
System And Network Administration (SNA) - Assignment

Research · December 2017

DOI: 10.13140/RG.2.2.16039.39843

ResearchGate publication: https://www.researchgate.net/publication/331177953

1 author: Abdurraouf Fathi Sawehli, Asia Pacific University of Technology and Innovation

All content following this page was uploaded by Abdurraouf Fathi Sawehli on 18 February 2019.


GROUP ASSIGNMENT
TECHNOLOGY PARK MALAYSIA
CT106-3.5-2-SNA
SYSTEM AND NETWORK ADMINISTRATION
UC2F1708 (NC) (IT)(ISS)
HAND OUT DATE : 4th NOVEMBER 2017
HAND IN DATE : 22nd DECEMBER 2017
WEIGHTAGE : 60%

INSTRUCTIONS TO CANDIDATES:

1 Submit your assignment at the administrative counter.
2 Students are advised to underpin their answers with the use of references (cited using the Harvard Name System of Referencing).
3 Late submission will be awarded zero (0) unless Extenuating Circumstances (EC) are upheld.
4 Cases of plagiarism will be penalized.
5 The assignment should be bound in an appropriate style (comb bound or stapled).
6 Where the assignment should be submitted in both hardcopy and softcopy, the softcopy of the written assignment and source code (where appropriate) should be on a CD in an envelope / CD cover and attached to the hardcopy.
7 You must obtain 50% overall to pass this module.


NAME TP NUMBER
1. CHAN LEK KEAT

2. NICHOLAS CHIN YII JENG

3. WU YICHEN TP042884

4. ABDURRAOUF FATHI TP042816

INTAKE : UC2F1708 (NC) (IT)(ISS)

LECTURER NAME : MR. SHOUNAK GHOSH

HAND OUT DATE : 4th NOVEMBER 2017

HAND IN DATE : 22nd DECEMBER 2017

Project management:
Approach:
The approach we followed to accomplish the assignment values was that all of us should contribute to every enhancement, so that each of us was involved in each step of the assignment. That helped us improve our technical skills and expand our knowledge of system and network administration.
Basically, in each enhancement at least two group members performed the value's configuration while the other two made sure the configuration steps were done correctly and carried out research whenever there was an obstacle. The other two were also responsible for documenting the configuration steps and the difficulties we faced, so that we could include them in the assignment documentation. By following this, we managed to work effectively and avoid wasting time as far as we could. Throughout, all the configuration files were examined and tested at each step to make sure that our system was working properly.
We also created a shared Google Drive Word file to record all the configuration steps while we implemented the values. Furthermore, snapshots were taken to include in the documentation, either as the final result or whenever there was an obstacle, so that we could refer to them in the next meeting without getting confused.
We decided that each time we completed a question or value, we would start its documentation immediately to manage our time efficiently. Most of our meetings were held at the APU main campus and most of the group mates attended them. We also created a WhatsApp group to discuss any topic or share useful resources that might help us with the assignment.

The division of tasks:
A lot of research was carried out in all the assignment stages, and each of us had to choose a task to be the owner of. That does not mean he worked on it individually, as we were all involved in each step, but he acted as the leader for the selected value while we implemented it. In addition, each of us was required to try the question that we would implement in the next meeting on our own virtual machine, and then we implemented it in our main system whether or not he had managed to accomplish it. The following table shows each question, its owner and the percentage contribution of each member.

Percentage of contribution (%)
Columns: No. | Task with its owner | Wu Yichen | Chan Lek | Nicholas Chin | Abdurraouf Fathi

1  | Case study analysis.                      | 25% | 25% | 25% | 25%
2  | Define scope and objective of the system. | 25% | 25% | 25% | 25%
3  | System design.                            | 25% | 25% | 25% | 25%
4  | Question 1 (ALL MEMBERS):                 | 20% | 36% | 30% | 19%
   | 1.1 On your WebServer, set up two virtual servers (VirtualHost) in addition to the webmail.
   | 1.2 Set up two normal users.
   | 1.3 Configure the system so users cannot serve web pages or run cgi scripts from their home directories, and cannot access the virtual server document root, but can upload files for web/cgi (hint: use a staging area and cron).
5  | Question 2 (ALL MEMBERS):                 | 26% | 24% | 26% | 24%
   | 2.1 Allow no root access: force users to use sudo (like ubuntu).
   | 2.2 Limit ssh access to only some users and no root logins.
   | 2.3 Have different color prompts for normal users and root.
6  | Question 3 (ALL MEMBERS):                 | 36% | 19% | 20% | 30%
   | 3.1 Setup SASL plaintext authentication.
   | 3.2 Explain which authentication mechanisms may be more suitable for specific configurations.
7  | Question 4 (ALL MEMBERS):                 | 36% | 24% | 30% | 20%
   | 4.1 Demonstrate xinetd port forwarding (outlined in RHL-RG 15.4.3.3).
   | 4.2 For both telnet and tftp.
   | 4.3 Explain how telnet and tftp are useful for working with a cisco router or switch.
9  | Question 5 (ALL MEMBERS):                 | 25% | 25% | 25% | 25%
   | 5.1 Use one easy method to setup Multitail to show the postfix logfiles on the Gateway and the Mailserver in separate windows, and demonstrate using email via telnet.
   | 5.2 Use a different easy method to setup Multitail to show the postfix logfiles on the Gateway and the Mailserver in a single window with different colors, and demonstrate using email via telnet.
   | 5.3 [Bonus: 5] Reconfigure one of the above to use authentication via keys and sshagent.
10 | Question 6 (ALL MEMBERS):                 | 26% | 24% | 26% | 24%
   | 6.1 Setup openvpn using static keys.
   | 6.2 Have two sets of config files, one for tun and one for tap.
   | 6.3 [Bonus: 5] Reconfigure to use signed keys.
11 | Question 7 (ALL MEMBERS):                 | 19% | 30% | 20% | 36%
   | 7.1 Setup the LDAP server with two domains (o= and dc=).
   | 7.2 Configure dovecot and squirrelmail to use LDAP.
   | 7.3 Get LDAP using stunnel.
12 | Question 8 (ALL MEMBERS):                 | 26% | 24% | 26% | 24%
   | 8.1 Setup a VM using the TinyNet-gcc image.
   | 8.2 Install the asciiart package from the configuration CD.
   | 8.3 Compile the toilet source code.
   | 8.4 Demonstrate using shell scripts.
13 | Question 9 (ALL MEMBERS):                 | 19% | 30% | 20% | 36%
   | 9.1 Put the Dovecot mail directory and the webserver VirtualHost DocumentRoot directories on a new VM NFS mount.
   | 9.2 Set up the VirtualHost users on the NFS server, and allow them ssh access to their staging area.
   | 9.3 Run the staging area to document root cron jobs on the NFS server.
14 | Question 10 (ALL MEMBERS):                | 30% | 24% | 36% | 20%
   | 10.1 Setup snort.
   | 10.2 Use multitail and hping2 to demonstrate recognized attacks.
   | 10.3 How is information about known attacks compiled?
15 | Question 11 (ALL MEMBERS):                | 36% | 20% | 24% | 30%
   | 11.1 Setup ISC DHCP and Bind.
   | 11.2 Replace dnsmasq with dynamic updates in the ISC configuration.
18 | Documentation.                            | 25% | 25% | 25% | 25%

Gantt Chart:
The next table shows how we managed our time to complete the assignment and how much of it we spent on each enhancement.

Week (first day of the week): 1: 30 Oct | 2: 06 Nov | 3: 13 Nov | 4: 20 Nov | 5: 27 Nov | 6: 04 Dec | 7: 11 Dec | 8: 18 Dec

ID  Task
1   Base System Configuration
2   Question 1
3   Question 2
4   Question 3
5   Question 4
6   Question 5
7   Question 6
8   Question 7
9   Question 8
10  Question 9
11  Question 10
12  Question 11
13  Documentation

Base project scenario: Sending mail using stunnel and MSA

Objective – what this does for the system

MSA stands for Mail Submission Agent. It allows minor errors in a message's format (such as a syntax error or a mistyped domain name) to be corrected and an error to be reported to the user immediately, so that it can be fixed before the process terminates or the mail is sent to the recipients. It has a dedicated port number, 587, and users can always submit new mail when connected to the domain. (Gellens & Klensin, 11/14/2013)
Stunnel encrypts the connection between the gateway and the mailhost. It listens on the port specified in its configuration file and forwards the data to the original daemon listening on its usual port. (PORTAL, 2016)

List the relevant configuration files, and for each one briefly describe what was done

- All hostnames in all files on all servers match the names in /etc/dnsmasq.d/cnames.
- /etc/stunnel/mh.server.conf - connect to port 80.
- /etc/postfix/main.cf on the MailServer - change the relayhost directive to point at the submission port.
- config_svr_adrs.php on the WebServer - point SquirrelMail at localhost.

Screenshot of mailadmin mailbox in squirrelmail

Sending mail by using Telnet

The domain of WebServer

Login screen for Squirrelmail

Mailbox for Squirrelmail

Showing the inbox.

Any Outstanding/Unresolved Issues
Everything went smoothly; we followed the instructions given during the lab classes.
Value [5]
1. On your WebServer, set up two virtual servers (VirtualHost) in addition to the
webmail
2. Set up two normal users
3. Configure the system so users cannot serve web pages or run cgi scripts from their
home directories, and cannot access the virtual server document root, but can
upload files for web/cgi (hint-use a staging area, permissions like /tmp and
/home/vmail, and cron)

Task Owner:

Objective – what this does for the system

This task required setting up two virtual servers (VirtualHost) and two normal users in the system. By doing so, the web server serves different files from different locations. The users will not be able to run cgi scripts from their home directories or access the virtual server document root, but they can upload files for web/cgi.

List the relevant configuration files, and for each one briefly describe what was done
Setup two virtual servers
/usr/monkey/monkey.conf
- First, we need to configure the /usr/monkey/monkey.conf file on the WebServer machine to set up the virtual servers (VirtualHost).
- We edit the file by adding the lines shown below:
<Virtualhost>
VirtualServerName original.tinynet.edu
VirtualDocumentRoot /var/www/example/htdocs
VirtualScriptAlias /cgi-bin/ /var/www/example/scripts/
VirtuaForceGetDir off
</Virtualhost>

<Virtualhost>
VirtualServerName alice.tinynet.edu
VirtualDocumentRoot /var/monkey/htdocs/alice
VirtualScriptAlias /cgi-bin/ /var/monkey/htdocs/alice/scripts/
VirtuaForceGetDir off
</Virtualhost>

<Virtualhost>
VirtualServerName bob.tinynet.edu
VirtualDocumentRoot /var/monkey/htdocs/bob
VirtualScriptAlias /cgi-bin/ /var/monkey/htdocs/bob/scripts/
VirtuaForceGetDir off
</Virtualhost>

- Once the file is edited, we have two additional virtual servers available, called "alice" and "bob".

Configuring file path for VirtualDocumentRoot
/var/monkey/htdocs
- Now, we need to satisfy this line in the monkey configuration file:
VirtualDocumentRoot /var/monkey/htdocs/alice (VirtualHost for "alice")
- To do this, we go to the /var/monkey/htdocs/ directory and create two new directories inside it, called alice and bob.
- Change the permissions of both directories with chmod so that they are unreadable, inexecutable and unsearchable by others.
- Change the owner and group of each directory with chown, setting both the owner name and the group name to nobody.

By doing the steps shown above, the users will not be able to access the virtual server document root. The sticky bit is also required to prevent the users from deleting or executing files in the document root.

Configuring path for VirtualScriptAlias
/var/monkey/htdocs/alice & /var/monkey/htdocs/bob
- After the DocumentRoot path has been configured, the directory for scripts also needs to be configured; we need to satisfy this line in the monkey configuration file:
VirtualScriptAlias /cgi-bin/ /var/www/example/scripts/
- To do this, we go to the /var/monkey/htdocs/username directory and add a new directory called scripts inside both the alice and the bob directory.
- Change the permissions, owner and group of the scripts directory with chmod and chown, configuring them the same way as the document root.

By doing the steps shown above, the users will not be able to run cgi scripts from their home directories.

Setting permission for home directories of the users
/home/username/
- In this task, the users on the machine must not be able to serve web pages or run cgi scripts from their home directories. The best way to do this is to deny the users access to their home directories.
- To do this, we go to /home/username and change the owner of both alice and bob with the chown command, setting the owner name and group name to nobody.

By changing the owner of the home directories to nobody, the users cannot access their home directories and therefore cannot serve web pages or run cgi scripts from them.

Setup a staging area
/var/tmp/
- A staging area is required for the users to upload files for web/cgi. The best way to do this is to set up the staging area in the /var/tmp/ directory.
- We go to the /var/tmp/ directory and add two new directories inside it, called alice and bob.
- We set proper permissions for these directories by using chmod.

By adding the users' directories under tmp, the users can upload files for web/cgi.

Adding normal users in the system
- Two normal users are needed in this task, so we need to create the users on the machine manually.
- We can create a user account by executing the "adduser" command.
- We created two normal user accounts on the WebServer machine, "alice" and "bob".

Creating cron job
/etc/cron.hourly/
- Create a shell script in this directory (the purpose of the script is to move the uploaded files into the htdocs directory under /var/monkey).
- We created a shell script named "sitepages" with the following contents:
#!/bin/sh
# move everything staged in /opt/sitetemp into the monkey document root
mv -f /opt/sitetemp/* /var/monkey/htdocs
- After the shell script has been created and moved to the /etc/cron.hourly/ directory, we tell the system to create a new cron job by running crontab -e and adding the following line:
59 * * * * /etc/cron.hourly/sitepages

The system will run the cron job at 59 minutes past every hour, executing the sitepages script that we created once an hour.

After all the steps above are done, the WebServer has two virtual servers (VirtualHost) set up and running. A user can log in as "root" or as one of the normal users we created, "alice" and "bob", and the normal users cannot serve web pages or run cgi scripts from their home directories and cannot access the virtual server document root, but can upload files for web/cgi.
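
As an added example that is not the report's own "sitepages" script, the following hardened version of the staging-to-document-root cron job shows the checks a practitioner would want once users can drop files into a staging area: it publishes per user, refuses symbolic links, skips anything that is not a regular file and clears the group/other write bits before moving. The STAGE_ROOT, DOC_ROOT, SITE_USERS and WEB_OWNER variables and the publish_user/publish_all names are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example (not the report's own "sitepages" script): publish uploads from a
# per-user staging area into that user's VirtualHost document root.
# Assumed layout (labelled assumptions, matching the alice/bob setup above):
#   staging dirs   STAGE_ROOT/<user>   (default /var/tmp/<user>)
#   document roots DOC_ROOT/<user>     (default /var/monkey/htdocs/<user>)
# Compared with "mv -f /opt/sitetemp/* /var/monkey/htdocs" this version
#   - works per user, so files staged by alice never land in bob's site;
#   - refuses symbolic links, so a link in the staging area cannot make the
#     web server publish a file from /etc or from a home directory;
#   - moves only regular files (sub-directories are left in staging);
#   - clears group/other write bits so published files stay read-only for users;
#   - hands the files to the document root owner when run as root (from cron).
STAGE_ROOT=${STAGE_ROOT:-/var/tmp}
DOC_ROOT=${DOC_ROOT:-/var/monkey/htdocs}
SITE_USERS=${SITE_USERS:-"alice bob"}
WEB_OWNER=${WEB_OWNER:-nobody}

# publish_user <user>: move safe files from STAGE_ROOT/<user> to DOC_ROOT/<user>.
# Prints the number of files published; returns 1 if the document root is missing.
publish_user() {
    user=$1
    stage="$STAGE_ROOT/$user"
    dest="$DOC_ROOT/$user"
    count=0
    [ -d "$stage" ] || { echo 0; return 0; }   # nothing staged for this user
    [ -d "$dest" ] || return 1                  # document root must already exist
    for f in "$stage"/* "$stage"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue  # glob matched nothing
        name=${f##*/}                           # basename comes from the listing
        if [ -L "$f" ]; then
            echo "publish: rejecting symlink $f" >&2
            rm -f "$f"
            continue
        fi
        [ -f "$f" ] || continue                 # skip directories, sockets, fifos
        chmod go-w "$f"
        if [ "$(id -u)" = 0 ]; then
            chown "$WEB_OWNER" "$f"
        fi
        mv -f "$f" "$dest/$name" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# publish_all: run publish_user for every configured site user.
publish_all() {
    for u in $SITE_USERS; do
        n=$(publish_user "$u") || echo "publish: no document root for $u" >&2
        [ -n "$n" ] && echo "publish: $u: $n file(s)"
    done
}

# Installed as /etc/cron.hourly/sitepages and invoked as "sitepages run";
# sourcing the file without the argument only defines the functions.
if [ "${1:-}" = "run" ]; then
    publish_all
fi
```

On a system whose root crontab already drives /etc/cron.hourly through run-parts, installing the script there runs it hourly by itself, and a separate crontab entry would run it a second time.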

Screenshots of tests, with explanations

Directory for two users

Demonstration of using user "alice" to log in with "alice1" as the password.

User "alice" cannot access her home directory in /home/username/

User "alice" cannot access the /var/monkey/htdocs directory, which is the document root

The system lists the active cron jobs when the %crontab -u root -l command is executed

The last line shows that the system will run the sitepages script every hour.

Obstacles encountered, obstacles overcome


None.

Best References
www.my-tiny.net
http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/
https://www.cyberciti.biz/tips/howto-run-cron-job-nth-week-day.html

Value [5]
Choose one server and
1. Allow no root access: force users to use sudo (like ubuntu)
2. Limit ssh access to only some users and no root logins
3. Have different color prompts for normal users and root

Task Owner:

Objective – what this does for the system

SSH, also known as Secure Shell, is a protocol used to log onto a remote system securely. It allows a user to log in to a system from another machine remotely. For security purposes, it should be restricted so that only certain users, such as administrators, can use SSH. In this task, SSH access for root logins has been disabled and only two users will be able to access SSH. The system will also force users to use sudo before executing commands. Different colour prompts are also implemented for users and root: in this case, root has a red prompt and normal users have a green prompt.

List the relevant configuration files, and for each one briefly describe what was done
Create normal users in the system (MailHost)
- In this task, multiple user accounts must be set up in the system to carry out the functions.
- We created three normal user accounts in the system by executing the %adduser command and entering the user details as follows:
#user account 1: kenneth; password: kenneth1
#user account 2: richard; password: richard1
#user account 3: raouf; password: raouf1
- After the %adduser command has been run and all the required information entered, the system has three user accounts set up and ready to use.

Make changes to sudoers
/etc/sudoers
- We need to force the users to use the sudo feature (like Ubuntu).
- To do this, we go to /etc/sudoers and edit the file as follows:
# User privilege specification
root ALL=(ALL) ALL
kenneth ALL=(ALL) ALL
richard ALL=(ALL) ALL
raouf ALL=(ALL) /usr/sbin/monkey -D
- We configured user "raouf" to have access to /usr/sbin/monkey -D only, so that his output differs visibly from the other users'.

By changing the /etc/sudoers file, the system will force the users to use sudo.

Limit the access of SSH
/etc/ssh/sshd_config and /etc/rc.d/rc.sshd
- In this task, the SSH service must be limited to only some users, with no root logins.
- To make this happen, we edit the /etc/ssh/sshd_config file as follows:
# Authentication:
PermitRootLogin no
AllowUsers kenneth richard
- After the changes above are made, the SSH service will deny all root logins and only allow the users "kenneth" and "richard" to access it.
- Next, we need to get the SSH service running on the system.
- To do that, we set the permissions of the SSH start-up script, /etc/rc.d/rc.sshd, with chmod to make it executable.
- To make the changes take effect, we need to restart the service. We restart the SSH service by executing:
%/etc/rc.d/rc.sshd stop
%/etc/rc.d/rc.sshd start

By doing the steps above, only the users "kenneth" and "richard" can access the SSH service, and root logins have been disabled.
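
Added example, not part of the report: a small audit of the two sshd_config directives used above that reads them the way sshd does (first value wins, Match blocks excluded, AllowUsers lines accumulate), so a stray earlier "PermitRootLogin yes" or a directive placed under a Match block does not go unnoticed. The function names and the sample configuration files used to exercise them are assumptions.

```shell
#!/bin/sh
# Added example (not part of the report): read the effective global values of
# PermitRootLogin and AllowUsers from an sshd_config the way sshd itself does:
#   - keywords are case-insensitive; "Keyword value" and "Keyword=value" both work;
#   - lines starting with "#" and blank lines are ignored;
#   - for PermitRootLogin the FIRST value found wins, so an early
#     "PermitRootLogin yes" is not overridden by a later "PermitRootLogin no";
#   - AllowUsers lines accumulate into one list;
#   - everything after the first "Match" block is conditional, not global.
# The config is passed as a file path; sample files are constructed in the test.

# sshd_global_value <config> <keyword> [all]
# Prints the first global value of keyword, or every global value joined by
# spaces when the third argument is 1. Prints nothing if the keyword is unset.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v all="${3:-0}" '
        /^[ \t]*#/ { next }                           # comment line
        NF == 0    { next }                           # blank line
        /^[ \t]*[A-Za-z]+[ \t]*=/ { sub(/=/, " ") }   # Keyword=value -> Keyword value
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == key {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)      # drop the keyword itself
            out = (out == "") ? val : out " " val
            if (!all) exit                            # first value wins
        }
        END { if (out != "") print out }
    ' "$1"
}

# audit_sshd <config>: one status line per check; returns 0 only when root logins
# are refused and an AllowUsers list restricts who may log in, as in the report.
audit_sshd() {
    cfg=$1
    status=0
    root=$(sshd_global_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no) echo "PermitRootLogin: no (ok)" ;;
        "") echo "PermitRootLogin: unset, OpenSSH default applies (not ok)"; status=1 ;;
        *)  echo "PermitRootLogin: $root (not ok, first value wins)"; status=1 ;;
    esac
    users=$(sshd_global_value "$cfg" AllowUsers 1)
    if [ -n "$users" ]; then
        echo "AllowUsers: $users (ok)"
    else
        echo "AllowUsers: unset, any account with a password may log in (not ok)"
        status=1
    fi
    return $status
}
```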

Setting up color prompts for each user type
/etc/profile
- In this task, different colour prompts are needed to distinguish the type of user logged in to the system.
- To make this happen, we go to /etc/profile and edit the prompt-setting block as follows (the lines below replace the final "else" branch of the existing shell-selection block, so they still sit inside its if ... fi):
# Set a default shell prompt
else
  # PS1='\u@\h:\w\$ '   # the original default prompt, commented out
  if [ "`id -u`" = "0" ]; then
    # uid 0 (root): bold red user@host, bold blue directory, '#' sign
    PS1='[\[\033[01;31m\]\u@\h \[\033[01;34m\]\W\[\033[00m\]]# '
  else
    # any other user: bold green user@host, bold blue directory, '$' sign
    PS1='[\[\033[01;32m\]\u@\h \[\033[01;34m\]\W\[\033[00m\]]$ '
  fi
fi

The lines above tell the shell to check the type of user that logged in. If the user ID is 0 (root), the prompt uses red (01;31m); if the user ID is not 0 (any other user), the prompt uses green (01;32m).

By doing all the steps above, the system (MailHost) will not allow any root access and will force users to use sudo (like Ubuntu). The SSH service is also limited to permitted users only, with no root logins. The system will show a red prompt when a user is logged in as root and a green prompt when logged in as a normal user.

Screenshots of tests, with explanations
Output of sudo

We set up /etc/sudoers like this

We set up "raouf" with /usr/sbin/monkey -D only, to demonstrate sudo in action.

Output of user "raouf" trying to run midnight commander as root.

Output of user "raouf" trying to run the monkey script.

The colour prompt for "root" is red.

The colour prompt for other users is green.

Root login cannot access the SSH service

User "raouf" trying to access the SSH service by logging in as root.

Users specified in "AllowUsers" in the SSH configuration file, "kenneth" in this case, can use the SSH service

Output of access granted when logging in as an authorised user specified in the sshd_config file.

Obstacles encountered, obstacles overcome

The colour prompt was red regardless of which type of user logged in. The cause was a minor typing mistake in the file; we overcame the problem by retyping the command.

Best References

https://www.digitalocean.com/community/tutorials/how-to-use-ssh-to-connect-to-a-remote-server-in-ubuntu
https://linuxacademy.com/blog/linux/linux-commands-for-beginners-sudo/
http://www.my-tiny.net/M09-usrmgt.htm
http://www.my-tiny.net/M10-prompt.htm

Value [5]
1. Setup SASL plaintext authentication
2. Explain which authentication mechanisms may be more suitable for specific
configurations

Task Owner:

Objective – what this does for the system

SASL, also known as Simple Authentication and Security Layer, is a framework for authentication and data security in Internet protocols. In this task, SASL plaintext authentication is responsible for collecting the credentials and verifying the authentication.

List the relevant configuration files, and for each one briefly describe what was done
Configure Postfix
/etc/postfix/main.cf
- We need to configure Postfix so that its SMTP server uses the SASL plaintext authentication mechanism. In our case, we are using the MailHost server to demonstrate SASL plaintext authentication.
- To do this, we open the Postfix configuration file, /etc/postfix/main.cf, and edit it as follows:
#smtpd directives
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

Making these changes to main.cf sets up the SASL authentication service for Postfix. After the changes have been made, SASL authentication runs on Postfix properly. The broken_sasl_auth_clients option lets Postfix repeat the AUTH announcement in a form that broken clients understand (Postfix SASL Howto); the output will be similar to this:

The system will repeat "AUTH PLAIN LOGIN".

Configure Dovecot
/etc/dovecot.conf
- After Postfix has been configured, we need to configure the Dovecot service to provide SASL plaintext authentication as well, because we specified this line in the Postfix configuration file:
smtpd_sasl_type = dovecot
- To do this, we open the Dovecot configuration file, /etc/dovecot.conf, and edit it as follows:
auth default {
  mechanisms = plain login
  passdb shadow {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

The path line indicates that Dovecot will place the SASL socket at /var/spool/postfix/private/auth. mode = 0660 limits read and write permission to the user and group postfix only. mechanisms = plain login offers plain and login as the mechanisms for the Postfix SMTP server. With these changes to dovecot.conf, the SASL authentication service is available from Dovecot using the "plain" and "login" mechanisms.

Get SASL service running
- After all the configuration for Dovecot and Postfix is done, we need to get the SASL authentication service running on the system.
- We do this by making the SASL authentication start-up script, /etc/rc.d/rc.saslauthd, executable with the chmod command. We also need to make the Dovecot start-up script executable.
- After that, we restart the Dovecot service and start the SASL authentication service so that the changes take effect:
/etc/rc.d/rc.dovecot stop
/etc/rc.d/rc.dovecot start
/etc/rc.d/rc.saslauthd start

After restarting the required services, SASL plaintext authentication should be working on the system.

2. Types of authentication mechanisms

Secure Sockets Layer (SSL)

Secure Sockets Layer, also known as SSL, is a standard security technology that operates at the transport layer of the network. SSL is responsible for establishing an encrypted and secure link between the web server and the browser. It keeps the information private and intact while the data passes between the web server and the browser. SSL has three basic sub-protocols: the Handshake protocol, the Record protocol and the Alert protocol.
The Handshake protocol is used to set up communication between the client and the server over an SSL-enabled connection. Its four phases are: establishing security capabilities; server authentication and key exchange; client authentication and key exchange; and finish.
The Record protocol provides confidentiality and message integrity for the records being sent. It accepts messages from the higher layer and splits them into multiple parts.
Lastly, in the Alert protocol, when errors are detected by either the client or the server, the detecting party sends an alert message to the other party. Both parties close the SSL connection immediately if the error is fatal. Transmission from both ends is terminated, and before that both parties destroy the session identifiers, secrets and keys associated with the connection.

Internet Protocol Security (IPSec)

Internet Protocol Security, also known as IPSec, is a framework for a set of protocols providing security at the network or packet-processing layer of network communication. IPSec is said to be most useful for implementing virtual private networks. An advantage of IPSec is that the security arrangements can be handled without requiring changes to individual user computers.
There are two choices of security services provided by IPSec: Authentication Header (AH), which essentially allows authentication of the sender of the data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data. The specific information associated with these services is inserted into the packet in a header that follows the IP packet header. The ISAKMP/Oakley protocol can be selected as a separate key-management protocol.

Kerberos Service
The Kerberos service, also known as the Kerberos authentication protocol, provides a mechanism for authentication and for mutual authentication between a client and a server, or between one server and another. Users, machines and services using Kerberos need only trust the KDC, which runs as a single process and provides two services: an authentication service and a ticket-granting service.
KDC tickets provide mutual authentication, allowing nodes to prove their identity to one another in a secure manner. Kerberos also uses conventional shared-secret cryptography to prevent packets travelling across the network from being read or changed, and to protect messages from attacks. To start the Kerberos authentication process, the initiating client sends a request to an authentication server for access to a service. The initial request is sent as plain text, as no sensitive information is included in the request.

Screenshots of tests, with explanations
Creating user account "kenneth" with "kenneth1" as password

Configuring user information for "kenneth" at /etc/postfix/sasl_passwd on the client side to match the user account information on the server side.

Output of SASL testing

User information for "kenneth" stored in the SASL database

Generating the base64 encoded authentication information for user "kenneth"

Testing the authentication with the telnet service and postfix by using the information of user "kenneth"

Testing SASL plaintext authentication with squirrelmail, logging in as user "kenneth"

Output of a successful login to squirrelmail with user "kenneth"

Log file for dovecot showing evidence of SASL plaintext authentication while logging into squirrelmail. The log file is located at /var/log/dovecot.IMAP

We can see from the file that user "kenneth" logged in to the Dovecot service using "method=PLAIN". This indicates that SASL plaintext authentication took place in the authentication phase.

Obstacles encountered, obstacles overcome

The system was unable to execute the "%testsaslauthd" command; we overcame this by rebooting the virtual machine. We also faced obstacles when verifying the authentication string with another machine. We overcame this by executing "echo -ne '\0username\0password' | openssl base64" to generate the base64-encoded credentials for user "kenneth".
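
Added example, not the report's own code: portable replacements for the echo -ne | openssl base64 step above, producing the credential strings for the PLAIN and LOGIN mechanisms enabled in dovecot.conf and decoding a PLAIN token for inspection. The function names and the constructed SMTP lines in the comments are assumptions; the account kenneth/kenneth1 is the one created in the report.

```shell
#!/bin/sh
# Added example (not the report's code): the credential strings that the "plain"
# and "login" SASL mechanisms configured above actually send, built with printf
# instead of the report's "echo -ne '\0username\0password' | openssl base64"
# (echo -ne is a bash extension; printf with \0 works in any POSIX sh).
# Both mechanisms are base64 ENCODED, not encrypted: whoever can read the SMTP
# session reads the password, which is why the stunnel layer in the base
# scenario and "noanonymous" in main.cf matter.

# sasl_plain_token <authcid> <password> [authzid]
# AUTH PLAIN payload = base64( authzid NUL authcid NUL password ); the
# authorization identity is normally left empty, which gives the leading NUL
# seen in the report's command.
sasl_plain_token() {
    printf '%s\0%s\0%s' "${3:-}" "$1" "$2" | base64 | tr -d '\n'
}

# sasl_login_tokens <user> <password>
# AUTH LOGIN sends the user name and the password as two separate base64
# strings, each in reply to a "334" prompt from the server:
#   S: 334 VXNlcm5hbWU6      (base64 "Username:")
#   C: <first output line>
#   S: 334 UGFzc3dvcmQ6      (base64 "Password:")
#   C: <second output line>
sasl_login_tokens() {
    printf '%s' "$1" | base64 | tr -d '\n'; echo
    printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# sasl_plain_decode <token>
# Shows the three fields of an AUTH PLAIN token separated by "|" (the NUL
# separators are not printable), so a token copied from a telnet session or a
# log can be checked against the account it was meant for.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
    echo
}

# Constructed outline of the session tested in the report via telnet:
#   C: EHLO client.example                (constructed client name)
#   S: 250-AUTH PLAIN LOGIN               (repeated by broken_sasl_auth_clients)
#   C: AUTH PLAIN <sasl_plain_token kenneth kenneth1>
#   S: 235 2.7.0 Authentication successful
```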

Best References

http://www.my-tiny.net/L14-ssl.htm
https://www.arschkrebs.de/slides/surviving_cyrus_sasl-handout.pdf
http://www.postfix.org/SASL_README.html
https://wiki.archlinux.org/index.php/Postfix_with_SASL
https://www.centos.org/docs/5/html/CDS/ag/8.0/Introduction_to_SASL-Authentication_Mechanisms.html

Value [5]
1. Demonstrate xinetd port forwarding (outlined in RHL-RG 15.4.3.3)
2. For both telnet and tftp
3. Explain how telnet and tftp are useful for working with a cisco router or switch

Task Owner:

Objective – what this does for the system

Xinetd stands for Extended Internet Daemon. Xinetd listens for incoming requests over the tinynet network and launches the appropriate service for each request. Requests are identified by port number, and xinetd usually launches another daemon to handle the request.
Xinetd allows us to restrict connections to specific IP addresses and to specify the TCP ports and server IP address on which to listen. The xinetd configuration can be customised according to our needs on the system.

List the relevant configuration files, and for each one briefly describe what was done

Using mc to open the telnet file under the /etc/xinetd.d working directory, add bind
192.168.76.101 to locate the host. Choose a port number for the host; we use the default
port 23. Adding redirect 192.68.56.191 23 means that the redirected host will be
192.168.56.192 on port 23.

Using mc to open the tftp file under the /etc/xinetd.d working directory, change disable =
yes to disable = no because we intend to set up the tftp service. Bind the service to the IP
address of the gateway server, then specify the port number that we will be using (in this
case, we choose the default port number 69).
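The two service files just described, as an added example that is not the report's own files: shell functions that print the telnet redirect entry and the tftp entry using xinetd's documented attribute names, plus a check that an entry carries an only_from restriction and is enabled. The check matters because a redirect on the gateway without only_from is reachable from every host that can reach the gateway address. The client subnet 192.168.76.0/24, the in.tftpd path and the /tftpboot root are assumptions.

```sh
#!/bin/sh
# Added example (not the report's files): generate the xinetd entries for the
# telnet redirect and the tftp service, and check them for the restrictions a
# gateway should carry. Attribute names are xinetd's own; IPs, the tftp server
# path and the tftp root directory are assumptions.

# /etc/xinetd.d/telnet: listen on the gateway address, forward to the internal host.
xinetd_telnet_redirect() {
    # $1 = address to bind on the gateway, $2 = internal host, $3 = port, $4 = allowed clients
    cat <<EOF
service telnet
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    bind            = $1
    redirect        = $2 $3
    only_from       = $4
    log_on_success  += PID HOST DURATION
    log_on_failure  += HOST
    disable         = no
}
EOF
}

# /etc/xinetd.d/tftp: UDP datagram service bound to the gateway address.
xinetd_tftp_service() {
    # $1 = bind address, $2 = port, $3 = allowed clients, $4 = tftp root directory (assumed)
    cat <<EOF
service tftp
{
    socket_type     = dgram
    protocol        = udp
    wait            = yes
    user            = root
    server          = /usr/sbin/in.tftpd
    server_args     = -s $4
    bind            = $1
    port            = $2
    only_from       = $3
    per_source      = 5
    disable         = no
}
EOF
}

# Read one service entry on stdin; succeed only if it is enabled AND limited by only_from.
xinetd_entry_is_restricted() {
    has_only_from=no
    enabled=no
    while IFS= read -r line; do
        case "$line" in
            *only_from*=*)   has_only_from=yes ;;
            *disable*=*no*)  enabled=yes ;;
        esac
    done
    if [ "$has_only_from" = yes ] && [ "$enabled" = yes ]; then return 0; else return 1; fi
}

# Stand-alone usage: print both entries and verdicts
xinetd_telnet_redirect 192.168.76.101 192.168.56.191 23 192.168.76.0/24
xinetd_tftp_service 192.168.76.101 69 192.168.76.0/24 /tftpboot
if xinetd_telnet_redirect 192.168.76.101 192.168.56.191 23 192.168.76.0/24 | xinetd_entry_is_restricted; then
    echo "telnet entry: restricted"
else
    echo "telnet entry: open to all hosts"
fi
```

After editing the files, `xinetd -d` (debug mode) on the gateway reports parse errors, and a connection attempt from a host outside only_from shows up in the log as a failed access rather than a forwarded session.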

Screenshots of tests, with explanations

root@if0m1nc is the host that requests the redirected telnet service, while
192.168.76.101 is the IP of the gateway server. Then make sure it is using port 23 as we have
configured. The system displays the login prompt of if0m1na, which is the host with IP
address 192.168.56.191.

Enter tftp 192.168.76.101 69 to specify the destination and the port that the service
will be using. Next, the output shows that we are successfully connected to the host via
the tftp service.

Obstacles encountered, obstacles overcome

We cannot retrieve any files from the redirected destination using the tftp service.

How telnet and tftp are useful for working with a cisco router

Telnet allows network administrators to access the console on a router and issue
commands there. It simplifies the process of configuring the network. The TCP/IP
Telnet application allows system admins to communicate with a device remotely. Telnet over
an IP network sends and receives the data remotely, rather than through the specialized cable and
physical port on the device that are needed when a computer is connected directly to the
device during its first configuration, before it is on the network. The Telnet application
that issues the commands is called a Telnet client, and the device that listens for commands and
replies to them is the Telnet server.
Tftp can help network administrators to move or update configuration files with
ease. Tftp supports regular backups of Cisco router configuration files, keeping copies in
a safe place. If there is a serious failure that damages a router’s hardware or software,
the configuration will be destroyed. However, by using tftp to back up the last working
configuration file, system administrators can usually get a router working again within
minutes of fixing any hardware problems.

Best References

Network Insider, 2010. Configuring Cisco Router Port Forwarding. [Online]
Available at: http://www.network-insider.net/port-forward.html
[Accessed 9 December 2017].

Value [10]
1. Use one easy method to setup Multitail to show the postfix logfiles on the
Gateway and the Mailserver in separate windows, and demonstrate using email
via telnet
2. Use a different easy method to setup Multitail to show the postfix logfiles on the
Gateway and the Mailserver in a single window with different colors, and
demonstrate using email via telnet

Task Owner:

Objective – what this does for the system

In Linux administration, watching log files is key to troubleshooting problems on a
Linux system. In some troubleshooting situations it is necessary to follow more than
one log file. Where this would otherwise need two terminal windows open, Multitail can
display them in one single window.

List the relevant configuration files, and for each one briefly describe what was done

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level alert --log-prefix
multitail /var/log/syslog/ -rc 1 -ci green -L "hping -c 1 -p 80 -s5050 -F 192.168.56.101" /var/log/stunnel/log /var/log/sys.log
echo "check" >> /etc/multitail.conf
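The commands above do not show the two multitail layouts the task asks for, so here is an added example that is not the report's own commands: it builds one invocation with a window per host and one with both postfix logs merged into a single window in different colours, each window fed by an ssh command that tails the remote log. The ssh command uses BatchMode=yes, so a login the ssh-agent cannot satisfy fails outright instead of hanging the window on a password prompt; that is the behaviour the key-based bonus variant relies on. Hostnames gateway and mailhost, the root login and the log path /var/log/maillog are assumptions; -l, -L, -ci and -s are documented multitail options.

```sh
#!/bin/sh
# Added example (not the report's commands): build the two multitail
# invocations for following postfix logs on two hosts. Hostnames, the root
# login and the log path are assumptions.

MAIL_LOG=/var/log/maillog   # assumed postfix log location on both hosts

# ssh command that never prompts: with BatchMode=yes a missing agent key fails
# immediately instead of blocking the multitail window on a password prompt.
remote_tail() {
    # $1 = host
    printf 'ssh -o BatchMode=yes root@%s tail -f %s' "$1" "$MAIL_LOG"
}

# Method 1: one window per host. -l opens a new window for a command,
# -s 2 splits the screen into two columns.
multitail_separate_windows() {
    # $1 = first host, $2 = second host
    printf 'multitail -s 2 -l "%s" -l "%s"\n' "$(remote_tail "$1")" "$(remote_tail "$2")"
}

# Method 2: both logs merged into a single window, each host in its own colour.
# -ci sets the colour for the next source; -L merges the command's output into
# the previous window instead of opening a new one.
multitail_single_window_colored() {
    # $1 = first host (green), $2 = second host (yellow)
    printf 'multitail -ci green -l "%s" -ci yellow -L "%s"\n' \
        "$(remote_tail "$1")" "$(remote_tail "$2")"
}

# For the key-based variant: succeed only if ssh-add lists at least one loaded
# identity, so the ssh commands above can authenticate without a password.
agent_has_keys() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    if ssh-add -l >/dev/null 2>&1; then return 0; else return 1; fi
}

# Stand-alone usage: print both command lines
multitail_separate_windows gateway mailhost
multitail_single_window_colored gateway mailhost
if agent_has_keys; then echo "ssh-agent: keys loaded"; else echo "ssh-agent: no keys loaded"; fi
```

Run the printed command with `eval "$(multitail_separate_windows gateway mailhost)"`, then send a test message through `telnet mailhost 25` and watch it appear in both logs. If `agent_has_keys` reports no keys, `ssh-add ~/.ssh/id_rsa` first; with BatchMode=yes the windows would otherwise show only an ssh permission-denied line.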

Screenshots of tests, with explanations

Obstacles encountered, obstacles overcome

Use a different easy method to set up the multitail

No references can be found

Best References

Multitail Bonus [5]
1. Reconfigure one of the above to use authentication via keys and sshagent

Task Owner:

Objective – what this does for the system

List the relevant configuration files, and for each one briefly describe what was done

Screenshots of tests, with explanations

Obstacles encountered, obstacles overcome

Best References

Value [10]
1. Setup openvpn using static keys
2. Have two sets of config files, one for tun and one for tap

Task Owner:

Objective – what this does for the system

Using the generated key to encrypt the connection between server and client in the TinyNet
network. It implements virtual private network techniques for creating a secure point-to-point
connection in bridged configurations.

List the relevant configuration files, and for each one briefly describe what was done
General Configuration

Change the current working directory to where the config CD is located and then run
the SetupMenu file.

Choose the install other packages section and then press enter.

Skip down to the openvpn section.

Hit enter and wait for the installation process to be completed.

Key and Certificate Generation

Change the working directory to /usr/doc/openvpn-2.0.9/easy-rsa/vars and clean all of
the existing configuration files there before building a new certificate and a static key for
the openvpn service.

Fill in the blanks following the given instructions, and the certificate and key are
generated. Both server and client should use the same certificate authority key and
certificate. These files should be shared between server and client so that
they can generate server and client keys and certificates for authentication.

Change the current working directory to /usr/doc/openvpn-2.0.9/easy-rsa and then
enter ./build-key-server server to generate a set of server keys and certificates. Type y
when signing the certificate is required (basically we don’t get a choice, as we must key in
y to continue).

Change the current working directory to /usr/doc/openvpn-2.0.9/easy-rsa and then
enter ./build-dh, as this command will generate a Diffie-Hellman key which is used to
encrypt the communication between clients and server.
Complete the same steps for the client, but change ./build-key-server server to
./build-key-client client to generate a set of keys and a certificate for clients.
Copy the ca certificates and keys to the clients, as they have to match to set up the
communication.
Server Configuration Files

In server.conf, port 1194 defines the port that openvpn listens on. The uncommented
proto tcp defines which protocol we use; in this case, we use TCP (tun setup) because it
will create a routed IP tunnel for the tun service. ca, cert, dh and key are the files that we
generated in the previous steps. Server configures server mode and supplies a VPN subnet,
and the server will take 10.8.0.1 for itself by default. Keepalive causes ping-like messages
to be sent back and forth over the link so that each side knows when the other side has
gone down. The values 10 20 define that a ping is sent every 10 seconds, and the remote peer is
assumed to be down if no ping is received during a 120 second period. Comp-lzo enables
compression on the VPN link. The persist options avoid accessing certain
resources on restart. Status outputs a short status file including the current connections and
rewrites the file openvpn-status.log every minute.
Client Configuration Files

Client specifies the role of client for that particular machine. Remote defines the
internet protocol address and port of the server. Nobind defines that the client does not need to be
bound to a specific local port number. The rest of the configuration is identical to
server.conf.

Tun setups

Make a directory called /dev/net and make a node at /dev/net/tun.
TAP Setups
Copy a set of tun configurations and rename them to tap-server.conf and tap-client.conf,
as they have many similarities.

In tap-server.conf, we changed dev tun to dev tap0 as we use the TAP interface. Change
proto tcp to proto udp as the TAP interface sends udp packets but not tcp packets. We add
server-bridge to set the IP address 192.168.8.4 for the bridge interface that is shared with the
eth0 interface of the openvpn server, and then define the IP range from 128 to 254 as usable
IPs for clients.

In tap-client.conf, we changed dev tun to dev tap as we use the TAP interface for clients.
Change proto tcp to proto udp as the TAP interface sends udp packets but not tcp packets.
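The four files described above side by side, as an added example that is not the report's own configuration: shell functions print the tun server/client pair and the tap server/client pair with OpenVPN's directive names and the report's values (port 1194, the 10.8.0.0/24 tun subnet, the 192.168.8.4 bridge address and the 192.168.8.128-254 client pool), write them into a directory, and check that each server/client pair agrees on proto and device type, since a mismatch there is the usual reason a client never reaches Initialization Sequence Completed. The server address 192.168.76.101, the certificate file names and dh1024.pem are assumptions. One caveat worth knowing: proto and dev are independent directives in OpenVPN, and a TAP tunnel runs over TCP just as well as UDP; the pairing here only mirrors the report.

```sh
#!/bin/sh
# Added example (not the report's files): generate the tun and tap
# server/client configuration pairs and check each pair for consistency.
# Directive names are OpenVPN's; the server address and file names are assumptions.

SERVER_ADDR=192.168.76.101   # assumed VPN server (gateway) address

# Options shared by both server variants: easy-rsa certificates, keepalive
# (ping every 10 s, peer considered dead after 120 s), compression, persistence
# across restarts, and a status file rewritten every minute.
server_common() {
    cat <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
EOF
}

# Options shared by both client variants.
client_common() {
    cat <<'EOF'
client
nobind
ca ca.crt
cert client.crt
key client.key
keepalive 10 120
comp-lzo
persist-key
persist-tun
EOF
}

# tun: routed IP tunnel; the server hands out 10.8.0.0/24 and keeps 10.8.0.1.
tun_server_conf() {
    printf 'port 1194\nproto tcp\ndev tun\nserver 10.8.0.0 255.255.255.0\n'
    server_common
}
tun_client_conf() {
    printf 'proto tcp\ndev tun\nremote %s 1194\n' "$SERVER_ADDR"
    client_common
}

# tap: bridged with eth0 through br0 (bridge-start). server-bridge gives the
# bridge address, its netmask and the pool handed to clients.
tap_server_conf() {
    printf 'port 1194\nproto udp\ndev tap0\n'
    printf 'server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254\n'
    server_common
}
tap_client_conf() {
    printf 'proto udp\ndev tap\nremote %s 1194\n' "$SERVER_ADDR"
    client_common
}

# Write all four files into directory $1 and print how many were written.
write_openvpn_confs() {
    mkdir -p "$1"
    tun_server_conf > "$1/server.conf"
    tun_client_conf > "$1/client.conf"
    tap_server_conf > "$1/tap-server.conf"
    tap_client_conf > "$1/tap-client.conf"
    ls "$1" | wc -l | tr -d ' '
}

# Succeed only when a server and a client config use the same proto and the
# same device family (tun vs tap); "tap0" and "tap" count as the same family.
pair_consistent() {
    # $1 = server config text, $2 = client config text
    sp=$(printf '%s\n' "$1" | awk '$1=="proto"{print $2}')
    cp=$(printf '%s\n' "$2" | awk '$1=="proto"{print $2}')
    sd=$(printf '%s\n' "$1" | awk '$1=="dev"{print substr($2,1,3)}')
    cdv=$(printf '%s\n' "$2" | awk '$1=="dev"{print substr($2,1,3)}')
    if [ "$sp" = "$cp" ] && [ "$sd" = "$cdv" ]; then return 0; else return 1; fi
}

# Stand-alone usage: show the bridged server file
tap_server_conf
```

Run `write_openvpn_confs /etc/openvpn` on the server, copy the two client files to the client, and start each side with `openvpn <file>` as the report does; `pair_consistent "$(cat tap-server.conf)" "$(cat tap-client.conf)"` is a quick sanity check before starting when a pair has been hand-edited.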

Screenshots of tests, with explanations

Tun Testing

Start the server by entering openvpn server.conf. Initialization sequence completed
means that the openvpn service is successfully deployed on the server side.

Change the current working directory to where we saved client.conf on the client
side and enter openvpn client.conf to start the openvpn service. Initialization sequence
completed means that the openvpn service is successfully deployed on the client side.

Once the client starts the openvpn service, the server will display a few lines of output
showing that a client is connected.

Now, pinging the server from the client works. IP packets can be sent over to the
server using the openvpn service.
TAP Testing

Make the /dev/net directory before starting the configuration and make a node for the tun
interface so that openvpn recognizes the initialization of the tun/tap interface. This process
should be done on both server and client.

Enter ./bridge-start under the /usr/doc/openvpn-2.0.9/sample-scripts working directory to
initialize the bridge interface br0 and the tap interface tap0, so now tap0 is opened and
the persist state is set to on.

Start the openvpn service on the server by entering openvpn tap-server.conf under the working
directory where the file is located. Initialization sequence completed means that the
server-side openvpn service is deployed.

Start the openvpn service on the client by entering openvpn tap-client.conf under the working
directory where the file is located.

Initialization sequence completed means that the client-side openvpn is deployed
and the tap0 interface has an IP range from 192.168.8.128 to 192.168.8.254 that is ready to
be assigned to clients.

Once the client side starts openvpn, a list of outputs indicates that a client with IP
192.168.76.183 has established the connection.

Because of the successful establishment, the client can ping the bridge interface of the
server by entering its IP address, which is 192.168.8.4.

Obstacles encountered, obstacles overcome

Error messages indicated that the /dev/net files or directories do not exist on my system,
so I looked it up on the internet and then I found out that I must create the device node and
tun/tap driver for the openvpn service.
When a program opens /dev/net/tun, the driver creates and registers the corresponding net
device.
At last, I created the directory by entering mkdir /dev/net and created the device node
by entering mknod /dev/net/tun c 10 200.

Best References
Christoph, 2004. Re: [Openvpn-users] openVPN can't find /dev/net/tun. [Online]
Available at: https://openvpn.net/archive/openvpn-users/2004-04/msg00136.html
[Accessed 18 December 2017].

OpenVPN Technologies, Inc., 2015. Ethernet Bridging. [Online]
Available at: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
[Accessed 18 December 2017].

OpenVPN Technologies, Inc., 2015. HOWTO. [Online]
Available at: https://openvpn.net/index.php/open-source/documentation/howto.html#examples
[Accessed 18 December 2017].

Value [10]
1. Setup a VM using the TinyNet-gcc image
2. Install the asciiart package from the configuration CD
3. Compile the toilet source code
4. Demonstrate using shell scripts

Task Owner:

Objective – what this does for the system

This task allows users to use the asciiart package and create ASCII art from plain text.

List the relevant configuration files, and for each one briefly describe what was done
Setup GCC virtual machine
- Set up a new virtual machine using TinyNet-gcc.iso
- Give the virtual machine 320MB of memory
- Give the virtual machine a 500MB dynamically allocated hard drive
- Install the base operating system for the virtual machine with liloinst.sh

Install required packages
TinynetConfig.iso
- Install the games and ascii packages from TinynetConfig.iso

Executing ascii art
1. Figlet art
The system will print out the user-specified input word in figlet art.
- For example, when we execute %figlet hello, the output looks like this:

The system prints out “hello” using figlet art.

2. Fortune art
The system will print out random facts stored in the package.
- For example, when we execute %echo -e "\e[01;32m"; fortune | boxes; echo -e "\e[00m",
the system will print out something like this:

The system will print out a random fact in green colour (01;32m).
3. Caesar art
The system will print out the user input word using Caesar art.
- For example, when we execute %echo abc | caesar 3, the system will print out the
input shifted by 3 letters; in this case it is “def”.
- %echo abc | caesar (prints "cde")
- %echo -e "\e[01;32m"; fortune | caesar 4 | boxes; echo -e "\e[00m" (prints random fortune
text in caesar format) like this:

Install ASCII files
/opt/
- In this task, we require 3 files from the ascii package. They are toilet, sl and
libcaca.
- We can find toilet-0.3.tar.gz, sl-5.02.tar.gz and libcaca-0.99.beta19.tar.gz in the
/opt/ directory.
- As the files are compressed, we need to extract them. We open the content
inside each file and extract it in the same /opt/ directory.
- As a result, we will have 3 directories available in /opt/. They are
/libcaca-0.99.beta19, /sl-5.02 and /toilet-0.3.
- Then, we need to let the system configure all 3 of them by using the %make
command.

Configuring libcaca build
/opt/
- We need to compile the libcaca source code.
- We can do this by copying Template.SlaxBuild inside the /opt/ directory and
renaming it to "libcaca.build".
- Then, we configure the libcaca build by editing libcaca.build as follows:
PRGNAM=libcaca # replace with name of the application
VERSION=0.99.beta19 # replace with version of the application
SRCFN=.tar # replace with source archive type

Make changes by uncommenting the section under “#automake Build Options”.
- We also added these lines for a cleaner build:
--disable-csharp \
--disable-java \
--disable-python \
--disable-ruby

# Copy program documentation into the package
for i in AUTHORS THANKS COPYING NEWS NOTES; do
- After that, we execute the libcaca.build file by using %./libcaca.build
- The system will print a lot of output while configuring; we just need to wait
until the system finishes configuring the file.

Configuring toilet build
/opt/
- This task requires us to compile the toilet source code. Before we start doing this,
we need to make sure that “libcaca.build” has been configured properly.
- We can compile the toilet source code by copying Template.SlaxBuild in the /opt/
directory and renaming it to "toilet.build".
- Then, we configure the toilet build by editing toilet.build as follows:
PRGNAM=toilet # replace with name of the application
VERSION=0.3 # replace with version of the application
SRCFN=.tar.gz # replace with source archive type

Make changes by uncommenting the section under “#automake Build Options”.

# Copy program documentation into the package
for i in COPYING NEWS README TODO; do
- After that, we execute toilet.build by using %./toilet.build
- The system will also show a lot of output, just like when we were configuring
libcaca.build. We just need to wait until the system finishes configuring the file.

Testing toilet.build
/root/
- To test whether we have properly configured the toilet source code, we can
tell the system to run a shell script that uses the component stored in the toilet source
code.
- We can do it by creating a new “toiletscript.sh” shell script using the “cat >”
command.
- We configured the shell script to contain the following code:
while true; do
    echo "$(date '+%D %T' | toilet -f term -F border --gay)"
    sleep 1
done
- The code above tells the system to display the system time and date every
second using the toilet component.
- We need to set the permissions on the shell script to make it
executable.
- After that, we can test out the shell script by executing it with the
command %./toiletscript.sh

When toiletscript.sh is executed, the system will display the time and date every second,
as shown below:

Screenshots of tests, with explanations

Printing “hello” with figlet

Output for boxes with “boy” style.

Output for boxes with “cat” style.

Output for fortune and boxes

Output for Caesar, fortune and boxes

Output for steam locomotive

Output for toiletscript.sh

Obstacles encountered, obstacles overcome

The system was unable to run the toiletscript.sh shell script. We overcame this by recreating the
shell script file and setting the proper chmod permissions.
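The script and the permission fix above, as an added example that is not the report's own script: a function writes the clock script with an interpreter line, sets mode 755 and confirms the result is executable (the obstacle just described), and a second function implements the Caesar shift demonstrated earlier with the games package's caesar command using tr, so the rotation (echo abc | caesar 3 giving def) can be verified without that package. Only the shift function is portable; the clock script itself still needs toilet installed to run.

```sh
#!/bin/sh
# Added example (not the report's script): write the toilet clock script in a
# runnable form, and reproduce the Caesar rotation with tr.

# Write the clock script to $1, make it executable, and succeed only if it is.
# A script without the execute bit fails with "Permission denied" when run as
# ./toiletscript.sh, which is the obstacle noted in the report.
install_toilet_clock() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Print the date and time once a second, rendered by toilet with a border.
while true; do
    date '+%D %T' | toilet -f term -F border --gay
    sleep 1
done
EOF
    chmod 755 "$1"
    if [ -x "$1" ]; then return 0; else return 1; fi
}

# Caesar shift of stdin by $1 positions, letters only, as caesar(6) does.
# Works for any integer shift: it is reduced modulo 26 first.
caesar_shift() {
    n=$(( ($1 % 26 + 26) % 26 ))
    lower=abcdefghijklmnopqrstuvwxyz
    upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
    # rotated alphabets: take 26 characters starting at offset n of the doubled alphabet
    rl=$(printf '%s%s' "$lower" "$lower" | cut -c "$((n + 1))-$((n + 26))")
    ru=$(printf '%s%s' "$upper" "$upper" | cut -c "$((n + 1))-$((n + 26))")
    tr "$lower$upper" "$rl$ru"
}

# Stand-alone usage
printf 'abc' | caesar_shift 3; echo          # prints def
printf 'Hello' | caesar_shift 13; echo       # prints Uryyb (rot13)
```

`install_toilet_clock /root/toiletscript.sh && /root/toiletscript.sh` reproduces the screenshot; the `#!/bin/sh` line is what lets the kernel run the file directly once the mode is set.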

Best References

http://www.my-tiny.net/L18-aart.htm
http://www.my-tiny.net/L20-make.htm
https://www.linux.com/learn/linux-tips-fun-figlet-and-toilet-commands

Value [10]
1. Setup the LDAP sever with two domains (o= and dc=)
2. Configure dovecot and squirrelmail to use LDAP
3. Get LDAP using stunnel

Task Owner:

Objective – what this does for the system

Setting up LDAP with multiple domains creates a hierarchical structure for storing
information. In this task, the system creates organizational units, individuals and
resources in the network. By configuring dovecot, users can use LDAP to access
squirrelmail, and the connection will be more secure with stunnel encryption.

List the relevant configuration files, and for each one briefly describe what was done
Enable LDAP service by making LDAP file executable
/etc/rc.d/rc.ldap
- We make the LDAP service available with chmod, applying the proper permissions
for the service. The command used is
chmod 755 /etc/rc.d/rc.ldap
- Restart the rc.ldap service to apply the changes to the settings.
/etc/rc.d/rc.ldap stop
/etc/rc.d/rc.ldap start

Configure LDAP domain file
/etc/openldap/slapd.conf
- We need to configure the LDAP file to let the LDAP service know how to handle
requests.
- Therefore, we made changes to the /etc/openldap/slapd.conf file as follows:
access to *
        by dn="cn=LDAPAdmin,o=tinynet.edu" write
        by self write
        by * read

Creating the First DIT (o=tinynet.edu); “o=” is our first domain.
/etc/openldap/topclass.ldif
- We need to make the First DIT or domain of the LDAP service with the “o=” format
by making changes to the /etc/openldap/topclass.ldif file as follows:
dn: cn=LDAPAdmin,o=tinynet.edu
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: LDAPAdmin
description: LDAP Administrator
userPassword: {PLAIN}slapmesilly
- Then, we need to tell the program to add the First DIT or domain that we
configured earlier in the file. We simply execute the command as follows:
%ldapadd -x -D "cn=LDAPAdmin,o=tinynet.edu" -w slapmesilly -f /etc/openldap/topclass.ldif
- Next, we need to add some user data into the First DIT or domain. This can be
done by executing the command as follows:
%ldapadd -x -D "cn=LDAPAdmin,o=tinynet.edu" -w slapmesilly -f /etc/openldap/userdata.ldif

Creating the Second DIT (dc=tinynet,dc=edu); “dc=” is our second domain
/etc/openldap/topclass.ldif
- After the First DIT or domain has been added to the system, we need to make the
second domain with the “dc=” format.
- We can do it by making changes to the /etc/openldap/topclass.ldif file and editing it as
follows:
dn: dc=tinynet,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyTinyNet
dc: tinynet
description: LDAP Root
- The snippet above is for the LDAP Root.

dn: cn=LDAPAdmin,dc=tinynet,dc=edu
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: LDAPAdmin
description: LDAP Administrator
userPassword: {PLAIN}slapmesilly
- The snippet above is for the LDAP admin user.

dn: ou=UserNetA,dc=tinynet,dc=edu
ou: UserNetA
objectClass: top
objectClass: organizationalUnit
description: User on Net-A
- The snippet above is for the users that use the LDAP service.
- We configured the UserNet-B and UserNet-C sections the same as UserNet-A.

Editing the details for users
/etc/openldap/userdata.ldif
- We need to change the user account information so that it uses the
“dc=” format, the same as the second DIT. We can do this by editing the
/etc/openldap/userdata.ldif file as follows:
dn: cn=Barbara Jensen,ou=UserNetA,dc=tinynet,dc=edu
dc: tinynet
ou: UserNetA
cn: Barbara Jensen

- Then, we need to tell the program to create the Second DIT or domain that we
have configured in the LDAP file by executing the command as follows:
%ldapadd -x -D "cn=LDAPAdmin,dc=tinynet,dc=edu" -w slapmesilly -f /etc/openldap/topclass.ldif

Configuring Dovecot
/etc/dovecot/dovecot.conf
- Now, we need to configure the Dovecot service to use the LDAP service. We can do it
by editing the /etc/dovecot/dovecot.conf file and uncommenting this section of the
configuration as shown below:
passdb ldap {
  # Path for LDAP configuration file
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
  # Path for LDAP configuration file
  args = /etc/dovecot/dovecot-ldap.conf
}
passdb passwd-file {
  args = /home/vmail/mail-pwd
}
userdb static {
  args = uid=vmail gid=vmail
}
- These lines tell the system where to look for the LDAP
configuration file and the file used to store passwords in the system.

Changing the dovecot default address to LDAP server address
/etc/dovecot/dovecot-ldap.conf
- We need to tell the program to access the LDAP server address so that the
Dovecot service can use the LDAP service.
- We can do it by editing the /etc/dovecot/dovecot-ldap.conf file and changing the
localhost address to the LDAP server as follows:
hosts = ldap.tinynet.edu

Create a configuration file for Second DIT or domain
/etc/dovecot/dovecot-ldap-dc.conf
- Although the proper LDAP server address has been configured in the previous
file, the second DIT or domain is yet to be configured. Therefore, we need to
configure the Second DIT to use the LDAP service.
- We make a copy of /etc/dovecot/dovecot-ldap.conf and rename it
/etc/dovecot/dovecot-ldap-dc.conf.
- We proceed to edit the file, changing the domain to the “dc=” format as shown
below:
# Make sure this matches something in the directory or slapd.conf
dn = cn=LDAPAdmin,dc=tinynet,dc=edu
dnpass = slapmesilly

# LDAP search base: where to start searching through the directory
base = dc=tinynet,dc=edu
scope = subtree

Configure Squirrelmail in WebServer
/var/www/squirrelmail/config_svr_ldap.php
- Squirrelmail is also required to use the LDAP service in this task.
- Therefore, we do it by editing the /var/www/squirrelmail/config_svr_ldap.php
file, adding the lines below $ldap_server[0] as follows:
$ldap_server[1] = Array(
    'host' => 'ldap.tinynet.edu',
    'base' => 'dc=tinynet,dc=edu'
);

/config_plugins.php
- We need to tell squirrelmail to use the LDAP plugin.
- We can do it by editing the /config_plugins.php file in the squirrelmail directory,
uncommenting the $plugins[8] line so that the section reads as follows:
# 3rd party -
# allows users to search the Directory Servers by name and
# lookup phone numbers, addresses, and other data
$plugins[8] = 'ldapquery';

Configuring stunnel
/etc/rc.d/rc.stunnel
- Stunnel is required for LDAP in this task. With it, the LDAP service can run
more securely.
- We can do it by making /etc/rc.d/rc.stunnel executable:
chmod 755 /etc/rc.d/rc.stunnel
- Then, we need to get stunnel working by editing the rc.stunnel file and making the
following change:
/usr/sbin/stunnel $LINE to /etc/stunnel $LINE

After all the steps above are done, LDAP is now properly set up with two domains,
(o=) and (dc=). The Dovecot service and squirrelmail are also able to use the LDAP service when
running. Stunnel is also available for LDAP to use and makes the data transmission more
secure.
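Two things in the LDIF files above deserve a check before they are loaded: userPassword is stored as {PLAIN}slapmesilly, which leaves the directory password readable to anyone who can read the entry (slappasswd prints an {SSHA} value that can be used instead), and the same password is passed with -w on the ldapadd command line, where it is visible in the process list (-W prompts for it instead). As an added example that is not part of the report, the shell functions below list the DNs in an LDIF file, count cleartext userPassword values and confirm that every entry belongs to the expected suffix, which is how the o= and dc= trees are kept from being mixed up when both live in topclass.ldif. The LDIF is constructed from the entries shown above; the {SSHA} value for Barbara Jensen is a placeholder, not a real hash.

```sh
#!/bin/sh
# Added example (not the report's files): audit an LDIF file before ldapadd.
# Lists DNs, counts cleartext userPassword values, and checks the suffix of
# every entry. The sample LDIF is constructed from the report's entries.

SAMPLE_LDIF='dn: dc=tinynet,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyTinyNet
dc: tinynet

dn: cn=LDAPAdmin,dc=tinynet,dc=edu
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: LDAPAdmin
userPassword: {PLAIN}slapmesilly

dn: ou=UserNetA,dc=tinynet,dc=edu
ou: UserNetA
objectClass: top
objectClass: organizationalUnit

dn: cn=Barbara Jensen,ou=UserNetA,dc=tinynet,dc=edu
objectClass: inetOrgPerson
cn: Barbara Jensen
sn: Jensen
userPassword: {SSHA}placeholder-hash-not-a-real-value'

# Print one DN per entry (stdin = LDIF).
ldif_dns() {
    awk '/^dn: /{sub(/^dn: /, ""); print}'
}

# Count userPassword values that are not under a hashed scheme:
# {PLAIN}, {CLEARTEXT}, or no {scheme} prefix at all (stdin = LDIF).
ldif_cleartext_passwords() {
    awk 'tolower($1)=="userpassword:" {
            v=$2
            if (index(v,"{PLAIN}")==1 || index(v,"{CLEARTEXT}")==1 || substr(v,1,1)!="{") n++
         }
         END {print n+0}'
}

# Succeed only if every dn ends with the suffix given in $1 (stdin = LDIF).
ldif_all_under_suffix() {
    bad=$(ldif_dns | awk -v s="$1" 'substr($0, length($0)-length(s)+1) != s {c++} END {print c+0}')
    if [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# Stand-alone usage
printf '%s\n' "$SAMPLE_LDIF" | ldif_dns
printf 'cleartext passwords: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_cleartext_passwords)"
if printf '%s\n' "$SAMPLE_LDIF" | ldif_all_under_suffix dc=tinynet,dc=edu; then
    echo "all entries under dc=tinynet,dc=edu"
fi
```

Before `ldapadd -x -D "cn=LDAPAdmin,dc=tinynet,dc=edu" -W -f /etc/openldap/topclass.ldif`, run `ldif_cleartext_passwords < /etc/openldap/topclass.ldif` and expect 0; `ldif_all_under_suffix o=tinynet.edu` run on the dc= file (or the other way round) is the quickest way to spot an entry that landed in the wrong tree.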

Screenshots of tests, with explanations
Creating the First DIT in topclass.ldif

The program adds the top level of the First DIT

Adding the user data into the First DIT

Creating the Second DIT in topclass.ldif

Editing the user data in userdata.ldif

The program adds the Second DIT

Configuring dovecot.conf to make dovecot use LDAP

Changing the localhost address to the LDAP server

Configuring the dovecot-ldap-dc.conf file for LDAP user information

Configuring the config_svr_ldap.php file to make squirrelmail use LDAP

Configuring config_plugins.php to enable the LDAP plugin.

Configuring the rc.stunnel file to make stunnel use LDAP

Obstacles encountered, obstacles overcome

None.

Best References

http://www.my-tiny.net/L11-slapd.htm
http://www.my-tiny.net/L12-ldif.htm
http://www.my-tiny.net/L13-ldap.htm
http://www.my-tiny.net/L14-ssl.htm
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-LDIF-example1.html
https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server

Value [10]
1. Put the Dovecot mail directory and the webserver VirtualHost DocumentRoot
directories on a new VM NFS mount
2. Set up the webpage staging area and VirtualHost users on the NFS server, and
allow them ssh access to the staging area.
3. Run the staging area to document root cron jobs on the NFS server.

Task Owner:

Objective – what this does for the system

Network File System, also known as NFS, is a client and server application that lets
computer users view, store and update files on a remote
computer as if they were using their own computer. Users can access the files and make
changes at any time using any computer, as long as the NFS service is available on all the
machines.

List the relevant configuration files, and for each one briefly describe what was done
Finding the required files
/home/vmail/ and /var/monkey/htdocs/
- First, we need to locate the directories for Dovecot mail and the VirtualHost
DocumentRoot. The locations of these files are as follows:
Dovecot mail directory: /home/vmail/ (MailHost)
VirtualHost DocumentRoot: /var/monkey/htdocs/ (WebServer)

Configuring exports file
/etc/exports
- After the locations of the required directories have been confirmed, we need to go
to the /etc/exports file to tell the system which files, and the path to the files, to
export to another server.
- For WebServer (VirtualHost DocumentRoot)
We edit the file by typing in as follows:
/var/monkey/htdocs *(ro,sync,no_root_squash,no_subtree_check)
The * in the file indicates that all the files in that directory are visible to others and
can be mounted on the NFS server. The “ro” permission indicates that the files can be
read by and are visible to all other users.
- For MailHost (Dovecot mail directory)
We edit the file by typing in as follows:
/home/vmail/ *(rw,sync,no_root_squash,no_subtree_check)
The “rw” permission indicates that the files can be read and written.

Make the NFS service executable
- After configuring the paths for exporting files, we need to get the NFS service
running in our system. To do this, we execute the command as follows for all
machines:

chmod 755 indicates that the owner can read, write and execute, while the group
and others can read and execute only.
- When the commands are executed on all the machines, the NFS service is now
running on all machines properly.

Checking the available directories for mounting
- When all the configurations are done, we can check the available directories for
mounting by executing the commands on the gateway machine as follows:
1. showmount -e 192.xx.xx.xx (ip address for WebServer and MailHost)
The command above will show the available directories for mounting in all
connected machines. In our case, the available directories are /var/monkey/htdocs
* (VirtualHost DocumentRoot) and /home/vmail * (Dovecot mail).
2. rpcinfo -p 192.xx.xx.xx (ip address for WebServer and MailHost)
The command above will show the available ports of the NFS services in all the
machines.

Mounting the files to NFS server
- When we need to mount files to the NFS server (gateway), we can do it by
executing the command as follows:
mount 192.xx.xx.xx:/var/monkey/htdocs /home (example of mounting the
DocumentRoot files to the /home directory of the NFS server (gateway))
The program will mount the DocumentRoot files, in this case
/var/monkey/htdocs/ and its content, to the /home directory on the NFS server
(gateway).

Set up staging area and add new user account
- We need to set up a staging area on the NFS server (gateway). Therefore, we used
/var/tmp/ for the staging area and created a directory called “raouf” for user
account “raouf”. We also set proper permissions on the staging area.
- We created a new user account on the NFS server (gateway) called “raouf” with
“raouf1” as the password. We used the “adduser” command to add the user account
“raouf”.

Set up new VirtualHost
/usr/monkey/monkey.conf
- Create a new VirtualHost by editing the /usr/monkey/monkey.conf file as
follows:
<Virtualhost>
VirtualServerName raouf.tinynet.edu
VirtualDocumentRoot /var/monkey/htdocs.raouf
VirtualScriptAlias /cgi-bin/ /var/monkey/htdocs/raouf/scripts/
VirtuaForceGetDir off
</Virtualhost>

Allow user to use SSH service to access the staging area
/etc/ssh/sshd_config
- We need to allow the user “raouf” to access the staging area /var/tmp/ using the
SSH service. To do this, we need to go to /etc/ssh/sshd_config and edit the file as
follows:
# Authentication:
AllowUsers raouf
- After that, we need to restart the SSH service for the changes to take effect. We
restart the service by executing
%/etc/rc.d/rc.sshd stop
%/etc/rc.d/rc.sshd start
- User “raouf” is now able to access the staging area using the SSH service.

Set up cron job to run the staging area
/etc/cron.hourly
- We set up a shell script named “stagearea” and tell the system that we
need to process the staging area by typing the required code in the file.
- After the shell script has been set up, we created a new cron job by executing
crontab -e and adding the line:
47 * * * * /etc/cron.hourly/stagearea
- The system will now run the stagearea shell script at minute 47 of every hour.

After all the steps above are done, the system is now able to mount files on the NFS server
(gateway) from the available directories mentioned. The system will also have a staging
area, and VirtualHost users can access the staging area with the SSH service. The cron job is
also running every hour.
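The exports lines and the hourly publish step above, as an added example that is not part of the report. Two details in /etc/exports matter for security: the * is the client host pattern, so it allows every host that can reach the server to mount the share, and no_root_squash lets root on any such client act as root on the exported tree. The functions below flag both on the report's own lines and print a version restricted to one subnet with root squashed. publish_staging is one way to write the stagearea script's job: it copies only regular files from the staging area into the document root, so a symlink dropped in the staging area cannot make the web server serve something outside it. The 192.168.76.0/24 subnet and the temporary directories used in the usage are assumptions.

```sh
#!/bin/sh
# Added example (not the report's files): audit /etc/exports lines, print a
# subnet-restricted replacement, and implement the staging-to-DocumentRoot
# publish step run by the hourly cron job.

# The two export lines from the report, as constructed sample input.
SAMPLE_EXPORTS='/var/monkey/htdocs *(ro,sync,no_root_squash,no_subtree_check)
/home/vmail/ *(rw,sync,no_root_squash,no_subtree_check)'

# Print "path: reason" for every export that is world-mountable or keeps the
# client's root as uid 0 (stdin = exports file).
exports_audit() {
    while read -r path clients; do
        case "$path" in ""|\#*) continue ;; esac
        case "$clients" in
            \**) printf '%s: exported to every host (client pattern *)\n' "$path" ;;
        esac
        case "$clients" in
            *no_root_squash*) printf '%s: no_root_squash lets a remote root write as uid 0\n' "$path" ;;
        esac
    done
}

# Rewrite an export so only one subnet may mount it, with root squashed.
restrict_export() {
    # $1 = path, $2 = client subnet (e.g. 192.168.76.0/24), $3 = ro or rw
    printf '%s %s(%s,sync,root_squash,no_subtree_check)\n' "$1" "$2" "$3"
}

# Copy the staging area into the document root and print the number of files
# now in the document root. Only regular files are copied (find -type f does
# not follow symlinks), so a link to a file outside the staging tree is skipped.
publish_staging() {
    # $1 = staging directory, $2 = document root
    mkdir -p "$2"
    dst=$(cd "$2" && pwd)
    (cd "$1" && find . -type f -print | while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp -p "$f" "$dst/$f"
    done)
    find "$dst" -type f | wc -l | tr -d ' '
}

# Crontab line for the publish script: minute 47 of every hour.
cron_entry() {
    printf '47 * * * * %s\n' "$1"
}

# Stand-alone usage
printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit
restrict_export /var/monkey/htdocs 192.168.76.0/24 ro
restrict_export /home/vmail 192.168.76.0/24 rw
cron_entry /etc/cron.hourly/stagearea
```

After changing /etc/exports, `exportfs -ra` reloads it without restarting the service; `showmount -e` from a host outside the subnet should then show nothing for the restricted paths.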

Screenshots of tests, with explanations
/etc/exports file stating the VirtualHost DocumentRoot directory.

/etc/exports file stating the Dovecot mail directory.

Output when starting the /etc/rc.d/rc.nfsd and /etc/rc.d/rc.rpc services on the gateway

Output when starting the /etc/rc.d/rc.nfsd and /etc/rc.d/rc.rpc services on MailHost

Showing the list of available mount directories on the gateway: the VirtualHost DocumentRoot on
WebServer (/var/monkey/htdocs) and the Dovecot mail directory on MailHost (/home/vmail).

Information on rpc services when executing rpcinfo -p ipaddress

Output showing user account “raouf” able to access the SSH service.

User “raouf” able to access the staging area (/var/tmp) using SSH.

Evidence of the cron service running on the NFS server, which will run the staging area to
document root job every hour.

Obstacles encountered, obstacles overcome

The NFS server was unable to mount the files from another machine. The problem was
overcome by changing the directories of the files that needed to be mounted and setting the
permissions of the folders properly.

Best References

https://www.slothparadise.com/how-to-connect-virtual-machines-and-setup-nfs-server-part-1/
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.html.hostclient.doc/GUID-4A89D6DA-ACD4-4D53-BE25-F7022C0B4A35.html

Value [20]
1. Setup ISC DHCP and Bind
2. Replace dnsmasq with dynamic updates in the ISC configuration

Task Owner:

Objective – what this does for the system

DHCP (Dynamic Host Configuration Protocol) is a network protocol that enables a server to
automatically assign an IP address to a computer from a defined range of addresses (a scope)
configured for a given network.

List the relevant configuration files, and for each one briefly describe what was done

Install the DHCP and BIND packages by mounting the config CD; the packages are located in
the /mnt/hdc/modules/isc directory.

Go to the working directory /var/named/caching-example and find the file called
named.conf, then change the settings based on the sample listings there.

Go to the working directory /var/named/caching-example, then copy and rename the
file localhost.zone to zone.example.con, which is the file that we will use later in the
setup.

Two zones will be created according to the sample file.

Change the domain-name option to our own domain. Change the routers option to point to our
destination subnet.
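The report lists the domain-name and routers settings but not how dhcpd and BIND are tied together for the dynamic updates that replace dnsmasq. The following is an added example (not the group's configuration) that writes a minimal dhcpd.conf and named.conf fragment sharing one TSIG key, and a check that the zone does not accept unsigned updates from anyone. The subnet 192.168.10.0/24, the domain and the key name are constructed placeholders; the TSIG secret must be generated with tsig-keygen (or dnssec-keygen).

```shell
#!/bin/sh
# Added example: ISC dhcpd + BIND fragments for signed dynamic DNS updates.
# Subnet, domain and key name are constructed placeholders for this example.

# write_ddns_config DIR KEYNAME SECRET DOMAIN: writes DIR/dhcpd.conf and DIR/named.conf
write_ddns_config() {
  dir="$1"; key="$2"; secret="$3"; domain="$4"
  cat > "$dir/dhcpd.conf" <<EOF
ddns-update-style interim;
ddns-domainname "$domain";
key $key { algorithm hmac-sha256; secret "$secret"; };
# send updates for this zone to the local BIND, signed with the shared key
zone $domain. { primary 127.0.0.1; key $key; }
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.200;
  option domain-name "$domain";
  option domain-name-servers 192.168.10.1;
  option routers 192.168.10.1;
}
EOF
  cat > "$dir/named.conf" <<EOF
key "$key" { algorithm hmac-sha256; secret "$secret"; };
zone "$domain" IN {
  type master;
  file "zone.$domain";            # must be writable by named for dynamic updates
  allow-update { key "$key"; };   # only holders of the TSIG key may change records
};
EOF
}

# check_ddns_config DIR: succeeds when updates are restricted to a key; fails when the
# zone accepts unsigned updates from anyone (allow-update { any; }), the weak setting.
check_ddns_config() {
  ! grep -q 'allow-update *{ *any' "$1/named.conf" &&
    grep -q 'allow-update *{ *key' "$1/named.conf"
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_ddns_config "$d" dhcpupdater 'REPLACE_WITH_GENERATED_SECRET' lab.example
  cat "$d/dhcpd.conf" "$d/named.conf"
  check_ddns_config "$d" && echo "zone updates are key-restricted"
fi
```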

Screenshots of tests, with explanations

Enter /etc/rc.d/rc.bind to start the BIND service; a short line of output will be
displayed to indicate the process status.
Enter dhcpd -q tho to start the DHCP service.

Finally, a list of existing clients will be displayed with either their port numbers or IP
addresses.

Obstacles encountered, obstacles overcome

It is quite difficult to find relevant configurations for the DHCP server as we are using an
old version of Slackware which is not compatible with most Debian distributions out there,
and sometimes the system does not recognize the file properly, so I had to reinstall it
over and over in order to settle the non-existing files issue.

Best References

Digital Ocean, 2014. How To Configure BIND as a Private Network DNS Server on Ubuntu 14.04. [Online]
Available at: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04
[Accessed 01 December 2017].

Value [20]
1. Setup snort
2. Use multitail and hping2 to demonstrate recognised attacks
3. How is information about known attacks compiled?

Task Owner:

Objective – what this does for the system

Snort is an intrusion detection system (IDS) that detects and analyses network traffic through
real-time traffic analysis and packet logging. multitail and hping2 are used to generate the
traffic and demonstrate recognized attacks.

List the relevant configuration files, and for each one briefly describe what was done

Snort is a package included in TinyNetConfig.iso, which is used to install all the
enhancement packages on our system. To install it, we access TinyNetConfig.iso with
cd /mnt/hdc, run ./SetupMenu and choose Snort.

Next, we need to comment out all the rule includes in the configuration file by going to the
/etc/snort directory and editing snort.conf. This is done because Snort will not start if any
included rules file does not exist on the system. We also need to include 4 new rules, which
are:

include $RULE_PATH/gpl-back~r.rules
include $RULE_PATH/gpl-ddos.rules
include $RULE_PATH/http.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/other.rules
The rules files are under /etc/snort/rules.

Then, in /etc/snort, we need to confirm that the following paths point to the right
directories.
var RULE_PATH /rules
var PREPROC_RULE_PATH /preproc_rules

Screenshots of tests, with explanations


To run Snort, we use the following command:
snort -c /etc/snort/snort.conf -A console
This loads the configuration and prints alerts to the console, which is how the attack is logged.
In the next figure, no attack is taking place.

In the next figure, a DDoS attack is launched with the hping tool from the gateway (the
attacking machine) against the web server.

The options used are: -c = count (number of packets), -d = data size (size of each packet),
-S = set the SYN flag, -w = window size (default is 64), -p = port number, --rand-source =
random source address mode.

The next figure shows how Snort reacts to this attack.
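Snort's console alerts for a flood with --rand-source show one destination hit from many different spoofed sources, which is the pattern a defender wants to pull out of the log. The following is an added example (not from the report) that summarises Snort fast-format alert lines (the "-A console" output) per signature and destination and flags destinations reached from many distinct sources; the sample alert lines are constructed.

```shell
#!/bin/sh
# Added example: summarise Snort "-A console" alert lines. Assumed line layout:
# "MM/DD-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n]
#  {PROTO} src:sport -> dst:dport"   (ICMP lines carry no ports)

# Constructed sample: three spoofed-source SYN-flood alerts and one unrelated ping alert.
SAMPLE='12/14-10:22:31.000001  [**] [1:100001:1] SYN flood [**] [Classification: Attempted DoS] [Priority: 2] {TCP} 10.9.8.7:40001 -> 192.168.1.10:80
12/14-10:22:31.000120  [**] [1:100001:1] SYN flood [**] [Classification: Attempted DoS] [Priority: 2] {TCP} 172.16.3.4:40002 -> 192.168.1.10:80
12/14-10:22:31.000233  [**] [1:100001:1] SYN flood [**] [Classification: Attempted DoS] [Priority: 2] {TCP} 203.0.113.9:40003 -> 192.168.1.10:80
12/14-10:22:32.000010  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 192.168.1.10'

# summarize_alerts: stdin = alert lines; stdout = "sid dst alerts distinct_sources"
summarize_alerts() {
  awk '
    /\[\*\*\]/ {
      match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)           # [gid:sid:rev]
      split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
      sid = id[2]
      src = $(NF - 2); dst = $NF                       # "src -> dst" ends the line
      sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
      key = sid " " dst
      n[key]++
      if (!((key SUBSEP src) in seen)) { seen[key SUBSEP src] = 1; s[key]++ }
    }
    END { for (k in n) print k, n[k], s[k] }
  ' | sort
}

# flood_suspects N: stdin = alert lines; prints destinations that one signature
# reported from at least N distinct sources (the --rand-source footprint).
flood_suspects() {
  summarize_alerts | awk -v n="$1" '$4 >= n { print $2 }' | sort -u
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE" | summarize_alerts
  printf '%s\n' "$SAMPLE" | flood_suspects 3
fi
```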

Obstacles encountered, obstacles overcome

There are two obstacles that we faced while setting up Snort.

The first obstacle appeared after installing the Snort package: running it reported "Error
while loading shared libraries: libmysqlclient.so.15: cannot open shared object file: No
such file or directory".

To overcome this issue, we need to copy the libmysqlclient file from its current location, as
shown in the previous figure, to the /usr/lib directory.

Then, we need to rename libmysqlclient.so.15.0.0 to libmysqlclient.so.15, without the
trailing zeros.

The second obstacle that we faced is an error indicating that Snort could not find the
dynamicengine and preprocessor libraries.

To overcome this issue, we need to copy the two Snort folders, dynamicengine and
dynamicpreprocessor, from /usr/lib to /usr/local/lib as follows.

Then, we need to rename libsf_engine.so.0.0.0 to libsf_engine.so, dropping the version zeros.

Similarly, remove the version zeros from the file names inside the dynamic preprocessor
folder so that they look like the following. That can be done by going to
/usr/local/lib/snortdynamicpreprocessor and using the mv command on each file.

How is information about known attacks compiled?

By executing attacks like these, the information gathered from these techniques might be
used to launch other attacks such as an hping2 flood or a DDoS attack, which can overwhelm
and flood the victim machine with more packets than it can handle.

Best References

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/129/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1513809907&Signature=xAINS9yLgq6d3GvZe%2BWbA7DF38E%3D


Conclusion:
The main objective of this assignment was to help us as IT students to
improve our technical skills and gain an extensive understanding of the basics of
system and network administration. Different topics were taught and
discussed, such as the fundamentals of TCP/IP and the machine’s configuration
and its files. Moreover, we got good practice using a different operating system,
which is Linux.
We worked as one team in all the assignment phases, and without that vital
thing we would not have been able to complete this assignment. Each one of us has shown
a great attitude toward the others. We could share our ideas and knowledge
smoothly without any difficulties. The knowledge that we gained from this
assignment, with the help of our lecturer, is extremely valuable and will help us a lot
in our studies and future jobs.
