Welcome back to Linux Networking Mastery!
So far we've covered the core building blocks:
- Part 1 – network stack basics and inspection tools
- Part 2 – interface and IP configuration (temporary + persistent via Netplan, nmcli, systemd-networkd)
- Part 3 – routing tables, static/policy routing, namespaces, simple router setup
- Part 4 – name resolution, systemd-resolved, per-link/global DNS, troubleshooting
- Part 5 – firewalls with nftables, firewalld, ufw, stateful rules
Now we put those pieces to work by configuring and hardening real network services.
This post focuses on four common, practical services:
- SSH (secure remote access – with strong hardening)
- Web server (lightweight Nginx setup)
- File sharing (NFS for Linux-to-Linux, Samba for cross-platform)
- DHCP server (simple internal network assignment)
We'll emphasize security best practices (especially relevant in 2026 with ongoing brute-force threats), use modern defaults, and tie back to previous parts (firewall rules, DNS, routing).
1. Secure Remote Access: SSH Server Hardening
SSH is the #1 way to manage Linux servers remotely — and the #1 attack target.
Basic Setup & Hardening Best Practices (2026)
Install (usually pre-installed):
sudo apt install openssh-server # Debian/Ubuntu
sudo dnf install openssh-server # Fedora/RHEL
Edit /etc/ssh/sshd_config (use drop-in file for cleanliness: /etc/ssh/sshd_config.d/99-hardening.conf):
# Disable password auth – use keys only
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# Disable root login
PermitRootLogin no
# Restrict to specific users/groups (optional but recommended)
AllowUsers alice bob
# or AllowGroups wheel sshusers
# Change default port (obscurity + reduces noise)
Port 2222
# Limit login grace time & max auth tries
LoginGraceTime 30
MaxAuthTries 3
# Enable key-based auth only
PubkeyAuthentication yes
# Modern crypto (disable weak ciphers)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Generate & deploy key pair (on client):
ssh-keygen -t ed25519 -C "your@email.com" -f ~/.ssh/mykey
ssh-copy-id -i ~/.ssh/mykey.pub -p 2222 user@server
Restart SSH:
sudo systemctl restart sshd
Firewall rule (from Part 5):
- nftables: tcp dport 2222 ct state new accept
- firewalld: sudo firewall-cmd --permanent --add-port=2222/tcp
- ufw: sudo ufw allow 2222/tcp
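One way to confirm the hardening actually took effect, as an added example that is not part of the original post: sshd uses the first value it reads for each keyword, so an earlier-sorting file in /etc/ssh/sshd_config.d/ can override 99-hardening.conf. The function name, the sample output and the 50-image-defaults.conf file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare the settings sshd
# actually applies with the hardening baseline from this section.

# Baseline from 99-hardening.conf, in the lowercase spelling `sshd -T` prints.
BASELINE="passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes"
BASELINE="$BASELINE port=2222 maxauthtries=3 logingracetime=30"

# audit_sshd: reads `sshd -T`-style lines ("keyword value") on stdin, prints
# one line per deviation, returns 0 when all baseline keys match, else 1.
audit_sshd() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "MISMATCH %s: effective=%s expected=%s\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: effective config on a host where an earlier-sorting
# drop-in (hypothetical 50-image-defaults.conf) sets PasswordAuthentication yes.
# sshd keeps the first value it reads per keyword, so the 99- file loses.
SAMPLE_EFFECTIVE='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
maxauthtries 3
logingracetime 30'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd || true
# On a real host: sudo sshd -t && sudo sshd -T | audit_sshd
```

Run the real-host form before restarting sshd and keep the existing session open until a second key-based login succeeds.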
Install & configure Fail2Ban (brute-force protection):
sudo apt install fail2ban # or dnf install fail2ban
Create /etc/fail2ban/jail.d/sshd.local:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
findtime = 10m
bantime = 1h
# Optional: banaction = nftables-multiport (modern backend)
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
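A simplified model of the maxretry/findtime decision configured in the jail above, added here as an example and not taken from Fail2Ban or the original post. The log lines are constructed, and the "Invalid user" pattern and the would_ban name are assumptions standing in for the real sshd filter.

```shell
#!/bin/sh
# Added example (not Fail2Ban code): simplified model of how the jail above
# turns maxretry and findtime into a ban decision, over constructed log lines.

MAXRETRY=3     # maxretry = 3
FINDTIME=600   # findtime = 10m, in seconds

# would_ban: auth-log lines on stdin -> "BAN <ip> at <HH:MM:SS>" when an
# address reaches MAXRETRY failures inside a FINDTIME-second window.
# Assumptions: ISO 8601 timestamp in field 1, one calendar day, and
# "Invalid user ... from <ip>" standing in for the real sshd filter.
would_ban() {
    awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
        /Invalid user .* from / {
            clock = substr($1, 12, 8)
            split(clock, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip in banned) next            # already blocked for bantime
            hits[ip, ++last[ip]] = now        # record this failure
            while (now - hits[ip, first[ip] + 1] > findtime)
                first[ip]++                   # expire failures older than findtime
            if (last[ip] - first[ip] >= maxretry) {
                print "BAN", ip, "at", clock
                banned[ip] = 1
            }
        }'
}

# Constructed log lines (documentation IP ranges).
SAMPLE_LOG='2026-01-12T10:00:01+00:00 srv sshd[811]: Invalid user admin from 203.0.113.5 port 40112
2026-01-12T10:00:09+00:00 srv sshd[813]: Invalid user test from 203.0.113.5 port 40120
2026-01-12T10:02:30+00:00 srv sshd[820]: Invalid user oracle from 198.51.100.7 port 51000
2026-01-12T10:04:44+00:00 srv sshd[831]: Invalid user pi from 203.0.113.5 port 40177
2026-01-12T10:20:00+00:00 srv sshd[850]: Invalid user git from 198.51.100.7 port 51040
2026-01-12T10:31:00+00:00 srv sshd[861]: Invalid user ftp from 198.51.100.7 port 51090'

printf '%s\n' "$SAMPLE_LOG" | would_ban
```

With the page's values only 203.0.113.5 is banned; the three failures from 198.51.100.7 never fall inside one 10-minute window, which is the trade-off to weigh when choosing findtime.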
2. Web Server: Lightweight Nginx Setup
Nginx is fast, modern, and preferred for new deployments.
sudo apt install nginx # Debian/Ubuntu
sudo dnf install nginx # Fedora/RHEL
Basic site in /etc/nginx/sites-available/my-site:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/my-site/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
Enable:
sudo ln -s /etc/nginx/sites-available/my-site /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Firewall: allow 80 & 443 (add HTTPS later with certbot/Let's Encrypt).
3. File Sharing: NFS (Linux-to-Linux) & Samba (Cross-Platform)
NFSv4 (preferred for modern Linux):
Server install:
sudo apt install nfs-kernel-server
Export in /etc/exports:
/srv/nfs/share 192.168.100.0/24(rw,sync,no_subtree_check,sec=sys)
sudo exportfs -ra
sudo systemctl restart nfs-kernel-server
Firewall: allow from trusted subnet tcp/udp 2049
Client mount:
sudo mount -t nfs4 server:/srv/nfs/share /mnt/nfs
Samba (for Windows/Linux/Mac):
sudo apt install samba
Basic share in /etc/samba/smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
[public]
path = /srv/samba/public
browsable = yes
writable = yes
guest ok = yes
read only = no
sudo smbpasswd -a user # for authenticated shares
sudo systemctl restart smbd
Firewall: allow 445/tcp, 139/tcp (or just 445 for modern clients)
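The [public] share above is configured for guest access with write permission. As an added example (not part of the original post), this check lists the shares in an smb.conf that accept guests and whether those guests can write; the function name and the [docs] and [team] shares are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list smb.conf shares that allow
# guest (unauthenticated) access and say whether guests can also write.

# audit_smb_shares: smb.conf text on stdin -> "<share> guest-writable" or
# "<share> guest-readonly" per guest share. Handles the synonyms public/guest ok
# and writable/writeable/write ok, plus the inverted "read only".
audit_smb_shares() {
    awk '
        function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function report() {
            if (share != "" && share != "global" && guest)
                print share, (writable ? "guest-writable" : "guest-readonly")
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\]/ {                           # section header starts a new share
            report()
            if (share == "global") { dguest = guest; dwrite = writable }
            share = tolower($0); sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            guest = dguest; writable = dwrite       # inherit [global], else Samba defaults
            next
        }
        /=/ {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                  # whitespace in names is ignored
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "guestok" || key == "public") guest = truthy(val)
            else if (key == "writable" || key == "writeable" || key == "writeok") writable = truthy(val)
            else if (key == "readonly") writable = !truthy(val)
        }
        END { report() }'
}

# Constructed input: the [public] share from this page plus two made-up shares.
SAMPLE_SMB_CONF='[global]
security = user
[public]
path = /srv/samba/public
guest ok = yes
writable = yes
read only = no
[docs]
Public = Yes
[team]
valid users = @staff
read only = no'

printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_shares
```

On a server, feed it the live file with `audit_smb_shares < /etc/samba/smb.conf`.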
4. DHCP Server Setup (dnsmasq – simple & lightweight)
Install:
sudo apt install dnsmasq
Basic /etc/dnsmasq.conf:
interface=enp2s0 # LAN interface
dhcp-range=192.168.100.50,192.168.100.150,12h
dhcp-option=3,192.168.100.1 # gateway
dhcp-option=6,1.1.1.1,8.8.8.8 # DNS
sudo systemctl restart dnsmasq
Firewall: allow udp 67,68 from LAN
(For more advanced needs use isc-kea – emerging standard in 2026.)
Hands-On Exercises
- Harden SSH on a test VM: disable password auth, change port, add Fail2Ban, test key login & brute-force simulation.
- Set up Nginx with a static HTML page; allow via firewall.
- Export an NFS share; mount from another Linux box.
- Configure a simple Samba guest share; access from Windows/Linux.
- Run dnsmasq as DHCP on a LAN interface; verify client lease with ip addr.
Warning: Test services in VM/lab; misconfigured shares/firewalls can expose data.
What's Next?
In Part 7 we'll shift to visibility: monitoring connections (ss), capturing packets (tcpdump), performance testing (iperf), bandwidth tools, and systematic troubleshooting workflows.