- Assignment 2 - Internet & Network Services for a company · INS - Assignment 2 Le Bris Vincent. The created ﬁles in the directory /home/khufunetns2/.ssh/ :-id_dsa is the private

Purpose

For this assignment, we will work by group and implement 2 servers providing Internet and Network Services for a fictive company (Khufunet). The first server will be called NS1 (for Name Server 1) and the second NS2. Both server will have different services :

NS1- Apache Server- Name Server 1- Print server- Samba Server

NS2- eMail Server- Name Server 2- DHCP Server- SSH Server- FTP Server

VMware and Dropbox will be used on two different laptops to run this servers as virtual machines. A desktop version of ubuntu will also be run on each laptop as client machines. Below is the topology of the network we will create.

- Assignment 2 -Internet & Network Services

for a company

INS - Assignment 2 Le Bris Vincent

VirtualBox Bridged Mode

on Laptop 1

NS1

Client 1

Vmware Bridged Mode

on Laptop 2

NS2

Client 2

Physical Link

Virtual Hub Virtual Hub

Virtual Link

Topology

Configuration :

Machine Address

Laptop 1

Laptop 2

NS1

NS2

Installation of Server NS2Ubuntu server is installed on the machine. The address is set by the DHCP that set the physical interfaceʼs address (router). We will first install a SSH server and a FTP server on it.

Installation of SSH serverInstallation of the deamons on the server :

apt-get install openssh-server apt-get install openssh-client


Letʼs try to establish a connection between the client and the server :

We will be asked a password, enter the one of the khufunetns2 account (khufunet).

This is the welcome message to indicate us that we are connected to the machine. We can now enter commands as if we were on the machine.

But if we have to administrate a lot of machine by ssh, it can become hard to remember all the passwords. The solution isnʼt to desactivate the password authentication, ssh is very secured and it would be useless to do that. But we can become a trust user using SSH keys.

First, we have to generate public and private keys on both machines :

ssh [email protected]@192.168.80.2’s password:

Linux ubuntu 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010 x86_64 GNU/LinuxUbuntu 10.10

Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/Last login: Wed Apr 27 09:04:49 2011 from 192.168.80.134khufunetns2@ubuntu:~$


The created files in the directory /home/khufunetns2/.ssh/ :- id_dsa is the private key- id_dsa.pub is the public key- authorized_keys is a file that contained all the known clientʼs keys.

We have to do the same for the client machine (logged as root if you want to use only this one to communicate with the server).

Now we have to share the clientʼs public key with the server to be authorized by him.

This command send a command by ssh to the server. The command write all the content of the public key of the client in the authorized_keys file of the server.

We can now connect the client to the server, it shouldnʼt ask any password. To remove the client of the known clients, the server has to find his key in his authorized_keys file. To delete all the clients from the file, this command will clear the keys :

khufunetns2@ubuntu:~$ ssh-keygen -t dsaGenerating public/private dsa key pair.Enter file in which to save the key (/home/khufunetns2/.ssh/id_dsa): Created directory '/home/khufunetns2/.ssh'.Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/khufunetns2/.ssh/id_dsa.Your public key has been saved in /home/khufunetns2/.ssh/id_dsa.pub.The key fingerprint is:60:1d:ba:d9:54:0d:26:55:dd:26:69:2c:4f:39:2e:79 khufunetns2@ubuntuThe key's randomart image is:+--[ DSA 1024]----+| o.=+.o + || o = o X o|| + o B + || . * o E || o S o || || || || |+-----------------+

khufunetns2@ubuntu:~$

ssh [email protected] "echo $(cat .ssh/id_dsa.pub) >> .ssh/authorized_keys"

echo “” > .ssh/authorized_keys


Installation of FTP server

FTP (File Transfer Protocol) permit to clients to download and upload files on a server. VSFTPD is a FTP deamon easy to install, to setup and to manage :

The configuration file is /etc/vsftpd.conf, we have to modify it to setup the main rules.

By default, anonymous connection are not allowed. Change the lineanonymous_enable=NO into:anonymous_enable=YES

The anonymous users are not allowed to upload files, I think itʼs more secured and avoid the server to be overloaded.

To allowed authenticated users to upload files, the following lines has to be uncommented :write_enable=YES

We can make vsftpd more secure and limit users to their home directories by uncommenting :chroot_local_user=YES

By default, the directory that contains the files of anonymous users is /srv/ftp, it can be changed inby creating a new directory and to change it as the ftp userʼ home directory.

To apply the modifications of vsftpd.conf, we have to restart the FTP deamon :

apt-get install vsftpd

nano /etc/vsftpd.conf

mkdir /srv/files/ftpsudo usermod -d /srv/files/ftp ftp


We can now use the client to test it, filezilla is an opensource software that permit to do it graphically. You can try it and upload/download files as authenticated or anonymous users.

Installation of DNS serverDomain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. In this way, DNS alleviates the need to remember IP addresses. BIND will be the package used on the server :

BIND9 Configuration files are stored in /etc/bind/

The main configuration is stored in the following files:

service vsftpd restart

apt-get install bind9


• /etc/bind/named.conf

• /etc/bind/named.conf.options

•/etc/bind/named.conf.local

There are differents possible configurations for BIND, the two of them that interest us is the Primary master server and the Secondary master server. NS1 will be the primary and NS2 will be the secondary.

First, letʼs configure it as the primary master.

We have to add a DNS zone to BIND by editing the file/etc/bind/named.conf.local :

Now we will create the db.khufunet.com from an existant file :

sudo cp /etc/bind/db.local /etc/bind/db.khufunet.com

We will replace the localhost parameters with the khufunetʼs ones.

zone "khufunet.com" { type master; file "/etc/bind/db.khufunet.com";};

sudo cp /etc/bind/db.local /etc/bind/db.khufunet.com


A zone file must begin with the definition of a SOA (Start Of Authority)The “@” specify the zone declared in the configuration file“IN” precise that this is an Internet zone, itʼs kind of a default value because the other types are rare.After, we set the SOA keyword followed by the FQDN of the server which hosts the zone (ns2.khufunet.com), and on the same line, a mail address (“.” instead of “@”).After that, we have to declare the following :

- serial (often the date in YYYYMMDDxx format)- refresh time (in second)- time between two tries- expire time- TTL

Directly after the SOA is the declaration of the the DNS server to consult :@ IN NS ns2.khufunet.com.

After that, we can declare the different machines of the network, each line set :the name of the pc - the zone type - the register type (A=Alias) - the IP address

ex: ns2 IN A 192.168.80.2

The server is now able to resolve names to IP address ( at least for the host registered), we have to allow it to resolve an address to a name, thatʼs called a Reverse zone.

;; BIND data file for local loopback interface;$TTL 604800@ IN SOA ns2.khufunet.com. root.khufunet.com. ( 0428 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL;@ IN NS ns2.khufunet.com.ns2 IN A 192.168.80.2ns1 IN A 192.168.80.1client2 IN A 192.168.80.128


Edit /etc/bind/named.conf.local and add the following:

As weʼve done before, we will create a db.192 file with an existant “db” file (db.127)

And edit it to change the same options as before

Donʼt forget to change the serial after each modification. We have to restart BIND for the change to take effect :

zone "80.168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192";};

sudo cp /etc/bind/db.127 /etc/bind/db.192

;; BIND reverse data file for local loopback interface;$TTL 604800@ IN SOA ns2.khufunet.com. root.khufunet.com. ( 20110427 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL;@ IN NS ns2.khufunet.com.2 IN PTR ns2.khufunet.com.128 IN PTR client2.khufunet.com.


The DNS server is now configured, we can test it on the client.

The DHCP of VMware akso provide a DNS server address, we have to specify the khufunetʼs one by modifying the /etc/resolv.conf file :

We can now test the server with nslookup and try to ask him to resolve names and IP address :

The DNS work perfectly and is able to resolve the name and IP address.

Installation of DHCP server

service bind9 restart * Stopping domain name service... bind9 ...done. * Starting domain name service... bind9 ...done.

nameserver 192.168.80.2domain khufunet.comsearch khufunet.com

nslookup

> ns2Server: 192.168.80.2Address: 192.168.80.2#53

Name: ns2.khufunet.comAddress: 192.168.80.2> > 192.168.80.128Server: 192.168.80.2Address: 192.168.80.2#53

128.80.168.192.in-addr.arpa name = client1.khufunet.com.


A DHCP (Dynamic Host Configuration Protocol) server can provide dynamic IP address to each workstation, and so sort out all the address management issues. It provide also all the informations to communicate with each other machines like the DNS server address.

To install the dhcp server :

To configure the DHCP server, the mode VMware network mode “host only” is the best. Indeed, if the physical interfaces are not connected, the bridged mode doesnʼt permit the machines to contact each other and some conflicts can appear if an other DHCP is present on the network. But the “Host-only” mode of VMware fusion uses the VMnet1 virtual adapter and a DHCP used to assign address to virtual machines. The topology of the “host only” mode is the following :

Virtual Network Adapter

VMnet1NS2 Client 2

Virtual Hub

Virtual Link

Topology of the Host Only mode

Virtual DHP server

Below is a solution to configure the address of vmnet1 and to desactivate the DHCP service on VMware fusion :

apt-get install dhcp3-server


- quit VMware fusion application- as root, modify the following file with any text editor :/Library/Application Support/VMware Fusion/networkingFor example the following command will edit it with nano editor :

The configuration used looks like that (modify the coloured options) :

- Restart the VMware network service with the script boot.sh :

The VMnet interfaces should be reconfigured. We can now launch VMware and setup our own DHCP server. But first, letʼs set a static IP address to NS2 by editing the file/etc/init.d/interfaces as below :

nano /Library/Application\ Support/VMware\ Fusion/networking

VERSION=1,0answer VNET_1_DHCP noanswer VNET_1_DHCP_CFG_HASH 4176B8924FB610405D7C2B4BB4B03B7053F41881answer VNET_1_HOSTONLY_NETMASK 255.255.255.0answer VNET_1_HOSTONLY_SUBNET 192.168.80.0answer VNET_1_VIRTUAL_ADAPTER yesanswer VNET_8_DHCP yesanswer VNET_8_DHCP_CFG_HASH 0717114E92F1528EDADD8F6415078AC92815906Danswer VNET_8_HOSTONLY_NETMASK 255.255.255.0answer VNET_8_HOSTONLY_SUBNET 192.168.68.0answer VNET_8_NAT yesanswer VNET_8_VIRTUAL_ADAPTER yes

./Library/Application\ Support/VMware\ Fusion/boot.sh --restart


And restart the networking deamon :

Edit the /etc/dhcp3/dhcpd.conf and add the following lines:

This configuration set a range of address that will be assigned to machines and provide them some informations about the network as the router, the domain name and the DNS server.

We can also add statics addresses, below the configuration for the client2 and the server itself, still in dhcpd.conf :

auto loiface lo inet loopback

auto eth0#iface eth0 inet dhcpiface eth0 inet staticaddress 192.168.80.2netmask 255.255.255.0gateway 192.168.80.1

/etc/init.d/networking restart * Reconfiguring network interfaces...ssh stop/waitingssh start/running, process 2795 ...done.

subnet 192.168.80.0 netmask 255.255.255.0 { range 192.168.80.10 192.168.80.180 ; option domain-name-servers 192.168.80.1, 192.168.80.2; option domain-name "khufunet.com"; option routers 192.168.80.1;# option broadcast-address 10.5.5.31; default-lease-time 600; max-lease-time 7200;}


The hardware ethernet is the MAC address of the client2, it can be found by doing the command ifconfig on the client2, it may appears on the ethernet0 section.

We will now set the Interface the server will listen on for client requests by editing the /etc/default/dhcp3-server :

We can now restart (rather start because the first start failed) :

Then, letʼs try our dhcp server with our client by doing a DHCP request :

host client2 { hardware ethernet 00:0c:29:40:58:e0; option host-name "client2"; fixed-address 192.168.80.128;}

host ns2 { hardware ethernet 00:0c:29:e9:12:b2; option host-name "ns2"; fixed-address 192.168.80.2;

INTERFACES=”eth0″

service dhcp3-server restart

* Stopping DHCP server dhcpd3 ...fail! * Starting DHCP server dhcpd3 ...done.


It works perfectly, our client has been assigned the address specified in the dhcpd.conf file of the server.

dhclient eth0

Internet Systems Consortium DHCP Client V3.1.3Copyright 2004-2009 Internet Systems Consortium.All rights reserved.For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:0c:29:40:58:e0Sending on LPF/eth0/00:0c:29:40:58:e0Sending on Socket/fallbackDHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3DHCPOFFER of 192.168.80.128 from 192.168.80.2DHCPREQUEST of 192.168.80.128 on eth0 to 255.255.255.255 port 67DHCPACK of 192.168.80.128 from 192.168.80.2bound to 192.168.80.128 -- renewal in 246 seconds.


https://www.isc.org/software/dhcp/

https://www.isc.org/software/dhcp/

Installation of Mail serverThis section will show hot to install a mail server on Ubuntu, using Postfix (SMTP) and Dovecot (IMAP/POP3). Postfix is the open source SMTP server the moste used. It is very powerful and Dovecot provide a secure IMAP/POP3 server. But also complicated to configure properly... Below is the basic configuration with TLS+SASL.

Installation of Postfix :

Add the packages for postfix and SASL :

An interface will ask few questions, here are the answers:

But this is a condensed version of the configuration, to get the full one, we have to relaunch the configuration utility:

The same interface will ask again few questions:

aptitude install postfix sasl2-bin

General type of configuration? <-- Internet Site

System Mail name? <-- ns2.khufunet.com

dpkg-reconfigure postfix


TLS :The security layer of the TLS transport (or SSL) provide authentication based on certificates and session encryption. An encrypted session protect the informaitons transmitted by SMTP message or by the SASL authentications.

We have to generate certificates for Postfix :

Some questions will be asked, you can answer the following ones and let the other ones blank :

General type of configuration? <-- Internet Site

System Mail name? <-- ns2.khufunet.com

Where should mail for root go <-- leave blankOther destinations to accept mail for <-- : ns2.khufunet.com, khufunet.com, localhost.khufunet.com, localhost

Force synchronous updates on mail queue? <-- No

Local networks? <-- leave default

Use procmail for local delivery? <-- Yes

Mailbox size limit <-- 0

Local address extension character? <-- +

Internet protocols to use? <-- all

mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr


We can go on the generation and answer the same things when asked :

Now we have to activate TLS by adding some lines to /etc/postfix/main.cf :

Organization Name (O) : Khufunet Common Name (CN) : ns2.khufunet.com

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

smtp_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_auth_only = no smtpd_use_tls = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom smtpd_recipient_limit = 100 smtpd_helo_restrictions = reject_invalid_hostname smtpd_sender_restrictions = reject_unknown_address smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_client, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, permit


The last instruction allow the connexion to SASL authenticated clients, then to local networks clients, reject the unknown destinations, the sender coming from unknown domain and the unknown clients. It also contains a list of RBL servers which provide databases of identified spammerʼs IP addresses. The last permit allow the access to the clients who have succeed to pass this check list.

SASL :To allow SASL authentication by Postfix, and to allow the SMTP access only to identified users (e-mail address as login and password), we have to add other lines to /etc/postfix/:

Now we can set up the saslauthd authentication deamon.

Edit the config file /etc/default/saslauthd :

Edit /etc/postfix/sasl/smtpd.conf:

Now we will create the chroot directory, add the postfix user to the sasl group, and then starting saslauthd:

smtpd_sasl_local_domain = $myhostname smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes

START=yesMECHANISMS="pam" PARAMS="-r" OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

pwcheck_method: saslauthd mech_list: login plain


We can test the email server, the couloured lines are the most important :

Installation of Dovecot :

mkdir -p /var/spool/postfix/var/run/saslauthddpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthdadduser postfix sasl/etc/init.d/saslauthd start

telnet localhost 25Trying ::1...Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.220 server1.khufunet.com ESMTP Postfix (Ubuntu)

ehlo localhost 250-server1.khufunet.com250-PIPELINING250-SIZE 10240000250-VRFY250-ETRN250-STARTTLS250-AUTH LOGIN PLAIN250-AUTH=LOGIN PLAIN250-ENHANCEDSTATUSCODES250-8BITMIME250 DSN

quit 221 2.0.0 ByeConnection closed by foreign host.

apt-get install dovecot-imapd dovecot-pop3dperl -pi -e 's/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/' /etc/dovecot/dovecot.conf/etc/init.d/dovecot restart


The mail server is now working. Each user has their own email account, stored in /home/username/Maildir/ directory. We can configure the adduser command to create a Maildir directory in their home.

We can now test our server:

From the server, crate a user called “client2”:

From the client, ceate mail account on Evolution Mail :

cd /etc/skelmaildirmake.dovecot Maildir

adduser client2



Enter the password (client2):

From the server, send an email to the client2 :

echo "test" | mail -s testsubject [email protected]


We can check it on the client :

We can notice that a mail has been received in the inbox :

The mail is well received! And we can notice that the root sent us a mail from the future...

The Mail server is functionnal and has a good security. But this is just a basic configuration, Postfix and Dovecot are really powerfull and can be configured with a lot of features.

Sources :

http://ubuntu.orghttp://rimuhosting.comhttp://jonsview.comhttp://alsacreation.com


http://ubuntu.org

http://ubuntu.org

http://rimuhosting.com

http://rimuhosting.com

http://jonsview.com

http://jonsview.com

http://alsacreation.com

http://alsacreation.com

Documents

- Assignment 2 - Internet & Network Services for a company · INS - Assignment 2 Le Bris Vincent. The created ﬁles in the directory /home/khufunetns2/.ssh/ :-id_dsa is the private