


 * To make changes to the default html file and save that file, we type “ctrl +x” to exit and “Y” to save the file. The new homepage for our website now looks as per our settings.

Firewall

 * From the listening-ports output above we saw that our web server was listening on every available IP address. To add some security we need a firewall. The free firewall we chose is the Uncomplicated Firewall (ufw), together with some iptables rules on our web server. To enable ufw, we just typed the command

Below is the basic set of commands often used to add, change, delete or simply display the iptables rules.
 * We can see that our firewall is enabled, but we need to add rules for it to accept or reject traffic. Ubuntu ships with iptables, the distribution’s default firewall, so we use it to make our server more secure after the initial setup. Out of the box the Ubuntu firewall is configured but allows all incoming and outgoing traffic on a virtual private server. To get stronger protection on the server, we add some basic rules to the IP table.


 * Let’s see the existing rules in the virtual server’s IP table by using the following command:

 * To start, we should provide our VPS with loopback access:

Command: sudo iptables -I INPUT 1 -i lo -j ACCEPT
 * We can explain this command as follows: -I INPUT 1 places this rule at the beginning of the table; -i lo refers to the loopback interface; -j ACCEPT then guarantees that loopback traffic will be accepted.
 * We need to keep in mind that as soon as a packet is ACCEPTED, REJECTED or DROPPED, no further rules are processed. Therefore the rules that come first take priority over later ones.

 * Then we must allow all current connections, that is, all connections that exist at the time the rule is made:

Command: sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 * We can break this down as follows: -A tells iptables to append a rule to the table; INPUT designates this rule as part of the INPUT chain; -m state followed by --state ESTABLISHED,RELATED restricts the rule to current connections and those related to them; -j ACCEPT tells the packet to jump to ACCEPT, so those connections stay in place.


 * We can then permit ssh and http with the commands below. We should end by dropping all remaining packets to make our server as secure as possible.

Command: sudo iptables -L -v
 * After creating all the rules, we can see how they look in the table by typing the above command.


 * We will see that the rules have been saved as we wanted.


 * A very important characteristic of iptables rules is that after rebooting the server all the rules are deleted. To make sure the rules remain in effect, we use the package called iptables-persistent.
 * We will also start iptables-persistent.
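As an added example, not the project's own rules, the script below writes the rule set this section builds (loopback first, established connections, ssh, http, then drop everything else) in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, and checks the ordering point made above: because the first matching rule wins, an ACCEPT appended after the catch-all DROP can never match. The /tmp path is an assumption.

```shell
#!/bin/sh
# Added example, not the project's own rules. Rule order follows the
# Firewall section; the /tmp path used for review is an assumption.

# write_rules_v4 FILE: emit the rule set in the order the text explains
write_rules_v4() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, so local services always reach themselves
-A INPUT -i lo -j ACCEPT
# replies belonging to connections the server already has
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the two services the web server exposes
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# everything else, ICMP included, is dropped
-A INPUT -j DROP
COMMIT
EOF
}

# check_order FILE: return 1 when the loopback rule is not the first INPUT
# rule, when the catch-all DROP is missing, or when any INPUT rule sits
# after the DROP (such a rule is unreachable); return 0 otherwise.
check_order() {
    awk '
        BEGIN { n=0; dropped=0; bad=0 }
        /^-A INPUT/ {
            n++
            if (n==1 && $0 !~ /-i lo -j ACCEPT/) { print "loopback rule is not first"; bad=1 }
            if (dropped) { print "unreachable rule after DROP: " $0; bad=1 }
            if ($0 ~ /^-A INPUT -j DROP$/) dropped=1
        }
        END { if (!dropped) { print "no catch-all DROP"; bad=1 }; exit bad }' "$1"
}

# On the server (assumed paths):
#   write_rules_v4 /tmp/rules.v4 && check_order /tmp/rules.v4 \
#     && sudo iptables-restore < /tmp/rules.v4
```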

Backup Server
In order to avoid the risk of losing data we need to create a backup, so that if our system crashes we can restore it to the way it was before the crash and recover the data that was lost. For my backup server I used the tool rsync to transfer data from the web server to the backup server. To automate those jobs I scheduled crontab jobs, which run the job at the scheduled time.

Configuration

Command : ssh zyt611@192.168.1.3
 * The first step is to check whether SSH is working and whether we are able to connect to the server. So from my source machine, which in this case is the web server, I ssh to the backup server using the ssh command with the username and the IP address at which the backup server is located.

Command : ssh-keygen -t dsa
 * Once I am able to make the connection, I set up a public/private key pair for my device using the above command.

Command : ssh-copy-id -i /root/.ssh/id_dsa.pub zyt611@192.168.1.3
 * Now I copy the public key to the destination, the backup server.

Command : rsync -e ssh -varuzP /var/www zyt611@192.168.1.3:/home/zyt611/backup/
 * Now I created a backup directory on my backup server, so that all the backup data goes to this folder. Then on my web server I created a script file named backup.txt that runs the rsync command given above.

So I created a cron file with the following entries:

Command :
* * * * * date >> /tmp/log1.txt
* * * * * /home/ross/backup.txt >> /tmp/log1.txt 2>&1
 * I also added the executable permission to my script file. Now I want this script file to run automatically at the scheduled time, which is done with a cron job.

In those entries I write a log file in the tmp folder to see the status of the running jobs along with the date; 2>&1 redirects the standard error together with the standard output into that log file for the cron job. We also added a cron job for date so that we can monitor the job through the log file and see the time at which it ran.


 * Usually we can also check whether cron jobs are running by looking at /var/log/cron.log and /var/log/syslog.

VPN
Use command ‘sudo apt-get install openvpn’ to install the VPN server.
 * VPN Server Installation

Create the file ‘vars’ in directory /etc/openvpn/easy-rsa. The export route should be ‘/etc/openvpn/easy-rsa’ and the detailed information can be modified to fit our situation.
 * VPN Server Configuration

Use command ‘mkdir’ to create the folder keys in directory /etc/openvpn/easy-rsa/.
 * Generate master Certificate Authority (CA) and key

After creating this folder, all public and private keys generated later are stored in it. Use commands ‘source vars’, ‘./clean-all’ and ‘./build-ca’ in directory /etc/openvpn/easy-rsa/ to generate the Certificate Authority (CA).

After executing these three commands, the CA is generated according to the information recorded in file ‘vars’.

Use command ‘./build-key-server fangzhou’ to generate the server’s public and private keys. We use fangzhou as the VPN server name.
 * Generate certificate and private key for server

Use command ‘./build-dh’ to generate the 1024-bit safe prime.
 * Generate Diffie Hellman parameters for the VPN server

Copy all server-related files from folder ‘keys’ to directory /etc/openvpn.

We can see that the four files are all in the same directory, where they will be used later.

Use commands ‘source vars’ and ‘./build-key client2’ to issue a certificate to a client called client2.
 * Generate certificate and private key for client

After running the above commands, we can see that the public and private keys for client2 are generated and stored in folder ‘keys’.


 * Create file ‘server.conf’

To realize the VPN, we create a tunnel between server and client, and the CA, public key, private key and Diffie Hellman parameters must be declared in the server configuration file. We assign the network address 10.8.0.0 with mask 255.255.255.0 to the tunnel. The VPN server then automatically uses IP address 10.8.0.1.

Copy the certificate files from server to client
 * VPN Client Configuration

As demonstrated above, the CA, public key and private key for clients are generated on the VPN server. For clients to access our VPN server, these files must be stored on the VPN client side as its authorization.


 * Create file ‘client.conf’

Similar to the ‘server.conf’ file on the VPN server, the ‘client.conf’ file on the VPN client side is the key file of the VPN client configuration. We can see from the above diagram that the VPN client connects to our VPN server at IP address 192.168.1.2 through a tunnel over UDP.

FTP
1. FTP Installation
Use command ‘sudo apt-get install vsftpd’ to install the FTP server. After configuration, a folder called ‘ftp’ is created in path /srv/files.

2. FTP Server Configuration
 * Modify file ‘vsftpd.conf’ in directory /etc

By making the above three changes, localhost can log in to the FTP server and authenticated clients can upload files. The last line is a welcome message for clients once they have built a TCP connection to our FTP server.

Use command ‘groupadd ftp-users’ to add a new group named ‘ftp-users’ to the FTP server. Use command ‘useradd -g ftp-users -d /srv/ftp user’ to add a new user named ‘user’ to group ‘ftp-users’. Use command ‘passwd user’ to set the password for user ‘user’.
 * Add FTP group, FTP user and set password

Use command ‘service vsftpd restart’ to start the FTP server.
 * Start FTP server

NFS
We need to install the NFS server using command ‘sudo apt-get install nfs-kernel-server’.
 * NFS Installation

Create folder ‘data1’ in path /home/fangzhou using ‘mkdir data1’.
 * NFS Server Configuration

This folder is created to be the shared folder, which means that all files put in it can be shared with several designated clients.

Edit file ‘exports’

The circled line means that all files in folder /home/fangzhou/data1 are shared with the remote client 192.168.1.100.

Apply file ‘exports’ Use command ‘exportfs -a’.

From the above diagram, we can see that the server configuration is completed successfully.

Start NFS server Use command ‘sudo /etc/init.d/nfs-kernel-server start’ to start the NFS server.

Install nfs-common Use command ‘sudo apt-get install nfs-common’ to install nfs-common.
 * NFS Client Configuration

Create folder data1 in path /home/todd on the NFS client.

Share ‘data1’ folder Use command ‘mount 192.168.1.2:/home/fangzhou/data1 /home/todd/data1’ to mount the folder ‘data1’ from the NFS server on the NFS client.

NTP
Use command ‘sudo apt-get install ntp’ to install the NTP server.
 * NTP Server Installation

We just need to modify the file ‘ntp.conf’ in path /etc as follows.
 * NTP Configuration

Before the modification, there are 5 servers provided for our host to synchronize time with. After the modification, only our DNS server is offered as a time source.

NIS
NIS allows NIS clients to log in to a computer on the network using accounts that are stored on the NIS server.
 * NIS server

1. Installing “portmap”, which runs on network nodes that provide other ONC RPC services. Command: sudo apt-get install portmap
I have successfully installed “portmap”. After installing “portmap”, I update it. Command: sudo update-rc.d portmap defaults 10

2. Installing NIS, which provides the NIS service. Command: sudo apt-get install nis
While installing NIS, it asks me about the NIS domain. According to the DNS server, our project’s domain name is “company.com”, so I give “company.com” as my NIS domain name as well. I have successfully installed NIS.

3. Configuring the NIS server. Command: sudo nano /etc/default/nis
From this figure, I have set up this computer as an NIS server; this computer is also the DHCP server.

4. Configuring the YP server, which controls which subnet can access my NIS server. Command: sudo nano /etc/ypserv.securenets
I have allowed only 192.168.1.0 with mask 255.255.255.0, which is our project’s network. Command: sudo nano /var/yp/Makefile
I have set my NIS server’s passwords to “shadow” mode, which means that the NIS server’s passwords are stored encrypted for security.

5. Restarting “portmap”, the YP server and YP bind. Command: sudo service portmap restart; sudo service ypserv restart; sudo service ypbind restart

6. Activating the NIS server. Command: sudo /usr/lib/yp/ypinit -m

7. Adding the users and groups that NIS clients throughout the network will use to the NIS server. Command: sudo useradd -d /home/user1 -m user1; sudo useradd -d /home/user2 -m user2
I have successfully added user1 and user2 to my NIS server.

8. On my NIS server, giving my new users passwords so they can log in and authenticate from NIS clients in our project’s network. Command: sudo passwd user1; sudo passwd user2

9. Compiling my new users, groups and passwords into the NIS database. Command: cd /var/yp; pwd; sudo make

This completes the NIS server.

NIS Client

I opened a new Ubuntu system as my NIS client to test whether my NIS server is working.

1. Installing “portmap”, which runs on network nodes that provide other ONC RPC services. Command: sudo apt-get install portmap

I have successfully installed “portmap”.

After installing “portmap”, I update it. Command: sudo update-rc.d portmap defaults 10

2. Installing NIS, which provides the NIS service. Command: sudo apt-get install nis
While installing NIS, it asks me about the NIS domain. According to the DNS server, our project’s domain name is “company.com”, so I give “company.com” as my NIS domain name as well. I have successfully installed NIS.

3. Adding the NIS server’s hostname and fully qualified domain name to the client’s hosts file. Command: sudo nano /etc/hosts
I set this up because my DHCP server, 192.168.1.3, is also my NIS server.

The client can now resolve the name from its hosts file.

4. Adding the domain name and server to YP so the client can use the NIS server’s database. Command: sudo nano /etc/yp.conf

5. Modifying the Name Service Switch file so the client consults the NIS server’s database. Command: sudo nano /etc/nsswitch.conf

6. Modifying the permissions on the default /home folder so that Nautilus lets users log in to accounts that are in the NIS server’s database. Command: cd home; sudo chmod 777 home

DHCP
By running ifconfig on the client PC we can check whether it has obtained an IP address from DHCP. If it has, our DHCP server is working well.

DNS
To prove that our master DNS server and slave DNS server work, we need to test them separately.

(1) Test master DNS server
 * Check DNS records through the master DNS server with IP 192.168.1.2 from a host with IP.

(2) Test slave DNS server
 * Check DNS records through the slave DNS server with IP 192.168.1.3 from a host with dynamic IP address 192.168.1.108.

Webserver

 * The devices on my network can also access my web page by typing either my IP address or my domain name, www.company.com.
 * For example, the host whose IP address is 192.168.1.100 can access my web page.

Backup Server
We can see the files being transferred to the destination folder on the backup server at the scheduled interval. We can also check the log file we created for the history of our transfers.

Firewall

 * We test our firewall from any client in our network.
 * Since we did not allow ICMP packets into our server, we can see that our client cannot ping our web server.
 * We can also see that our client can access our server over an SSH connection.

VPN
VPN Test: use command ‘ifconfig’ on the VPN server.
 * Check network interfaces on VPN server

We can see that besides eth0 and lo there is another interface called tun0 that is up. This interface acts as the tunnel endpoint on the VPN server side, and in this tunnel the IP address of the VPN server is 10.8.0.1.

Use command ‘ifconfig’ on the VPN client.
 * Check network interfaces on VPN client

We can see that besides eth0 and lo there is another interface called tun0 that is up. This interface acts as the tunnel endpoint on the VPN client side, and in this tunnel the IP address of the VPN client is 10.8.0.6.

Use command ‘ping 10.8.0.1’ on the VPN client.
 * Ping VPN server from VPN client

We can see that the VPN server and VPN client can reach each other successfully through the tunnel.

NFS
NFS Test
 * Create a file named ‘file1’ in path /home/fangzhou/data1 on the NFS server with IP address 192.168.1.2.


 * Then we find that this file is shared with the NFS client with IP address 192.168.1.100.


 * Create a file named ‘file2’ in path /home/todd/data1 on the NFS client with IP address 192.168.1.100.


 * Then we can see that the file is shared with the NFS server.

NTP
Use command ‘ntpq -p’.

We can see that this host is synchronized with our DNS server.

NIS
Testing NIS. Command: su user1; su user2; su user3

This shows that NIS works successfully. The NIS client is done here.

FTP
FTP Test

(1) Local host FTP test
Use command ‘ftp localhost’ to connect to the FTP server and log in with the correct username and password.

Use command ‘lcd /home/fangzhou’ to change the local directory to /home/fangzhou and command ‘send ftp-test1’ to upload the file to the FTP server.

We see that the file ‘ftp-test1’ has been uploaded to the FTP server successfully. Use commands ‘lcd /home’ and ‘get ftp-test1’ to download file ‘ftp-test1’ from the FTP server.

We see that the file ‘ftp-test1’ has been downloaded from the FTP server to the local path /home successfully.

(2) Remote FTP test
 * Use command ‘ftp 192.168.1.2’ to build an FTP connection from the remote client with IP address 192.168.1.3 to our FTP server.


 * We see that the welcome message is shown to the FTP client, and all we need to do is enter the username and password correctly.

10th April 2014

 * 1) Fangzhou has implemented DNS server (master-slave configuration)
 * 2) Yutuo has implemented DHCP server
 * 3) Esther has implemented Webserver
 * 4) Divesh has implemented the Backup server, making the wikipage.

11th April 2014

 * 1) Fangzhou has implemented NTP, FTP, VPN, NFS.
 * 2) Yutuo has implemented NIS.
 * 3) Esther has implemented Firewall.
 * 4) Divesh has implemented the automated backup server, making the wikipage.

12th April 2014

 * 1) Esther is making the report.
 * 2) Divesh is making the wikipage.