Linux Networking Mastery Series Part 6: Network Services and Servers

in #computernetworks, 3 months ago (edited)

Welcome back to Linux Networking Mastery!
So far we've covered the core building blocks:

  • Part 1 – network stack basics and inspection tools
  • Part 2 – interface and IP configuration (temporary + persistent via Netplan, nmcli, systemd-networkd)
  • Part 3 – routing tables, static/policy routing, namespaces, simple router setup
  • Part 4 – name resolution, systemd-resolved, per-link/global DNS, troubleshooting
  • Part 5 – firewalls with nftables, firewalld, ufw, stateful rules

Now we put those pieces to work by configuring and hardening real network services.

This post focuses on four common, practical services:

  • SSH (secure remote access – with strong hardening)
  • Web server (lightweight Nginx setup)
  • File sharing (NFS for Linux-to-Linux, Samba for cross-platform)
  • DHCP server (simple internal network assignment)

We'll emphasize security best practices (especially relevant in 2026 with ongoing brute-force threats), use modern defaults, and tie back to previous parts (firewall rules, DNS, routing).

1. Secure Remote Access: SSH Server Hardening

SSH is the #1 way to manage Linux servers remotely — and the #1 attack target.

Basic Setup & Hardening Best Practices (2026)

  1. Install (usually pre-installed):

    sudo apt install openssh-server    # Debian/Ubuntu
    sudo dnf install openssh-server    # Fedora/RHEL
    
  2. Edit /etc/ssh/sshd_config (use a drop-in file for cleanliness: /etc/ssh/sshd_config.d/99-hardening.conf). sshd keeps the first value it reads for each keyword, and drop-ins are read in name order before the main file, so a distro-supplied drop-in that sorts earlier (common on cloud images) will silently override a 99- file. Check /etc/ssh/sshd_config.d/ for conflicting settings, or confirm the effective values with sudo sshd -T:

    # Disable password auth – use keys only
    PasswordAuthentication no
    # (ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication on OpenSSH 8.7+)
    ChallengeResponseAuthentication no
    # Note: UsePAM no also skips PAM account/session modules (pam_nologin, limits);
    # keep it at yes if you rely on those
    UsePAM no
    
    # Disable root login
    PermitRootLogin no
    
    # Restrict to specific users/groups (optional but recommended)
    AllowUsers alice bob
    # or AllowGroups wheel sshusers
    
    # Change default port (obscurity + reduces noise; not a security control on its own)
    Port 2222
    
    # Limit login grace time & max auth tries
    LoginGraceTime 30
    MaxAuthTries 3
    
    # Enable key-based auth only
    PubkeyAuthentication yes
    
    # Modern crypto (disable weak ciphers)
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
    
  3. Generate & deploy key pair (on client). Do this before the restart in step 4 and confirm the key login works first; until the restart the server still listens on its current port and accepts passwords, so set -p to whatever port it uses right now (22 if unchanged):

    ssh-keygen -t ed25519 -C "user@example.com" -f ~/.ssh/mykey
    ssh-copy-id -i ~/.ssh/mykey.pub -p 2222 user@server
    
  4. Restart SSH (run sudo sshd -t first to catch config errors, and keep your current session open until a new key-based login on the new port succeeds):

    sudo systemctl restart sshd
    
  5. Firewall rule (from Part 5):

    • nftables: tcp dport 2222 ct state new accept
    • firewalld: sudo firewall-cmd --permanent --add-port=2222/tcp
    • ufw: sudo ufw allow 2222/tcp

  6. Install & configure Fail2Ban (brute-force protection):

    sudo apt install fail2ban    # or dnf install fail2ban
    

    Create /etc/fail2ban/jail.d/sshd.local (port only tells the ban action which port to block; the filter itself matches log lines):

    [sshd]
    enabled = true
    port    = 2222
    filter  = sshd
    logpath = %(sshd_log)s
    # Add backend = systemd if sshd logs only to the journal (no /var/log/auth.log)
    maxretry = 3
    findtime = 10m
    bantime  = 1h
    # Optional: banaction = nftables-multiport  (modern backend)
    
    sudo systemctl restart fail2ban
    sudo fail2ban-client status sshd
    

2. Web Server: Lightweight Nginx Setup

Nginx is fast, modern, and preferred for new deployments.

sudo apt install nginx    # Debian/Ubuntu
sudo dnf install nginx    # Fedora/RHEL

Basic site in /etc/nginx/sites-available/my-site (Debian/Ubuntu layout; on Fedora/RHEL put the same server block in /etc/nginx/conf.d/my-site.conf and skip the symlink step below):

server {
    listen 80;
    server_name example.com www.example.com;

    root /var/www/my-site/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Enable:

sudo ln -s /etc/nginx/sites-available/my-site /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Firewall: allow 80 & 443 (add HTTPS later with certbot/Let's Encrypt).

3. File Sharing: NFS (Linux-to-Linux) & Samba (Cross-Platform)

NFSv4 (preferred for modern Linux):

Server install:

sudo apt install nfs-kernel-server

Export in /etc/exports (sec=sys trusts the UID/GID the client presents, so keep the export limited to the trusted subnet as shown, or use sec=krb5 for authenticated access):

/srv/nfs/share  192.168.100.0/24(rw,sync,no_subtree_check,sec=sys)

Then apply the export table and restart:

sudo exportfs -ra
sudo systemctl restart nfs-kernel-server

Firewall: allow from trusted subnet tcp/udp 2049

Client mount:

sudo mount -t nfs4 server:/srv/nfs/share /mnt/nfs

Samba (for Windows/Linux/Mac):

sudo apt install samba

Basic share in /etc/samba/smb.conf (this example is a guest-writable share: anyone on the LAN can read and write it, so keep it behind the firewall rule below; run testparm to check the file for errors):

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user

[public]
   path = /srv/samba/public
   browsable = yes
   writable = yes
   guest ok = yes
   read only = no

sudo smbpasswd -a user    # for authenticated shares (the Unix user must already exist)
sudo systemctl restart smbd

Firewall: allow 445/tcp, 139/tcp (or just 445 for modern clients)

4. DHCP Server Setup (dnsmasq – simple & lightweight)

Install:

sudo apt install dnsmasq

Basic /etc/dnsmasq.conf (dnsmasq also serves DNS on port 53 by default and will conflict with the systemd-resolved stub listener from Part 4; set port=0 if you only want DHCP):

interface=enp2s0          # LAN interface
dhcp-range=192.168.100.50,192.168.100.150,12h
dhcp-option=3,192.168.100.1   # gateway
dhcp-option=6,1.1.1.1,8.8.8.8 # DNS

sudo systemctl restart dnsmasq

Firewall: allow udp 67,68 from LAN

(For more advanced needs use isc-kea – emerging standard in 2026.)

Hands-On Exercises

  1. Harden SSH on a test VM: disable password auth, change port, add Fail2Ban, test key login & brute-force simulation.
  2. Set up Nginx with a static HTML page; allow via firewall.
  3. Export an NFS share; mount from another Linux box.
  4. Configure a simple Samba guest share; access from Windows/Linux.
  5. Run dnsmasq as DHCP on a LAN interface; verify client lease with ip addr.

Warning: Test services in VM/lab; misconfigured shares/firewalls can expose data.

What's Next?

In Part 7 we'll shift to visibility: monitoring connections (ss), capturing packets (tcpdump), performance testing (iperf), bandwidth tools, and systematic troubleshooting workflows.