---
# System prepended metadata

title: 'LAN PROJECT Part 1: DNS, DHCP and FTP Servers on Ubuntu 22.04 LTS'

---

# LAN PROJECT Part 1: DNS, DHCP and FTP Servers on Ubuntu 22.04 LTS
[TOC]

## VM Structures
We're using VMware Workstation 16.2.x with the following machines:
![](https://hackmd.io/_uploads/ry2rwQXv3.png)

#### Running on Ubuntu 22.04 LTS server
Download:
https://releases.ubuntu.com/jammy/ubuntu-22.04.2-live-server-amd64.iso

#### Netplan configuration for ns1 and ftp
```shell
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens32:    # Internal Network
      dhcp4: true
    ens34:    # WAN Network
      dhcp4: true
  version: 2
```
#### Netplan configuration for dhcp1
```shell
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens32:
      dhcp4: false
      addresses:
         - 192.168.174.10/24
      nameservers:
        addresses: [192.168.174.20]
        search: [ data.eibanez.cf ]
    ens34:
      dhcp4: true
  version: 2
```
#### Netplan configuration for hosts
```shell
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens32:    # Internal Network
      dhcp4: true
  version: 2
```

#### MAC Address
You can check your MAC Address from the machine's Network Adapter -> Advanced Configuration
![](https://hackmd.io/_uploads/rJyoamXPh.png)

Alternatively, log in to your machine and run the following command
```shell
ip a
```
![](https://hackmd.io/_uploads/ByE0pXmD2.png)

#### Network plan
```
dhcp1  ens32: 192.168.174.10  - 00:0C:29:57:59:10
ns1    ens32: 192.168.174.20  - 00:50:56:3C:2F:B8
ftp1   ens32: 192.168.174.30  - 00:0c:29:fb:8e:67
host1  ens32: 192.168.174.100 - 00:50:56:39:A8:2D
host2  ens32: 192.168.174.101 - 00:50:56:3A:C0:CF
```

## DHCP Server
First let's change our hostname
```shell
sudo hostnamectl set-hostname dhcp1
```

Then we'll update our repositories
```shell
sudo apt update
```

We install the isc-dhcp-server
```shell
sudo apt install isc-dhcp-server
```

Now we can change the configuration file
```shell
sudo nano /etc/dhcp/dhcpd.conf
```

This is what our dhcpd.conf file would look like
```shell
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#

# option definitions common to all supported networks...
# option domain-name "eibanez.cf";
# option domain-name-servers ns1.data.eibanez.cf;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# A slightly different configuration for an internal subnet.

subnet 192.168.174.0 netmask 255.255.255.0 {
  range 192.168.174.100 192.168.174.199;
  option domain-name-servers 192.168.174.20;   # ns1; an IP here avoids dhcpd needing DNS at start-up
  option domain-name "data.eibanez.cf";
  option subnet-mask 255.255.255.0;
  option routers 192.168.174.2;
  option broadcast-address 192.168.174.255;
  default-lease-time 600;
  max-lease-time 7200;
}

# Reserving addresses through the MAC address for our machines
host ns1 {
  hardware ethernet 00:50:56:3C:2F:B8;
  fixed-address 192.168.174.20;
}

host dhcp1 {
  hardware ethernet 00:0C:29:57:59:10;
  fixed-address 192.168.174.10;
}

host ftp1 {
  hardware ethernet 00:0c:29:fb:8e:67;
  fixed-address 192.168.174.30;
}

host host1 {
  hardware ethernet 00:50:56:39:A8:2D;
  fixed-address 192.168.174.100;
}

host host2 {
  hardware ethernet 00:50:56:3A:C0:CF;
  fixed-address 192.168.174.101;
}
```

We can check our configuration file using this command
```shell
sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf
```
![](https://hackmd.io/_uploads/HJ3Zb4Xwn.png)

Now we can restart the service and check if it's working
```shell
sudo systemctl enable isc-dhcp-server
sudo systemctl restart isc-dhcp-server.service
sudo systemctl status isc-dhcp-server
```
![](https://hackmd.io/_uploads/Hy4cbEXv3.png)

We can also check our logs using journalctl
```shell
journalctl -u isc-dhcp-server
```
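Once clients start taking addresses it is worth knowing what actually landed in the lease database. The script below is an added example, not part of the original guide: it summarises `/var/lib/dhcp/dhcpd.leases` (the package default on Ubuntu) and reports two things a defender wants to see on a small LAN, an active lease from a MAC that is not in the plan above, and a planned MAC that received a pool address at all (dhcpd does not write fixed-address assignments to the leases file, so a planned MAC showing up there means its `host` reservation is not taking effect, typically a MAC typo). It runs here against a constructed sample so it works offline; point it at the real file on dhcp1 by passing the path.

```shell
#!/bin/sh
# Added example: summarise ISC dhcpd leases and flag devices that are not in the lab plan.
# Real use: audit_leases /var/lib/dhcp/dhcpd.leases (as root); a constructed sample is used below.

# MAC addresses from the network plan on this page, normalised to lowercase.
KNOWN_MACS="00:0c:29:57:59:10 00:50:56:3c:2f:b8 00:0c:29:fb:8e:67 00:50:56:39:a8:2d 00:50:56:3a:c0:cf"

# Print "<ip> <mac> <state> <hostname>" once per IP. dhcpd appends a new record every
# time a lease changes, so only the last record for an IP reflects the current state.
summarize_leases() {  # $1 = path to a dhcpd.leases file
    awk '
        /^lease / { ip = $2; mac = "-"; state = "-"; host = "-" }
        /^[ \t]*binding state / { state = $3; sub(/;$/, "", state) }   # not "next/rewind binding state"
        /^[ \t]*hardware ethernet / { mac = tolower($3); sub(/;$/, "", mac) }
        /^[ \t]*client-hostname / { host = $2; gsub(/[";]/, "", host) }
        /^}/ { if (ip != "") last[ip] = ip " " mac " " state " " host; ip = "" }
        END { for (i in last) print last[i] }
    ' "$1" | sort -t . -k 4,4n
}

# One finding per active lease that needs a look:
#   UNPLANNED_DEVICE            the MAC is not in the plan at all
#   PLANNED_MAC_GOT_POOL_LEASE  a planned MAC took a pool address, so its reservation did not apply
audit_leases() {  # $1 = path to a dhcpd.leases file
    summarize_leases "$1" | while read -r ip mac state host; do
        [ "$state" = "active" ] || continue
        case " $KNOWN_MACS " in
            *" $mac "*) echo "PLANNED_MAC_GOT_POOL_LEASE $ip $mac $host" ;;
            *)          echo "UNPLANNED_DEVICE $ip $mac $host" ;;
        esac
    done
}

# Constructed sample in dhcpd.leases syntax (not a real capture): host1's MAC on a pool
# address, one lease that has since been released, and one active lease from an unknown MAC.
SAMPLE_LEASES=$(mktemp)
trap 'rm -f "$SAMPLE_LEASES"' EXIT
cat > "$SAMPLE_LEASES" <<'EOF'
lease 192.168.174.150 {
  starts 4 2023/06/15 10:00:00;
  ends 4 2023/06/15 10:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:50:56:39:A8:2D;
  client-hostname "host1";
}
lease 192.168.174.151 {
  starts 4 2023/06/15 10:01:00;
  ends 4 2023/06/15 10:11:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "laptop-x";
}
lease 192.168.174.151 {
  starts 4 2023/06/15 10:11:00;
  ends 4 2023/06/15 10:11:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:cc;
}
lease 192.168.174.152 {
  starts 4 2023/06/15 10:05:00;
  ends 4 2023/06/15 10:15:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:de:ad:01;
  client-hostname "unknown-pi";
}
EOF

echo "== current state per IP =="
summarize_leases "$SAMPLE_LEASES"
echo "== findings =="
audit_leases "$SAMPLE_LEASES"
```

The released lease for 192.168.174.151 is reported as `free`, so it produces no finding; only the two active leases do.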

## DNS Server
### Setup of Bind9
First let's change our hostname
```shell
sudo hostnamectl set-hostname ns1
```

Then we'll update our repositories
```shell
sudo apt update
```

To begin the installation process, open the terminal and execute the following command:
```shell
sudo apt install bind9 bind9utils bind9-doc
```
### Configuration files
#### named.conf.options
Let's modify our options file
```shell
sudo nano /etc/bind/named.conf.options
```

We'll uncomment and add the following lines
```shell
options {
        directory "/var/cache/bind";
        recursion yes;                 # enables recursive queries
        allow-recursion { localnets; }; # Allow recursion from the local networks only
        listen-on { 192.168.174.20; }; # ns1 private IP address
        allow-transfer { none; };      # disable zone transfers by default
        forwarders {                   # Cloudflare forwarders
            1.1.1.1;
            1.0.0.1;
        };
        dnssec-validation auto;
        listen-on-v6 { any; };
};
```
![](https://hackmd.io/_uploads/S1F5o47w3.png)

#### named.conf.local
Let's modify our local file
```shell
sudo nano /etc/bind/named.conf.local
```

Let's add our primary and reverse zones
```shell
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
# Primary Zone
zone "data.eibanez.cf" {
    type primary;
    file "/etc/bind/zones/db.data.eibanez.cf";          # Zone file path
};

zone "174.168.192.in-addr.arpa" {
    type primary;
    file "/etc/bind/zones/db.174.168.192";              # Reverse zone 192.168.174.0/24 subnet
};
```
![](https://hackmd.io/_uploads/SJcto47D3.png)

### Zone Files
#### /etc/bind/zones Directory
Create the directory:
```shell
sudo mkdir /etc/bind/zones
```

Copy the local file to the zone directory:
```shell
sudo cp /etc/bind/db.local /etc/bind/zones/db.data.eibanez.cf
```

Edit the zone file:
```shell
sudo nano /etc/bind/zones/db.data.eibanez.cf
```

Define the Start of Authority (SOA) using the FQDN of your primary DNS server (ns1) and increment the serial by 1:
```shell
;
$TTL    604800
@       IN      SOA     ns1.data.eibanez.cf. root.data.eibanez.cf. (
                              3         ; Serial
```

We'll delete the last three entries, which are the localhost records from the template.
Specify the NS records that point to your DNS server:
```shell
; name servers - NS records
        IN      NS      ns1.data.eibanez.cf.
```

Add the A records for your DNS server and clients:
```shell
; name servers - A records
ns1.data.eibanez.cf.          IN      A       192.168.174.20

; 192.168.174.0/24 - A records
dhcp1.data.eibanez.cf.        IN      A      192.168.174.10
ftp1.data.eibanez.cf.         IN      A      192.168.174.30
host1.data.eibanez.cf.        IN      A      192.168.174.100
host2.data.eibanez.cf.        IN      A      192.168.174.101
```
![](https://hackmd.io/_uploads/r1WuiN7Dn.png)

#### Reverse Zone File
Copy the example file to create the reverse zone:

```shell
sudo cp /etc/bind/db.127 /etc/bind/zones/db.174.168.192
```

Edit the reverse zone file:
```shell
sudo nano /etc/bind/zones/db.174.168.192
```

Increment the serial value in the SOA record and set the FQDN of the primary server:
```shell
@       IN      SOA     ns1.data.eibanez.cf. root.data.eibanez.cf. (
                              2         ; Serial
```

Add the NS records for your DNS servers:
```shell
; name servers - NS records
        IN      NS      ns1.data.eibanez.cf.
```

Add the PTR records for the IP addresses in your zone (192.168.174.0/24):
```shell
; PTR Records
10      IN      PTR     dhcp1.data.eibanez.cf.          ; 192.168.174.10
20      IN      PTR     ns1.data.eibanez.cf.            ; 192.168.174.20
30      IN      PTR     ftp1.data.eibanez.cf.           ; 192.168.174.30
100     IN      PTR     host1.data.eibanez.cf.          ; 192.168.174.100
101     IN      PTR     host2.data.eibanez.cf.          ; 192.168.174.101
```
![](https://hackmd.io/_uploads/rywJpEmw2.png)

### Final Configuration
To ensure the configuration files are correct, run the following commands:

```shell
sudo named-checkconf
sudo named-checkzone data.eibanez.cf /etc/bind/zones/db.data.eibanez.cf
sudo named-checkzone 174.168.192.in-addr.arpa /etc/bind/zones/db.174.168.192
```
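`named-checkzone` validates each file on its own, so it will not notice a PTR that points at the wrong host or a host that has an A record but no PTR. The script below is an added example, not part of this guide: it parses both zone files and reports every disagreement between them. It assumes the record layout used above (`<owner> IN A <ip>` in the forward zone, `<last octet> IN PTR <fqdn>` in the reverse zone) and runs here against constructed copies of the two files with three deliberate errors planted.

```shell
#!/bin/sh
# Added example: cross-check a forward zone's A records against the reverse zone's PTR records.
# Assumes the record layout used on this page; real use on ns1:
#   check_zone_consistency /etc/bind/zones/db.data.eibanez.cf data.eibanez.cf /etc/bind/zones/db.174.168.192 192.168.174

# Print "<fqdn> <ip>" for every A record. Relative owners get the zone origin appended;
# names are lowercased and the trailing dot dropped so both zones compare the same way.
forward_a_records() {  # $1 = forward zone file, $2 = zone origin (e.g. data.eibanez.cf)
    awk -v origin="$2" '
        $1 !~ /^[;$]/ && $2 == "IN" && $3 == "A" {
            name = tolower($1)
            if (name !~ /\.$/) name = name "." origin "."
            sub(/\.$/, "", name)
            print name, $4
        }' "$1"
}

# Print "<ip> <fqdn>" for every PTR record whose owner is a bare last octet.
reverse_ptr_records() {  # $1 = reverse zone file, $2 = network prefix (e.g. 192.168.174)
    awk -v net="$2" '
        $1 ~ /^[0-9]+$/ && $2 == "IN" && $3 == "PTR" {
            name = tolower($4); sub(/\.$/, "", name)
            print net "." $1, name
        }' "$1"
}

# Report every disagreement, one per line:
#   MISSING_PTR  an A record with no PTR for its address
#   MISMATCH     the PTR for an address names a different host than the A record
#   MISSING_A    a PTR whose target has no A record (usually a stale entry)
check_zone_consistency() {  # $1 fwd file, $2 origin, $3 rev file, $4 network prefix
    {
        forward_a_records "$1" "$2" | awk '{ print "A", $2, $1 }'
        reverse_ptr_records "$3" "$4" | awk '{ print "PTR", $1, $2 }'
    } | awk '
        $1 == "A"   { a[$2] = $3 }
        $1 == "PTR" { p[$2] = $3 }
        END {
            for (ip in a) {
                if (!(ip in p))          print "MISSING_PTR " ip " " a[ip]
                else if (p[ip] != a[ip]) print "MISMATCH " ip " A=" a[ip] " PTR=" p[ip]
            }
            for (ip in p) if (!(ip in a)) print "MISSING_A " ip " " p[ip]
        }' | sort
}

# Constructed copies of the two zone files from this page, with three planted errors:
# printer1 has no PTR, the PTR for .101 names host1 instead of host2, and .50 has a stale PTR.
FWD_ZONE=$(mktemp); REV_ZONE=$(mktemp)
trap 'rm -f "$FWD_ZONE" "$REV_ZONE"' EXIT
cat > "$FWD_ZONE" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.data.eibanez.cf. root.data.eibanez.cf. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.data.eibanez.cf.
ns1.data.eibanez.cf.          IN      A       192.168.174.20
dhcp1.data.eibanez.cf.        IN      A      192.168.174.10
ftp1.data.eibanez.cf.         IN      A      192.168.174.30
host1.data.eibanez.cf.        IN      A      192.168.174.100
host2.data.eibanez.cf.        IN      A      192.168.174.101
printer1                      IN      A      192.168.174.40
EOF
cat > "$REV_ZONE" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.data.eibanez.cf. root.data.eibanez.cf. (
                              3         ; Serial
                         604800 )       ; Negative Cache TTL
        IN      NS      ns1.data.eibanez.cf.
10      IN      PTR     dhcp1.data.eibanez.cf.
20      IN      PTR     ns1.data.eibanez.cf.
30      IN      PTR     ftp1.data.eibanez.cf.
50      IN      PTR     old-box.data.eibanez.cf.
100     IN      PTR     host1.data.eibanez.cf.
101     IN      PTR     host1.data.eibanez.cf.
EOF

check_zone_consistency "$FWD_ZONE" data.eibanez.cf "$REV_ZONE" 192.168.174
```

Run it after every zone edit, before bumping the serial and reloading; an empty report means the two files agree.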
Restart the BIND service:

```shell
sudo systemctl restart bind9
```

Allow Bind9 through the UFW firewall:
```shell
sudo ufw allow Bind9
```
And you should be done!
```shell
sudo systemctl status bind9
```
![](https://hackmd.io/_uploads/Bkb4CE7P3.png)

We can always check our logs with journalctl
```shell
journalctl -u named
```

## FTP Server
### Initial setup of PROFTPD
Setting our hostname
```shell
sudo hostnamectl set-hostname ftp1
```

Updating our repositories
```shell
sudo apt update
```

Now we can begin the installation
```shell
sudo apt -y install proftpd
```

If we want TLS (FTPS) and SFTP we'll also install the crypto module
```shell
sudo apt -y install proftpd-mod-crypto
```

Now we can check if the service is running through systemctl
```shell
sudo systemctl status proftpd
```
![](https://hackmd.io/_uploads/HJuZNumPn.png)

Logs with journalctl
```shell
journalctl -u proftpd
```

Check the configuration syntax with proftpd -t
```shell
proftpd -t
```

### User management
PROFTPD authenticates against the regular UNIX user accounts.
We can create a new user with this command:
```shell
sudo adduser ftp1
```
![](https://hackmd.io/_uploads/B1jUQO7Dh.png)

We'll log in as the user (the `-` gives us a login shell, so we land in the user's home directory)
```shell
su - ftp1
```

Place a few things to play with in its home directory:
![](https://hackmd.io/_uploads/r15Em_Xvh.png)

You can quit this user's session with the command:
```shell
exit
```
![](https://hackmd.io/_uploads/Hyx0X_QP3.png)

We can also modify their home directory with this command where **/var/www/** is the path to the new home.
```shell
sudo usermod -m -d /var/www/ username
```

### Use of FTP
We can log in from another machine on our network using the command:
```shell
ftp ftp1@192.168.174.30
```
You'll be prompted for the password
![](https://hackmd.io/_uploads/SktI4_Xw2.png)

Once inside you can type **help** to get the commands
![](https://hackmd.io/_uploads/Sy_0EuQPn.png)

**dir** or **ls** is used to see what's inside our directory
![](https://hackmd.io/_uploads/BJM3VFXv2.png)

**delete** erases a file
![](https://hackmd.io/_uploads/SyceSY7v2.png)

**cd** to change directories
![](https://hackmd.io/_uploads/r174HK7v2.png)

**put** uploads a file from the host directory
![](https://hackmd.io/_uploads/SJaFHY7w3.png)

**get** downloads a file
![](https://hackmd.io/_uploads/SyPhBK7D3.png)

**exit** to leave ftp

### Self-signed certificates
To enable FTPS and SFTP we need encryption; we can generate a self-signed certificate with either of the commands below.
1. Install OpenSSL in case we don't have it
```shell
sudo apt-get install openssl -y
```
2. Generate the certificate with **Gencert**
```shell
sudo proftpd-gencert
```
![](https://hackmd.io/_uploads/rydYLK7Ph.png)

or with **OpenSSL** directly
```shell
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt
```

Change the permissions on these files
```shell
sudo chmod 0600 /etc/ssl/private/proftpd.key
sudo chmod 0600 /etc/ssl/certs/proftpd.crt
```

### Configuration files
#### proftpd.conf
This is the general configuration file; we'll modify it using the following command:
```shell
sudo nano /etc/proftpd/proftpd.conf
```

##### Enable TLS
Uncomment this line
```shell
Include /etc/proftpd/tls.conf
```
![](https://hackmd.io/_uploads/H1L0vFQv2.png)

##### Enable SFTP
Uncomment this to enable SFTP:
```shell
Include /etc/proftpd/sftp.conf
```
![](https://hackmd.io/_uploads/By-yuFXD3.png)

##### Anonymous users
We could allow anonymous users by uncommenting the following lines:
```shell
 <Anonymous ~ftp>
   User ftp
   Group nogroup
   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias anonymous ftp
   # Cosmetic changes, all files belongs to ftp user
   DirFakeUser on ftp
   DirFakeGroup on ftp

   RequireValidShell off

   # Limit the maximum number of anonymous logins
   MaxClients 10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.
#   DisplayLogin welcome.msg
#   DisplayChdir .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask022  022
#   #   <Limit READ WRITE>
#   #     DenyAll
#   #     </Limit>
#   #       <Limit STOR>
#   #         AllowAll
#   #     </Limit>
#   # </Directory>
#
 </Anonymous>
```
#### sftp.conf
Modify the file
```shell
sudo nano /etc/proftpd/sftp.conf
```

Uncomment these lines
```shell
<IfModule mod_sftp.c>
SFTPEngine     on
Port           2222
SFTPLog        /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key
</IfModule>
```
#### tls.conf
Modify the file
```shell
sudo nano /etc/proftpd/tls.conf
```

To get TLS working we have to uncomment these lines. Note that `TLSProtocol SSLv23` means "any version the OpenSSL build offers"; pinning it to `TLSv1.2 TLSv1.3` removes the guesswork, and `AllowClientRenegotiations` is only needed for clients that actually renegotiate.
```shell
<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSOptions                              AllowClientRenegotiations
TLSRequired                             on
</IfModule>
```
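Because tls.conf is edited by hand, it helps to have a check that flags the weak settings before the service is restarted. The script below is an added example, not part of this guide or of ProFTPD: it audits a tls.conf for a permissive `TLSProtocol`, client renegotiation and a missing or relaxed `TLSRequired`, prints a hardened copy with `TLSProtocol TLSv1.2 TLSv1.3` and the renegotiation option removed, and checks that the private key is mode 0600 as set above. It runs here against a constructed copy of the tls.conf from this page and a temporary stand-in for the key file.

```shell
#!/bin/sh
# Added example: audit a ProFTPD tls.conf for weak settings and print a hardened copy.
# Directive names are mod_tls's own; real use on ftp1:
#   audit_tls_conf /etc/proftpd/tls.conf; check_key_mode /etc/ssl/private/proftpd.key

# Print one finding per line; prints nothing when no weak setting is found.
audit_tls_conf() {  # $1 = path to a tls.conf
    awk '
        $1 == "TLSProtocol" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(SSLv23|SSLv2|SSLv3|TLSv1|TLSv1\.0|TLSv1\.1)$/) print "WEAK_PROTOCOL " $i
        }
        $1 == "TLSOptions" {
            for (i = 2; i <= NF; i++)
                if ($i == "AllowClientRenegotiations") print "RENEGOTIATION_ALLOWED"
        }
        # anything other than "on" leaves the control or data channel in plaintext
        $1 == "TLSRequired" { seen = 1; if (tolower($2) != "on") print "TLS_NOT_REQUIRED " $2 }
        END { if (!seen) print "TLS_NOT_REQUIRED (directive missing, default is off)" }
    ' "$1"
}

# Emit the same file with TLSProtocol pinned to TLS 1.2/1.3 and client renegotiation removed.
# A TLSOptions line left with no options is dropped entirely.
harden_tls_conf() {  # $1 = path to a tls.conf
    awk '
        $1 == "TLSProtocol" { print "TLSProtocol TLSv1.2 TLSv1.3"; next }
        $1 == "TLSOptions" {
            out = "TLSOptions"; kept = 0
            for (i = 2; i <= NF; i++)
                if ($i != "AllowClientRenegotiations") { out = out " " $i; kept++ }
            if (kept > 0) print out
            next
        }
        { print }
    ' "$1"
}

# The private key must not be readable by other users (the page sets it to 0600).
check_key_mode() {  # $1 = path to the key file
    [ -e "$1" ] || { echo "KEY_MISSING $1"; return; }
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || echo "KEY_MODE_TOO_OPEN $1 $mode"
}

# Constructed copy of the tls.conf from this page plus a temporary file standing in for the key.
SAMPLE_TLS_CONF=$(mktemp); HARDENED_TLS_CONF=$(mktemp); SAMPLE_KEY=$(mktemp)
trap 'rm -f "$SAMPLE_TLS_CONF" "$HARDENED_TLS_CONF" "$SAMPLE_KEY"' EXIT
cat > "$SAMPLE_TLS_CONF" <<'EOF'
<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSOptions                              AllowClientRenegotiations
TLSRequired                             on
</IfModule>
EOF
harden_tls_conf "$SAMPLE_TLS_CONF" > "$HARDENED_TLS_CONF"
chmod 644 "$SAMPLE_KEY"   # deliberately too open, so the key check has something to report

echo "== findings in the page's tls.conf =="
audit_tls_conf "$SAMPLE_TLS_CONF"
echo "== findings after hardening =="
audit_tls_conf "$HARDENED_TLS_CONF"
echo "== key permissions =="
check_key_mode "$SAMPLE_KEY"
```

The hardened output is printed rather than written back, so it can be reviewed and then copied over /etc/proftpd/tls.conf before `proftpd -t` and the restart.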
#### modules.conf
##### TLS Activation
Uncomment these lines
```shell
# Install proftpd-mod-crypto to use this module for TLS/SSL support.
LoadModule mod_tls.c
# These two modules also depend on mod_tls.c
LoadModule mod_tls_fscache.c
LoadModule mod_tls_shmcache.c
```
![](https://hackmd.io/_uploads/B14dcKmPh.png)
##### SFTP Activation
Uncomment these lines
```shell
# Install proftpd-mod-crypto to use this module for SFTP support.
LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c
```

### TLS testing
Once proftpd.conf, tls.conf and modules.conf have been modified, we can restart the service and check its status
```shell
sudo systemctl restart proftpd.service
sudo systemctl status proftpd.service
```
![](https://hackmd.io/_uploads/rJym3YQP2.png)

Since we enabled TLSRequired on, a plain (unencrypted) ftp login is now refused
![](https://hackmd.io/_uploads/BkFeatXw2.png)

We can install ftp-ssl to connect securely
```shell
sudo apt install ftp-ssl
```

Now we can connect using the command ftp-ssl followed by the **server name**
```shell
ftp-ssl ftp1
```

We'll be prompted for the username and password
![](https://hackmd.io/_uploads/BJrH15Qvh.png)

### SFTP Testing
We'll test our connection with the sftp command:
```shell
sftp ftp1@192.168.174.30
```

We'll accept the host key by typing **yes** and enter the password. Before accepting, compare the fingerprint shown with the one on ftp1 (`ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`), since that is the key sftp.conf serves.
![](https://hackmd.io/_uploads/rkrPOqXDh.png)

## Hosts
Since we're in a private network we only have to enable dhcp4 in our netplan
```shell
sudo nano /etc/netplan/00-installer-config.yaml
```

And we set dhcp4 to **true**
```shell
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens32:    # Internal Network
      dhcp4: true
  version: 2
```

Now we can check our connection through this command
```shell
ip a
```
![](https://hackmd.io/_uploads/SkCJqqmw2.png)

We can confirm that our DNS is working properly through the following commands
```shell
resolvectl status
```
![](https://hackmd.io/_uploads/BJZLq9Qv3.png)

```shell
nslookup ftp1
```
![](https://hackmd.io/_uploads/B1O4qcQv3.png)

```shell
dig dhcp1.data.eibanez.cf
```
![](https://hackmd.io/_uploads/Bk1oq97v2.png)

```shell
host 192.168.174.30
```
![](https://hackmd.io/_uploads/r11Cq9Xwn.png)
