Computer Oriented Project

Transcription

1 Computer Oriented Project Server Implementations on Campus Wide Networks BITS Goa Case Study Aalap Tripathy Faculty Guide : Mr Mangesh Bedekar

2 Agenda Introduction to networks IP Addressing & Packet Analysis Brief Description of the servers installed DNS Server DHCP Server Proxy Server Incomplete Assignments LDAP server Packet Analysis on our network Q&A

3 Basics The internet works using two main address units: the IP Address and the port. For example, I want to load it starts by asking the IP address of for the webpage. asks s IP address on port 80--the universal webpage port. Our computer instructs the response to be sent back to our IP address on some port that we opened to recieve that data. By using ports, our computer can keep track of which stream of data belongs to what. Our Computer s Instructions : main text content be sent back to it on port and the image be sent back on recieving instant messages on other ports and s on yet other ports The ports here don't matter because our computer just makes them up on the fly. all of the ports from are set aside for such standardization.

4 two types of addresses public IP addresses Public IP addresses are those addresses that are routable on the internet. private IP addresses Addresses that begin with 10.x.y.z or x.y (where x, y, and z can be anything 0-255) are strictly private addresses and cannot exist on the internet. 127.x.y.z is set asside as the local loop back address There are only 2^32 possible IP addresses, and worldwide there are many more than 2^32 devices (computers, printers, scanners, etc) that would like to have internet IP addresses.

5 4,294,967,296

6 Private Addresses and, more specifically, NAT were setup to solve the problem of a limited number of IP addresses. The new IP Protocol specification, IPv6 intends to solve this problem by increasing the number of addresses. Ipv6 is something BITS Pilani is spearhearding research on. Why not we have a lecture on this? Someone volunteering??

7 NAT can be done on a router example the one you see infront of you or on a PC Let s see how it is done!!!

8 WRT54G Wi-Fi Router firmware source code released to satisfy the obligations of the GNU GPL. All models come standard with a 4+1 ports network switch (the Internet/WAN port is also in the same switch, but on a different VLAN) and a wireless chipset by Broadcom which provides Wi-Fi connectivity. The devices have two removable antennas connected through Reverse Polarity TNC connectors

9

10 A Little Primer on IP Addressing We write them in decimal form to make it more readable for humans. `the network - meaning all 256 addresses from to network' which meant all addresses from to Each number between the dots in an IP address is actually 8 binary digits ( to )

11 A Little Primer on IP Addressing We usually don't write ` '. Instead, we shorten it to ` /16'. The `/16' means that the first 16 binary digits is the network address, in other words, the `1.2.' part is the the network So what is /8? A Big Network or small Network? What is the range of IP Addresses

12 A Little Primer on IP Addressing We usually don't write ` '. Instead, we shorten it to ` /16'. The `/16' means that the first 16 binary digits is the network address, in other words, the `1.2.' part is the the network So what is /8? A Big Network or small Network? What is the range of IP Addresses

13 A Little Primer on IP Addressing ` /8' is a big network Contains any address from to (over 16 million addresses!) /16 is smaller, containing only IP addresses from to /24 is smaller still, containing addresses to

14 BITS IP Addressing ` /8' is a description of the BITS Goa Network!!! Contains any address from to (over 16 million addresses!) /16 is mostly 1 hostel or a combination of nearby hostels /24 is most generally closest rooms in a hostel or classroom/faculty chambers in a corridor

15 Let s get the concepts clear!!

16

17

18

19

20

21 ICANN The Internet Corporation for Assigned Names and Numbers

22 Root Servers There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first. These root servers know all the authoritative DNS servers for all the main domains -.com,.net, and the rest. This layer of servers keep track of all the DNS servers that Web site systems administrators have assigned for their sub domains.

23

24 Root Servers

25 Only one of the root servers that direct traffic and serve as the Internet's master directories is located outside the US -- in Tokyo, Japan US monopoly over the internet. We should have a debate sometime!!! Twelve of the 13 root servers that make the Internet run are located in the United States.

26 Many different Web sites can map to a single IP address, but the reverse isn't true; an IP address can map to only one FQDN. Default Server: dns3.bits-goa.ac.in Address: Why??? > yahoo.com Server: dns3.bits-goa.ac.in Address: Non-authoritative answer: Name: yahoo.com Addresses: , > Server: dns3.bits-goa.ac.in Address: Name: w2.rc.vip.dcn.yahoo.com Address: Forward Lookup Reverse Lookup

27

28

29 Ascii of a is 97 = 61 in hex Everything is Logical!!!

30

31

32 DHCP Dynamic Host Control Protocol

33

34

35 Let s ask Ok got it What is its ip address???

36 External DNS

37

38

39

40

41

42 Internal DNS Primary

43 Relevant configuration details for configuring Authoritative Zone zone "bits-goa.ac.in" IN { type master; file "bits-goa.zone"; notify yes; allow-query {any;}; allow-update {any;}; allow-transfer { ;}; };

44 Example of A Reverse Zone Authoritative Zone Definition zone " in-addr.arpa" IN { type master; notify yes; file "pri in-addr.arpa"; allow-transfer { ;}; };

45 The Full Zone file ; ; Zone File for bits-goa.ac.in ; The Full Zone File ; $TTL IN SOA ns1.bits-goa.ac.in. admin.bits-goa.ac.in.( ; Serial 3600 ; Refresh seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600) ; minimum, seconds NS www A studentnet A orion A proxy A proxy A proxy A titan A glimpses06 A library A S1 A S2 A dns4.bits-goa.ac.in. mailbox A bits-goa.ac.in IN MX 10 mailbox.bits-goa.ac.in. dns3 A dns4 A dakiya A central A mail CNAME dakiya

46 A Sample Reverse Zone file ; ; Reverse Zone File for bits-goa.ac.in ; Note Made By Aalap as Internal DNS server only ; ; The Full Reverse Zone File ; $TTL IN SOA ns1.bits-goa.ac.in. admin.bits-goa.ac.in.( ; Serial 3600 ; Refresh seconds 3600 ; retry, seconds 3600 ; expire, seconds 3600) ; minimum, seconds NS dns4.bits-goa.ac.in.; 61 PTR dns3.bits-goa.ac.in. 62 PTR dns4.bits-goa.ac.in. 222 PTR studentnet.bits-goa.ac.in 223 PTR orion.bits-goa.ac.in 225 PTR titan.bits-goa.ac.in 220 PTR library.bits-goa.ac.in Remember FQDN?!?!?!?

47

48 Internal DNS Secondary

49 How is the Secondary DNS Config Different Because I never make the entries which it finally answers on it It is supposed to prefetch the primary DNS Servers entries as and when they change and keep onto local cache. My named.conf configuration is critical here

50 The Critical Lines in named.conf // query-source address * port 53; allow-notify { ;}; recursive-clients 6000; // the above line was added by RJ/AS/RS on 27/10/2006 }; // // a caching only nameserver config // controls { inet allow { any; } keys { rndckey; }; };

51 Definition of what it is the authoritative zone for it // Segment added to make This m/c a slave for bits-goa.ac.in Internal Zone It seeks its addresses from which is defined to be the master zone "bits-goa.ac.in" IN { type slave; file "slaves/bits-goa.zone"; masters { ; }; };

52 Similarly defining reverse lookup for authoritative zones zone " in-addr.arpa" IN { type slave; file "slaves/pri in-addr.arpa"; masters { ; }; };

53 Remember.. We made a transfer entry on the primary server zone " in-addr.arpa" IN { type master; notify yes; file "pri in-addr.arpa"; allow-transfer { ;}; };

54 A Jail!!! This is a Technology Lecture right??? Ensures that if the system is ever compromised, the attacker will not have access to the entire file system. The attacker might feel that he has compromised the system but actually he has just exposed himself as his activity has been logged!!

55

56

57 Making the chroot Jail Effective This is important because running it as root defeats the purpose of the jail, and using a different user id that already exists on the system can allows services to access each others' resources. Check the /etc/passwd and /etc/group files for a free UID/GID number available. In my case, I used number 53 and the name named. [root@dns4] /#useradd -c DNS Server -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null :

58 Client Browser Proxy Web Server Proxies Types & Applications

59 Proxies Web Traditional Caching CGI Proxies Reverse SSL HTTPS to create an encrypted tunnel There are privacy concerns with SSL proxies. Split a pair of proxies installed across two computers. Ex - Google Web Accelerator Open accept client connections from any IP address make connections to any Internet resource. Intercepting often incorrectly called transparent proxy (also known as a forced proxy) combines a proxy server with NAT. it is not possible to use user authentication, since the browser does not know there is a proxy in the middle, so it will not send any authentication headers.

60 Reverse Proxies Instead of delivering pages for internal users, it delivers them for external users. It can be used to take some load off web servers and provide an additional layer of protection. This proxy placed outside the firewall as a stand-in for the content server. When outside clients try to access the content server, they are sent to the proxy server instead.

61 Web Proxy

62

63 Why Web Proxy?? Improve Performance: it saves the results of all requests for a certain amount of time (caching) Filter Requests: Pages to be accessed can be limited Ports / Services Accessed can be controlled Timing of Web Access can be controlled Bandwidth Control: Most Important Mandate in the system currently setup on campus

64 Caching how is it done? expiration algorithm Two simple cache algorithms are Least Recently Used (LRU) and Least Frequently Used (LFU). LRU removes the documents that have been left the longest, while LFU removes the least popular documents. The algorithms can also be combined.

65 CGI proxies A special case of web proxies These are web sites which allow a user to access a site through them. They generally use PHP or CGI to implement the proxying functionality. Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity, called "Proxy Avoidance."

66

67 We use Squid Web Proxy which is... a full-featured Web proxy cache free, open-source software the result of many contributions by unpaid (and paid) volunteers

68 Some Relevant Proxy Configuration Entries http_port :8080 # The socket addresses where Squid will listen for HTTP client requests. cache_mem 100 MB # maximum_object_size KB #Objects larger than this size will NOT be saved on disk. # minimum_object_size 0 KB # Knowingly done so that everything is actually stored. This is for faster operation visible_hostname BITSGOA

69 Some Relevant Proxy Configuration Entries cache_replacement_policy lru memory_replacement_policy lru # cache_access_log /var/log/squid/access.log # TAG: cache_access_log # Logs the client request activity. Contains an entry for # every HTTP and ICP queries received. To disable, enter "none". log_fqdn on Remember fqdn??

70 Critical Proxy Configuration Lines auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd auth_param basic children 300 auth_param basic realm BITS GOA PROXY auth_param basic credentialsttl 1 minute

71 Access Control & Definition on the Proxy Server # ACCESS CONTROLS acl ncsa_users proxy_auth REQUIRED acl all src / acl labs src / / acl hostels src / / acl SSL_ports port acl Safe_ports port 80 # http acl day_time time 8:30-17:30 acl night_time time 17:30-24:00 0:00-8:30 acl other_time time 17:30-21:00

72 http_access directives Most Critical instructions http_access allow ncsa_users http_access allow labs day_time other_time http_access allow hostels night_time http_access deny banned http_access deny!safe_ports #http_access deny all #Last line. By default. The final directive is the reverse of the last okayed directive

73 The actual configuration file Squid.conf

74

75

76

77 What I didn t cover The deep intricacies in the working of servers Many configuration settings : Secret!! Setting services on/off. Autorun facilities avaliable on the Linux platform

78 Future Objectives In house Mail Server Development LDAP Server Deployment Cascading Proxies & Atleast one proxy per hostel Decentralization of the website

79 Bored??? Let s have some The Net is very very slow??? questions? Well if the bandwidth is too less and he user s too many that s what happens Proxy can handle only limited traffic. Future plans : One Proxy Per hostel My Net isn t working?? Ensure that you give the correct proxy name i.e. proxy and port 8080 In case you give the ip address there is no guarentee that it will work always Come on More.????? Let us confine ourselves to the Server configurations only.