Nextelco:Phase2

=Define configuration details of all network devices=

The following figure shows how the different components of the network are interconnected.

Based on the interconnection schema, the following sections describe the configuration requirements defined for each component.

==Application Server==
The application server is based on Debian GNU/Linux 7.5 (wheezy). It is essential that the application server is protected as far as possible. For more information visit:

Together with the basic Debian installation, these are the services that we will need (list of tools):
 * Debian security
 * SSH (openssh-server 1.6.0)
 * DHCP (isc-dhcp-server 4.2.2) DHCP server DebianHelp
 * DNS (bind9 1.9.8.4) Bind9
 * MySQL (mysql-server 5.5)
 * APACHE2 (apache2 2.2.22) WikiDebian DebianHelp
 * FreeRADIUS (freeradius 2.1.12) web
 * daloRADIUS More options
 * NTP (ntp 1.4.2.6) Some examples
 * SYSLOG

===SSH server configuration===
The SSH service allows the application server to be connected to and administered remotely. For security reasons, all connection requests coming from other networks must be denied. Additionally, root login and password-based authentication must be disabled. These are the configuration settings we applied to harden the SSH service:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
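A quick way to verify that a deployed sshd_config still carries the settings listed above is to audit it from a script. The following POSIX sh script is an added example written for this page, not part of the Nextelco configuration: the two sample config files it creates are constructed, and the list of directives it checks is taken from the configuration above (the file path and the function name are the script's own choices). sshd uses the first uncommented occurrence of each keyword and treats keywords case-insensitively, so the check reads the first matching line and compares its value.

```shell
#!/bin/sh
# Added example (not from the Nextelco page): audit an sshd_config against the
# hardening the page requires (no root login, no password auth, key auth only).

# check_sshd_hardening CONFIG -> returns 0 if every required directive is set,
# 1 otherwise, printing each mismatch on stderr.
# sshd applies the FIRST uncommented occurrence of a keyword, so that is the
# line we read; keywords are case-insensitive in sshd_config, values are
# compared as written.
check_sshd_hardening() {
    _cfg=$1
    _rc=0
    for _want in "Protocol 2" \
                 "PermitRootLogin no" \
                 "PasswordAuthentication no" \
                 "PermitEmptyPasswords no" \
                 "ChallengeResponseAuthentication no" \
                 "PubkeyAuthentication yes" \
                 "HostbasedAuthentication no"; do
        _key=${_want% *}
        _val=${_want#* }
        # first line that starts (after optional blanks) with the keyword
        _line=$(grep -iE "^[[:space:]]*${_key}[[:space:]]+" "$_cfg" | head -n 1)
        set -- $_line          # split "Keyword value ..." into $1 $2 ...
        _got=$2
        if [ "$_got" != "$_val" ]; then
            echo "FAIL: $_key is '${_got:-unset}', expected '$_val'" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample 1: the directives the page's sshd_config sets.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample 2: Debian's stock defaults, where root login is still
# allowed and PasswordAuthentication is only a commented-out line (so the
# default of "yes" applies).
DEFAULT=$(mktemp)
cat > "$DEFAULT" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
EOF

# Stand-alone run: report both samples (replace with /etc/ssh/sshd_config on a host).
for _f in "$HARDENED" "$DEFAULT"; do
    if check_sshd_hardening "$_f"; then
        echo "$_f: OK"
    else
        echo "$_f: needs hardening"
    fi
done
```

On the real server the function can also be run against the output of `sshd -T` saved to a file, which prints the effective value of every keyword after all defaults are applied, so a directive that is merely missing from the file is caught too. Two points the page's configuration leaves open: `X11Forwarding yes` is not needed on a headless application server and could be added to the list as `X11Forwarding no`, and the requirement to reject connections from other networks is not expressed by any of these directives, so it has to be enforced separately (for example with a host firewall or `/etc/hosts.allow`), which the configuration above does not show.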

===DHCP server configuration===
The DHCP service assigns IP addresses to clients located in different subnets. To tell the subnets apart, the relay agent that forwards a client's request must itself have the correct IP address, since the server selects the subnet from the relay agent's address. This is the server configuration (it may change in the future):

#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
}

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.3 192.168.2.4;
  option domain-name-servers 8.8.8.8;
  option routers 192.168.2.1;
}

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}
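The sentence above about the relay agent needing the correct address is the whole mechanism behind the two subnet declarations: a relayed request carries the relay's own address (the giaddr field), and dhcpd serves it from the subnet declaration whose network contains that address. The POSIX sh script below is an added example written for this page, not part of the Nextelco configuration or of ISC dhcpd; it builds a constructed dhcpd.conf modelled on the two subnets above and reproduces the subnet selection so the failure mode is visible: a relay with an address outside every declared network gets no subnet, and therefore no lease. The function and variable names are the script's own.

```shell
#!/bin/sh
# Added example (not from the Nextelco page): show which dhcpd.conf subnet
# declaration matches a relay agent's address (giaddr) and what happens when
# the relay's address is wrong.

# Constructed sample config, modelled on the page's two subnet declarations.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;

# the server's own network: declared so dhcpd knows the topology
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# the network reached through the relay agent at 192.168.2.1
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.3 192.168.2.4;
  option routers 192.168.2.1;
}

#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#}
EOF

# ip2int DOTTED-QUAD -> unsigned integer (pure POSIX sh, no bash-isms).
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# select_subnet CONF GIADDR
# Prints "NETWORK netmask MASK" for the first active (uncommented) subnet
# declaration whose network contains GIADDR and returns 0; prints nothing
# and returns 1 when no declaration matches, which is what dhcpd does with a
# request from a relay whose address lies outside every declared subnet.
select_subnet() {
    _addr=$(ip2int "$2")
    _match=$(grep -E '^[[:space:]]*subnet[[:space:]]+[0-9.]+[[:space:]]+netmask[[:space:]]+[0-9.]+' "$1" |
        while read -r _kw _net _nm _mask _rest; do
            # (giaddr AND netmask) == network  <=>  giaddr is inside the subnet
            if [ $(( $_addr & $(ip2int "$_mask") )) -eq "$(ip2int "$_net")" ]; then
                echo "$_net netmask $_mask"
                break
            fi
        done)
    [ -n "$_match" ] || return 1
    echo "$_match"
}

# Stand-alone run: a correctly addressed relay, a host on the server's own
# network, and a relay whose address matches no declared subnet.
for _relay in 192.168.2.1 192.168.1.77 10.9.9.9; do
    if _net=$(select_subnet "$SAMPLE_CONF" "$_relay"); then
        echo "giaddr $_relay -> served from subnet $_net"
    else
        echo "giaddr $_relay -> no matching subnet declaration, no lease offered"
    fi
done
```

The commented-out 10.5.5.0 block in the sample is deliberately skipped by the match, mirroring the commented examples in the configuration above; only active declarations take part in the selection. When a remote subnet stops receiving leases, checking the relay's address against the active `subnet` lines this way is usually faster than reading dhcpd's log.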
