
Group Project

Title: Network Administration Project


Overview: Students in groups of at most three members will be required to build, document, and
demonstrate a TCP/IP network, configured with essential network services and additional
enhancements.
Criteria for assessment:
1. The network and its services work as intended
2. The report documents the system and indicates a correct understanding of how the
network components fit into the whole.
3. Presentation of work-in-progress and project management
Maximum points for an enhancement will only be achieved when it is successfully implemented
(criteria 1) and properly documented (criteria 2). A template for reporting on each enhancement is
provided. Note that all screenshots must include the student ID number of the owner in the
hostname, email address, or logfile entries.

Due dates:
Week 7: Base System Presentation
Week 12, 13: Group Work-In-Progress Presentations
Week 14: Report

Individual Component
Everyone needs to do an individual demonstration of their base system around mid-semester. To
prepare for the demonstration, add your TP number as a user in /home/vmail/mail-pwd, and send
yourself some test emails. The demonstration simply requires you to show your inbox in
Squirrelmail.
Everyone needs to do an individual enhancement for their base system. There are a number of
options listed below for enhancements to the base system, and each group member needs to
choose one for their individual work. The rest will be available for the group to work on together.
The project management component requires you to show one group member as the owner of the
enhancement, no matter how many group members work on it or when. The project management
component will be assessed through the information you provide in your report plus your
individual reflections on the teamwork of your group. The individual reflections are from you
alone, and must be submitted separately.

Group Component
There are a number of options listed below for enhancements to the base system, and once each
group member chooses one for individual implementation, the rest will be available for the group
to work on together. The group is free to choose any combination, and a special scenario devised
by the group can be proposed to your lecturer, who will be happy to advise on its suitability and
help you refine it if necessary.
The minimum number of enhancements done by the group is 3, including one required
enhancement: (a) using stunnel for communication between servers and (b) using the mail
submission port.

Remember, maximum points for an enhancement will only be achieved when it is successfully
implemented (criteria 1) and properly documented (criteria 2). The project management
component requires you to show one group member as the owner of the enhancement, no matter
how many group members work on it or when.

Screenshots used to document enhancements must show the student ID of the owner in the
command prompt, logfile messages, or email address. Details of how to do this are in the
Resources Document and Report Template.

Documentation should be organized as a set of steps that were followed to implement the
enhancement, with a focus on pitfalls and obstacles encountered and overcome – if there is a
resource that is sufficient, refer to it with some critical evaluation (how complete is it? how close
is their system to our system? what’s missing?) rather than copy/paste into your report.
The group presentation is intended to help you finish your project successfully. It is essential to
have a draft of your report to review. The presentation will be informal, focused on the tasks you
have chosen, the progress you have made, obstacles overcome, and outstanding issues to be
resolved (no PowerPoint required).

1. Cross-System Multitail
a) Use one easy method to setup Multitail to show the postfix logfiles on the Gateway and
the Mailserver in separate windows, and demonstrate using email via telnet
b) Use a different easy method to setup Multitail to show the postfix logfiles on the
Gateway and the Mailserver in a single window with different colors, and demonstrate
using email via telnet

2. Basic VPN
a) Setup openvpn using static keys
b) Have two sets of config files, one for tun and one for tap

3. SSH Key Management
a) Reconfigure one of the Multitail setups above to use authentication via keys and ssh-agent
b) Reconfigure openvpn to use signed keys

4. iptables
a) Add the six “Rules for things that no proper TCP stack should be processing” from the
IPTables Quick Reference section “-p --protocol tcp”, but use a LOG target
b) Use hping2 and Multitail to show the rules are working

5. SUDO
Choose one server and
a) Change the startup display to show a random fortune in color each time a user logs in
rather than the command summary and root login
b) Allow no root access: force users to use sudo
c) Have different color prompts for normal users and root
When you move to Ubuntu, you will want to manage sudo!

6. IDS – This one counts as two (double weight)
a) Setup snort
b) Use multitail and hping2 to demonstrate triggering a specific snort rule
c) How is information about known attacks compiled into rules?
This requires extra research – Start Early!

7. Protocol Analysis
Use tcpflow to capture the dialog between the browser and the webserver when
a) you access the default monkey webpage. How can you recover the images?
b) you access a mailbox in squirrelmail. How many requests are made? How many servers
are involved?

8. Migrate to Net-R
a) Clone and reconfigure your TinyNet servers as Net-R servers
b) Reconfigure DNSMASQ to hand out static addresses to servers rather than dynamic ones
c) Describe the Net-R automatic traffic generation system

9. Port Knock
a) Use the Netcat and Named Pipes technique to set up a reverse shell
b) Use knockd and hping2 to control availability (activate/deactivate)

10. Ettercap
a) Use two Net-R hosts, and change the index.html on one of them to say
“Substitute webserver has answered your request – Frown and Be Worried”
b) Demonstrate before and after ARP & DNS cache poisoning with Ettercap
(can also do this with two TinyNet No-Role hosts)

11. LDAP – The missing piece of our enterprise network
a) Setup the LDAP server with two domains (o= and dc=)
b) Configure dovecot and squirrelmail to use LDAP
c) Get LDAP using stunnel

12. Virtual Servers
a) In monkey.conf set up two virtual servers (VirtualHost) for them, and disallow serving
web pages from user home directories. Add cnames to dnsmasq.
b) Put the webserver VirtualHost DocumentRoot directories on a new VM NFS mount.
c) Set up two normal users and add directories under their home directories for their web
pages and CGI scripts on the NFS server, and give them ssh access.
d) Configure the system so users cannot access the VirtualDocumentRoot directories, and
set up a cron job to automatically move files from home directories to the proper
VirtualDocumentRoot
