TECHNOLOGY PARK MALAYSIA

CT106-3-2-SNA

System and Network Administration

UC2F1908IT

TITLE: Network Administration Project

HAND-OUT DATE: 13 SEPTEMBER 2019

HAND-IN DATE: 20 DECEMBER 2019

Lecturer: Dr Thomas Patrick O’Daniel

Name and TP Number:

Arshad Chungyen Lo (TP 044657)

Joshua Ryan (TP 054655)

Siti Nur Aishah Binti Abdul Mutalib (TP047602)

Group Project
Title: Network Administration Project

Due dates: Week 12 - Presentation; Week 14 - Report

Each group member needs to choose one enhancement for their individual work. The minimum
number of enhancements done by the group is 3, including one required enhancement: (a) using
stunnel for communication (b) using https:// for the connection to the host browser, and (c) using the
mail submission port.

There a page here for each of the enhancements. Maximum points for an enhancement will only be
achieved when it is successfully implemented (criteria 1) and properly documented (criteria 2).
Marking is points_Earned / points_Attempted, so fully completed enhancements are worth more
than partially completed ones.

Please make sure the individual enhancements are clearly identified.

Screenshots used to document enhancements must show the student ID of the owner in
The
thework-in-progress
command prompt,presentation is intended
logfile messages, to help
or email you finish your project successfully. You should
address.
have a1.draft of your
Login report ready for the presentation.
as root
2. Edit /etc/HOSTNAME
Change the hostname to your student ID number and server, like this:
Tp024680-mh.net-c.tinynet.edu
3. Edit /etc/dnsmasq. d/cnames
Change the old name to the new name everyplace it appears
4. Reboot
(dnsmasq will register the new name when the host asks for an IP)

1
Table of Content
1.0 Group Enhancement 3
1.1 Secure Webmail 3
1.1.1 Objective – what this does for the system 3
1.1.2 List the relevant configuration files, and for each one briefly describes what was
done 3
1.1.3 Screenshot of browser Trusted Root CA store (with TinyNetCA) 3
1.1.4 Screenshot of mailbox in squirrelmail Monkey Homepage (with https:// in the
URL) 4
1.1.5 Screenshot of listening ports 4
1.1.6 Any Outstanding/Unresolved Issues 4

2.0 Individual Enhancement 5

2.1 Cross-System Multitail 5
2.1.1 Objective 5
2.1.2 Configuration files and screenshots of the test 5
2.1.3 Obstacles encountered, obstacles overcome 11
2.1.4 Any Outstanding/Unresolved Issues 11
2.2 LDAP 12
2.2.1 Objective – what this does for the system 12
2.2.2 List the relevant configuration files, and for each one briefly describe what was
done 12
2.2.3 Screenshots of tests, with explanations 20
2.2.4 Obstacles encountered, obstacles overcome 24
2.2.5 Any Outstanding/Unresolved Issues 24
2.3 Migrate to Net-R 25
2.3.1 Configuration files and screenshots of tests 25
2.3.2 Describe the Net-R automatic traffic generation system 31
2.3.3 Obstacles encountered, obstacles overcome 33
2.3.4 Any Outstanding/Unresolved Issues 33
2.4 Sudo 34
2.4.1 Fortune 34
2.4.2 Disabling root 36
2.4.3 Changing color prompts for different users 38
2.5 iptables 39
2.5.1 Objectives 39
2.5.2 Implementations 39
2.5.3 Testing 40

Reference 44

2
1.0 Group Enhancement

1.1 Secure Webmail

Owner: Arshad Chungyen Lo (TP044657)

1.1.1 Objective – what this does for the system

Adding a secure layer on the mail and monkey webpage. The original setup does not
1.1.2 List any
include the relevant
form of configuration
security layerfiles,
like and
SSLfor
or each one But
HTTPS. briefly describes
after adding what was done
the certificate
all webpages will be secure. Too bad that we can’t login after the certificate is
All we need is
implemented. Thetoresult
download
will bethe
badcertificate from the my-TinyNet website and add it
LDAP server.
1.1.3
intoScreenshot of browser
the current browserTrusted
in yourRoot CA store (with
computer, TinyNetCA)
e.g.: Google Chrome under trusted
certificate. Like mine the certificate immediately verified by my anti-virus.

3
1.1.4 Screenshot of mailbox in squirrelmail Monkey Homepage (with https:// in the URL)

1.1.5 Screenshot of listening ports

1.1.6 Any Outstanding/Unresolved Issues

SSH connection to the browser is unpredictable and unreliable

4
2.0 Individual Enhancement

2.1 Cross-System Multitail

Owner: Siti Nur Aishah Binti Abdul Mutalib(TP047602)

2.1.1 Objective

Multitail is a perfect tool to observe any impact of the tests conducted. This is the list of what
Multitail can do:

● View one or more files on your screen in separate windows.

● Combine files with a different colour for each one so that you can easily understand
the file of line.

● Incorporated scan function

2.1.2 Configuration files and screenshots of the test

A. Use one easy method to setup Multitail to show the postfix logfiles on the Gateway
and the Mailserver in separate windows, and demonstrate using email via telnet.

Multitail with SSH

5
The first step is to start and login to both Gateway and MailHost VMs. Go to mc.

Next, go to /etc/ssh/ssh_config and press F4 to edit the script. Do the same step for
MailHost server too.

6
Add these following line in the script:

Host *

ControlPath /tmp/ssh-%r@%h:%p

ControlMaster auto

# ControlPersist 10m

Press F2 to save the changes and repeat it on MailHost server.

Type netstat -tulp and make sure that rc.sshd is running for both Gateway and
MailHost server.

7
In Gateway server, type:

ssh [email protected]

then yes

type the password which ‘toor’

Press ALT+F2 to open new terminal and login once more.

Multitail /var/log/postfix.log -1 “ssh [email protected] tail -f

/var/log/postfix.log”

8
 The output display the initial status of postfix.log in both gateway and mailhost
server. Then, send an email through Squirrelmail and it will display the final status of
postfix.log in both gateway and mailhost.

The press CTRL+C to exit the multitail.

B. Use a different easy method to setup Multitail to show the postfix logfiles on the
Gateway and the Mailserver in a single window with different colours, and
demonstrate using email via telnet

Multitail with NetCat

The first step is to start and log in to both Gateway and MailHost VMs.

9
In MailHost server, type these following command line:

Mkfifo /tmp/foo

Ln -s /bin/bash /bin/rbash

Cat /tmp/foo |bsdnc -lkv 23432 |/bin/rbash l>/tmp/foo &

It is to create configuration file.

While, in Gateway server, type these following command line:

Multitail -ci yellow /var/log/postfix.log -ci red -L “echo ‘tail /var/log/postfix.log’

|nc 192.168.76.173(IP address from MailHost) 23432”

It will display the postfix.log file in colours that have been set.

10
 The output displays the initial status of postfix.log in both Gateway and Mailhost
server. Then, send an email through Squirrelmail and it will display the final status of
postfix.log in both Gateway and Mailhost.

2.1.3 Obstacles encountered, obstacles overcome

While typing those long command line, it can a bit confusing and I have an error where the
postfix.log file did not appear because of the mistake while typing. But, it has been resolved
after carefully check the command line to not make any mistake.

2.1.4 Any Outstanding/Unresolved Issues

The VMs cannot be connected to Squirrelmail, thus the final status of postfix.log file do not
display on the screen.

11
2.2 LDAP

Owner: Arshad Chungyen Lo (TP044657)

2.2.1 Objective – what this does for the system

Setting up the LDAP with multiple domains create a hierarchical structure for storing
2.2.2 List the relevant configuration files, and for each one briefly describe what was done
information. In this task, the system creates organizational units, individuals and
resources in the network. By configuring dovecot, users can use LDAP to access
squirrelmail and the connection will be more secure with stunnel encryption.
Enable LDAP service by making LDAP file executable

/etc/rc.d/rc.ldap

- We make the LDAP service available by chmod and apply the proper permissions for
the service. The command used is

chmod 755 /etc/rc.d/rc.ldap

- Restart rc.ldap service to apply the changes to the settings.

/etc/rc.d/rc.ldap stop

/etc/rc.d/rc.ldap start

Configure LDAP domain

file

12
/etc/openldap/slapd.conf

- We need to configure the LDAP file to let the LDAP service know how to handle stuffs.
- Therefore, we made changes to the /etc/openldap/slapd.conf file as follows:

access to *

by dn="cn=LDAPAdmin,o=tinynet.edu" write

by self-write

by * read

Creating the First DIT (o=tinynet.edu), “o=” is our first domain.

/etc/openldap/topclass.ldif

- We need to make the First DIT or domain of the LDAP service with “o=” format by
making changes to the /etc/openldap/topclass.ldif file as follows:

dn: cn=LDAPAdmin,o=tinynet.edu

objectClass: organizationalRole

objectclass: simpleSecurityObject

cn: LDAPAdmin

description: LDAP Administrator

userPassword: {PLAIN}slapmesilly

- Then, we need to tell the program to add the First DIT or domain that we

configured earlier in the file. We simply execute the code as follows:

%ldapadd -x -D “cn=LDAPAdmin,o=tinynet.edu” -w slapmesilly -f

/etc/openldap/topclass.ldif

13
- Next, we need to add some user data into the First DIT or domain. This can be

done by executing the code as follows:

%ldapadd -x -D “cn=LDAPAdmin,o=tinynet.edu” -w slapmesilly -f

/etc/openldap/userdata.ldif

Creating the Second DIT (dc=tinynet,dc=edu), “dc=” is our second domain

/etc/openldap/topclass.ldif

- After the First DIT or domain has been added to the system, we need to make the

second domain with “dc=” format. - We can do it by making changes to the

/etc/openldap/topclass.ldif file and edit as

follows:

dn: dc=tinynet,dc=edu

objectClass: top

objectClass: dcObject

objectClass: organization

o: MyTinyNet

dc: tinynet

description: LDAP Root

- The code snippets above is for the LDAP Root.

dn: cn=LDAPAdmin,dc=tinynet,dc=edu

1
objectClass: organizationalRole

objectClass: simpleSecurityObject

cn: LDAPAdmin

description: LDAP Administrator

userPassword: {PLAIN}slapmesilly

- The code snippets above is for the LDAP admin user.

dn: ou=UserNetA,dc=tinynet,dc=edu

ou: UserNetA

objectClass: top

objectClass: organizationalUnit

description: User on Net-A

- The code snippets above is for the user that is using LDAP service.

- We configured UserNet-B and UserNet-C section same as the UserNet-A.

Editing the details for users

/etc/openldap/userdata.ldif

- We need to change the user account information so that they are using the format

“dc=” same as the second DIT. We can do this by editing the

“etc/openldap/userdata.ldif” file as follows:

1
dn: cn=Barbara Jensen,ou=UserNetA,dc=tinynet,dc=edu

dc: tinynet

ou: UserNetA

cn: Barbara Jensen

- Then, we need to tell the program to create the Second DIT or domain that we

have configured in the LDAP file by executing the code as follows:

%ldapadd -x -D “cn=LDAPAdmin,dc=tinynet,dc=edu” -w slapmesilly -f

/etc/openldap/topclass.ldif

Configuring Dovecot

/etc/dovecot/dovecot.conf

- Now, we need to configure Dovecot service to use LDAP service. We can do it

by editing the /etc/dovecot/dovecot.conf file and uncomment this section of the

coding as shown below:

passdb ldap {

# Path for LDAP configuration file

args = /etc/dovecot/dovecot-ldap.conf

userdb ldap {

1
# Path for LDAP configuration file

args = /etc/dovecot/dovecot-ldap.conf

passdb passwd-file {

args = /home/vmail/mail-pwd

userdb static {

args = uid=vmail gid=vmail

- These lines of codes are telling the system where to look for the LDAP

configuration file and file used to store password in the system.

Changing the dovecot default address to LDAP server address

/etc/dovecot/dovecot-ldap.conf

- We need to tell the program to access the LDAP server address so that the

Dovecot service can use LDAP service. - We can do it by editing the

/etc/dovecot/dovecot-ldap.conf file and change the

localhost address to the LDAP server as follows:

hosts = ldap.tinynet.edu

1
Create a configuration file for Second DIT or domain

/etc/dovecot/dovecot-ldap-dc.conf

- Although the proper LDAP server address have been configured in the previous

file, the second DIT or domain is yet to be configured. Therefore, we need to

configure the Second DIT to use LDAP service.

- We make a copy of /etc/dovecot/dovecot-ldap.conf and rename it as

/etc/dovecot/dovecot-ldap-dc.conf.

- We proceed to edit the file and changing the domain to format “dc=” as shown

below:

#Make sure this matches something in the directory or slapd.conf

dn = dn=LDAPAdmin,dc=tinynet,dc=edu

dnpass = slapmesilly

#LDAP search base: where to start searching through the directory

base = dc=tinynet,dc=edu

scope = subtree

Configure Squirrelmail in WebServer

var/www/squirrelmail/config_svr_ldap.php

1
- Squirrelmail is also required to use LDAP service in this task. - Therefore, we can do it
by editing the /var/www/squirrelmail/config_svr_ldap.php

file by adding the lines below $ldap_server[0] as follows:

$ldap_server[1] = Array(

‘host’ => ‘ldap.tinynet.edu’,

‘base’ => ‘dc=tinynet,dc=edu’

);

/config_plugins.php

- We need to tell squirrelmail to use the LDAP plugin.

- We can do it by editing the /config_plugins.php file in the squirrelmail directory

by uncommenting the following line:

# 3rd party –

# allows users to search the Directory Servers by name and

# lookup phone numbers, addresses, and other data

#$plugins[8] =’ldapquery’;

Configuring stunnel

/etc/rc.d/rc.stunnel

- Stunnel is required for LDAP in this task. By doing this, LDAP service can run

more securely with stunnel running.

- We can do it by making /etc/rc.d/rc.stunnel executable

1
 chmod 755 /etc/rc.d/rc.stunnel

- Then, we need to get stunnel working by editing the /rc.stunnel file and

make changes as follows:

/usr/sbin/stunnel $LINE to /etc/stunnel $LINE

After all the steps above are done, the LDAP is now properly set up with two domains,

(o=) and (dc=). Dovecot service and squirrelmail are also able to use LDAP service

when running. Stunnel is also available for LDAP to use and makes the data

transmission more secure.

2.2.3 Screenshots of tests, with explanations

(ldapsearch, squirrelmail address book, mail TO someone in the LDAP database)

Creating the First DIT in topclass.ldif

2
The program adds the top level of First DIT

Adding the user data into the First DIT

Creating the Second DIT in topclass.ldif

2
2
Configure config_svr_ldap.php file to make squirrelmail uses LDAP

Configuring config_plugins.php to enable LDAP plugin.

2
 Configuring rc.stunnel file to make stunnel uses LDAP

2.2.4 Obstacles encountered, obstacles overcome

None
2.2.5 Any Outstanding/Unresolved Issues

Some but was able to mitigate the problem from referencing the internet

2
2.3 Migrate to Net-R

Owner: Siti Nur Aishah Binti Abdul Mutalib (TP 047602)

2.3.1 Configuration files and screenshots of tests

A. Clone and reconfigure your TinyNet servers as Net-R servers

Cloning TinyNet server as Net-R servers

The first step is to clone the ToClone server to three machines which are Gateway
NetR, MailHost NetR and Webserver NetR by right-clicking the particular server and
the drop-down menu will appear as shown in the diagram. Click “Clone…”.

2
The next step is to rename all the three machines to Gateway NetR, MailHost NetR
and Webserver NetR. There is no need to change all the setting and just click button
“Clone”.

These are all three machines that have been cloned.

Reconfigure Net-R servers

Go to setting page of one of the server and click the “Storage” tab. We need to change
the “TinyNetConfig.iso” to “NetRconfig.iso” by downloading it from http://my-
tiny.net/ website.

2
Click the disk icon and choose “NetRconfig.iso” to insert the file in the optical drive.
Click “OK”. Repeat the same steps to the other two VMs.

Start one of the servers and go to Midnight Commander by typing mc at the shell
prompt. Head to /mnt/hdc and press “Enter” at SetupMenu option.

2
 Choose “Net-r Domain Server” and press “Enter” for the Gateway NetR VM. This is
to configure Gateway NetR as the domain server for NetR machines. “Quit” and
reboot the machine.

Meanwhile, choose “Net-r Host” for the other two VMs which are MailHost NetR and
Webserver NetR.

Assign the hostname to the other two VMs and for this particular assignment, assign it
as tp-mailhost or tp-webserver. “Quit” and reboot the two machines.

B. Reconfigure DNSMASQ to hand out static addresses to servers rather than dynamic
one

2
In order to hand out static addresses to the MailHost and Webserver, the configuration
needs to be done in the domain server of Net-R machines which is Gateway NetR. Go
to /etc/dnsmasq.conf and press F4 to edit.

In the “DHCP - addresses”, uncomment and change the following line:

dhcp-host = net:netR, nrh1, 192.168.234.56, infinite

to

dhcp-host = net:netR, tp047602-mailhost, 192.168.234.57, infinite

dhcp-host = net:netR, tp047602-webserver, 192.168.234.58, infinite

2
The two-line above is for the configuration of IP addresses for Net-R host servers.
The configuration is only done in the domain server only which is Gateway NetR
VM. After the configuration of dnsmasq, reboot all the three VMs in order to get the
result of the configuration.

The following screenshots are the result of the successful configuration of NetR
servers:

i. Gateway NetR

ii. MailHost NetR

iii. Webserver NetR

3
 These images show the distinct IP addresses of each NetR servers which are
192.168.234.57 for MailHost and 192.168.234.58 for Webserver.

2.3.2 Describe the Net-R automatic traffic generation system

The figure above is the example of communication between two hosts of Net-R
server. It can be view by pressing Alt+F8 key. Every host that will join the server will
add their own message to the same subnet and affecting the traffic according to my-
tiny.net(2018).

3
To check how the traffic generation works, go to /var/net-r to check the script.

These are the configuration files and brief explanation of what has been done:

i. autologin.sh

Allows otto auto login. When otto is logged in, it will automatically activate
the rogue network immediately.

ii. cplist.sh

When generating or deleting a DHCP lease the dnsmasq must run this file.

iii. mklist.sh

The function of this file is to send the traffic to a list of Net-R machines.

iv. sendloop.sh

This script is intended to create a loop that will continue to send random
messages. It works by taking the * sendmsg.sh script to create endless
generation of traffic and constantly loops it.

v. sendmsg.sh

The script that gives the other Net-R machines random messages. The random
messages are sent in the form of "figlet" and "fortune."

3
 vi. shomsg.sh

This file is used to read other Net-R machines ' messages.

vii. stopmsg.sh

The file aims to stop sending the other Net-R machines random messages.

2.3.3 Obstacles encountered, obstacles overcome

The IP address and subnet mask for both MailHost and Webserver did not appear on the
screen. It is because I have cloned a wrong server and the problem have been resolved after
the right server have been cloned following the proper steps.

2.3.4 Any Outstanding/Unresolved Issues

There are no outstanding or unresolved issues for this enhancement.

3
2.4 Sudo

Owner: Joshua Ryan (TP 054655)

2.4.1 Fortune

To show random fortunes on startup, we need to first install Fortune from TinyNet.iso

1. First we add TinyNet.iso into the vm. Then in the system we open it from /mnt/hdc

2. Choose Install other packages and pick Games

3. Go to /etc/issue and delete the entire text (to remove the login summary and root login)

4. Create a file in /etc/profile.d, name it anything.sh. Inside the file write the following code
to display the fortune text. (note: in this example the color is set to 01;35m which is bold
purple)

3
5. Change the settings on chmod to be executable

6. Now every time a user logs in it will display the Fortune text

Outcome:

3
2.4.2 Disabling root

In the system we will make root inaccessible to users to maintain the security of the system.
Forcing users to use Sudo

1. First we need to make a new user using adduser. Enter the name and specify the group as
wheel

2. Go to /etc/sudoers and click F4 to edit the file.Under the defaults specifications, add the
line Defaults edit=/usr/bin/mcedit:/usr/bin/vi

3. Under the user privilege specification, uncomment the %wheel lines. This is to enable the
group wheel to run all the commands

3
4. To disabled root access, type in the command passwd -l root (-l means lock). The system
will display Password changed which means the root has been successfully locked.

Outcome:

Users must use sudo to login for any commands, Su is disabled.

3
2.4.3 Changing color prompts for different users

Go to /etc/profile under the section of set a default shell prompt, change the code statements
to the following. The code changes the normal user’s prompt to green and the root user’s
prompt to red

3
2.5 iptables

Owner: Joshua Ryan (TP 054655)

2.5.1 Objectives
a) Add the six “Rules for things that no proper TCP stack should be processing” from
the IPTables Quick Reference section -p --protocol tcp but use a LOG target
b) Use hping2 and Multitail to show the rules are working

2.5.2 Implementations

Iptables is a netfilter system built in linux that implements firewall and routing
capabilities within the kernel. This means a machine running linux has the ability to act as a
firewall or router for the system.

1. To setup the iptables, we need to run the following commands:

Iptables -A INPUT -p tcp –tcp-flags ALL NONE -j LOG –log-level aler –log-prefix “iptables
ALL NONE”

Iptables -A INPUT -p tcp –tcp-flags FIN,SYN FIN,SYN -j LOG –log-level aler –log-prefix
“iptables FIN,SYN FIN,SYN”

Iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST-j LOG –log-level aler –log-prefix
“iptables SYN,RST SYN,RST”

Iptables -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST-j LOG –log-level aler –log-prefix
“iptables FIN,RST FIN,RST”

Iptables -A INPUT -p tcp –tcp-flags FIN,ACK FIN -j LOG –log-level aler –log-prefix
“iptables FIN, ACK FIN”

Iptables -A INPUT -p tcp –tcp-flags ACK,URG ACK -j LOG –log-level aler –log-prefix
“iptables ACK,URG ACK”

2. To make sure this is run every time, we write this in the anything.sh script earlier

3
3. To list out the iptables we can use the command iptables -L

2.5.3 Testing

To test we using multitail using the following commands

Testing rule 1 (ALL NONE): multitail /var/log/syslog “hping2 192.168.56.101”

4
Testing rule 2 (FI,SYN FIN,SYN): multitail /var/log/syslog “hping2 -F -S 192.168.56.101”

Testing rule 3 (SYN,RST SYN,RST): multitail /var/log/syslog “hping2 -S -R

192.168.56.101”

4
Testing rule 4 (FIN,RST FIN,RST): multitail /var/log/syslog “hping2 -F -R 192.168.56.101”

Testing rule 4 (FIN,RST FIN,RST): multitail /var/log/syslog “hping2 -F -R 192.168.56.101”

4
Testing rule 5 (FIN,ACK FIN): multitail /var/log/syslog “hping2 -F 192.168.56.101”

Testing rule 6 (ACK,URG URG): multitail /var/log/syslog “hping2 -U 192.168.56.101”

4
Reference

1. MyTinyNet, 2018. MultiTail. [Online] Available at:

https://www.my-tiny.net/L10-mtail.htm [Accessed 10 December 2019].
2. MyTinyNet, 2018. Net-R Basic Setup. [Online] Available at: http://www.my-
tiny.net/net-r/NR01-base.htm [Accessed 14 December 2019].
3. MyTinyNet, 2018. iptables. [Online] Available at:
http://www.my-tiny.net/net-r/NR01-base.htm [Accessed 14 December 2019].
4. MyTinyNet, 2018. hping2. [Online] Available at:
http://www.my-tiny.net/net-r/NR01-base.htm [Accessed 14 December 2019].
5. MyTinyNet, 2018. User accounts. [Online] Available at: http://www.my-tiny.net/net-
r/NR01-base.htm [Accessed 14 December 2019].
6. MyTinyNet, 2018. Script I/O. [Online] Available at:
http://www.my-tiny.net/net-r/NR01-base.htm [Accessed 14 December 2019].
7. Brown, K. (2017). The Beginner’s Guide to iptables, the Linux Firewall. [online]
How-To Geek. Available at:
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewa
ll/ [Accessed 17 Dec. 2019].