Question-Breakdown Structure
Question 1: Lee Win Neng
Question 2: Hea Zhen Yao
Question 3: Alex Chung Sheng Feng
Question 4: Liu Yung Peng
Question 5: Lee Win Neng
Question 6: Hea Zhen Yao
Question 7: Alex Chung Sheng Feng
Question 8: Liu Yung Peng
Question 9: Lee Win Neng
Question 10: Hea Zhen Yao
Question 11: Alex Chung Sheng Feng
Question 12: Liu Yung Peng
Gantt Chart
Acknowledgement
We would like to express our deepest appreciation to all those who provided us the
possibility to complete this report. Special gratitude goes to our System Administration
Network lecturer, Mr. Shounak Ghosh, whose stimulating suggestions and encouragement
helped us to coordinate our project, especially in doing this assignment. Furthermore, special
thanks go to my team mates, Lee Win Neng, Alex Chung and Liu Yung Peng, who cooperated
with me to configure this assignment and gave suggestions on how to overcome the obstacles
we met. Last but not least, many thanks again to our lecturer Mr. Shounak Ghosh, who invested
his full effort in guiding the team towards its goal. We also appreciate the guidance given by
other friends as well as the panels, especially in our project presentation, whose comments and
advice improved our presentation skills.
System Configurations
First, open Oracle VirtualBox and click the New button to create a virtual machine on the
computer.
Next, enter a name for the virtual machine, select the type as a Linux operating system and
the version as Linux 2.6 (32-bit).
After the name, type and version are entered, VirtualBox prompts for the memory size to be
used by the virtual machine. We assign 256 MB of memory to the virtual machine.
For the hard drive, select the option Create a virtual hard drive now. The file type of the hard
drive will be VHD (Virtual Hard Disk); then click the Next button.
In the next part, select the option Fixed Size and assign the size of the hard drive manually.
The hard drive is assigned 200 MB of storage for the virtual machine.
After the file size allocation, the virtual machine and its hard drive are created. Some changes
are then required in the Settings menu at the top of the virtual machine.
Firstly, change the boot order from Floppy > CD/DVD-ROM > Hard Disk to Hard Disk >
CD/DVD-ROM and untick the Floppy option in the boot order.
The second change is to insert the hard drive and the ISO file into the virtual machine: the
hard drive created just now and the TinyNetBase ISO file.
The third change is to select the network adapters for the virtual machine. The Gateway
virtual machine has 4 adapters turned on, with the 2nd, 3rd and 4th adapters set to Host-Only
Adapter. All the other virtual machines, including the LDAP server, the Mail Server and the
rest, are also assigned a Host-Only Adapter.
After that, save the settings and click the Start button at the top of the virtual machine. The
startup progress of the virtual machine is shown on its screen.
After the startup has completed, we need to select the Slax boot option. We choose the 4th
option, Slax Text Mode, to start the operating system.
After the operating system has started successfully, we log in to the virtual machine with the
username root and the password toor.
Next, we enter the command cfdisk to open the partition menu of the hard drive.
In cfdisk, select the first (free) partition and choose New to create a new partition on the hard
drive.
The next step after choosing New is to choose Primary.
In the next step, we enter the size of the partition, which is 180MB for the first hard drive
partition in the virtual machine.
After the partition has been created, we select the Bootable option for the first partition so
that it is able to boot when the virtual machine starts up.
Next, we make the second partition of the hard drive by choosing New on the free space
located below the first partition.
After choosing New, we are required to choose Primary for the next step.
After that, we enter the size of the partition as the remaining hard drive size and change the
type of the partition.
We change the type of the second partition from Linux to Linux Swap by using filesystem type
82.
Next, after partitioning and exiting the cfdisk interface, we enter the following commands.
Commands:
- mkswap /dev/hda2
- mke2fs /dev/hda1
- swapon /dev/hda2
- mkdir /mnt/hda1
- mount /dev/hda1 /mnt/hda1
Next, we open Midnight Commander with the command mc and set the two panels to the
directories /mnt/hda1 and /mnt/hdc in order to copy files from the CD/DVD-ROM to the hard
drive. The copy is performed with the F5 key from hdc to hda1. The files copied are the boot
and slax directories, from /mnt/hdc to /mnt/hda1.
After the copy has completed, we go to the directory /mnt/hda1/boot to find and run the file
named liloinst.sh in order to install the operating system.
After pressing Enter on the file liloinst.sh, the virtual machine prompts to press any key to
continue. The user is required to press Enter and the installation will be completed.
1.0 Setup Virtual Server & User Access (Lee Win Neng)
1.1 Objectives
1. Make webmail a virtual server, and set up one more virtual server.
2. Set up two normal users.
3. Configure the system so users cannot serve web pages or run CGI scripts from their
home directories, and cannot access the virtual server document root, but can
upload files for web/CGI.
Webmail is a cloud application through which users access the email server to send and
receive email through an online platform, while a web server is required so that users can
access it using the HTTP/HTTPS protocols. The access rights of users can be restricted by
configuring a firewall on the server and by allowing only the HTTP and HTTPS protocols, with
HTTPS providing encrypted access for external users.
1.2 Configuration
The operating system must be configured on the virtual machine before the server role can
be set up and configured. The image file TinyBase.iso is used for the setup and configuration
of the operating system on the virtual machine. Next, the virtual machine is rebooted with the
image file changed from TinyBase.iso to TinyConfig.iso for the further configuration of the
server role. After the reboot, the menu shown below appears and we select the server role
MailHost for this virtual machine.
After setting up the MailHost role, the next configuration step is to create the system users
and groups for the webmail services on the virtual machine.
Configuration Steps:
- groupadd -g 55 postdrop
- groupadd -g 54 postfix
- groupadd -g 56 dovecot
- groupadd -g 58 vmail
- useradd -g postfix -u 54 -d /var/spool/postfix -c "postfix MTA" -s /bin/false postfix
- useradd -g dovecot -u 56 -d /etc/dovecot -c "dovecot IMAP-LDA" -s /bin/false dovecot
- useradd -g vmail -u 58 -d /home/vmail -c "dovecot Mail Owner" -s /bin/false vmail
After the mail storage has been configured with the commands below, the post-install
commands check the Postfix installation to ensure it runs properly.
Configuration Steps:
- mkdir /home/vmail
- mkdir /home/vmail/indexes
- chmod -R a+rwxt /home/vmail
- cp /etc/dovecot/mail-pwd /home/vmail
- chown -R vmail:vmail /home/vmail
- mkdir /var/run/dovecot
- chown dovecot:dovecot /var/run/dovecot
- cd /etc/postfix
- ./post-install command_directory=/usr/sbin/ create-missing
- ./post-install command_directory=/usr/sbin/ set-permissions
- postmap /etc/postfix/virtual_mailbox
- postmap /etc/postfix/canonical
- postmap /etc/postfix/virtual_alias
After all of these configuration commands, webmail has been set up successfully. Next, we
configure the web server on another virtual machine by setting its server role to Web Server,
again using the TinyConfig.iso file for the setup.
After setting the server role to Web Server, open the default file monkey.conf in Midnight
Commander. monkey.conf can be found in the directory /usr/monkey.
The first diagram shows the default configuration in the monkey.conf file, while the second
diagram shows the edited configuration. Press F4 to edit, and change the line
Server_root /var/monkey/htdocs to Server_root /var/www.
In the same way, the line Server-ScriptAlias /cgi-bin/ /var/monkey/ is changed to
Server-ScriptAlias /cgi-bin/ /var/www/.
Next, we change the hash marks in front of the lines shown in the diagram below: the first
line, for the htm files, is commented out with a hash mark, while the hash mark on the second
line, for the php files, is removed.
After editing the configuration in the file, we save it with the F2 key and exit with F10.
After monkey.conf has been edited, the web pages can be accessed from a browser on the
computer, showing the SquirrelMail page at the link
192.168.56.153/squirrelmail/src/login.php
To log in to SquirrelMail, a new user must be created for login authentication. First, create
the new user with the adduser command, giving the name and password; all the other fields
are left at their default values.
CGI scripts are strictly limited so that the user cannot run the command. To do this, we use
the Chown entry under the File menu in Midnight Commander (MC), opened with the F9
hotkey, and set the owner to nobody. The owner nobody limits the user from accessing and
running the command.
After the configuration, the diagram below shows that permission was denied for accessing
and running the files.
1.3 Obstacles
The obstacle I met in this question was being unable to perform testing on a user that is
able to upload files onto the web/cgi but is denied permission to access the files on the
virtual machine. So we expect the system will block the user from accessing the files
without permission.
1.4 References
(MyTinyNet, 2010)
2.0 User Privilege Configuration (Hea Zhen Yao)
2.1 Objectives
Choose 1 server to:
2.2 Configuration
Code:
- mc: open Midnight Commander
- AllowUsers: allow user1 to use sshd
2.3 Result
Code:
- user2 ; 123: login to user2
- ssh 192.168.76.181: ssh to the IP
Code:
- Root ; toor: login to root
- user1 ; 123: login to user1
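The effect of the AllowUsers line can be checked without restarting sshd. This is an added example, not part of the report: a POSIX shell function that applies sshd's evaluation order for AllowUsers and DenyUsers (a DenyUsers match refuses the login, then any AllowUsers line restricts logins to its patterns) to sshd_config text. The sshd_config fragment is constructed; user1 and user2 are the report's users.

```shell
#!/bin/sh
# Added example (not from the report): decide whether a user would pass
# sshd's AllowUsers/DenyUsers checks, given sshd_config text.
# Order of evaluation, as sshd applies it: a DenyUsers match refuses the
# login; if any AllowUsers line exists the user must match one of its
# patterns; with no AllowUsers line, everyone not denied is allowed.

# Constructed sshd_config fragment matching the report's setup:
# only user1 may log in over ssh.
SSHD_CONF_SAMPLE='Port 22
PermitRootLogin no
# allow the first normal user only
AllowUsers user1
'

# ssh_user_allowed <sshd_config text> <username>
# exit status 0 = login allowed by the user lists, 1 = refused
ssh_user_allowed() {
    printf '%s\n' "$1" | awk -v user="$2" '
        # pattern match for one AllowUsers/DenyUsers entry:
        # "user@host" entries are reduced to the user part (host matching
        # is out of scope here); * and ? wildcards are honoured
        function match_pat(pat, u,    re) {
            sub(/@.*/, "", pat)
            if (pat !~ /[*?]/) return (pat == u)
            re = pat
            gsub(/\*/, ".*", re)
            gsub(/\?/, ".", re)
            return (u ~ ("^" re "$"))
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if (match_pat($i, user)) denied = 1
        }
        tolower($1) == "allowusers" {
            have_allow = 1
            for (i = 2; i <= NF; i++) if (match_pat($i, user)) allowed = 1
        }
        END {
            if (denied) exit 1
            if (have_allow && !allowed) exit 1
            exit 0
        }'
}

# Demonstration on the constructed fragment.
for u in user1 user2 root; do
    if ssh_user_allowed "$SSHD_CONF_SAMPLE" "$u"; then
        echo "$u: allowed"
    else
        echo "$u: refused by AllowUsers/DenyUsers"
    fi
done
```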
2.4 Obstacles
None
2.5 Reference
(Inkblot, 2010-2014)
3.0 SASL Authentication & Encryption (Alex Chung Sheng Feng)
3.1 Objective
The main objective of this section is to set up SASL (Simple Authentication and Security
Layer), which allows users to authenticate themselves with a plaintext username and
password to access the mail server.
3.2 Configuration
To enable SASL, the configuration steps are as follows:
In MC, open /etc/postfix/main.cf to configure Postfix and edit the following lines under the
### smtpd directives.
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
permit_mynetworks
permit_sasl_authenticated
Then disable the existing lines within the curly braces of auth default by prefixing each with
a hash (#) symbol.
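To see what these directives do and do not protect, the following added example (not the report's configuration) audits Postfix main.cf text for the SASL settings above and for the TLS settings that keep the plaintext credentials off the network, the point made in section 3.5. The main.cf text is constructed from the report's directives; placing permit_mynetworks and permit_sasl_authenticated in smtpd_recipient_restrictions, and the smtpd_tls_* parameters, are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): audit SMTP AUTH settings in a
# Postfix main.cf. Postfix reads "key = value" lines; the last setting of
# a key wins and "#" starts a comment, which mainconf_get follows.

# Constructed main.cf fragment with the report's SASL directives only.
MAIN_CF_REPORT='### smtpd directives
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
'

# Constructed hardened variant (assumed parameters): STARTTLS offered,
# AUTH only after TLS, plaintext mechanisms refused on clear sessions.
MAIN_CF_HARDENED="$MAIN_CF_REPORT"'smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
'

# mainconf_get <main.cf text> <parameter>  -> prints the effective value
mainconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
        }
        END { print v }'
}

# postfix_sasl_audit <main.cf text>
# prints one finding per line; exit status = number of findings (0 = clean)
postfix_sasl_audit() {
    conf=$1; n=0
    if [ "$(mainconf_get "$conf" smtpd_sasl_auth_enable)" != yes ]; then
        echo "smtpd_sasl_auth_enable is not yes: SMTP AUTH is off"; n=$((n + 1))
    fi
    case "$(mainconf_get "$conf" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; n=$((n + 1)) ;;
    esac
    case "$(mainconf_get "$conf" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) echo "smtpd_tls_security_level unset: no STARTTLS, credentials cross the network in clear"; n=$((n + 1)) ;;
    esac
    if [ "$(mainconf_get "$conf" smtpd_tls_auth_only)" != yes ]; then
        echo "smtpd_tls_auth_only is not yes: AUTH is offered on unencrypted sessions"; n=$((n + 1))
    fi
    return $n
}

echo "--- report configuration"
postfix_sasl_audit "$MAIN_CF_REPORT" || echo "findings: $?"
echo "--- hardened configuration"
postfix_sasl_audit "$MAIN_CF_HARDENED" && echo "findings: 0"
```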
After setting up the Postfix and Dovecot configurations, a user can be added to the mail host,
with the account details stored on the mail host, using the following steps.
# adduser
Enter the details and password for the new user.
Diagram 3.3: Adding user
3.3 Results
Result 1: Login to the SquirrelMail with the new user account.
3.4 Obstacles
The IP address of eth0 was always in conflict, causing failure to access the URL.
3.5 Suitable encryption protocols used for configuring the mail host
The appropriate encryption protocols that can be applied when configuring the mail host are
Transport Layer Security (TLS) and IPsec.
The advantages of TLS include robust authentication and data integrity: TLS offers a safe
security scheme to secure network communication while protecting against threats such as
replay attacks, man-in-the-middle attacks and so on. Next, it provides high adaptability, as
TLS is supported by the majority of web browsers. In addition, TLS is convenient, as it is
applied under the application layer, so the client need not be aware of it while still having
a secured communication. (Microsoft, 2003)
IPsec is a group of security protocols designed by the IETF (Internet Engineering Task Force)
to offer packet security at the network level. IPsec, also known as IP Security, involves many
component technologies and encryption processes. IPsec is a popular VPN protocol that
functions using the IP protocol and its addressing, and can therefore be considered a Network
Layer VPN protocol. It has 2 kinds of algorithms: encryption algorithms and authentication
algorithms. Encryption algorithms protect data from being read by a third party while the
data is transferred from one end to another. IPsec also comes with authentication algorithms,
which verify the authenticity of a message together with its data integrity (D.Janowski,
2003). IPsec functions by creating a security association, uniquely identified by a security
parameter index, a security protocol, AH (Authentication Header) or ESP (Encapsulating
Security Payload), and the destination IP address. There are 2 modes in which IPsec
functions: transport mode and tunnel mode. In transport mode, the IP payload is encrypted
and the IP header is sent as plain text, whereas in tunnel mode the entire packet is encrypted
and a new IP header is created (Sultan & Shoukat, 2016). The main advantage of applying
IPsec is that the security is provided at the Network Layer, so end users cannot detect it, and
it helps in monitoring and securing network traffic.
4.0 Port Forwarding, Telnet & TFTP (Liu Yung Peng)
4.1 Objective
1. Configure xinetd port forwarding for telnet and tftp.
2. Demonstrate xinetd port forwarding for telnet and tftp and screenshot it.
3. Explain how xinetd port forwarding for telnet and tftp works on a Cisco router or
switch.
4. Discuss the configuration of xinetd port forwarding on Cisco devices.
4.2 Configuration
The configuration of telnet is done on the gateway server, which uses IP address
192.168.76.101.
A few steps are needed for setting up telnet, as shown in the diagram above.
Inside the services file we can also see that telnet uses port 23.
4. Bind and port are added to lock the service to the specific IP address and port number we
use on the host. As shown in the diagram, the IP address used is 192.168.76.101 while the
port number is UDP port 23.
5. The locked IP and port are forwarded to the IP address and port used by the host
according to the redirect line written in the file. In this case, it is redirected to the IP
address 192.168.76.161 on port 23.
The configuration needed for the telnet port forwarding is shown below.
The configuration of the TFTP service on the gateway server is almost the same as for telnet.
1. Open the file tftp, found in the directory /etc/xinetd.d/tftp, and press F4 to edit it.
Comment out only_from to enable the tftp service for other hosts.
2. Also, the extra configuration of bind, port and redirect is added to the file.
3. Set the IP address 192.168.76.101 for bind, and let it use port 69, which the services
file shows is the port used for tftp.
4. After bind and port, type in the IP address and the port used by the redirected host. In
this case, we use 192.168.56.161 and port number 69.
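As an added example, not from the report, the shell below writes the xinetd service entry the report describes (bind, port and redirect) and reads the redirect target back out of it. Telnet is a TCP service, so the entry uses socket_type stream, and xinetd's redirect attribute is defined for TCP services only, which the generator enforces; the addresses are the report's (192.168.76.101 forwarding to 192.168.76.161), while the nobody user and the log_on_failure line are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): generate and inspect an xinetd
# port-forwarding entry of the kind used on the gateway.

# xinetd_redirect_conf <service> <bind_ip> <port> <target_ip> <target_port> [tcp|udp]
# Prints a service block that accepts connections on bind_ip:port and
# relays them to target_ip:target_port. xinetd's "redirect" attribute is
# defined for TCP services, so a UDP request (e.g. tftp/69) is refused
# with an error instead of producing an entry xinetd cannot honour.
xinetd_redirect_conf() {
    svc=$1 bind_ip=$2 port=$3 target_ip=$4 target_port=$5 proto=${6:-tcp}
    if [ "$proto" != tcp ]; then
        echo "xinetd_redirect_conf: redirect works for tcp services only; $svc/$proto skipped" >&2
        return 1
    fi
    printf 'service %s\n{\n' "$svc"
    printf '    disable         = no\n'
    printf '    socket_type     = stream\n'
    printf '    protocol        = tcp\n'
    printf '    wait            = no\n'
    # the relaying child only connects outward, so it needs no privileges
    printf '    user            = nobody\n'
    printf '    bind            = %s\n' "$bind_ip"
    printf '    port            = %s\n' "$port"
    printf '    redirect        = %s %s\n' "$target_ip" "$target_port"
    printf '    log_on_failure += HOST\n'
    printf '}\n'
}

# xinetd_redirect_target <xinetd.conf text> <service>
# Prints "ip port" from the redirect line of the named service block.
xinetd_redirect_target() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "service" { cur = $2; next }
        $1 == "}"       { cur = ""; next }
        cur == want && $1 == "redirect" {
            sub(/^[^=]*=[ \t]*/, "")
            print
            exit
        }'
}

# Demonstration with the report's addresses: telnet on the gateway
# (192.168.76.101:23) relayed to the host at 192.168.76.161:23.
TELNET_ENTRY=$(xinetd_redirect_conf telnet 192.168.76.101 23 192.168.76.161 23)
printf '%s\n' "$TELNET_ENTRY"
echo "telnet redirect target: $(xinetd_redirect_target "$TELNET_ENTRY" telnet)"
```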
4.3.2 Try xinetd port forwarding for TFTP
1. On root@if0m1nc, enter tftp 192.168.76.101 69. The IP address is the gateway server IP
while 69 is the port used for tftp.
After typing in the command, the user enters tftp mode.
2. Next, try to get a file from the server by entering the command get /etc/webserverfile
/etc/webserverfile^C to get the file from the directory
NFS is mounted on the gateway as a file-sharing facility that can be accessed by all the
devices connected to the gateway. The mailstore and filestore are required to be stored on
separate machines, the mail server and the web server. On the mail server, the mailstore
files are located at /home/vmail, while on the web server the filestore files are located at
/var/www.
5.2 Configuration
Before we configure the sharing permissions so that all devices can access the files, we need
to locate the mailstore and filestore files on the respective virtual machines. After locating
the files, the file /etc/exports is opened on the web server and a new line,
/var/www *(rw,sync,no_root_squash,no_subtree_check), is added to enable sharing on that
virtual machine. The next step configures the mail server: after the files have been located,
/etc/exports is opened and the new line /home/vmail *(rw,sync,no_root_squash,no_subtree_check)
is added to enable sharing on that virtual machine. Sharing is enabled so that any virtual
machine connected to the devices can access the files. The exports file is edited with the F4
key and saved with the F2 key. The * symbol means that every virtual machine is able to see
the files exported by the NFS server.
WebServer
/var/www *(rw,sync,no_root_squash,no_subtree_check)
MailHost
/home/vmail *(rw,sync,no_root_squash,no_subtree_check)
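Every machine that can reach the NFS port is covered by the * client above, and no_root_squash lets root on such a machine act as uid 0 on the export. As an added example, not from the report, the shell below reports those settings in exports text and produces a tightened version limited to one subnet; the export lines are the report's, and the lab subnet 192.168.76.0/24 is an assumption.

```shell
#!/bin/sh
# Added example (not from the report): audit /etc/exports lines for the
# two settings in the entries above that widen exposure, then emit a
# tightened version. Format handled: "<path> <client>(<options>) ...".

# The report's two export lines, reproduced as constructed input.
EXPORTS_REPORT='/var/www *(rw,sync,no_root_squash,no_subtree_check)
/home/vmail *(rw,sync,no_root_squash,no_subtree_check)'

# exports_findings <exports text>  -> one finding per line
exports_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                o = "," opts ","
                if (client == "*")
                    print path ": exported to every host (client \"*\")"
                if (o ~ /,no_root_squash,/)
                    print path ": no_root_squash lets root on " client " write as uid 0"
                if (o ~ /,rw,/ && client == "*")
                    print path ": writable by any host that can reach the NFS port"
            }
        }'
}

# exports_harden <exports text> <client spec>
# Replaces the "*" wildcard client with the given network and
# no_root_squash with root_squash; other options are left alone.
exports_harden() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "*" || index($i, "*(") == 1) sub(/^\*/, net, $i)
                gsub(/no_root_squash/, "root_squash", $i)
            }
            print
        }'
}

echo "--- findings for the report's exports"
exports_findings "$EXPORTS_REPORT"
echo "--- tightened to the lab subnet (assumed 192.168.76.0/24)"
exports_harden "$EXPORTS_REPORT" 192.168.76.0/24
```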
After the shares have been enabled, we need to enable the NFS service by executing 2
commands on the four machines.
To turn on sharing on the server, we are required to enable and start the 2 services rc.nfsd
and rc.rpc by using the start command.
Configuration Steps:
- /etc/rc.d/rc.nfsd start
- /etc/rc.d/rc.rpc start
In the next step, after the services have been enabled and started, we can check the shared
directory by using the IP address.
Configuration Steps:
The mount command is used to mount the files from the server onto the gateway. We just
execute the command and the files are mounted onto the gateway from the server.
Configuration Steps:
- mount 192.168.1.104:/var/www /home
To configure the machine to copy the LDAP data files to NFS automatically, the file
/etc/fstab is edited to add an extra line for the system to execute. With this line, the system
copies the LDAP files onto NFS on a scheduled basis. The LDAP data files are located in the
directory /var/openldap-data. By the system's default design, this runs automatically on
every startup.
Configuration Steps:
- 192.168.1.128:/var/openldap-data /home nfs rw,defaults 0 0
On other Linux operating systems such as Ubuntu, we perform the same edit to the exports
file. Next, the command below is executed to enable the NFS services on the Linux operating
system.
Configuration Steps:
5.3 Obstacles
The Tiny-Net OS images contain some errors and bugs when enabling the NFS application
and the firewall. The NFS application cannot be assigned as a server, which creates problems
for setting up NFS, and the firewall features cannot be enabled on Tiny-Net either.
5.4 References
(Slackware Documentation Project, 2015)
(Moghadam, 2007)
6.2 Configuration
After the OpenVPN package has been set up, copy dh1024.pem, server.crt, server.key and
tmp-ca.crt on the server side from /user/share/doc/openvpn-2.0.9/sample-keys to
/etc/openvpn/keys. Then, copy the server.conf file from
/user/share/doc/openvpn-2.0.9/sample-config-files to /etc/openvpn.
6.2.2 Editing the server.conf and client.conf
Furthermore, a few things need to be edited in server.conf to reflect the PKI generated: the
ca, cert, key and dh parameters.
After that, go to the client side and copy the 3 files client.crt, client.key and tmp-ca.crt
from /user/share/doc/openvpn-2.0.9/sample-keys to /etc/openvpn/keys. Then, copy the
client.conf file from /user/share/doc/openvpn-2.0.9/sample-config-files to /etc/openvpn.
Furthermore, a few things need to be edited in client.conf to reflect the PKI generated: the
ca, cert and key parameters.
To test whether OpenVPN is operating, type the command openvpn server.conf. The diagram
below is displayed if OpenVPN is running.
6.3 Obstacles
Unable to examine and use the certificate with stunnel because the installation has too many
requirements.
6.4 Reference
(OpenVPN, n.d.)
7.0 Setup OpenVPN (Alex Chung Sheng Feng)
7.1 Objective
The aim of this section is to provide a secured VPN between one place and another through
OpenVPN. OpenVPN is required to be set up and configured for both the TUN and TAP servers
with their respective configuration files.
7.2 Configuration
Step 1: Setup OpenVPN on the gateway for both server and client
First and foremost, mount the TinyNetConfig.iso image file and run the installation of
OpenVPN with the following commands on both the client and the server side.
# cd /mnt/hdc
./SetupMenu
Install OpenVPN
To provide a secured handshake, both client and server are required to have the same
Certificate Authority (CA) generated by OpenVPN, which is used to authenticate the client and
the server to each other. Therefore, in order to generate the key and certificate correctly, the
following command lines are entered on both the client and the server side.
cd /usr/doc/openvpn-2.0.9/easy-rsa/
. ./vars
./clean-all
./build-ca
After completing step 2 for the server, continue by entering the following command lines in
/usr/doc/openvpn-2.0.9/easy-rsa/.
./build-key-server server
Enter server in the Common Name field, then confirm the certificate with y.
Run ./build-dh and check in MC that dh1024.pem exists.
Copy all of the newly generated keys and certificates from the ./keys directory to
/usr/doc/openvpn-2.0.9/sample-config-files/ in MC.
Diagram 7.3: Step 3 configuration for server
Similar to step 3, the client must complete step 2 and then add the following command lines.
Copy the previously generated ca.key and ca.crt to ./keys on the client.
Go to /usr/doc/openvpn-2.0.9/easy-rsa/ and run ./build-key client
Enter client in the Common Name field, then confirm the certificate with y.
Copy all of the newly generated client keys and certificates from the ./keys directory
to /usr/doc/openvpn-2.0.9/sample-config-files/ in MC.
;dev tap
dev tun
Check that ca.crt, server.crt, server.key and dh1024.pem are properly defined.
; server-bridge 192.168.8.8 255.255.255.0 192.168.8.128 192.168.8.254
server 10.8.0.0 255.255.255.0
;server
;client
;dev tap
dev tun
remote 192.168.76.101 1194
;remote my-server-2 1194
Check that ca.crt, client.crt and client.key are properly defined.
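The check the report asks for after each configuration file (that ca, cert, key and dh are properly defined) can be scripted. This is an added example, not from the report: it reads those directives out of a server or client configuration, resolves relative paths against the file's directory (OpenVPN resolves them against its working directory, which in the report is the directory the file lives in) and confirms each file exists and that the private key is not world-readable. The configuration it builds is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the report): verify that the ca/cert/key/dh
# directives of an OpenVPN configuration point at readable files, and
# that the private key is not world-readable. A missing or wrong file
# here is what produces the authentication failure noted in 7.4.

# openvpn_conf_check <config file>
# Relative paths are resolved against the configuration's directory
# (the report runs openvpn from that directory, so the two coincide).
# Prints one finding per line; exit status = number of findings.
openvpn_conf_check() {
    conf=$1; dir=$(dirname "$conf"); n=0
    # a client configuration carries a bare "client" line and needs no dh
    if awk 'NF == 1 && $1 == "client" { c = 1 } END { exit !c }' "$conf"; then
        wanted="ca cert key"
    else
        wanted="ca cert key dh"
    fi
    for d in $wanted; do
        # first active (uncommented) occurrence of the directive
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then
            echo "$conf: no '$d' directive"; n=$((n + 1)); continue
        fi
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        if [ ! -r "$p" ]; then
            echo "$conf: $d file $p is missing or unreadable"; n=$((n + 1)); continue
        fi
        # column 8 of ls -l is the "other" read bit
        if [ "$d" = key ] && [ "$(ls -l "$p" | cut -c8)" != "-" ]; then
            echo "$conf: private key $p is world-readable"; n=$((n + 1))
        fi
    done
    return $n
}

# openvpn_conf_demo: build a constructed tun-server.conf with its four
# files in a temporary directory and run the check twice, once intact and
# once with the dh parameter file removed.
openvpn_conf_demo() {
    t=$(mktemp -d) || return 1
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$t/$f"; done
    chmod 600 "$t/server.key"
    printf 'dev tun\nserver 10.8.0.0 255.255.255.0\nca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\n' > "$t/tun-server.conf"
    echo "--- intact"
    if openvpn_conf_check "$t/tun-server.conf"; then echo "ok"; fi
    rm "$t/dh1024.pem"
    echo "--- dh1024.pem removed"
    rc=0; openvpn_conf_check "$t/tun-server.conf" || rc=$?
    echo "findings: $rc"
    rm -rf "$t"
}

openvpn_conf_demo
```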
Open a terminal on the server and on the client and enter the following command lines to
create and initialize the tun device on each side.
mkdir /dev/net
mknod /dev/net/tun c 10 200
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tun-server.conf
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tun-client.conf
Diagram 7.14: Step 6 client configuration and showing initialization sequence completed
dev tap0
;dev tun
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
;server 10.8.0.0 255.255.255.0
activate bridge-utils-1.2-2.lzm
client
;server
dev tap
;dev tun
remote 192.168.76.101 1194
;remote my-server-2 1194
Check that ca.crt, client.crt and client.key are properly defined.
As already done in step 6, the device node was created with the mknod /dev/net/tun c 10 200
command. The remaining configuration is to initialize tap0 so that it is opened with its
persist state set to ON.
cd /usr/doc/openvpn-2.0.9/sample-scripts
./bridge-start
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tap-server.conf
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tap-client.conf
Then the TAP configuration is tested from the client by pinging 192.168.8.4, the address of br0.
7.3 Results
The results show that the TUN and TAP connections are able to ping each other through
OpenVPN.
7.4 Obstacles
The obstacle faced in configuring this section was that ca.key, ca.crt and dh1024.pem were not
properly defined on the server and client side, causing an error where the client was not able
to authenticate with the correct key.
8.0 Cowsay, Figlet & Toilet (Liu Yung Peng)
8.1 Objective
1. Set up a VM by using the TinyNet-gcc image file.
2. Use the cowsay, figlet and toilet packages in the VM.
3. Demonstrate on this VM using scripts and ideas from the link provided in the question.
8.2 Configuration
Before we start, some tools need to be downloaded for later use: cowsay, figlet 2.2.5 and
toilet 0.3.
8.2.1 Cowsay
After that, put all the downloaded files onto a USB drive so that we can copy them from the
USB drive into SLAX. In the VM's settings, under the USB option, the user is able to attach a
USB device. In this case, I use my Kingston DataTraveller 2.0 USB drive.
After logging in to the system with the root account, go to the directory /mnt/sda1. The user
should see the files downloaded earlier in the directory, which means that the VM has
successfully read the files from the USB drive.
Then, we copy all 4 files into the SLAX system, to the directory /mnt/hda1/slax/modules, so
that the packages can be used every time the VM runs.
Last, ensure that the copied files are inside the directory
ISC BIND and DNS are used in the configuration of the Gateway virtual host. BIND is
software that implements DNS for the network. DNS, the Domain Name System, converts
domain names to IP addresses on the internet; it is a protocol which performs conversion
between IP addresses and domain names.
9.2 Configuration
In the first step, we are required to install BIND and DHCP on the virtual machine. The
commands shown below are used to install the files that activate and start the BIND and DHCP
features.
Configuration Steps:
- cd /mnt/hdc/modules/isc
- ls
- lzm2dir bind-9.8.4_P1-i486-1.lzm /
- lzm2dir dhcp-4.1_ESV_R7-i486-1.lzm /
The first command, cd /mnt/hdc/modules/isc, changes the working directory, while lzm2dir
bind-9.8.4_P1-i486-1.lzm / and lzm2dir dhcp-4.1_ESV_R7-i486-1.lzm / install the BIND and
DHCP programs onto the Gateway virtual machine.
Next, we create a private setup of the BIND DNS server. The configuration that keeps the BIND
DNS server private is to add new zones in the file /etc/named.conf. The zone files are located
in the directory /var/name/caching-example. The configuration for the setup of the BIND DNS
server is shown in the screenshot. Select the file named.conf and press F4 to edit it, and press
F2 when finished editing to save the file.
Configuration Steps:
- zone "example.com" in {
      type master;
      file "caching-example/zone.example.com";
      allow-transfer { any; };
  };
- zone "1.168.192.in-addr.arpa" in {
      type master;
      file "caching-example/192.zone";
  };
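The allow-transfer { any; } in the first zone lets any host pull the whole zone, and a zone with no allow-transfer inherits BIND 9.8's default, which is also any. As an added example, not from the report, the shell function below reads zone statements out of named.conf text and reports both cases; the input is the report's two zones, reconstructed, plus a hardened variant limited to the lab subnet (assumed 192.168.1.0/24, matching the reverse zone).

```shell
#!/bin/sh
# Added example (not from the report): find zones in named.conf text
# whose transfers are open to any host. Assumes the zone name and each
# allow-transfer clause sit on one line, as in the report's configuration.

NAMED_CONF_REPORT='zone "example.com" in {
    type master;
    file "caching-example/zone.example.com";
    allow-transfer { any; };
};
zone "1.168.192.in-addr.arpa" in {
    type master;
    file "caching-example/192.zone";
};'

NAMED_CONF_HARDENED='acl lab { 192.168.1.0/24; };
zone "example.com" in {
    type master;
    file "caching-example/zone.example.com";
    allow-transfer { lab; };
};
zone "1.168.192.in-addr.arpa" in {
    type master;
    file "caching-example/192.zone";
    allow-transfer { lab; };
};'

# named_zone_transfer_audit <named.conf text>  -> one finding per zone
named_zone_transfer_audit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(\/\/|#)/ { next }                 # comment lines
        {
            line = $0
            if (depth == 0 && match(line, /zone[ \t]+"[^"]+"/)) {
                cur = substr(line, RSTART, RLENGTH)
                sub(/zone[ \t]+"/, "", cur); sub(/"$/, "", cur)
                xfer = ""
            }
            if (cur != "" && match(line, /allow-transfer[ \t]*\{[^}]*\}/)) {
                xfer = substr(line, RSTART, RLENGTH)
                sub(/^[^{]*\{[ \t]*/, "", xfer); sub(/[ \t]*\}$/, "", xfer)
            }
            # track brace depth to know when the zone statement ends
            depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
            if (cur != "" && depth == 0) {
                if (xfer == "")
                    print cur ": no allow-transfer, BIND 9.8 default permits any host"
                else if (xfer ~ /(^|[ \t;])any;/)
                    print cur ": allow-transfer { any; } hands the full zone to anyone"
                cur = ""
            }
        }'
}

echo "--- report configuration"
named_zone_transfer_audit "$NAMED_CONF_REPORT"
echo "--- hardened configuration"
named_zone_transfer_audit "$NAMED_CONF_HARDENED"
```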
In the steps for setting up the zone files, a few things must be focused on: the directory and
the files selected to copy. First, we go to the directory /var/name/caching-example in Midnight
Commander. Second, we copy the file named localhost.zone. We copy localhost.zone twice in
order to rename the copies. The first copy of localhost.zone is renamed zone.example.com,
while the other copy of localhost.zone is renamed 192.zone.
Configuration Steps:
- /etc/rc.d/rc.bind start
- dhcpd -q eth0
9.3 Obstacles
Some libraries that are not installed in the Slax system create problems for the
configuration. For example, the DHCPD service is unable to search and locate the libraries
libcap.so.2 and libxml2.so.2. With this problem, we came up with a way to solve the issue
by using the ldconfig command in the terminal and using the lzm2dir command for the
installation process.
9.4 References
(Digital Ocean, 2014)
10.0 Setup Snort & Demonstration Of Its Functions (Hea Zhen Yao)
10.1 Objectives
a. Set up snort
b. Use netcat and hping2 to demonstrate recognized attacks
10.2 Configuration
Diagram 10.2: Copy the files from /etc/snort and remove .new
10.2.2 Changing the path of the snort rules
After the Snort package has been set up, all the files within /etc/snort are by default of the
.new file type, so copy all the files inside /etc/snort and rename them by deleting the .new
suffix. After the files have been copied, edit a few lines in the snort.conf file. Change the path
to /etc/snort/rules so that the system uses the correct rules path. Then, add an alert rule as
follows:
Furthermore, the user will need to uncomment all the default rules and insert 5 new correct
paths to the rules files, as follows:
The user is required to type snort -c /etc/snort/snort.conf to run snort. The diagram below
shows snort operating successfully.
Diagram 10.8: Snort is successfully running
Furthermore, use the hping command to generate any number of packets to flood the
network; in our case we use 65000 packets. After that, the system will be jammed, so the user
needs to press CTRL+C to abort it.
Diagram 10.10: Flood the network with 65000 packets to jam it
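The report does not reproduce the alert rule it adds. As an added example, not the report's rule, the shell below writes a constructed local.rules that alerts when one source sends many ICMP packets or SYNs per second (the traffic the hping2 flood test produces) and checks the rule file before Snort loads it: every rule needs msg, sid and rev, local sids belong in the 1000000+ range, and no sid may repeat. The rule thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): a local.rules file for the flood
# test in 10.2 and a pre-load check of its rules.

# Constructed rules. detection_filter counts packets per source (or per
# destination) and fires only when the rate is exceeded, so ordinary
# pings and connections do not alert.
LOCAL_RULES='# local.rules: flood detection for the lab network
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP flood from one source"; detection_filter:track by_src, count 100, seconds 1; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"LOCAL SYN flood to one host"; flags:S; detection_filter:track by_dst, count 200, seconds 1; sid:1000002; rev:1;)
'

# snort_rules_check <rules text>  -> one finding per line, exit = count
snort_rules_check() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 !~ /^(alert|log|pass|drop|reject|sdrop)$/ {
            print "line " NR ": unknown action " $1; bad++; next
        }
        {
            sid = ""
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4); sub(/^[ \t]+/, "", sid)
            }
            if (sid == "")              { print "line " NR ": rule has no sid"; bad++ }
            else if (sid + 0 < 1000000) { print "line " NR ": sid " sid " is in the reserved range"; bad++ }
            else if (sid in seen)       { print "line " NR ": sid " sid " already used on line " seen[sid]; bad++ }
            else seen[sid] = NR
            if ($0 !~ /msg:[ \t]*"[^"]+"/) { print "line " NR ": rule has no msg"; bad++ }
            if ($0 !~ /rev:[ \t]*[0-9]+/)  { print "line " NR ": rule has no rev"; bad++ }
        }
        END { exit bad }'
}

if snort_rules_check "$LOCAL_RULES"; then
    echo "local.rules: ok"
fi
```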
10.3 Obstacles
The obstacle encountered is that the internet resources about how to set up snort are
extremely hard to comprehend. To get snort working successfully, a lot more files need to be
configured. Lastly, whether the hping2 command succeeded in demonstrating a flood attack
is unknown.
10.4 Reference
(TheGeekStuff, 2010)
11.0 Setup LDAP With FreeRadius & Protocols (Alex Chung Sheng Feng)
11.1 Objective
The objective of this section is to set up FreeRADIUS with LDAP and to demonstrate
centralized logins after FreeRADIUS has been set up. Remote Authentication Dial-In User
Service (RADIUS) is an access server authentication and accounting protocol which provides
secure authentication to the server, as defined by (Cisco, 2006).
11.2 Configuration
Step 1: Install FreeRADIUS
In order to install FreeRADIUS, the image file must be mounted and the following command
lines entered.
ls -l /mnt/hdc
cd /mnt/hdc
./SetupMenu
After the installation is done and LDAP is enabled, FreeRADIUS can be started.
/etc/rc.d/rc.freeradius start
11.3 Results
FreeRADIUS is functional, as shown in the following with the command lines in the
terminal as well.
radiusd -d /etc/raddb
Diagram 11.4: Result to prove FreeRADIUS is functional.
11.4 Obstacle
The obstacle faced in this section was in demonstrating the centralized login, as there is
little understanding of implementing FreeRADIUS, so to some extent it is hard to actuate.
Also, TinynetConfig.iso is missing the PPP authentication needed to operate, causing errors
when authenticating users.
12.2 Configuration
First, install Kerberos 1.6.3 from the TinynetConfig.iso on both the Kerberos server and
the application server. After the installation finishes, type the command reboot on both
servers to apply the configuration.
12.2.2 Preparation
Configure the IP address, hostname and domain name for both servers in the file
/etc/hosts. The IP address filled in here must be the one used on the eth0 interface,
which can be checked with ifconfig. You can also use the command hostname to check the
hostname. Kerberos host principals are named after the fully qualified host name, so the
name entered in /etc/hosts must match the one used in the host principal later.
After that, create a new user named lucas (any other user name could be used). The
fields shown afterwards, such as Full name, Room Number and Home Phone, can be left
blank because they will be replaced by default values, except the password. Set a strong
password in order to build a system that has Authentication, Authorization and
Accounting (AAA).
12.2.3 Configure Kerberos Server with KDC-AS and TGS
4. After Steps 1 to 3 are done, create the Kerberos database that stores all the
principals. Create it with the command kdb5_util create -r LUCAS.COM in the
directory /usr/sbin. As shown in the screenshot, the 4th line prompts the user for
the KDC database master key. The user must remember this master key, as it protects
every key stored in the KDC database.
6. Use ktadd (with -k naming the keytab file) to write the kadmin principals' keys into
a keytab. As shown in the screenshot, kadmin/admin and kadmin/changepw are added
successfully to the keytab /var/krb5kdc/kadm5.keytab.
7. Now, create a host principal for the KDC using the commands addprinc and ktadd.
After this is done, the host name gateway.lucas.com (the principal is
host/gateway.lucas.com) must resolve through /etc/hosts. If it does not, redo this
step and try again.
8. At this point all the principal and privilege settings are done. Start the KDC
with the command /usr/sbin/krb5kdc and the admin server with
/usr/sbin/kadmind. After that, use netstat -nat | grep 749 and netstat -nat |
grep 88 to confirm that ports 749 and 88 are open and listening. Note that -t lists
TCP sockets only; the KDC also serves UDP port 88, which netstat -nau shows.
9. Finally, run ktutil to make sure all the keytab entries were created successfully.
Type the command rkt /var/krb5kdc/kadm5.keytab followed by list to continue. All
keytab entries created in the previous steps will be shown. According to the
screenshot, there are 4 principals. If more or fewer than 4 are listed, something went
wrong; check back through the previous steps to find the problem.
12.3 Configure Application Server with SSH and Telnet Service
4. Lastly, use the command kadmin -p root/admin to create a host principal for the
client on the KDC. Once this is done, the Kerberos server and admin server should be
running. Log in with the principal root/admin, then type addprinc and ktadd to create
the new principal host/if0m1nc.lucas.com and store its key in the application
server's keytab.
As shown in the screenshot above, an access to the server using kadmin has been
captured. The screenshot shows UDP packets sent from IP 192.168.76.183 to IP
192.168.1.40 on port 88, the KDC port (kadmin first obtains a ticket for kadmin/admin
from the KDC before it talks to kadmind on port 749). The packets prove that the client
is able to reach the KDC server successfully.
This screenshot shows the packet statistics for the eth3 interface on the server. It
lists the number of incoming and outgoing packets continuously, and keeps updating as
long as clients are accessing kadmin.
This screenshot shows more detail on the incoming and outgoing packets by also
identifying the hardware addresses of the sources. For example, the first line shows
the source HW address, with 12 packets and 1926 bytes outgoing.
This is the statistic on the server while the client runs the commands klist and kinit.
klist lists the tickets already cached; kinit requests a ticket-granting ticket (TGT)
from the KDC's Authentication Service, and that TGT is later exchanged at the Ticket
Granting Server for a service ticket. Both requests go to port 88, so this screenshot
shows that the ticket request is also captured by IPTraf.
On the Kerberos server, type the command su - lucas to switch to the user account
lucas. Then check the tickets held by the user with the command klist, and use kinit
to request a ticket if the user does not hold one. As shown in the demo, after typing
klist it reports that there are no tickets cached. Hence the user runs kinit to request
a ticket, which is stored in the ticket cache FILE:/tmp/krb5cc_1000. Then the user can
type klist again to confirm that a ticket (the krbtgt entry, i.e. the TGT) is held.
After the ticket has been obtained, use the command ssh lucas@if0m1nc to gain SSH
access to the destination. But the system reports that GSSAPIAuthentication is not
supported, so the ticket cannot be used to authenticate the user, who therefore has to
authenticate with a password. That is the reason the system asks for lucas@if0m1nc's
password at the bottom of the picture. For the ticket to be accepted, both the OpenSSH
client and sshd must be built with GSSAPI support and have GSSAPIAuthentication yes
configured, and the server must hold the host/if0m1nc.lucas.com key in its keytab.
After the ticket has been obtained, the user can also use the command telnet -Fxl
lucas if0m1nc.lucas.com to open a telnet connection to the destination. Although telnet
connects to the destination, it fails to authenticate with the ticket because Kerberos
V5 authentication and encryption are not supported in this connection. Hence it asks
for the password of the principal lucas for authentication.
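The three exchanges this section exercises, the AS exchange behind kinit, the TGS exchange that turns the TGT into a service ticket, and the AP exchange that sshd or telnetd would perform if GSSAPI/Kerberos V5 were supported, are simulated end to end below. This is an added example, not code from the report and not Kerberos's real wire format: seal/unseal is a toy encrypt-then-MAC stand-in for Kerberos encryption (not RFC 3961 crypto), and the realm LUCAS.COM, the principals lucas and host/if0m1nc.lucas.com and the password are assumptions taken from the lab setup described above. It serves both the KDC setup of 12.2.3 (database, krbtgt key, addprinc, ktadd) and the klist/kinit/ssh demonstration of 12.3.

```python
"""Added example (not the report's own code): the three Kerberos exchanges the section
exercises (AS via kinit, TGS, AP via sshd/telnetd), simulated in one process. seal/unseal
is a toy encrypt-then-MAC stand-in for Kerberos encryption, NOT RFC 3961 crypto; realm,
principal names and the password are assumptions taken from the report's lab setup."""
import hashlib, hmac, json, os, time

SKEW = 300                      # tolerated clock skew in seconds, as real KDCs enforce

def _stream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode over key || nonce || counter."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt a JSON object under key; the HMAC tag is what makes a wrong key detectable."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("decrypt/integrity failure: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    """Long-term key from a password, salted with the principal name as Kerberos does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    """Principal database (kdb5_util create + kadmin addprinc) plus the AS and TGS services."""
    def __init__(self, realm):
        self.realm, self.tgs = realm, f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs: os.urandom(32)}          # krbtgt key is created with the database

    def addprinc(self, principal, password=None):
        self.db[principal] = string_to_key(password, principal) if password else os.urandom(32)
        return self.db[principal]                     # ktadd: this is what a keytab stores

    def as_exchange(self, cname, nonce):
        """AS-REQ -> AS-REP: a TGT (readable only by the TGS) plus a session key the
        client can only read with its own long-term key, so a wrong password fails here."""
        skey, exp = os.urandom(32).hex(), int(time.time()) + 8 * 3600
        tgt = seal(self.db[self.tgs], {"cname": cname, "key": skey, "exp": exp})
        return tgt, seal(self.db[cname], {"key": skey, "nonce": nonce, "exp": exp})

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ -> TGS-REP: check TGT and authenticator, issue a ticket for sname."""
        t = unseal(self.db[self.tgs], tgt)
        sess = bytes.fromhex(t["key"])
        a, now = unseal(sess, authenticator), int(time.time())
        if a["cname"] != t["cname"] or abs(now - a["ts"]) > SKEW or now > t["exp"]:
            raise PermissionError("authenticator mismatch, clock skew, or expired TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.db[sname], {"cname": t["cname"], "key": svc_key, "exp": t["exp"]})
        return ticket, seal(sess, {"key": svc_key, "sname": sname})

def kinit(kdc, cname, password):
    """Client side of AS; returns the credential cache entry klist shows as krbtgt/REALM@REALM."""
    nonce = os.urandom(8).hex()
    tgt, enc = kdc.as_exchange(cname, nonce)
    part = unseal(string_to_key(password, cname), enc)   # wrong password -> PermissionError
    if part["nonce"] != nonce:
        raise PermissionError("AS-REP nonce mismatch (replay)")
    return {"cname": cname, "tgt": tgt, "key": bytes.fromhex(part["key"])}

def authenticator(key, cname):
    """Proof of possession of a session key: the client name and a fresh timestamp."""
    return seal(key, {"cname": cname, "ts": int(time.time())})

def get_service_ticket(kdc, ccache, sname):
    """Client side of TGS: present the TGT, receive a service ticket and its session key."""
    ticket, enc = kdc.tgs_exchange(ccache["tgt"], authenticator(ccache["key"], ccache["cname"]), sname)
    return ticket, bytes.fromhex(unseal(ccache["key"], enc)["key"])

def ap_exchange(keytab_key, ticket, auth):
    """Service side (sshd with GSSAPI, or Kerberized telnetd): only the keytab key opens the ticket."""
    t = unseal(keytab_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), auth)
    if a["cname"] != t["cname"] or abs(int(time.time()) - a["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket")
    return t["cname"]

def demo(password="correct horse battery staple"):
    kdc = KDC("LUCAS.COM")
    kdc.addprinc("lucas@LUCAS.COM", password)
    host_key = kdc.addprinc("host/if0m1nc.lucas.com@LUCAS.COM")   # ktadd on the application server
    cc = kinit(kdc, "lucas@LUCAS.COM", password)
    ticket, skey = get_service_ticket(kdc, cc, "host/if0m1nc.lucas.com@LUCAS.COM")
    return ap_exchange(host_key, ticket, authenticator(skey, cc["cname"]))

if __name__ == "__main__":
    print("service accepted", demo())
```

Two things the simulation makes visible that the screenshots cannot: the client never learns the krbtgt key, so it cannot read or forge its own TGT, and the service never contacts the KDC at all, which is why the host key written by ktadd into the application server's keytab is the only thing sshd needs once GSSAPIAuthentication is available.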
Overall, after establishing virtual machines for each section, we can conclude that we
were able to accomplish each of the given criteria. In the process, every assigned
member gained an understanding of Slax through research, came to see how Oracle VM
emulates the computer architecture and operating system, and gained a better
understanding of the Linux architecture and operating system as well.
References
Cisco, 2006. How Does RADIUS Work?. [Online]
Available at: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-
dial-user-service-radius/12433-32.html
[Accessed 8 June 2016].
Digital Ocean, 2014. How To Configure BIND as a Private Network DNS Server on Ubuntu 14.04.
[Online]
Available at: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-
private-network-dns-server-on-ubuntu-14-04
[Accessed 12 June 2016].
Inkblot, 2010-2014. Lab Exercise 5: Testing the eMail service via WebMail. [Online]
Available at: http://www.my-tiny.net/Lab05_WebMail.htm
[Accessed 30 November 2014].
Linux Home Networking, n.d. Quick HOWTO : Ch29 : Remote Disk Access with NFS. [Online]
Available at:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch29_:_Remote_Disk
_Access_with_NFS#Table_29.2_Some_Common_NFS_Error_Messages
[Accessed 11 June 2016].
Moghadam, P., 2007. Slackware 12.0 - NFS : Network File System. [Online]
Available at: http://pmoghadam.com/homepage/HTML/slackware-12.0-nfs.html
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 4: Creating system users and testing the eMail service. [Online]
Available at: http://www.my-tiny.net/Lab04_MailConfig.htm
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 5: Testing the eMail service via WebMail. [Online]
Available at: http://www.my-tiny.net/Lab05_WebMail.htm
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 9: Creating users and a look at sudo. [Online]
Available at: http://www.my-tiny.net/Lab09_UsrMgt.htm
[Accessed 11 June 2016].
Slackware Documentation Project, 2015. NFS - Quick and Dirty Setup. [Online]
Available at: http://docs.slackware.com/howtos:network_services:nfs-quick_and_dirty_setup
[Accessed 11 June 2016].