Setting up and creating a virtual network system that simulates a real-world company, including core services such as DNS, web server, NTP, authentication server, and FTP, along with Suricata.
There are 2 separate physical machines, win11 and mate24.
The 2 main machines are connected to each other via a home router and get their IP addresses from it.
All VMs are in Bridged mode (the home router acts as the DHCP server), so they can communicate with each other in 192.168.1.x.
this is a basic visual diagram of the lab:
(Blue lines: Virtual Machines)
(Red lines: Physical Hosts)
This is just a brief summary of the configs, settings, and tests for each machine and service:
Control Node
This is my main machine,
serving as the central control node for my lab and also running my virtual servers.
I'm using WSL to have better connectivity with my machines.
WSL, by default, is in a private network created by Windows, but I need it to be in the same network as my nodes, so I set it to Mirrored:
for this I must change (or add) the .wslconfig file:
now WSL has the same IP address as my Windows 11:
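The mirrored-networking switch as an added example (my own, not the file from the write-up): it writes the .wslconfig into the Windows profile from inside WSL and gives a small check that the address WSL ends up with is actually in the lab subnet. The profile path /mnt/c/Users/&lt;WIN_USER&gt; is an assumption.

```shell
# Added example: switch WSL2 to mirrored networking and verify the result.
# Assumption: the Windows user profile is mounted at /mnt/c/Users/<WIN_USER>.

# .wslconfig lives in the Windows user profile, not inside the distro.
render_wslconfig() {
  cat <<'EOF'
[wsl2]
networkingMode=mirrored
EOF
}

# In mirrored mode WSL shares the host's LAN address, so after a restart the
# first address must be inside the lab subnet; returns 0 if $1 is 192.168.1.x.
in_lab_subnet() {
  case "$1" in
    192.168.1.*) return 0 ;;
    *)           return 1 ;;
  esac
}

case "${1:-}" in
  apply)
    win_user="${WIN_USER:?set WIN_USER to your Windows user name}"
    render_wslconfig > "/mnt/c/Users/${win_user}/.wslconfig"
    echo "written; run 'wsl --shutdown' from PowerShell, then reopen WSL and run: $0 check"
    ;;
  check)
    first_ip="$(hostname -I | awk '{print $1}')"
    if in_lab_subnet "$first_ip"; then
      echo "WSL is on the lab LAN: $first_ip"
    else
      echo "WSL is still on a private NAT address: $first_ip" >&2
      exit 1
    fi
    ;;
esac
```

Run it once with `apply`, restart WSL, then with `check`; the check fails loudly if the old NAT address is still in use.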
I use MobaXterm to access all of my nodes by establishing SSH connections:
virtual machines:
physical machines:
I use Ansible to manage my nodes because it's agentless and much easier than the alternatives.
I've divided my nodes into 4 groups, and this is my inventory list, hosts:
After sharing my WSL public key with all nodes, it's time to use the ping module to check connectivity from the control node to all machines:
pong is received.
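An inventory with four groups and the ad-hoc ping, as an added example rather than my actual hosts file: group names, host names and every address except the web server (192.168.1.10) and the LDAP server (192.168.1.30) are placeholders, as are the login name and key path.

```shell
# Added example: an Ansible INI inventory with four groups plus the ping check.
# Placeholders: group/host names, ns01 and mate24 addresses, login, key path.
render_inventory() {
  cat <<'EOF'
[web]
web01 ansible_host=192.168.1.10

[dns]
ns01 ansible_host=192.168.1.20

[ldap]
ldap01 ansible_host=192.168.1.30

[ntp]
mate24 ansible_host=192.168.1.40

[all:vars]
ansible_user=sina
ansible_ssh_private_key_file=~/.ssh/id_ed25519
EOF
}

# Number of real groups: [name] headers without a ':' ([all:vars] is excluded).
count_groups() {
  render_inventory | grep -c '^\[[a-z]*\]$'
}

# A pong from every host proves SSH key auth and a usable Python on the node.
ping_all() {
  ansible -i hosts all -m ping
}

if [ "${1:-}" = "run" ]; then
  render_inventory > hosts
  ping_all
fi
```

Ansible checks SSH host keys by default; leave that on so a node that suddenly presents a different key stops the run instead of being silently trusted.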
Control Node is ready.
Nginx
I have 3 sample websites to test and configure:
1 - sina-personal-page.slab
2 - webtest.slab
3 - nginx-default.slab
html files at /var/www:
config files at /etc/nginx/sites-available:
server blocks for each virtual host:
and like this for other ones.
I used the server_name directive, relying on my DNS server to resolve the names, because all hosts are served from the same address, 192.168.1.10 (name-based virtual hosting).
access_log and error_log for logging, to be used by syslog in the next phases.
and a location block for matching specific URIs (a URI that is not found returns 404).
creating symlinks for the sites and enabling them:
now final conf check:
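The three server blocks, the symlinks and the `nginx -t` check as an added example (my own code, not the configs shown above): one function renders a block per site name so the vhosts differ only in server_name, root and log paths, and a catch-all default server drops requests whose Host header matches none of them instead of letting them land on whichever site nginx loaded first. The web roots under /var/www/&lt;name&gt; and the systemctl service name are assumptions.

```shell
# Added example: generate, enable and validate one nginx vhost per site.
# Assumptions: html lives in /var/www/<name>; nginx is managed by systemctl.
render_site() {   # $1 = fully qualified site name, e.g. webtest.slab
  name="$1"
  cat <<EOF
server {
    listen 80;
    server_name ${name};
    root /var/www/${name};
    index index.html;

    # one log pair per vhost so syslog can tag them per site later
    access_log /var/log/nginx/${name}.access.log;
    error_log  /var/log/nginx/${name}.error.log;

    # serve the file or directory that matches the URI, otherwise 404
    location / {
        try_files \$uri \$uri/ =404;
    }

    # never expose dotfiles (.git, .env, .htpasswd) that end up in the web root
    location ~ /\\. {
        deny all;
    }
}
EOF
}

# Requests for unknown names (raw IP, random Host header) get the connection
# closed (444) instead of an arbitrary site's content.
render_catchall() {
  cat <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
EOF
}

enable_site() {   # symlink sites-available -> sites-enabled, idempotent
  ln -sfn "/etc/nginx/sites-available/$1" "/etc/nginx/sites-enabled/$1"
}

# Validate before reloading so a broken block never takes the server down.
apply_sites() {
  render_catchall > /etc/nginx/sites-available/00-catchall
  enable_site 00-catchall
  for site in sina-personal-page.slab webtest.slab nginx-default.slab; do
    render_site "$site" > "/etc/nginx/sites-available/$site"
    enable_site "$site"
  done
  nginx -t && systemctl reload nginx
}

if [ "${1:-}" = "apply" ]; then
  apply_sites
fi
```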
the configs look good, now time to check the sites.
because I'm using Ubuntu Server I don't have a GUI, so I use lynx to view my sites in the terminal:
nginx-default.slab
webtest.slab
now a check from my other machine, which has a GUI:
Web Server is ready.
BIND
my lab zone name is slab.
named.conf.local:
db.slab for resolving names to IPs and db.192 for reverse queries.
then, database files:
db.slab:
db.192:
and now, a check of the config and db files:
now a test from other machines, for example from 192.168.1.10:
or with a basic script to test them all at once:
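The forward and reverse zones, the named-check* validation and the test-them-all script together as one added example (my own, not the db files or script from the post). The point of generating both zones from a single host table is that A and PTR records cannot drift apart, which is the usual way reverse lookups silently break. Assumptions: the name server is ns1.slab, and all addresses except www (192.168.1.10) and ldap (192.168.1.30) are placeholders.

```shell
# Added example: db.slab and db.192 from one host table, plus checks.
# Assumptions: ns1.slab is the name server; ns1/mate24 octets are placeholders.
hosts_table() {   # host  last-octet (in 192.168.1.0/24)
  cat <<'EOF'
ns1 20
www 10
ldap 30
mate24 40
EOF
}

soa_header() {    # $1 = serial; identical for both zones
  cat <<EOF
\$TTL 86400
@   IN  SOA ns1.slab. hostmaster.slab. (
            ${1}   ; serial, bump on every change
            3600   ; refresh
            900    ; retry
            604800 ; expire
            86400 ); negative cache TTL
@   IN  NS  ns1.slab.
EOF
}

render_db_slab() {   # $1 = serial
  soa_header "$1"
  hosts_table | while read -r name octet; do
    printf '%-20s IN  A     192.168.1.%s\n' "$name" "$octet"
  done
  # the three vhosts are aliases of the web server
  for site in sina-personal-page webtest nginx-default; do
    printf '%-20s IN  CNAME www.slab.\n' "$site"
  done
}

render_db_192() {    # $1 = serial; zone 1.168.192.in-addr.arpa
  soa_header "$1"
  hosts_table | while read -r name octet; do
    printf '%-20s IN  PTR   %s.slab.\n' "$octet" "$name"
  done
}

# Equal counts of A and PTR records is the consistency property we want.
count_a()   { render_db_slab 1 | grep -c ' IN  A  '; }
count_ptr() { render_db_192 1 | grep -c ' IN  PTR '; }

check_zones() {
  named-checkconf /etc/bind/named.conf.local &&
  named-checkzone slab /etc/bind/db.slab &&
  named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192
}

# Query every host forward and reverse against the server given in $1.
resolve_all() {
  hosts_table | while read -r name octet; do
    fwd="$(dig +short "@$1" "$name.slab" A)"
    rev="$(dig +short "@$1" -x "192.168.1.$octet")"
    if [ "$fwd" = "192.168.1.$octet" ] && [ "$rev" = "$name.slab." ]; then
      printf 'OK   %s.slab <-> 192.168.1.%s\n' "$name" "$octet"
    else
      printf 'FAIL %s.slab (A=%s PTR=%s)\n' "$name" "${fwd:-none}" "${rev:-none}"
    fi
  done
}

if [ "${1:-}" = "apply" ]; then
  serial="$(date +%Y%m%d01)"
  render_db_slab "$serial" > /etc/bind/db.slab
  render_db_192  "$serial" > /etc/bind/db.192
  check_zones && systemctl reload bind9 && resolve_all 127.0.0.1
fi
```

`resolve_all 192.168.1.20` from any other node gives the same per-host OK/FAIL table the post checks by hand.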
or from win11:
Name Server is ready.
LDAP
after installing the OpenLDAP packages, slapd and ldap-utils, I run the dpkg-reconfigure slapd command to regenerate the configs.
then defining my hierarchy:
Key LDAP Values:
DNS Domain Name ---> slab
Organization Name ---> SLAB
Database Backend ---> MDB (Modern Database)
Organizational Units (OU):
I must create a logical structure for organizing users and groups, so I need an LDIF (LDAP Data Interchange Format) file:
base.ldif:
and now:
ldapadd -x -D "cn=admin,dc=slab" -W -f base.ldif
-x: use simple authentication instead of SASL
-D "cn=admin,dc=slab": the DN (Distinguished Name) to bind as, i.e. the user performing the command
-W: prompt for the password of that DN
-f base.ldif: read the entries from the base.ldif file
now my directory is set up.
Users and Groups:
i have 4 groups and 5 users for my lab:
groups ---> webadmins, itadmins, fileusers, devs
users ---> sina, jay, s-admin, user1, user2
each user and group has its own .ldif file:
object classes that i used:
inetOrgPerson : a fundamental object class for representing people within an organization
cn : Common Name, user full name
sn : Surname, user last name
posixAccount : for integrating LDAP users with Linux based systems
uid : user login name
uidNumber : unique numerical ID for the user
gidNumber : primary group number for the user
homeDirectory : path to the user home directory
loginShell : default shell for the user
shadowAccount : for more advanced password management
shadowLastChange : date of the last password change
shadowMax : maximum number of days a password is valid before it expires
other .ldif files add the users to their groups:
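The OU skeleton, the user and group entries and the membership change as one added example (my own generator, not the LDIF files from the post). Everything is rendered from two small tables so the numeric IDs are assigned in one place, and two checks catch the mistakes that otherwise only show up as odd `id` output on clients: a duplicated uidNumber and a primary gidNumber that names no group. Assumptions: the OUs are ou=people and ou=groups, the uidNumber/gidNumber values and cn/sn values are placeholders, the admin password is read from a root-only file, and user passwords are set afterwards with ldappasswd.

```shell
# Added example: generate base/user/group/membership LDIF and sanity-check it.
# Assumptions: ou=people and ou=groups; numeric IDs and names are placeholders.
groups_table() {   # group  gidNumber
  cat <<'EOF'
webadmins 5001
itadmins 5002
fileusers 5003
devs 5004
EOF
}

users_table() {    # uid  uidNumber  primary-gid  givenName  sn
  cat <<'EOF'
sina 10001 5001 Sina Lab
jay 10002 5004 Jay Lab
s-admin 10003 5002 Service Admin
user1 10004 5003 User One
user2 10005 5003 User Two
EOF
}

render_base_ldif() {
  cat <<'EOF'
dn: ou=people,dc=slab
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=slab
objectClass: organizationalUnit
ou: groups
EOF
}

render_user_ldif() {   # $1 uid  $2 uidNumber  $3 gidNumber  $4 givenName  $5 sn
  today=$(( $(date +%s) / 86400 ))   # shadowLastChange is days since the epoch
  cat <<EOF
dn: uid=${1},ou=people,dc=slab
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${1}
cn: ${4} ${5}
sn: ${5}
uidNumber: ${2}
gidNumber: ${3}
homeDirectory: /home/${1}
loginShell: /bin/bash
shadowLastChange: ${today}
shadowMax: 90
EOF
}

render_group_ldif() {  # $1 group  $2 gidNumber
  cat <<EOF
dn: cn=${1},ou=groups,dc=slab
objectClass: posixGroup
cn: ${1}
gidNumber: ${2}
EOF
}

render_member_ldif() { # $1 group  $2 uid; applied with ldapmodify, not ldapadd
  cat <<EOF
dn: cn=${1},ou=groups,dc=slab
changetype: modify
add: memberUid
memberUid: ${2}
EOF
}

# Prints any uidNumber used twice (should print nothing).
dup_uidnumbers() { users_table | awk '{print $2}' | sort | uniq -d; }

# Prints users whose primary gidNumber matches no group (should print nothing).
unknown_gids() {
  { groups_table | awk '{print "G", $2}'; users_table | awk '{print "U", $1, $3}'; } |
    awk '$1=="G" {ok[$2]=1; next} $1=="U" && !($3 in ok) {print $2}'
}

if [ "${1:-}" = "apply" ]; then
  [ -z "$(dup_uidnumbers)" ] && [ -z "$(unknown_gids)" ] || { echo "table errors" >&2; exit 1; }
  out=ldif; mkdir -p "$out"
  render_base_ldif > "$out/base.ldif"
  groups_table | while read -r g gid; do render_group_ldif "$g" "$gid" > "$out/group-$g.ldif"; done
  users_table | while read -r u num gid gn sn; do render_user_ldif "$u" "$num" "$gid" "$gn" "$sn" > "$out/user-$u.ldif"; done
  render_member_ldif webadmins sina > "$out/member-webadmins-sina.ldif"
  # -y reads the admin password from a 0600 file instead of putting it on the command line
  for f in "$out"/base.ldif "$out"/group-*.ldif "$out"/user-*.ldif; do
    ldapadd -x -D "cn=admin,dc=slab" -y /root/.ldap-admin-pw -f "$f"
  done
  ldapmodify -x -D "cn=admin,dc=slab" -y /root/.ldap-admin-pw -f "$out/member-webadmins-sina.ldif"
  ldappasswd -x -D "cn=admin,dc=slab" -y /root/.ldap-admin-pw -S "uid=sina,ou=people,dc=slab"
fi
```

Running it with `apply` writes the files into ./ldif first, so the entries can be reviewed (or diffed against what is already in the directory) before anything is loaded.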
Verifying the Directory:
using the ldapsearch command to search and retrieve information from the LDAP server as a final check:
ldapsearch -x -W -D "cn=admin,dc=slab" -b "dc=slab"
Server side is ready.
after installing the required packages, libnss-ldap, libpam-ldap, ldap-utils and nslcd,
and setting the values:
ldap server URI: ldap://192.168.1.30/
ldap search base: dc=slab
bind DN: cn=admin,dc=slab
it's time to configure the name service switch:
/etc/nsswitch.conf:
and NSLCD (a service that handles LDAP lookups for a system):
/etc/nslcd.conf:
now updating the PAM config and enabling Unix authentication and LDAP authentication:
client settings are finished, now a test for resolving user and group data and switching to other users:
it's working fine.
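The client side as an added example (mine, not the nslcd.conf and nsswitch.conf from the post), with the nsswitch edit written so it can be re-run without stacking "ldap" twice, and the getent/id checks. Two deliberate differences from the setup above, both assumptions: nslcd binds with a dedicated read-only account rather than cn=admin, because the bind password has to sit in /etc/nslcd.conf on every client and an admin password there hands the whole directory to anyone who reads that file; and the file is kept at mode 0640 root:nslcd. The `pam-auth-update --enable` flag is the non-interactive form of the PAM step.

```shell
# Added example: nslcd.conf, an idempotent nsswitch.conf patch, and checks.
# Assumptions: a read-only bind account cn=nss-reader exists; nslcd runs as nslcd.
render_nslcd_conf() {
  cat <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.168.1.30/
base dc=slab
# dedicated read-only bind account (assumed to exist); never cn=admin here
binddn cn=nss-reader,ou=people,dc=slab
bindpw CHANGE-ME
# limit lookups to the subtrees that actually hold accounts
base passwd ou=people,dc=slab
base shadow ou=people,dc=slab
base group  ou=groups,dc=slab
# plain ldap:// sends the bind password unencrypted; enable once slapd has a cert:
# ssl start_tls
# tls_reqcert demand
EOF
}

# Append "ldap" to the passwd/group/shadow lines only, leave every other line
# untouched, and do nothing on lines that already list ldap (safe to re-run).
patch_nsswitch() {   # nsswitch.conf on stdin -> patched file on stdout
  awk '($1=="passwd:" || $1=="group:" || $1=="shadow:") && $0 !~ /(^| )ldap( |$)/ { $0 = $0 " ldap" } { print }'
}

# getent proves NSS sees the LDAP entries; id shows the memberUid groups arrive too.
check_client() {   # $1 = uid, $2 = group
  getent passwd "$1" && getent group "$2" && id "$1"
}

if [ "${1:-}" = "apply" ]; then
  render_nslcd_conf > /etc/nslcd.conf
  chown root:nslcd /etc/nslcd.conf && chmod 0640 /etc/nslcd.conf
  patch_nsswitch < /etc/nsswitch.conf > /etc/nsswitch.conf.new &&
    mv /etc/nsswitch.conf.new /etc/nsswitch.conf
  pam-auth-update --enable ldap
  systemctl restart nslcd
  check_client sina webadmins
fi
```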
and like this, the other nodes are set to use this server for authentication.
LDAP Server is ready.
SAMBA
/etc/samba/smb.conf :
after modifying the share object, it's time to create smbuser and set its password with the smbpasswd command,
and then a test file, permission and user check:
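A share definition with the user setup and checks, as an added example (not the smb.conf from the post): the share accepts only smbuser, only from the lab subnet, and only over SMB3, and unknown users are refused instead of being mapped to guest. The share name "share" and its path are assumptions.

```shell
# Added example: an authenticated, subnet-restricted Samba share plus checks.
# Assumptions: share name "share", path /srv/samba/share, local user smbuser.
render_smb_conf() {
  cat <<'EOF'
[global]
   workgroup = WORKGROUP
   server role = standalone server
   security = user
   # unknown users are rejected, not downgraded to a guest session
   map to guest = never
   # Windows 11 speaks SMB3; refusing SMB1/SMB2 removes the old attack surface
   server min protocol = SMB3
   hosts allow = 192.168.1.0/24
   hosts deny  = 0.0.0.0/0
   log file = /var/log/samba/log.%m
   max log size = 1000

[share]
   path = /srv/samba/share
   browseable = yes
   read only = no
   valid users = smbuser
   # new files are owner/group only, never world-readable
   create mask = 0660
   directory mask = 0770
EOF
}

# 0 if $1 appears in the share's "valid users" line, 1 otherwise.
share_allows() {
  render_smb_conf | awk -v u="$1" '
    /^\[/ { in_share = ($0 == "[share]") }
    in_share && $1 == "valid" && $2 == "users" { for (i = 4; i <= NF; i++) if ($i == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

apply_share() {
  render_smb_conf > /etc/samba/smb.conf
  testparm -s >/dev/null                      # syntax check; read any warnings it prints
  id smbuser >/dev/null 2>&1 || useradd -M -s /usr/sbin/nologin smbuser
  mkdir -p /srv/samba/share
  chown smbuser:smbuser /srv/samba/share && chmod 0770 /srv/samba/share
  smbpasswd -a smbuser                        # prompts for the SMB password
  systemctl restart smbd
  pdbedit -L                                  # smbuser must be listed
  smbclient -L //localhost -U smbuser         # and must see [share]
}

if [ "${1:-}" = "apply" ]; then apply_share; fi
```

`useradd -s /usr/sbin/nologin` keeps smbuser a file-share identity only; it can authenticate to Samba but not open a shell on the box.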
now verify the connection and make some changes from the Windows side:
and after entering the credentials for smbuser:
and now once again a check of the upload from the Windows side:
and another check from another machine:
File Server is ready.
NTP
after installing chrony it's time to modify the config file, /etc/chrony/chrony.conf:
now the server is ready; for the clients I just need to tell each machine to use mate24 as its NTP server.
an example of the client configuration at /etc/chrony/chrony.conf:
now for the rest of the nodes, I use Ansible to avoid configuring them one by one:
client_ntp.yaml is my play for this task:
now running this with:
ansible-playbook -i hosts client_ntp.yaml
now a check from other machines:
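The server config, the client config, the play and the chronyc check as one added example (mine, not the chrony.conf files or client_ntp.yaml from the post). The server answers only the lab subnet and keeps serving as stratum 10 if its upstream disappears, so the lab's clocks stay in agreement even offline. Assumptions: mate24 is reachable as mate24.slab, the server has internet access for an upstream pool, and the play targets an inventory group named ntp_clients.

```shell
# Added example: chrony server/client configs, the Ansible play, and the check.
# Assumptions: mate24.slab resolves; inventory group ntp_clients exists.
render_chrony_server() {
  cat <<'EOF'
pool pool.ntp.org iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
# answer NTP queries from the lab subnet only; chronyc control stays local
allow 192.168.1.0/24
# keep serving (as stratum 10) when the upstream pool is unreachable
local stratum 10
EOF
}

render_chrony_client() {
  cat <<'EOF'
server mate24.slab iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
EOF
}

render_playbook() {   # client_ntp.yaml; copies files/chrony-client.conf to every client
  cat <<'EOF'
---
- name: Point every node at the lab NTP server
  hosts: ntp_clients
  become: true
  tasks:
    - name: Install chrony
      ansible.builtin.apt:
        name: chrony
        state: present
        update_cache: true

    - name: Deploy client configuration
      ansible.builtin.copy:
        src: files/chrony-client.conf
        dest: /etc/chrony/chrony.conf
        owner: root
        group: root
        mode: "0644"
      notify: Restart chrony

  handlers:
    - name: Restart chrony
      ansible.builtin.service:
        name: chrony
        state: restarted
EOF
}

# On a client: sources shows mate24 selected with '*', tracking shows the offset.
check_sync() {
  chronyc sources -v && chronyc tracking
}

case "${1:-}" in
  server)
    render_chrony_server > /etc/chrony/chrony.conf && systemctl restart chrony
    ;;
  clients)
    mkdir -p files
    render_chrony_client > files/chrony-client.conf
    render_playbook > client_ntp.yaml
    ansible-playbook -i hosts client_ntp.yaml
    ;;
  check)
    check_sync
    ;;
esac
```

`server` is run on mate24, `clients` from the control node, and `check` on any client; a client whose `chronyc sources` line for mate24 never gets the `*` marker is usually being blocked by the server's allow list.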
Time Server is ready.
Suricata
this is a separate personal project and is not related to the LPIC-2 topics, so I won't get into the details.