
Table of Contents

Workload Matrix
Gantt Chart
Acknowledgement
System Configurations
1.0 Setup Virtual Server & User Access (Lee Win Neng)
1.1 Objectives
1.2 Configuration
1.3 Obstacles
1.4 References
2.0 User Privilege Configuration (Hea Zhen Yao)
2.1 Objectives
2.2 Configuration
2.2.1 Configuring SSHD
2.2.2 Configuring Profile
2.3 Result
2.3.1 SSHD Telnet
2.3.2 Colour Prompts
2.4 Obstacles
2.5 Reference
3.0 SASL Authentication & Encryption (Alex Chung Sheng Feng)
3.1 Objective
3.2 Configuration
3.3 Results
3.4 Obstacles
3.5 Suitable encryption protocols used for configuring the mail host
4.0 Port Forwarding, Telnet & TFTP (Liu Yung Peng)
4.1 Objective
4.2 Configuration
4.2.1 Configure Telnet for xinetd to perform port forwarding
4.3 Try the xinetd port forwarding for telnet
4.3.1 Configure TFTP for xinetd port forwarding
4.3.2 Try xinetd port forwarding for TFTP
4.4 How this could work with a Cisco router or switch
5.0 Mounting NFS (Lee Win Neng)
5.1 Objectives
5.2 Configuration
5.3 Obstacles
5.4 References
6.0 Setup OpenVPN With Certificate Authority (Hea Zhen Yao)
6.1 Objectives
6.2 Configuration
6.2.1 Install OpenVPN
6.2.2 Editing the server.conf and client.conf
6.2.3 Tun and Tap configuration
6.3 Obstacles
6.4 Reference
7.0 Setup OpenVPN (Alex Chung Sheng Feng)
7.1 Objective
7.2 Configuration
7.3 Results
7.4 Obstacles
8.0 Cowsay, Figlet & Toilet (Liu Yung Peng)
8.1 Objective
8.2 Configuration
8.2.1 Cowsay
8.2.2 Figlet 2.2.5
8.2.3 Toilet 0.3
8.2.4 Libcaca
8.3 Demonstration of cowsay, figlet and toilet
8.4 Obstacles and Solutions
9.0 ISC Setup & Configuration (Lee Win Neng)
9.1 Objectives
9.2 Configuration
9.3 Obstacles
9.4 References
10.0 Setup Snort & Demonstration Of Its Functions (Hea Zhen Yao)
10.1 Objectives
10.2 Configuration
10.2.1 Setting up Snort
10.2.2 Changing the path of the Snort rules
10.2.3 Editing Symlink
10.2.4 Using hping2 to demonstrate recognized attacks
10.3 Obstacles
10.4 Reference
11.0 Setup LDAP With FreeRadius & Protocols (Alex Chung Sheng Feng)
11.1 Objective
11.2 Configuration
11.3 Results
11.4 Obstacle
11.5 Protocols used in more typical environments
12.0 Kerberos, IPTraf & Wireshark (Liu Yung Peng)
12.1 Objective
12.2 Configuration
12.2.1 Install Kerberos 1.6.3
12.2.2 Preparation
12.2.3 Configure Kerberos Server with KDC-AS and TGS
12.3 Configure Application Server with SSH and Telnet Service
12.4 Demonstration by using IPTraf
12.5 Demonstration on Kerberos Server (SSH and Telnet)
12.6 Obstacles and Solution
Conclusion
References

Workload Matrix

Percentage (%) of each task done by each member:

No.  Task                    Lee Win Neng   Hea Zhen Yao   Alex Chung Sheng Feng   Liu Yung Peng
 1   Workload Matrix              100              0                 0                    0
 2   Gantt Chart                    0              0                 0                  100
 3   Acknowledgement                0            100                 0                    0
 4   System Configurations         25             25                25                   25
 5   Question 1                    70             10                10                   10
 6   Question 2                    10             70                10                   10
 7   Question 3                    10             10                70                   10
 8   Question 4                    10             10                10                   70
 9   Question 5                    70             10                10                   10
10   Question 6                    10             70                10                   10
11   Question 7                    10             10                70                   10
12   Question 8                    10             10                10                   70
13   Question 9                    70             10                10                   10
14   Question 10                   10             70                10                   10
15   Question 11                   10             10                70                   10
16   Question 12                   10             10                10                   70
17   Documentation                 25             25                25                   25
18   Conclusion                     0              0               100                    0

Question-Breakdown Structure
Question 1: Lee Win Neng
Question 2: Hea Zhen Yao
Question 3: Alex Chung Sheng Feng
Question 4: Liu Yung Peng
Question 5: Lee Win Neng
Question 6: Hea Zhen Yao
Question 7: Alex Chung Sheng Feng
Question 8: Liu Yung Peng
Question 9: Lee Win Neng
Question 10: Hea Zhen Yao
Question 11: Alex Chung Sheng Feng
Question 12: Liu Yung Peng

Gantt Chart
Acknowledgement
We would like to express our deepest appreciation to all those who provided us the
opportunity to complete this report. Special gratitude goes to our System
Administration Network lecturer, Mr. Shounak Ghosh, whose stimulating suggestions and
encouragement helped us to coordinate our project, especially in doing this assignment.

Furthermore, special thanks go to my team mates, Lee Win Neng, Alex Chung and Liu
Yung Peng, who cooperated with me in configuring this assignment and gave suggestions on
how to overcome the obstacles we met. Last but not least, many thanks again to our lecturer
Mr. Shounak Ghosh, who invested his full effort in guiding the team towards achieving the
goal. We also appreciate the guidance given by other friends as well as the panel,
especially in our project presentation, whose comments and advice improved our presentation
skills.
System Configurations

First, open Oracle VirtualBox and click the New button to create a virtual machine on
the computer.

Next, enter a name for the virtual machine, select Linux as the type and Linux 2.6
(32-bit) as the version.
After the name, type and version have been entered, VirtualBox prompts for the memory size
to be used by the virtual machine. We assign 256 MB of memory to the virtual machine.
For the hard drive, select the option "Create a virtual hard drive now". The file type
for the hard drive is VHD (Virtual Hard Disk); click Next.
In the next step, select Fixed Size and set the size of the hard drive manually. The hard
drive is given 200 MB of storage for the virtual machine.

After the file size has been allocated, the virtual machine and its hard drive are created.
Some changes are then required in the Settings menu at the top of the virtual machine window.
Firstly, change the boot order from Floppy > CD/DVD-ROM > Hard Disk to
Hard Disk > CD/DVD-ROM and untick the Floppy option in the boot order.

Second, attach the hard drive and the ISO file to the virtual machine: the hard drive
created just now and the TinyNetBase ISO file are inserted.
Third, select the network adapters for the virtual machine. The gateway virtual machine
has four adapters enabled, with the 2nd, 3rd and 4th adapters set to Host-Only Adapter.
All the other virtual machines, including LDAP, Mail Server and the rest, are also
given a Host-Only Adapter.

After that, save the settings and click the Start button at the top of the virtual machine
window. The start-up progress of the virtual machine is shown on its screen.
When start-up completes, the Slax boot menu appears. We choose the 4th option, Slax Text
Mode, to start the operating system.

After the operating system has started successfully, we log in to the virtual machine with
the username root and the password toor.

Next, enter the command cfdisk to open the partition menu for the hard drive.
In cfdisk, select the first (free space) entry and choose New to create a new partition
on the hard drive.

After choosing New, choose Primary.
In the next step, enter the size of the partition, 180 MB, for the first hard drive
partition in the virtual machine.

After the partition has been created, select the Bootable option on the first partition so
that the virtual machine can boot from it when it starts up.
Next, create the second partition: choose New on the free space entry located below the
first partition.

After choosing New, select Primary for the next step.
Then enter the remaining hard drive size as the partition size and change the partition
type.
Change the type of the second partition from Linux to Linux swap by entering filesystem
type 82.
Next, write the partition table, exit cfdisk and run the following commands.

Commands:

- mkswap /dev/hda2
- mke2fs /dev/hda1
- swapon /dev/hda2
- mkdir -p /mnt/hda1
- mount /dev/hda1 /mnt/hda1
Next, open Midnight Commander with the command mc and set the two panels to /mnt/hda1
and /mnt/hdc, so that files can be copied from the CD/DVD-ROM to the hard drive. Copy with
the F5 key from hdc to hda1; the directories copied from /mnt/hdc to /mnt/hda1 are boot
and slax.
After the copy has completed, go to the directory /mnt/hda1/boot, find the file named
liloinst.sh and run it to install the boot loader for the operating system.

After pressing Enter on liloinst.sh, the virtual machine prompts to press any key to
continue. Press Enter and the installation completes.
1.0 Setup Virtual Server & User Access (Lee Win Neng)
1.1 Objectives
1. Make webmail a virtual server, and set up one more virtual server.
2. Setup two normal users.
3. Configure the system so users cannot surf web pages or run cgi scripts from their
home directories, and cannot access the virtual server document root, but can
upload files for web/cgi.

Webmail is a web application through which users reach the mail server to send and
receive e-mail from a browser. A web server therefore has to be installed so that users can
access it with the HTTP or HTTPS protocol. Which users and networks may reach it is
controlled by the firewall configuration on the server. Of the two protocols only HTTPS
encrypts the session, so external users should be limited to HTTPS where the login and the
mail content need to stay confidential.

1.2 Configuration
The operating system on the virtual machine has to be installed before the server role can
be configured. The TinyBase.iso image is used to install the operating system on the
virtual machine. The virtual machine is then rebooted with the image changed from
TinyBase.iso to TinyConfig.iso for the configuration of the server role. After the reboot
the menu shown below appears, and we select the MailHost role for this virtual machine.
After the MailHost configuration, the next step is to create the system groups and users
for the webmail services on the virtual machine.

Configuration Steps:

- groupadd -g 55 postdrop
- groupadd -g 54 postfix
- groupadd -g 56 dovecot
- groupadd -g 58 vmail
- useradd -g postfix -u 54 -d /var/spool/postfix -c "postfix MTA" -s /bin/false postfix
- useradd -g dovecot -u 56 -d /etc/dovecot -c "dovecot IMAP-LDA" -s /bin/false dovecot
- useradd -g vmail -u 58 -d /home/vmail -c "dovecot Mail Owner" -s /bin/false vmail

All three service accounts get /bin/false as their shell, so they cannot be used for an
interactive login. The mail store is then created and the Postfix installation is checked
so that it runs properly.

Configuration Steps:

- mkdir /home/vmail
- mkdir /home/vmail/indexes
- chmod -R a+rwxt /home/vmail
- cp /etc/dovecot/mail-pwd /home/vmail
- chown -R vmail:vmail /home/vmail
- mkdir /var/run/dovecot
- chown dovecot:dovecot /var/run/dovecot
- cd /etc/postfix
- ./post-install command_directory=/usr/sbin/ create-missing
- ./post-install command_directory=/usr/sbin/ set-permissions
- postmap /etc/postfix/virtual_mailbox
- postmap /etc/postfix/canonical
- postmap /etc/postfix/virtual_alias

Note that chmod -R a+rwxt makes the whole mail store world-writable. Since the tree is
then owned by vmail, and the Dovecot setup described here accesses the mailboxes as vmail,
a mode such as 0700 on /home/vmail is the least privilege that still works and stops
other local accounts from reading or planting mail.

After these commands, webmail is set up. Next, we configure the web server on another
virtual machine by selecting the Web Server role from TinyConfig.iso.
After the Web Server role has been set, open the default monkey.conf file in Midnight
Commander. monkey.conf is found in the directory /usr/monkey.

The first diagram shows the default monkey.conf and the second the edited version. Press
F4 to edit the file and change two directives: the document root from
Server_root /var/monkey/htdocs to Server_root /var/www, and the CGI mapping from
Server-ScriptAlias /cgi-bin/ /var/monkey/ to Server-ScriptAlias /cgi-bin/ /var/www/.

Next, swap the comment marks on the two index-file lines shown in the diagram below: the
line for the .htm index file is commented out with a hash mark and the hash mark is removed
from the line for the .php index file, so that the server uses the PHP index page.

After editing the configuration, save the file with F2 and exit with F10.
Once monkey.conf has been edited, the web page can be reached from a browser on the host
computer, which shows the SquirrelMail login page at
192.168.56.153/squirrelmail/src/login.php

Logging in to SquirrelMail requires a user account. Create a new user with the adduser
command, giving the name and password; all the other fields keep their default values.

To stop users from running the CGI scripts, the owner of the script files is changed to
nobody from Midnight Commander: press F9 to open the menu bar, choose File > Chown and set
the owner to nobody. The users no longer own the files and, provided the file mode also
removes read and execute permission for group and other (ownership alone does not block
access), can neither access nor run them.
The diagram below shows the resulting "Permission denied" when a user tries to access or
run the files.

1.3 Obstacles
The obstacle I met in this question was that I was unable to test a user uploading files
to the web/cgi directory, because permission to access the files on the virtual machine
was denied. We therefore expect the system to block users from accessing the files
without permission.

1.4 References
(MyTinyNet, 2010)
2.0 User Privilege Configuration (Hea Zhen Yao)
2.1 Objectives
Choose 1 server to:

a. Allow no root access: force users to use sudo
b. Limit SSH access to some users only and allow no root logins
c. Have different colour prompts for normal users and root

2.2 Configuration
2.2.1 Configuring SSHD
By default sshd allows every account to log in. To restrict SSH to specific users, edit
/etc/ssh/sshd_config: open it in Midnight Commander and proceed as in the diagram
below.

Code
mc                         Open Midnight Commander
AllowUsers user1           Allow only user1 to log in through sshd

AllowUsers is a whitelist: every account not listed, including root, is refused. Root
logins are refused independently of the list with the directive PermitRootLogin no, which
is what forces administrators to log in as a normal user and use sudo. Restart sshd after
saving so that the change takes effect.

Diagram 2.1: Configuration for SSHD
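The order in which sshd applies its access directives decides what the AllowUsers line above really does. The following is an added example (not code from the report or from OpenSSH) that evaluates a login attempt against an sshd_config fragment the way sshd(8) documents it: DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups, with glob patterns and the USER@HOST form, plus PermitRootLogin. The configuration fragment and the group table are constructed; Match blocks are deliberately not modelled.

```python
"""Evaluate which accounts sshd would accept, from an sshd_config fragment.

Added example, not part of the report or of OpenSSH. It applies the access
directives in the order sshd(8) documents them (DenyUsers, AllowUsers,
DenyGroups, AllowGroups) with glob patterns and the USER@HOST form, and
honours PermitRootLogin no. Match blocks are not modelled (assumption).
The configuration and group table below are constructed.
"""
import fnmatch

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin no
AllowUsers user1 admin@192.168.56.*
DenyUsers user3
"""

# constructed group membership: user -> set of group names
SAMPLE_GROUPS = {
    "user1": {"users"},
    "user2": {"users"},
    "user3": {"wheel"},
    "admin": {"wheel"},
    "root": {"root"},
}


def parse_sshd_config(text):
    """Return {keyword_lower: [values...]} for the global section.

    Keywords are case-insensitive and list-valued keywords may be repeated,
    so values accumulate. Parsing stops at the first Match block.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        values = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(key, []).extend(values)
    return conf


def _user_match(patterns, user, host):
    """Does any USER or USER@HOST pattern match? Patterns use glob syntax."""
    for pat in patterns:
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(host, hpat)):
            return True
    return False


def _group_match(patterns, groups):
    return any(fnmatch.fnmatchcase(g, pat) for g in groups for pat in patterns)


def ssh_login_allowed(conf, user, host, groups_of):
    """Return (allowed, reason) for a login attempt by user from host."""
    # Only an explicit 'no' refuses root; yes/prohibit-password/forced-commands-only
    # still allow some form of root login.
    if user == "root" and conf.get("permitrootlogin", [""])[:1] == ["no"]:
        return False, "PermitRootLogin no"
    if _user_match(conf.get("denyusers", []), user, host):
        return False, "listed in DenyUsers"
    if "allowusers" in conf and not _user_match(conf["allowusers"], user, host):
        return False, "not listed in AllowUsers"
    groups = groups_of.get(user, set())
    if _group_match(conf.get("denygroups", []), groups):
        return False, "a group is listed in DenyGroups"
    if "allowgroups" in conf and not _group_match(conf["allowgroups"], groups):
        return False, "no group is listed in AllowGroups"
    return True, "permitted"


def audit_sshd(conf):
    """The two checks behind objectives (a) and (b): root refused, list present."""
    findings = []
    if conf.get("permitrootlogin", [""])[:1] != ["no"]:
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every account may log in")
    return findings


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for user in ("user1", "user2", "user3", "admin", "root"):
        print(user, ssh_login_allowed(conf, user, "192.168.56.5", SAMPLE_GROUPS))
    print("audit:", audit_sshd(conf) or "ok")
```

Running it against the fragment shows user2 refused because it is not in AllowUsers, user3 refused by DenyUsers before AllowUsers is even consulted, and admin accepted only from the 192.168.56.0/24 hosts. The audit function also shows why PermitRootLogin no still matters: a fragment containing only AllowUsers root user1 lets root in.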

2.2.2 Configuring Profile


By default the prompt is uncoloured. To change the prompt colour for normal users and
root, edit /etc/profile as in the diagram below.
mc                                 Open Midnight Commander
/etc/profile                       Open the file
PS1='[\[\033[01;31m\]\u@\h \[\033[01;31m\]\W\[\033[00m\]]\$ '   Red prompt (ANSI colour 31), used for root
PS1='[\[\033[01;34m\]\u@\h \[\033[01;34m\]\W\[\033[00m\]]\$ '   Blue prompt (ANSI colour 34, rendered purple on some terminal palettes), used for normal users

The escape sequences are wrapped in \[ and \] so that bash does not count them towards the
prompt width, and \$ prints # for root and $ for everyone else. Because /etc/profile is
read by every login shell, the two assignments have to be selected by a test on the
effective UID (for example whether $(id -u) is 0); if both are simply listed one after the
other, the last one wins for all users.
Diagram 2.2: Configuration for profile

2.3 Result
2.3.1 SSHD Telnet
With the commands below, user2 is unable to log in over SSH while user1 is able to.

Code
user2 / 123                       Log in as user2
ssh 192.168.76.181                Connect with ssh to the server's IP

Diagram 2.3: user2 is unable to access SSH


user1 / 123                       Log in as user1
ssh 192.168.56.197                Connect with ssh to the server's IP

Diagram 2.4: user1 is able to access SSH


2.3.2 Colour Prompts
Log in either as root or as a normal user to see the colour prompt of each.

Code
root / toor                       Log in as root
user1 / 123                       Log in as user1

Diagram 2.5: Root with red prompt

Diagram 2.6: user1 with blue (purple) prompt

2.4 Obstacles
None

2.5 Reference
(Inkblot, 2010-2014)
3.0 SASL Authentication & Encryption (Alex Chung Sheng Feng)
3.1 Objective
The main objective of this section is to enable SASL (Simple Authentication and Security
Layer) on the mail host so that users authenticate to the mail server with a username and
password. The mechanisms enabled here, PLAIN and LOGIN, transmit the password in the
clear (only base64-encoded), so in a real deployment they are offered only inside a TLS
session.

3.2 Configuration
To enable SASL, the configuration steps are as follows:

Step 1: Configure /etc/postfix/main.cf on the mail host.

In MC, open /etc/postfix/main.cf and set the following parameters under the
### smtpd directives:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
Diagram 3.1: Step 1 configuration

smtpd_sasl_path is relative to the Postfix queue directory, so private/auth is the socket
/var/spool/postfix/private/auth that Dovecot is told to create in Step 2. Next, scroll
down to smtpd_recipient_restrictions = and add the following entries so that hosts on the
local networks and authenticated clients are allowed to relay:

permit_mynetworks
permit_sasl_authenticated

Once TLS is configured on the host, smtpd_tls_auth_only = yes keeps PLAIN and LOGIN off
the unencrypted session by refusing AUTH before STARTTLS.

Step 2: Configure /etc/dovecot/dovecot.conf on the mail host.

Similarly, open /etc/dovecot/dovecot.conf in MC. Inside the braces of the auth default
block under ## Authentication, set the following:

mechanisms = plain login

passdb shadow {
}
userdb passwd {
}
user = root
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}

passdb shadow checks passwords against /etc/shadow, which is why the auth process is run
as root here; the client socket is owned by postfix so that smtpd can reach it. Then
disable the existing lines in auth default that the above replaces by prefixing them with
a hash (#), including their closing braces:

# user = vmail # User running deliver

# socket listen {
#   master {
#     path = /var/run/dovecot/auth-master
#     mode = 0600
#     user = vmail # User running deliver
#   }
# }
Diagram 3.2: Step 2 Configuration
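It is worth seeing exactly what "mechanisms = plain login" puts on the wire before relying on it without TLS. The following is an added example (not code from the report, Postfix or Dovecot) that builds the client side of SMTP AUTH PLAIN and AUTH LOGIN as a mail client would send it, recovers the credentials from a captured session, and checks a main.cf fragment for the setting that restricts these mechanisms to TLS. The captured session is constructed; user1 / 123 is the account added in Step 3, and the main.cf fragment is the one from Step 1.

```python
"""What the PLAIN and LOGIN mechanisms enabled above put on the wire.

Added example, not from the report, Postfix or Dovecot. It builds the client
side of SMTP AUTH PLAIN (RFC 4616) and AUTH LOGIN as a mail client would send
it, recovers the credentials from a captured session, and checks a main.cf
fragment for the setting that keeps these mechanisms inside TLS. The session
below is constructed; user1 / 123 is the account added in Step 3.
"""
import base64


def auth_plain_response(authcid, password, authzid=""):
    """PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """Inverse of auth_plain_response: returns (authzid, authcid, password)."""
    parts = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(parts)


def auth_login_responses(username, password):
    """LOGIN mechanism: the server sends 334 VXNlcm5hbWU6 ('Username:') and
    334 UGFzc3dvcmQ6 ('Password:'); the client answers each with base64."""
    return [base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii")]


CAPTURED_SESSION = [  # constructed plaintext SMTP exchange on port 25, no STARTTLS
    "S: 220 mailhost ESMTP Postfix",
    "C: EHLO laptop",
    "S: 250-AUTH PLAIN LOGIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: dXNlcjE=",
    "S: 334 UGFzc3dvcmQ6",
    "C: MTIz",
    "S: 235 2.7.0 Authentication successful",
]


def credentials_from_capture(lines):
    """Recover (mechanism, username, password) from a captured session.

    Anyone who can read the packets can do this: base64 is encoding, not
    encryption, which is why PLAIN/LOGIN belong inside TLS only.
    """
    for i, line in enumerate(lines):
        words = line.split()
        if words[:3] == ["C:", "AUTH", "PLAIN"] and len(words) == 4:
            _, authcid, password = decode_auth_plain(words[3])
            return "PLAIN", authcid, password
        if words[:3] == ["C:", "AUTH", "LOGIN"]:
            username = base64.b64decode(lines[i + 2].split()[1]).decode("utf-8")
            password = base64.b64decode(lines[i + 4].split()[1]).decode("utf-8")
            return "LOGIN", username, password
    return None


def plaintext_auth_exposed(main_cf):
    """True if this main.cf lets PLAIN/LOGIN be used on an unencrypted session.

    Postfix keeps cleartext mechanisms off a non-TLS session only when
    smtpd_tls_auth_only = yes, or when 'noplaintext' is in
    smtpd_sasl_security_options (which disables them altogether).
    """
    settings = {}
    for raw in main_cf.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    if settings.get("smtpd_sasl_auth_enable", "no") != "yes":
        return False
    if settings.get("smtpd_tls_auth_only") == "yes":
        return False
    return "noplaintext" not in settings.get("smtpd_sasl_security_options", "")


PAGE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
"""

if __name__ == "__main__":
    print("AUTH PLAIN", auth_plain_response("user1", "123"))
    print("AUTH LOGIN", auth_login_responses("user1", "123"))
    print("recovered from capture:", credentials_from_capture(CAPTURED_SESSION))
    print("plaintext AUTH exposed:", plaintext_auth_exposed(PAGE_MAIN_CF))
```

With the Step 1 fragment the function reports that plaintext AUTH is exposed; appending smtpd_tls_auth_only = yes turns the report to False, which is the one-line change to make once TLS is in place.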

Step 3: Create a new user on the mail host.

With Postfix and Dovecot configured, a user whose credentials are stored on the mail host
can be added as follows.

# adduser
Enter the details and the password for the new user.
Diagram 3.3: Adding user

Diagram 3.4: Adding user details and password

3.3 Results
Result 1: Log in to SquirrelMail with the new user account.

In a web browser, open http://192.168.56.103/squirrelmail/ and log in with the name and
password of the user created in Step 3.
Diagram 3.5: Access to the mail

Result 2: View the log files of the mail host

Diagram 3.6: Log files

In MC, open the log file /var/log/dovecot.IMAP to confirm the user's login.

3.4 Obstacles
The IP address of eth0 was repeatedly in conflict, which made the URL unreachable.

3.5 Suitable encryption protocols used for configuring the mail host
The encryption protocols that can be applied when configuring the mail host are Transport
Layer Security (TLS) and IPsec.

TLS, as defined by Microsoft (2003), is the successor to Secure Sockets Layer: a
standardised security protocol, developed by the IETF (Internet Engineering Task Force),
that encrypts and protects data on a network and underlies HTTPS for web browsing, e-mail
and other Internet services. TLS sits between the application layer and the transport
layer, and consists of a handshake layer and a record layer that together provide
encryption and authentication (Microsoft, 2003). For encryption TLS uses symmetric ciphers
such as DES, AES and RC4 (of these only AES is still acceptable; DES and RC4 are broken
and current implementations no longer negotiate them) together with asymmetric algorithms
such as RSA for key exchange and authentication. For authentication, the handshake
validates the peers with certificates issued by a Certificate Authority (CA), and the
record layer protects integrity with an HMAC, a keyed hash. On the mail host this is
STARTTLS on SMTP and TLS on IMAP/POP3; in Postfix the smtpd_tls_security_level parameter
enables it, and smtpd_tls_auth_only = yes makes the PLAIN and LOGIN mechanisms from 3.2
usable only inside the TLS session.

Diagram 3.8: TLS handshake and processes. Source: (Google, 1999)

The advantages of TLS are strong authentication and data integrity: it secures network
communication against threats such as replay and man-in-the-middle attacks, it is supported
by the majority of browsers and mail clients, and it is applied below the application
layer, so the application gets a secured channel without having to be aware of it
(Microsoft, 2003).

IPsec is a group of security protocols designed by the IETF to provide packet security at
the network layer. Also known as IP Security, it consists of several component technologies
and an encryption process. IPsec is a popular VPN protocol that operates on the IP protocol
and its addressing, so it is considered a Network Layer VPN protocol. It uses two kinds of
algorithms: encryption algorithms, which keep data from being read by a third party while
it is transferred from one end to the other, and authentication algorithms, which verify
the authenticity and integrity of each message (D. Janowski, 2003). IPsec works by creating
a security association, uniquely identified by a Security Parameter Index (SPI), a
security protocol, AH (Authentication Header) or ESP (Encapsulating Security Payload), and
the destination IP address. IPsec has two modes: in transport mode the IP payload is
protected and the original IP header is sent in the clear, whereas in tunnel mode the
entire packet is encrypted and a new IP header is created (Sultan & Shoukat, 2016). The
main advantage of IPsec is that the protection is provided at the network layer,
transparently to end users and applications, which helps in monitoring and securing
network traffic. For the mail host, IPsec suits traffic between fixed hosts such as the
gateway and the mail server, while TLS is what protects arbitrary mail clients.
4.0 Port Forwarding, Telnet & TFTP (Liu Yung Peng)
4.1 Objective
1. Configure xinetd port forwarding for telnet and tftp.
2. Demonstrate xinetd port forwarding for telnet and tftp and screenshot it.
3. Explain how xinetd port forwarding for telnet and tftp works on cisco router or
switch.
4. Discuss about configuration of xinetd port forwarding in Cisco devices.

4.2 Configuration
Telnet is configured on the gateway server, which has the IP address 192.168.76.101.

The steps needed to set up telnet are shown in the diagram above.

4.2.1 Configure Telnet for xinetd to perform port forwarding
1. First, open mc and press F4 to edit the file /etc/xinetd.d/telnet. Comment out the
only_from line to make the telnet service available to the other hosts.
2. Next, add the bind, port and redirect attributes to the telnet entry with the necessary
values.
3. Before assigning a port, look in /etc/services to see which services the host has. We
use port 23 because that is the port telnet uses (SpeedGuide, 2015); telnet is a TCP
service, so xinetd handles it as a stream socket on TCP port 23.

The services file also shows that telnet uses port 23.
4. bind and port pin the service to a specific IP address and port on the host. As shown
in the diagram, the address is 192.168.76.101 and the port is TCP 23.
5. Connections accepted on that address and port are forwarded to the address and port
given in the redirect attribute. In this case it is redirect = 192.168.76.161 23.

4.3 Try the xinetd port forwarding for telnet

root@if0m1nc is the host requesting the telnet service, while if0m1na is the host that is
the destination of the telnet port forwarding.

The steps for trying the port forwarding for telnet are:

1. On root@if0m1nc, type telnet 192.168.76.101 23. The command gives the IP address of
the gateway server and 23, the port used for the telnet service.
2. After a few seconds the system shows "Connected to 192.168.76.101" in response to the
connection request.
3. If the message in step 2 is shown, port forwarding for telnet works. "Connected to" only
proves that the gateway accepted the TCP connection; the login banner that follows should
carry the hostname of if0m1na, not of the gateway, which confirms the redirect.
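What the bind/port/redirect entry makes xinetd do can be reproduced in a few lines and tested on the loopback interface, without a gateway. The following is an added example (not code from the report or from xinetd): a TCP relay that accepts a connection on the bind address and port and copies bytes in both directions to the redirect target, plus a stand-in for the telnet host that echoes what it receives. It uses ephemeral loopback ports instead of 192.168.76.101:23 and 192.168.76.161:23, and, like xinetd's redirect attribute, it is TCP only.

```python
"""A minimal TCP relay doing what the xinetd bind/port/redirect entry does.

Added example, not from the report or from xinetd. xinetd accepts the
connection on bind:port and copies bytes both ways to the redirect target;
this does the same in Python so the behaviour can be tested on loopback.
It is TCP only, exactly like xinetd's redirect attribute. The echo server
stands in for the telnet host behind the gateway (constructed test peer).
"""
import socket
import socketserver
import threading


def _copy(src, dst):
    """Copy until EOF, then half-close dst so the far end sees the EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _Relay(socketserver.BaseRequestHandler):
    """One accepted client: open the upstream connection and pump both ways."""

    def handle(self):
        target = self.server.target  # (host, port), set by start_forwarder
        with socket.create_connection(target, timeout=5) as upstream:
            back = threading.Thread(target=_copy, args=(upstream, self.request), daemon=True)
            back.start()
            _copy(self.request, upstream)  # client -> target
            back.join(timeout=5)           # target -> client


def start_forwarder(bind_host, bind_port, target_host, target_port):
    """Equivalent of: bind = bind_host / port = bind_port / redirect = target_host target_port.

    Returns the running server; server.server_address[1] is the bound port
    (useful when bind_port is 0 and the OS picks one).
    """
    server = socketserver.ThreadingTCPServer((bind_host, bind_port), _Relay)
    server.daemon_threads = True
    server.target = (target_host, target_port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def start_echo_server(host="127.0.0.1"):
    """Stand-in for the telnet host behind the gateway: echoes what it receives."""

    class Echo(socketserver.BaseRequestHandler):
        def handle(self):
            _copy(self.request, self.request)

    server = socketserver.ThreadingTCPServer((host, 0), Echo)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def relay_roundtrip(host, port, payload):
    """Connect through the forwarder, send payload, return everything echoed back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo = start_echo_server()
    gateway = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo.server_address[1])
    print(relay_roundtrip("127.0.0.1", gateway.server_address[1], b"hello via gateway\r\n"))
    gateway.shutdown()
    echo.shutdown()
```

The client only ever talks to the forwarder's address, just as if0m1nc only talks to 192.168.76.101; the bytes it gets back come from the target. Because the relay is built on a stream socket, there is no equivalent for a datagram service such as TFTP.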
4.3.1 Configure TFTP for xinetd port forwarding

The TFTP configuration on the gateway server is almost the same as for telnet.

1. Open the file /etc/xinetd.d/tftp and press F4 to edit it. Comment out only_from to
make the tftp service available to other hosts.
2. Add the bind, port and redirect attributes to the file.
3. Set bind to the IP address 192.168.76.101 and port to 69, which the services file
shows is the port used for tftp.

4. After bind and port, enter the IP address and the port of the redirected host. In this
case we use 192.168.56.161 and port 69.

Note that xinetd(8) documents the redirect attribute for TCP services only; TFTP is a UDP
datagram service, so forwarding it needs a different mechanism (for example a DNAT rule in
the gateway's packet filter, or a tftpd running on the gateway itself).
4.3.2 Try xinetd port forwarding for TFTP
1. On root@if0m1nc, enter tftp 192.168.76.101 69. The IP address is the gateway
server's and 69 is the port used for tftp.

After the command, the user is at the tftp prompt.
2. Next, fetch a file from the server with get /etc/webserverfile /etc/webserverfile.

"Received" in the output means the file was transferred. To be sure it was served by the
redirect target rather than by the gateway's own tftpd, confirm on the destination host
(for example with tcpdump on UDP port 69) that the datagrams actually arrived there.

4.4 How this could work with cisco router or switch


On a Cisco router, port 23 is also assigned for UDP and TCP. Port 21 is used for FTP and 69 for TFTP; the user can choose either 21 or 69 for file transfer. On Cisco, port forwarding is also known as an access-list (Cisco, 2011). An access-list is a powerful security function: it sets the authority of each network to access services such as FTP, TFTP, DHCP, the POP3 email service and so on. Only a network permitted to use port 23 can use telnet, and the same applies to port 69 or 21. Additionally, the command for permitting a network on a Cisco router or switch to use the TFTP service looks like access-list 101 permit udp host 192.168.76.101 host 192.168.76.161 eq tftp.

5.0 Mounting NFS (Lee Win Neng)


5.1 Objectives
1. Put the actual mailstore and http filestore on a separate machine via an NFS mount
2. Automatically copy the LDAP data files on a scheduled basis to an NFS mount
NFS is mounted on the gateway as a file-sharing device that can be accessed by all the devices connected to the gateway. The mailstore and filestore are both required to be stored on a separate machine, namely the mailserver and the webserver. On the mailserver, the mailstore files are located at /home/vmail, while the filestore files on the webserver are located at /var/www.

5.2 Configuration
Before configuring the sharing permission so that all devices can access the files, we need to locate the mailstore and filestore files on the respective virtual machines. Once located, the file /etc/exports is opened on the webserver and a new line, /var/www *(rw,sync,no_root_squash,no_subtree_check), is added to enable sharing from that virtual machine. The next step configures the mailserver: open /etc/exports there after locating the files, and add the line /home/vmail *(rw,sync,no_root_squash,no_subtree_check) to enable sharing from that machine. Sharing is enabled so that any virtual machine connected to the devices can access the files. The exports file is edited with the F4 key and saved with the F2 key. The * symbol enables sharing such that every virtual machine can see the files mounted onto the NFS server.

WebServer
/var/www *(rw,sync,no_root_squash,no_subtree_check)

MailHost
/home/vmail *(rw,sync,no_root_squash,no_subtree_check)
After sharing is enabled, we need to enable the NFS service by executing 2 commands on the four machines.

Configuration Steps:

- chmod 755 /etc/rc.d/rc.nfsd
- chmod 755 /etc/rc.d/rc.rpc

To turn on sharing on the server, we are required to enable and start the 2 services rc.nfsd and rc.rpc using the start command.

Configuration Steps:

- /etc/rc.d/rc.nfsd start
- /etc/rc.d/rc.rpc start

Next, after enabling and starting them, we can check the shared directories by using the IP address of the server.

Configuration Steps:
- showmount -e <ip address of the server>

The mount command is used to mount the files from the server onto the gateway. We just execute the command and the files are mounted onto the gateway from the server.

Configuration Steps:

- mount 192.168.1.104:/var/www /home

To configure the machine to automatically copy the LDAP data files to NFS, the file /etc/fstab is edited and an extra line is added for the system to execute. With this line, the system copies the LDAP files to NFS automatically on a scheduled basis. The LDAP data files are located in the directory /var/openldap-data. By default, the system mounts this entry automatically at every startup.

Configuration Steps:

- 192.168.1.128:/var/openldap-data /home nfs rw,defaults 0 0
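An added example, not from the report: a shell audit of /etc/exports entries such as the two above. It flags a wildcard client (*) combined with no_root_squash, which lets any host that can reach the NFS server read and write the share as root, and distinguishes that from an export limited to one client with root squashing kept. The file name and sample contents are constructed.

```bash
#!/bin/sh
# Added example, not part of the report. Audits /etc/exports entries like the
# two above: a client of "*" lets every host mount the share, and
# no_root_squash lets a remote root act as root on the exported tree.
# The file name and sample contents are constructed for the demonstration.

# audit_exports FILE -> one line per export and client: "PATH CLIENT RISK"
# RISK is high   when the client is "*" and no_root_squash is set,
#         medium when only one of the two applies, and low otherwise.
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {    # split "client(options)"
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"    # "(options)" alone means any host
                wild = (client == "*")
                nrs  = index("," opts ",", ",no_root_squash,") > 0
                risk = (wild && nrs) ? "high" : ((wild || nrs) ? "medium" : "low")
                print path, client, risk
            }
        }' "$1"
}

# exports_risk FILE PATH -> the RISK column recorded for PATH
exports_risk() {
    audit_exports "$1" | awk -v p="$2" '$1 == p { print $3; exit }'
}

# Constructed sample: the two lines from the report plus the same kind of share
# limited to one client with root squashing left on.
SAMPLE_EXPORTS=${TMPDIR:-/tmp}/exports.sample.$$
cat > "$SAMPLE_EXPORTS" <<'EOF'
# webserver and mailhost entries as written in the report
/var/www *(rw,sync,no_root_squash,no_subtree_check)
/home/vmail *(rw,sync,no_root_squash,no_subtree_check)
# tightened variant: one client, remote root mapped to nobody
/var/openldap-data 192.168.1.1(rw,sync,root_squash,no_subtree_check)
EOF

audit_exports "$SAMPLE_EXPORTS"
```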
On other Linux operating systems such as Ubuntu, the same edit is made to the exports file. Next, the command below is executed to enable the NFS service.

Configuration Steps:

- sudo service nfs-kernel-server start

5.3 Obstacles
The Tiny-Net OS image contains some errors and bugs when enabling the NFS application and the firewall. NFS cannot be set up as a server, which creates problems for the NFS setup, and the firewall feature cannot be enabled on Tiny-Net either.

5.4 References
(Slackware Documentation Project, 2015)

(Moghadam, 2007)

(Linux Home Networking, n.a)

6.0 Setup OpenVPN With Certificate Authority (Hea Zhen Yao)
6.1 Objectives
a. Setup own certificate authority
b. Use the certificate chain with stunnel
6.2 Configuration
6.2.1 Install OpenVPN
Firstly, use the TinyNetConfig.iso image file to install the OpenVPN package.

Diagram 6.1: Setup OpenVPN

Diagram 6.2: Copy files from server side

After the OpenVPN package has been set up, copy dh1024.pem, server.crt, server.key and tmp-ca.crt on the server side from /user/share/doc/openvpn-2.0.9/sample-keys to /etc/openvpn/keys. Then, copy the server.conf file from /user/share/doc/openvpn-2.0.9/sample-config-files to /etc/openvpn.

6.2.2 Editing the server.conf and client.conf


Furthermore, a few parameters in server.conf need to be edited to reflect the generated PKI, namely the ca, cert, key and dh parameters.

Diagram 6.3: server.conf 1 is edited


Diagram 6.4: server.conf 2 is edited

After that, go to the client side and copy 3 files, client.crt, client.key and tmp-ca.crt, from /user/share/doc/openvpn-2.0.9/sample-keys to /etc/openvpn/keys. Then, copy the client.conf file from /user/share/doc/openvpn-2.0.9/sample-config-files to /etc/openvpn.

Diagram 6.5: Copy files from client side

Furthermore, a few parameters in client.conf need to be edited to reflect the generated PKI, namely the ca, cert and key parameters.

Diagram 6.6: client.conf is edited


6.2.3 Tun and Tap configuration
Tun and Tap are 2 sets of configuration files. Typing the command modprobe tun loads Tun and Tap. To test whether Tun and Tap are currently operating, type cat /dev/net/tun. Tun and Tap are up and running when the prompt displays File descriptor in bad state, as in the diagram below.

Diagram 6.7: Run Tun and Tap

To test whether OpenVPN is operating, type the command openvpn server.conf. The diagram below is displayed if OpenVPN is running.

Diagram 6.8: OpenVPN is running

6.3 Obstacles
Unable to examine and use the certificate with stunnel because the installation has too many requirements.

6.4 Reference
(OpenVPN, n.d.)
7.0 Setup OpenVPN (Alex Chung Sheng Feng)
7.1 Objective
The aim of this section is to provide a secured VPN between one place and another through OpenVPN. OpenVPN is required to be set up and configured for the TUN and TAP servers, each with its respective configuration file.

7.2 Configuration
Step 1: Setup OpenVPN on the gateway for both server and client

First and foremost, mount the TinyNetConfig.iso image file and run the installation of OpenVPN with the following commands on both the client and server side.

# cd /mnt/hdc
./SetupMenu
Install OpenVPN

Diagram 7.1: Setup OpenVPN

Step 2: Key generation setup and handshake for OpenVPN.

In order to provide a secure handshake, both client and server are required to have the same Certificate Authority (CA) key generated by OpenVPN, which is used to authenticate between the client and the server since both directly use the same keys. Therefore, in order to generate the key and certificate with OpenVPN correctly, both the client and server side are required to input the following command lines.

cd /usr/doc/openvpn-2.0.9/easy-rsa/
. ./vars
./clean-all
./build-ca

Diagram 7.2: Step 2 configuration

Step 3: Configuring the server

After completing step 2 for the server, continue by entering the following command lines in /usr/doc/openvpn-2.0.9/easy-rsa/.

./build-key-server server
Input the Common Name field as server, then confirm the certificate with y.
./build-dh, then check that dh1024.pem exists in MC mode.
Copy all of the newly generated keys and certificates from the ./keys directory to /usr/doc/openvpn-2.0.9/sample-config-files/ in MC mode.
Diagram 7.3: Step 3 configuration for server

Diagram 7.4: Step 3 configuration

Diagram 7.5: Check and copy for CA and server.key


Step 4: Configuring the client

Similar to step 3, the client must complete step 2 and then add the following command lines.

Copy the previously generated ca.key and ca.crt to ./keys of the client.
Go to /usr/doc/openvpn-2.0.9/easy-rsa/ and run ./build-key client
Input the Common Name field as client, then confirm the certificate with y.
Copy all of the newly generated client keys and certificates from the ./keys directory to /usr/doc/openvpn-2.0.9/sample-config-files/ in MC mode.

Diagram 7.6: Copying the key

Diagram 7.7: Step 4 configuration for client


Diagram 7.8: Step 4 configuration for client

Diagram 7.9: Check and copy for CA and client.key

Step 5: Tun configuration files for server and client

Go to /usr/doc/openvpn-2.0.9/sample-config-files/ and edit ./server.conf with the following:

;dev tap
dev tun
Check that ca.crt, server.crt, server.key and dh1024.pem are properly defined.
;server-bridge 192.168.8.8 255.255.255.0 192.168.8.128 192.168.8.254
server 10.8.0.0 255.255.255.0
Diagram 7.10: Step 5 editing tun config files for server

Then, for ./client.conf, edit the following lines.

;server
;client
;dev tap
dev tun
remote 192.168.76.101 1194
;remote my-server-2 1194
Check that ca.crt, client.crt and client.key are properly defined.

Diagram 7.11: Step 5 editing tun config files for client

Step 6: Initialization and testing for Tun

Open the server and input the following command lines to create and initialize the tun device on both server and client.

mkdir /dev/net
mknod /dev/net/tun c 10 200
Diagram 7.12: Step 6 configuration

After that, on the server side, input the following commands.

cd /usr/doc/openvpn-2.0.9/sample-config-files/

openvpn tun-server.conf

Diagram 7.13: Step 6 server configuration

For the client side, input the following commands.

cd /usr/doc/openvpn-2.0.9/sample-config-files/

openvpn tun-client.conf
Diagram 7.14: Step 6 client configuration and showing initialization sequence completed

The tun is tested from the client with ping 10.8.0.1.

Step 7: Tap configuration files for server and client

Similar to the Tun configuration, go to /usr/doc/openvpn-2.0.9/sample-config-files/ and edit ./server.conf with the following:

dev tap0
;dev tun
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
;server 10.8.0.0 255.255.255.0

Diagram 7.15: Step 7 TAP configuration for server


Go back to normal mode and activate the bridge utility under the directory /mnt/live/memory/modules with the following command.

activate bridge-utils-1.2-2.lzm

Diagram 7.16: Activate bridge utility command

Next, move to ./client.conf and input the following lines:

client
;server
dev tap
;dev tun
remote 192.168.76.101 1194
;remote my-server-2 1194
Check that ca.crt, client.crt and client.key are properly defined.

Diagram 7.17: Step 7 TAP configuration for client

Step 8: Initialization and testing for Tap

The initialization was already done in step 6 with the mknod /dev/net/tun c 10 200 command. What remains is to initialize the opened tap0 interface and set its persist state to ON.

Server side configuration is done as follows in the terminal.

cd /usr/doc/openvpn-2.0.9/sample-scripts
./bridge-start
cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tap-server.conf

Diagram 7.18: Step 8 initialization TAP for server.

Client side configuration is also done as follows in the terminal.

cd /usr/doc/openvpn-2.0.9/sample-config-files/
openvpn tap-server.conf

Diagram 7.18: Step 8 initialization TAP for client.

The Tap configuration is then tested by the client with ping 192.168.8.4, the address of br0.
7.3 Results
The results show that the TUN and TAP connections are able to ping each other through OpenVPN.

Diagram 7.19: Tun connection result for server side

Diagram 7.20: Tun connection result for client side


Diagram 7.21: TAP connection result from server side

Diagram 7.22: TAP connection result from client side

7.4 Obstacles
The obstacle faced in configuring this section is that ca.key, ca.crt and dh1024.pem were not properly defined on the server and client side, causing an error where the client is not able to authenticate with the correct key.
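An added example, not part of the report or of OpenVPN's own tooling: a shell check for a server.conf or client.conf as edited in steps 5 to 7. It reports ca, cert, key and dh entries whose files are missing (the cause of the obstacle described in 7.4), a dev line that contradicts the routed (server) or bridged (server-bridge) mode, and a client key directory that also holds ca.key, since step 4 copies ca.key to the client while only the CA itself needs the CA private key. All paths and file contents are constructed stand-ins.

```bash
#!/bin/sh
# Added example, not part of the report. Sanity-checks an OpenVPN server.conf
# or client.conf like the ones edited in steps 5-7 before "openvpn <conf>" is
# run: missing ca/cert/key/dh files (the failure in 7.4), a "dev" line that
# contradicts routed ("server") or bridged ("server-bridge") mode, and a client
# key directory that also holds ca.key, which belongs on the CA only.
# Paths and file contents below are constructed stand-ins for the real files.

# active_value CONF KEY -> value of the first uncommented "KEY value" line
# (lines starting with ';' or '#' are comments, so ";dev tap" is ignored)
active_value() {
    awk -v k="$2" '$1 == k {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
    }' "$1"
}

# check_openvpn_conf CONF ROLE -> prints one problem per line; exit status 0
# when the file passes, 1 otherwise. ROLE is "server" or "client".
check_openvpn_conf() {
    conf=$1; role=$2; dir=$(dirname "$conf"); problems=0
    for directive in ca cert key dh; do
        [ "$directive" = dh ] && [ "$role" = client ] && continue   # clients need no dh
        f=$(active_value "$conf" "$directive")
        if [ -z "$f" ]; then
            echo "missing '$directive' directive"; problems=1
        elif [ ! -f "$dir/$f" ] && [ ! -f "$f" ]; then
            echo "'$directive' points to $f, which does not exist"; problems=1
        fi
    done
    dev=$(active_value "$conf" dev)
    if [ "$role" = server ]; then
        if [ -n "$(active_value "$conf" server-bridge)" ] && [ "${dev#tap}" = "$dev" ]; then
            echo "server-bridge needs a tap device, dev is '$dev'"; problems=1
        fi
        if [ -n "$(active_value "$conf" server)" ] && [ "${dev#tun}" = "$dev" ]; then
            echo "'server' (routed mode) needs a tun device, dev is '$dev'"; problems=1
        fi
    else
        if [ -z "$(active_value "$conf" remote)" ]; then
            echo "client has no 'remote' line"; problems=1
        fi
        keyfile=$(active_value "$conf" key)
        if [ -n "$keyfile" ] && [ -f "$(dirname "$dir/$keyfile")/ca.key" ]; then
            echo "ca.key is present next to the client key; it belongs on the CA only"; problems=1
        fi
    fi
    return $problems
}

# Constructed sample tree: a tun server config whose dh1024.pem was never
# generated, and a client config whose key directory also carries ca.key.
SAMPLE=${TMPDIR:-/tmp}/ovpn-check.$$
mkdir -p "$SAMPLE/keys"
for f in ca.crt ca.key server.crt server.key client.crt client.key; do
    : > "$SAMPLE/keys/$f"      # empty placeholders stand in for real PEM files
done
cat > "$SAMPLE/server.conf" <<'EOF'
;dev tap
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
;server-bridge 192.168.8.8 255.255.255.0 192.168.8.128 192.168.8.254
server 10.8.0.0 255.255.255.0
EOF
cat > "$SAMPLE/client.conf" <<'EOF'
client
;dev tap
dev tun
remote 192.168.76.101 1194
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
EOF

if check_openvpn_conf "$SAMPLE/server.conf" server; then
    echo "server.conf: ok"
else
    echo "server.conf: fix the problems above before starting openvpn"
fi
if check_openvpn_conf "$SAMPLE/client.conf" client; then
    echo "client.conf: ok"
else
    echo "client.conf: fix the problems above before starting openvpn"
fi
```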
8.0 Cowsay, Figlet & Toilet (Liu Yung Peng)
8.1 Objective
1. Set up a VM by using the TinyNet-gcc image file
2. Use the cowsay, figlet and toilet packages in the VM.
3. Demonstrate them on this VM using scripts and ideas taken from the link provided in the question.

8.2 Configuration
Before we start, some tools need to be downloaded for later use: cowsay, figlet 2.2.5 and toilet 0.3.

8.2.1 Cowsay

8.2.2 Figlet 2.2.5

8.2.3 Toilet 0.3


8.2.4 Libcaca

Next, the virtual machine is set up with the TinyNet-gcc.iso file.

After that, put all the downloaded files onto a USB stick so that we can copy them from the USB into SLAX. In the VM settings, under the USB option, the user is able to attach a USB device. In this case, I use my USB Kingston DataTraveller 2.0.
After logging into the system with the root account, go to the directory /mnt/sda1. The user should be able to see the files downloaded earlier in this directory, which means that the VM has successfully read the files from the USB.

Then, we copy all 4 files into the SLAX system directory /mnt/hda1/slax/modules so that the packages are available every time the VM runs.
Lastly, make sure that the copied files are inside that directory.

Steps required for installation of the 4 files:

1. cd /mnt/sda1 (go to the folder where the files on the USB are)
2. lzm2dir cowsay-3.03.lzm / (install the cowsay package)
3. tar xvfz figlet-2.2.5.tar.gz (extract figlet-2.2.5.tar.gz)
4. cd figlet-2.2.5 (go to the extracted figlet 2.2.5 folder)
5. ./configure; make; make install (compile and install the figlet 2.2.5 package)
6. tar xvfz libcaca-0.99.beta19.tar.gz (extract the libcaca tar.gz)
7. cd libcaca-0.99.beta19 (go to the extracted libcaca folder)
8. ./configure; make; make install (compile and install the libcaca package)
9. tar xvfz toilet-0.3.tar.gz (extract the toilet tar.gz)
10. cd toilet-0.3 (go to the extracted toilet folder)
11. ./configure; make; make install (compile and install the toilet package)
12. reboot (reboot the system so that the changes take effect)

8.3 Demonstration of cowsay, figlet and toilet


Login page
1. To use cowsay, type the command cowsay -f dragon-and-cow Hello! Yung Peng here

2. To use figlet, type the command figlet -f slant LYCHEEPIE

3. To use toilet, type the command toilet -F gay -F border LycheePie

4. To use toilet, type the command toilet --metal Super Mario

8.4 Obstacles and Solutions


While extracting and installing toilet-0.3, an error message kept appearing during the installation, telling the user that the system requires the Libcaca package to continue the installation of toilet. Libcaca was not mentioned in Question 8 as a material required to solve the question, hence a little more research about the use of Libcaca was done. Besides that, while installing figlet 2.2.2, we found an error notifying the user that the font file could not be opened. To solve this problem, I downloaded another version of figlet, figlet 2.2.5, from its official website and ran it. Fortunately, the problem was solved.

9.0 ISC Setup & Configuration (Lee Win Neng)


9.1 Objectives
1. Setup ISC DNS and Bind
2. Replace dnsmasq with dynamic updates in the ISC configuration
ISC DNS and Bind were used in the configuration of the Gateway virtual host. Bind is software that implements DNS for the network connection, while DNS is the domain name system that converts domain names to IP addresses on the internet. DNS is the protocol that performs the conversion between IP addresses and domain names.

9.2 Configuration
In the first step, we are required to install BIND and DHCP on the virtual machine. The commands shown below install the files needed to activate and start the BIND and DHCP features.

Configuration Steps:

- cd /mnt/hdc/modules/isc
- ls
- lzm2dir bind-9.8.4_P1-i486-1.lzm /
- lzm2dir dhcp-4.1_ESV_R7-i486-1.lzm /

The first command, cd /mnt/hdc/modules/isc, changes the working directory, while lzm2dir bind-9.8.4_P1-i486-1.lzm / and lzm2dir dhcp-4.1_ESV_R7-i486-1.lzm / install the BIND and DHCP programs onto the Gateway virtual machine.

Next, we create a private BIND DNS server setup. To keep the BIND DNS server private, new zones are added to /etc/named.conf. The zone files are located in the directory /var/name/caching-example. The configuration for the setup of the BIND DNS server is shown in the screenshot. Select the named.conf file and press F4 to edit it, then press F2 when finished editing to save the file.

Configuration Steps:

- zone "example.com" in {
      type master;
      file "caching-example/zone.example.com";
      allow-transfer { any; };
  };

- zone "1.168.192.in-addr.arpa" in {
      type master;
      file "caching-example/192.zone";
  };
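An added example, not from the report: a shell listing of the zones in a named.conf like the one above, marking any zone whose allow-transfer is { any; }, which lets every host on the network pull the complete zone with one AXFR request. The file name and contents are constructed; the third zone shows the same statement limited to one secondary server.

```bash
#!/bin/sh
# Added example, not part of the report. Lists the zones declared in a
# named.conf like the one above and shows which of them allow a full zone
# transfer (AXFR) to anyone. File name and contents are constructed.

# audit_named_zones CONF -> one line per zone: "NAME TYPE TRANSFER"
# TRANSFER is any        when allow-transfer { any; } is set,
#             restricted when allow-transfer lists specific addresses,
#             default    when the zone has no allow-transfer statement.
audit_named_zones() {
    awk '
        /^[[:space:]]*(\/\/|#)/ { next }                # comment lines
        /^[[:space:]]*zone[[:space:]]/ {                # zone "name" in {
            name = $2; gsub(/"/, "", name)
            type = "unknown"; xfer = "default"; inzone = 1; next
        }
        inzone && /^[[:space:]]*type[[:space:]]/ { type = $2; sub(/;.*/, "", type) }
        inzone && /allow-transfer/ {
            xfer = ($0 ~ /\{[[:space:]]*any[[:space:]]*;/) ? "any" : "restricted"
        }
        inzone && /^[[:space:]]*};/ { print name, type, xfer; inzone = 0 }
    ' "$1"
}

# zone_transfer_policy CONF ZONE -> the TRANSFER column for ZONE
zone_transfer_policy() {
    audit_named_zones "$1" | awk -v z="$2" '$1 == z { print $3; exit }'
}

# open_transfer_zones CONF -> names of zones that any host may copy in full
open_transfer_zones() {
    audit_named_zones "$1" | awk '$3 == "any" { print $1 }'
}

SAMPLE_NAMED=${TMPDIR:-/tmp}/named.conf.sample.$$
cat > "$SAMPLE_NAMED" <<'EOF'
// forward zone as configured in the report: transfers open to anyone
zone "example.com" in {
    type master;
    file "caching-example/zone.example.com";
    allow-transfer { any; };
};
// reverse zone as configured in the report: no allow-transfer statement
zone "1.168.192.in-addr.arpa" in {
    type master;
    file "caching-example/192.zone";
};
// same forward zone with transfers limited to one secondary server
zone "internal.example.com" in {
    type master;
    file "caching-example/zone.internal";
    allow-transfer { 192.168.1.2; };
};
EOF

audit_named_zones "$SAMPLE_NAMED"
for z in $(open_transfer_zones "$SAMPLE_NAMED"); do
    echo "zone $z can be copied by any host; list only the secondaries in allow-transfer"
done
```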

In the steps for setting up the zone files, a few things must be focused on: the directory and the files selected for copying. First, we navigate to the directory /var/name/caching-example in Midnight Commander. Second, we copy the file named localhost.zone. We copy localhost.zone twice so that the copies can be renamed in the /etc/ files: the first copy of localhost.zone is renamed zone.example.com, while the other is renamed 192.zone.
The configuration of zone.example.com and 192.zone is shown below.
The last configuration of the virtual machine was to create and configure a DHCP server using some commands in Midnight Commander. The file dhcpd.conf is copied from the directory /usr/doc/dhcpd-4.1-ESV-R7/examples to the directory /etc. The copied dhcpd.conf then has to be configured to enable its services, as in the diagram below. To edit the file named dhcpd.conf, press the F4 key to edit and the F2 key to save the file.

Configuration Steps:

- subnet 192.168.1.0 netmask 255.255.255.0 {
      option domain-name "example.com";
      option broadcast-address 192.168.1.255;
      option domain-name-servers 200.133.0.133, 200.133.1.5;
      option subnet-mask 255.255.255.0;
      option routers 192.168.1.1;
      range 192.168.1.10 192.168.1.200;
      default-lease-time 3600;
      max-lease-time 7200;
  }

As a result of the configuration, we performed a test using the commands on the gateway. The first diagram shows the commands and steps to start the DHCPD and BIND servers, while the second diagram shows the running services.

Configuration Steps:

- /etc/rc.d/rc.bind start
- dhcpd -q eth0

9.3 Obstacles
Some libraries that are not installed in the Slax system created problems for the configuration. For example, the DHCPD service was unable to locate the libraries libcap.so.2 and libxml2.so.2. We solved this issue by running the ldconfig command in the terminal and using the lzm2dir command for the installation.

9.4 References
(Digital Ocean, 2014)

10.0 Setup Snort & Demonstration Of Its Functions (Hea Zhen Yao)
10.1 Objectives
a. Setup snort
b. Use netcat and hping2 to demo recognized attacks

10.2 Configuration
10.2.1 Setting up Snort
Firstly, use the TinyNetConfig.iso image file to install the snort package.
Diagram 10.1: Setup Snort

Diagram 10.2: Copy the files from /etc/snort and remove .new
10.2.2 Changing the path snort rules
After the Snort package has been set up, all the files within /etc/snort are by default .new files, so copy all the files inside /etc/snort and rename them by removing the .new suffix. After the files are copied, edit a few lines in the snort.conf file. Change the path to /etc/snort/rules so that the system uses the correct path when executing. Then, add an alert rule as follows:

Diagram 10.3: Change the path to /etc/snort/rules

Diagram 10.4: The alert shown

Furthermore, the user needs to uncomment all the default rules and insert 5 new correct paths to the rules files, as follows:

Diagram 10.5: Insert the 5 new correct path


Besides, editing the syslog.conf file in /etc as in the diagram below enables snort to alert the user in snort.log. After editing, restart the service by typing /etc/rc.d/rc.syslog restart.
Diagram 10.6: Edit the syslog.conf in /etc

10.2.3 Editing Symlink


By default the symlink points to the wrong destination; by editing the symlink, the MySQL library files located in /usr/lib/mysql can be reached at the correct destination. After editing, the diagram appears as follows:

Diagram 10.7: symlink is edited

The user is required to type snort -c /etc/snort/snort.conf to run snort. The diagram below shows snort operating successfully.
Diagram 10.8: Snort is successfully running

10.2.4 Using hping2 to demonstrate recognized attacks


The diagram below shows hping2 being used to generate 5 packets to 192.168.76.207 through the open port 80. The user can change the number of packets by changing the number in the command.

Diagram 10.9: using hping to generate 5 packet

Furthermore, the hping command can generate any number of packets to flood the network; in our case we used 65000 packets. After that, the system jams, so the user needs to press CTRL+C to abort it.

Diagram 10.10: Flood the network with 65000 packet to jam it


10.3 Obstacles
The obstacle encountered is that the internet resources on how to set up snort are extremely hard to comprehend. For snort to work, many more files need to be configured. Lastly, whether the hping2 command succeeded in demonstrating a flood attack is unknown.

10.4 Reference
(TheGeekStuff, 2010)

11.0 Setup LDAP With FreeRadius & Protocols (Alex Chung Sheng Feng)
11.1 Objective
The objective of this section is to set up freeradius with LDAP and demonstrate centralized logins after setting up freeradius. Remote Authentication Dial-In User Service (RADIUS) is an access server authentication and accounting protocol which provides secure authentication to the server, as defined by (Cisco, 2006).

11.2 Configuration
Step 1: Install the freeradius

In order to install freeradius, the image file must be mounted and the following command lines entered:

ls -l /mnt/hdc
cd /mnt/hdc
./SetupMenu

Diagram 11.1: Setting up freeradius

Step 2: Enable the LDAP process

In order to run freeradius properly, LDAP is required to run. Therefore, the following command lines are used in the terminal.

chmod 755 /etc/rc.d/rc.ldap
/etc/rc.d/rc.ldap start
Diagram 11.2: Terminal command line for enabling LDAP

Step 3: Start the Freeradius

After the installation is done and LDAP is enabled, freeradius can be started.

/etc/rc.d/rc.freeradius start

Diagram 11.3: Start freeradius from terminal.

11.3 Results
freeradius is functional, as shown in the following diagrams together with the command lines in the terminal.

radiusd -d /etc/raddb
Diagram 11.4: Result to prove freeradius is functional.

Diagram 11.5: Centralized access login


Diagram 11.6: htop showing freeradius is running.

11.4 Obstacle
The obstacle faced in this section was in demonstrating the centralized login, as there was little understanding of how to implement freeradius, so to some extent it was hard to carry out. Also, TinyNetConfig.iso is missing the PPP authentication needed to operate, causing errors in authenticating users.

11.5 Protocols used in more typical environments


In current network adoption, wireless network communication and LANs are considered the more typical and actual environments. According to (Cisco, 2013) and (Microsoft, 2005), RADIUS can be combined with EAP (Extensible Authentication Protocol) under the IEEE 802.1X standard, also known as EAPoL (EAP over LAN), which is a port-based authentication framework for client and server based networks. The EAP framework itself consists of a set of authentication protocols including PEAP, EAP-RADIUS, EAP-GTC, EAP-MSCHAPv2 and other EAP methods. Other protocols such as PAP (Password Authentication Protocol) have also been used to authenticate the client, or even as part of a larger protocol such as TTLS (Gast, 2004).
To properly define some of the protocols: PAP is the most common and generic authentication protocol for point-to-point connectivity and the least secure, since it is supported by storing clear-text passwords, MD5 hashes or NT hashes with RADIUS (DeKok, 2014). EAP-RADIUS, meanwhile, is the use of EAP messages passed by the authenticator to a RADIUS server for authentication; it applies where RADIUS is the authentication provider, and EAP messages are translated into RADIUS messages between the access server and the RADIUS server, with the access server acting as a pass-through for the EAP messages (https://msdn.microsoft.com/en-us/library/bb742489.aspx). The RADIUS server itself processes the EAP message and uses a RADIUS-formatted EAP message to reply to the access server, which then sends it back to the access client, providing an open-ended exchange of messages between the access client and the RADIUS server.
12.0 Kerberos, IPTraf & Wireshark (Liu Yung Peng)
12.1 Objective
1. Setup a VM with Kerberos Server (KDC with AS and TGS)
2. Setup an Application server for it.
3. Demonstrate kadmin, klist and kinit by using the IPTraf software.
4. Demonstrate Kerberised applications (SSH and Telnet).

12.2 Configuration
12.2.1 Install Kerberos 1.6.3

First, install Kerberos 1.6.3 from TinynetConfig.iso on both the Kerberos server and the Application Server. After the installation finishes, type the command reboot on both servers to apply the configuration.
12.2.2 Preparation

Configure the IP address, hostname and domain name for both servers in the file /etc/hosts. The IP address filled in here must be the IP used on the eth0 interface, which can be checked by entering ifconfig. You can also use the command hostname to check the hostname.

After that, create a new user named lucas. The user could also choose another name. The fields such as Full name, Room Number and Home Phone shown afterwards can be left blank, because they are replaced by default values, except for the password. Set a strong password in order to create a system that has Authentication, Authorization and Accounting (AAA).
12.2.3 Configure Kerberos Server with KDC-AS and TGS

1. Configure the file located in /etc/krb5.conf.

a. Set the default realm to LUCAS.COM.
b. Set kdc to 192.168.1.140 with port 88. According to Speedguide, port 88 is the port assigned specifically for Kerberos (Speedguide, 2014). The IP set here is used to distribute the Service-Granting Ticket.
c. After that, set the admin server to IP 192.168.1.140 with port 749. This IP is also used to distribute the Ticket-Granting Ticket.
d. Use lucas.com as the default_domain, which is the lowercase form of the realm.
e. Set gateway and if0m1nc under domain_realm, and make sure the name lucas.com is the same as in the /etc/hosts file.
f. Set the default log file locations for default, kdc and admin_server.

2. Step 2 is to set the Access Control List for the Kerberos server. The Access Control List is used to give different levels of access to different users: more service access for admins, less for normal users. In this case, every user with admin will have full privileges on the Kerberos server. The file is located at /var/krb5kdc/kadm5.acl.

3. After editing /var/krb5kdc/kadm5.acl, edit the configuration file for kdc:
a. Change the port assigned to kdc to port 88.
b. Set the realm to LUCAS.COM as well.
c. Check that the directories of the principal database, the admin keytab, the access control list file and the master key stash file are given correctly, to prevent errors in the next steps.

4. After steps 1 to 3 are done, create the Kerberos database to store all the principals. We create it with the command kdb5_util create -r LUCAS.COM in the directory /usr/sbin. As shown in the screenshot, the 4th line asks the user for the master key. The user must remember the master key of the kdc database.
5. Type the command kadmin.local at the command prompt. This command is used to access the database created in step 4. After logging into the database, use the command addprinc to add a new principal to the database. According to the screenshot, the two principals added are root/admin and lucas.

6. Enter ktadd to create a new keytab file with the key attribute kadmin. As shown in the screenshot, the kadmin/admin and kadmin/changepw keytab entries are created successfully in /var/krb5kdc/kadm5.keytab.

7. Now, create a host principal for the KDC using the commands addprinc and ktadd. After this is done, the host name host/gateway.lucas.com must be found in /etc/hosts. If it is not, redo this step and try again.
8. Up to this step, all the principal and privilege settings have been done. Start the Kerberos database server with the command /usr/sbin/krb5kdc and the admin server with the command /usr/sbin/kadmind. After that, use the commands netstat -nat | grep 749 and netstat -nat | grep 88 to make sure both port 88 and port 749 are open and listening.

9. Finally, type ktutil to make sure all the keytab entries were created successfully. Type the command rkt /var/krb5kdc/kadm5.keytab followed by ktutil to continue the process. All keytab entries created in the previous steps will be shown. According to the screenshot, there are 4 principals created. If more or fewer than 4 principals are created, something went wrong; check the previous steps to find the problem.
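An added example, not part of the report: it renders the krb5.conf of step 1 from the realm and KDC address given above and checks a hosts file for the fully qualified names that the host principals of step 7 (host/gateway.lucas.com) and of 12.3 step 4 (host/if0m1nc.lucas.com) require. File names and the hosts contents are constructed, and the logging paths are placeholders because the report gives no values for them.

```bash
#!/bin/sh
# Added example, not part of the report. Renders the /etc/krb5.conf described
# in 12.2.3 step 1 from the realm and KDC address, and checks a hosts file for
# the fully qualified names behind the host principals (step 7 and 12.3 step 4):
# host/gateway.lucas.com and host/if0m1nc.lucas.com only work when those names
# resolve. File names and hosts contents are constructed; the [logging] paths
# are placeholders, as the report gives no values for them.

REALM=LUCAS.COM
KDC_IP=192.168.1.140

# render_krb5_conf REALM KDC_IP -> krb5.conf text on stdout
render_krb5_conf() {
    realm=$1; ip=$2
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')   # default_domain
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $ip:88
        admin_server = $ip:749
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
EOF
}

# hosts_has_name HOSTS NAME -> exit 0 when NAME appears on an uncommented line
hosts_has_name() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# check_host_principals HOSTS REALM SHORTNAME... -> prints one line per host
# principal and returns 1 if any of their FQDNs is missing from HOSTS
check_host_principals() {
    hosts=$1; realm=$2; shift 2
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]'); rc=0
    for h in "$@"; do
        fqdn=$h.$domain
        if hosts_has_name "$hosts" "$fqdn"; then
            echo "host/$fqdn@$realm: $fqdn resolves via $hosts"
        else
            echo "host/$fqdn@$realm: $fqdn is MISSING from $hosts"; rc=1
        fi
    done
    return $rc
}

# Constructed hosts file: the KDC is listed, the application server is not yet.
SAMPLE_HOSTS=${TMPDIR:-/tmp}/hosts.sample.$$
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1      localhost
192.168.1.140  gateway.lucas.com gateway
EOF

render_krb5_conf "$REALM" "$KDC_IP"
if ! check_host_principals "$SAMPLE_HOSTS" "$REALM" gateway if0m1nc; then
    echo "add the missing name(s) to $SAMPLE_HOSTS before running addprinc/ktadd"
fi
```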

12.3 Configure Application Server with SSH and Telnet Service

1. For SSH, uncomment GSSAPIAuthentication and change the no after it to yes. This allows the SSH service to authenticate using the Kerberos ticket without the user entering a password.
2. For Telnet, create a new file named krb5-telnet in the directory /etc/xinetd.d and comment out (#) id, protocol, server_args and only_from. After that, change disable to no so that telnet is no longer disabled. Besides that, remember to change the server path to /usr/sbin/telnetd instead of /usr/sbin/in.telnetd.

3. Copy the file krb5.conf from the Kerberos configuration folder to the folder /etc/ so that the Kerberos database definitions of the default realm, kdc, admin server, default domain and domain realms are available.

4. Lastly, use the command kadmin -p root/admin to create a local host principal for the client on the KDC. After this command, the Kerberos server and admin server should be up and running. Log in to the server as root/admin, then type addprinc and ktadd to create the new principal host/if0m1nc.lucas.com.

12.4 Demonstration by using IPTraf

As shown in the screenshot above, an access to the server using kadmin has been captured. The screenshot shows UDP packets transferred from IP 192.168.76.183 to IP 192.168.1.40 on port 88, which is the port for the KDC. The packets prove that the client is able to access the KDC server successfully.
This screenshot shows the statistics of packets on the eth3 interface of the server. It clearly states the amount of incoming and outgoing packets continuously. This statistic keeps updating as long as clients are trying to access kadmin.

This screenshot shows more detail on incoming and outgoing packets, also identifying the hardware address of the source. For example, the first line shows the source HW address (8) with 12 packets and 1926 bytes outgoing.

This is the statistic on the server while the server is running the commands klist and kinit. These commands generate a Service-Granting Ticket from the Ticket Granting Server. While the server requests a ticket, it also needs to access port 88, hence this screenshot shows that the ticket request is also captured by IPTraf.
12.5 Demonstration on Keberos Server (SSH and Telnet)

On the Kerberos server, type the command su - lucas, which switches the user account to lucas. After that, check the tickets held by the user with the command klist. Use the command kinit to request a ticket if the user is not holding any ticket. As shown in the demo, after typing klist, it said "you have no tickets cached". Hence the user uses the command kinit to request a ticket, which is stored in the ticket cache FILE:/tmp/krb5cc_1000. Then the user can type klist again to make sure a ticket is now held.

After the ticket has been given, use the command ssh lucas@if0m1nc to gain SSH access to the destination. But the system tells the user that GSSAPIAuthentication is not supported. Hence the ticket cannot be used to authenticate the user, which means that the user needs to authenticate with his password. That is the reason the system asks for lucas@if0m1nc's password at the bottom of the picture.

After the ticket has been given, the user can also use the command telnet -F -x -l lucas if0m1nc.lucas.com to open a telnet connection to the destination. Although telnet can connect to the destination, it fails to authenticate by ticket. This is because Kerberos V5 and encryption are not supported in this connection. Hence it asks for the password of principal lucas for authentication.

12.6 Obstacles and Solution

The commands of IPTraf are one of the main obstacles. We need IPTraf to do the demonstration in the virtual box, but there are a lot of commands available for IPTraf (Java, 2000). Hence finding the suitable command to test the connection and screenshot the correct output became one of the obstacles in doing this question. Besides that, YouTube also helped a lot in solving this problem. It is hard to find out the suitable command for IPTraf, but by searching YouTube with specific keywords, some useful videos were found which helped me to solve this question a lot.

Conclusion

Overall, after establishing virtual machines for each section, we could conclude that we were able to accomplish each of the given criteria. In the midst of this, every assigned member was able to gain an understanding of using Slax by doing research, to perceive how Oracle VM emulates the computer architecture and operating system, and to gain more understanding of the Linux architecture and operating system as well.

References
Cisco, 2006. How Does RADIUS Work?. [Online]
Available at: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html
[Accessed 8 June 2016].
Cisco, 2011. Port Forwarding (access-list). [Online]
Available at: https://supportforums.cisco.com/discussion/11835581/port-forwarding-access-list
[Accessed 25 May 2016].
Cisco, 2013. IEEE 802.1X Port-Based Authentication. [Online]
Available at: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html
[Accessed 8 June 2016].
D.Janowski, D., 2003. IPSec and SSL: The Nitty-Gritty. [Online]
Available at: http://www.pcmag.com/article2/0,2817,1202221,00.asp
[Accessed 10 November 2015].
DeKok, A., 2014. Protocol and Password Compatibility. [Online]
Available at: http://deployingradius.com/documents/protocols/compatibility.html
[Accessed 8 June 2016].
Digital Ocean, 2014. How To Configure BIND as a Private Network DNS Server on Ubuntu 14.04. [Online]
Available at: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04
[Accessed 12 June 2016].
Gast, M., 2004. TTLS and PEAP Comparison. [Online]
Available at: http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
[Accessed 8 June 2016].
Google, 1999. Transport Layer Security for Inbound Mail. [Online]
Available at: https://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/ib_tls_overview.html
Inkblot, 2010-2014. Lab Exercise 5: Testing the eMail service via WebMail. [Online]
Available at: http://www.my-tiny.net/Lab05_WebMail.htm
[Accessed 30 November 2014].
Java, G. P., 2000. IPTraf User's Manual. [Online]
Available at: http://iptraf.seul.org/2.2/manual.html
[Accessed 11 June 2016].
Linux Home Networking, n.d. Quick HOWTO : Ch29 : Remote Disk Access with NFS. [Online]
Available at: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch29_:_Remote_Disk_Access_with_NFS#Table_29.2_Some_Common_NFS_Error_Messages
[Accessed 11 June 2016].
Microsoft, 2003. Overview of SSL/TLS Encryption. [Online]
Available at: https://technet.microsoft.com/en-us/library/cc781476(v=ws.10).aspx
Microsoft, 2005. EAP. [Online]
Available at: https://technet.microsoft.com/en-us/library/cc782851(v=ws.10).aspx
[Accessed 8 June 2016].
Microsoft, 2003. Introduction (SSL/TLS in Windows Server 2003). [Online]
Available at: https://technet.microsoft.com/en-us/library/cc757054(v=ws.10)
Moghadam, P., 2007. Slackware 12.0 - NFS : Network File System. [Online]
Available at: http://pmoghadam.com/homepage/HTML/slackware-12.0-nfs.html
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 4: Creating system users and testing the eMail service. [Online]
Available at: http://www.my-tiny.net/Lab04_MailConfig.htm
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 5: Testing the eMail service via WebMail. [Online]
Available at: http://www.my-tiny.net/Lab05_WebMail.htm
[Accessed 11 June 2016].
MyTinyNet, 2010. Lab Exercise 9: Creating users and a look at sudo. [Online]
Available at: http://www.my-tiny.net/Lab09_UsrMgt.htm
[Accessed 11 June 2016].
OpenVPN, n.d. How to OpenVPN. [Online]
Available at: https://openvpn.net/index.php/open-source/documentation/howto.html
[Accessed 11 June 2016].
Slackware Documentation Project, 2015. NFS - Quick and Dirty Setup. [Online]
Available at: http://docs.slackware.com/howtos:network_services:nfs-quick_and_dirty_setup
[Accessed 11 June 2016].
Speedguide, 2014. Port 88 Details. [Online]
Available at: http://www.speedguide.net/port.php?port=88
[Accessed 6 June 2016].
SpeedGuide, 2015. Port 23 detail. [Online]
Available at: http://www.speedguide.net/port.php?port=23
[Accessed 2 June 2016].
Sultan, M. & Shoukat, M., 2016. Academia. [Online]
Available at: http://www.academia.edu/4036755/IPSec_IP_Security_Protocol_Architecture
[Accessed 1 April 2016].
TheGeekStuff, 2010. 5 Steps to Install and Configure Snort on Linux. [Online]
Available at: http://www.thegeekstuff.com/2010/08/snort-tutorial/
[Accessed 11 June 2016].
