Network Architecture
Comprehensive network architecture documentation for MDHosting Ltd infrastructure, detailing topology, firewall rules, IP addressing, traffic routing, and security zones.
Overview
MDHosting's network architecture is designed with security, reliability, and GDPR compliance as primary objectives. All infrastructure is hosted with Hetzner in Germany, providing:
- Single Provider Simplicity: All servers within Hetzner's Germany datacentre network
- GDPR Compliance: EU-based hosting with strong data protection
- Low Latency: <50ms to major UK cities
- Redundancy: Multiple DNS servers, separated concerns (note that both nameservers sit in the same provider network as the hosting server, so a Hetzner-wide outage takes all three down together; an off-network secondary is the usual way to remove that shared fate)
- Security Isolation: Logical separation of services
Key Architecture Principles:
- Defence in depth with multiple security layers
- Least privilege access across all systems
- Service separation (hosting, DNS, management)
- Automated security controls (CSF, Fail2Ban)
- Monitoring and logging for visibility
Network Topology
High-Level Architecture
graph TB
Internet[Internet<br/>Global Clients]
subgraph "Hetzner Germany Datacentre"
subgraph "DNS Layer"
NS1[ns1.mdhosting.co.uk<br/>CX22 - 2 vCPU, 4GB RAM<br/>Primary DNS Server]
NS2[ns2.mdhosting.co.uk<br/>CX22 - 2 vCPU, 4GB RAM<br/>Secondary DNS Server]
end
subgraph "Hosting Layer"
EU1[eu1.cp<br/>CPX31 - 4 vCPU, 8GB RAM<br/>~30 Client Accounts<br/>AlmaLinux 8 + cPanel]
end
subgraph "Planned: Monitoring Layer"
WAZUH[Wazuh SIEM<br/>Security Monitoring<br/>Log Aggregation]
end
end
subgraph "Admin Access"
ADMIN[System Administrator<br/>SSH Keys + VPN Planned]
end
Internet -->|DNS Queries :53| NS1
Internet -->|DNS Queries :53| NS2
Internet -->|HTTP :80, HTTPS :443| EU1
Internet -->|SMTP :25, :587, :465| EU1
Internet -->|IMAP :993, POP3 :995| EU1
EU1 -.->|Zone Updates| NS1
EU1 -.->|Zone Updates| NS2
ADMIN -->|SSH :custom ports| NS1
ADMIN -->|SSH :custom ports| NS2
ADMIN -->|SSH :custom ports| EU1
ADMIN -->|cPanel :2083| EU1
EU1 -.->|Logs & Alerts| WAZUH
NS1 -.->|Logs & Alerts| WAZUH
NS2 -.->|Logs & Alerts| WAZUH
classDef hetzner fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
classDef monitoring fill:#27ae60,stroke:#2c3e50,stroke-width:2px,color:#fff
classDef admin fill:#8e44ad,stroke:#2c3e50,stroke-width:2px,color:#fff
class NS1,NS2,EU1 hetzner
class WAZUH monitoring
class ADMIN admin
Service Distribution
| Server | Role | Services | Public Ports | Admin Ports |
|---|---|---|---|---|
| eu1.cp | Client Hosting | Apache, nginx, MySQL, PHP, Exim, Dovecot, cPanel | 80, 443, 25, 587, 465, 993, 995, 110 | 2083, 2087, SSH (custom) |
| ns1.mdhosting.co.uk | Primary DNS | cPanel DNS (PowerDNS planned) | 53 (TCP/UDP) | SSH (custom) |
| ns2.mdhosting.co.uk | Secondary DNS | cPanel DNS (PowerDNS planned) | 53 (TCP/UDP) | SSH (custom) |
IP Addressing and Network Configuration
Public IP Addresses
Sensitive Information
Exact IP addresses are not documented in this public repository. They are referenced as [SERVER-IP] below and kept in the password manager. Note that the addresses of the public-facing hosts are recoverable from DNS anyway (the A records for ns1, ns2 and the hosted domains are public), so omitting them here is hygiene rather than a security control; the firewall rules below are the actual control.
IP Address Allocation:
- eu1.cp: [EU1-IP] - Primary hosting server
- ns1.mdhosting.co.uk: [NS1-IP] - Primary DNS server
- ns2.mdhosting.co.uk: [NS2-IP] - Secondary DNS server
IP Address Management:
- All servers have static public IPv4 addresses
- IPv6 available but not currently configured
- DNS A records point to respective server IPs
- Reverse DNS (PTR) configured for email deliverability
Network Interfaces
Standard Configuration (All Servers):
eth0: Primary network interface
- Public IP address
- Gateway: Hetzner network gateway
- MTU: 1500 (standard)
- Speed: 1 Gbps
Localhost:
lo: Loopback interface (127.0.0.1)
- Used for local service communication
- Database connections (MySQL localhost)
- Internal service APIs
DNS Configuration
DNS Nameservers for Servers (the resolvers the servers themselves use):
- Primary: Hetzner DNS (provided by datacentre)
- Secondary: Public DNS fallback (e.g., 1.1.1.1, 8.8.8.8)
DNS Zones Hosted:
- mdhosting.co.uk
- ~30 client domains
- All zones replicated across ns1 and ns2
Firewall Configuration
CSF (ConfigServer Security & Firewall)
MDHosting uses CSF on all servers for stateful packet filtering and intrusion prevention.
CSF Features Enabled:
- Stateful Packet Inspection (SPI)
- Login Failure Daemon (LFD) - automatic IP blocking
- Connection tracking
- Port flood protection
- Synflood protection
- ICMP rate limiting
- Process monitoring
Firewall Rules - eu1.cp (Hosting Server)
Inbound Rules:
| Port | Protocol | Service | Access |
|---|---|---|---|
| 80 | TCP | HTTP | Public |
| 443 | TCP | HTTPS | Public |
| 25 | TCP | SMTP (incoming mail) | Public |
| 587 | TCP | SMTP (submission) | Authenticated |
| 465 | TCP | SMTPS (SSL) | Authenticated |
| 993 | TCP | IMAPS (SSL) | Authenticated |
| 995 | TCP | POP3S (SSL) | Authenticated |
| 110 | TCP | POP3 | Authenticated (discouraged) |
| 2083 | TCP | cPanel (HTTPS) | Admin only (IP restricted) |
| 2087 | TCP | WHM (HTTPS) | Admin only (IP restricted) |
| [Custom] | TCP | SSH | Admin only (key auth) |
| 53 | TCP/UDP | DNS (SOA refresh queries over UDP and AXFR over TCP from the secondaries) | ns1, ns2 only |
Outbound Rules:
- Allow all established connections
- Allow HTTP/HTTPS (for updates, Let's Encrypt)
- Allow SMTP to MX records (outgoing mail)
- Allow DNS queries
- Allow NTP (time synchronisation)
Blocked by Default:
- All other inbound ports (DROP)
- MySQL port 3306 (no remote access; MySQL is also bound to localhost only, so the firewall is the second layer, not the only one)
- FTP ports 20, 21 (SFTP preferred)
- All inbound ICMP except from trusted IPs (keep ICMP "fragmentation needed" and ICMPv6 "packet too big" permitted, otherwise Path MTU discovery breaks and large responses stall)
CSF Configuration Highlights (values are quoted, as csf.conf requires):
# Use ipset for the allow/deny lists (faster than long iptables chains)
LF_IPSET = "1"
# Concurrent-connection limit, as port;limit pairs: at most 50 connections per IP to port 80
CONNLIMIT = "80;50"
# Synflood protection
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
# Port flood protection, as port;proto;hits;seconds. SSH is on a custom port (see SSH
# Port Security), so a rule for port 22 protects nothing; it must name the real port.
PORTFLOOD = "[SSH-PORT];tcp;5;300,80;tcp;100;5,443;tcp;100;5"
# Login failure daemon (LFD)
LF_SSHD = "5"    # Block after 5 SSH failures
LF_CPANEL = "5"  # Block after 5 cPanel login failures
# LF_TRIGGER = "0" makes the per-service counts above apply literally. A value above 0
# would turn them into mere on/off flags and block after that many failures summed across
# all services. Permanent blocking is a separate setting (LF_PERMBLOCK), not this one.
LF_TRIGGER = "0"
# Process tracking: alert on user processes that have run for more than PT_LIMIT seconds
# (PT_USERPROC, not PT_LIMIT, caps the number of processes per user)
PT_LIMIT = "10"
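The firewall tables above say what should be reachable; the check a practitioner runs each month is whether the host still matches them. The script below is an added example, not MDHosting's own tooling: it reads the output of `ss -Hltn` (one line per listening TCP socket, no header) and reports every socket bound to a non-loopback address whose port is not in the documented public or admin list. The sample `ss` output is constructed to show a host that has drifted (FTP, plaintext IMAP and MySQL all listening on 0.0.0.0), and the custom SSH port 22022 is a hypothetical value standing in for the real one.

```shell
#!/bin/sh
# Listening-socket audit against the documented port list.
# Added example, not MDHosting tooling. Input is "ss -Hltn" output; SAMPLE_SS is
# constructed and the SSH port 22022 is hypothetical.

# Ports the firewall tables document as reachable from outside (public + admin).
EXPECTED_PUBLIC="80 443 25 587 465 993 995 110 2083 2087 53"

# audit_listeners SSH_PORT < ss-output
# Prints "UNEXPECTED <addr> port <port>" for every socket bound to a non-loopback
# address whose port is not expected; prints nothing when the host is clean.
audit_listeners() {
    awk -v allowed="$EXPECTED_PUBLIC $1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
            gsub(/\[|\]/, "", addr)                # strip IPv6 brackets
            # Loopback-only binds are the documented pattern for MySQL and friends:
            # the bind address is their first layer, the firewall the second.
            if (addr == "127.0.0.1" || addr == "::1") next
            if (!(port in ok)) printf "UNEXPECTED %s port %s\n", addr, port
        }'
}

# Constructed sample: a host that has drifted from the documented rules.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22022 0.0.0.0:*
LISTEN 0 511 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 80 127.0.0.1:9000 0.0.0.0:*'

# audit_sample -> findings for SAMPLE_SS (three UNEXPECTED lines: 21, 143, 3306)
audit_sample() { printf '%s\n' "$SAMPLE_SS" | audit_listeners 22022; }

if [ "${1:-}" = "--live" ]; then
    # Live use: sh listener_audit.sh --live <custom-ssh-port>
    ss -Hltn | audit_listeners "${2:?usage: $0 --live <custom-ssh-port>}"
else
    audit_sample
fi
```

Run it against the live host after any package install or cPanel update, since those are what usually add a listener; the loopback exemption is deliberate so a MySQL that is correctly bound to 127.0.0.1 does not show up as noise.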
Firewall Rules - ns1 and ns2 (DNS Servers)
Inbound Rules:
| Port | Protocol | Service | Access |
|---|---|---|---|
| 53 | UDP | DNS Queries | Public |
| 53 | TCP | DNS Queries (TCP fallback for truncated or large responses) | Public |
| [Custom] | TCP | SSH | Admin only (key auth) |
Note: TCP 53 cannot be limited to eu1.cp and the other nameserver. Resolvers legitimately retry over TCP whenever a UDP answer is truncated (DNSSEC and long TXT records make this routine), so closing TCP 53 to the public silently breaks resolution for those clients. Zone transfers are restricted in the nameserver configuration (BIND allow-transfer, PowerDNS allow-axfr-ips), not by the firewall.
Outbound Rules:
- Allow HTTP/HTTPS (for updates)
- Allow DNS queries
- Allow NTP (time synchronisation)
DNS-Specific Restrictions:
- Zone transfers only from authorised IPs (eu1.cp), enforced in the nameserver configuration
- No recursive queries (DNS recursion disabled)
- Query rate limiting enabled
Port Configuration
Standard Service Ports
Web Services:
80/tcp - HTTP
443/tcp - HTTPS (Let's Encrypt certificates)
Email Services:
25/tcp - SMTP (incoming mail from internet)
587/tcp - SMTP Submission (authenticated client sending)
465/tcp - SMTPS (SSL, authenticated)
993/tcp - IMAPS (SSL, secure IMAP)
995/tcp - POP3S (SSL, secure POP3)
110/tcp - POP3 (discouraged, use 995)
143/tcp - IMAP (blocked, use 993)
DNS Services:
53/udp - DNS queries
53/tcp - DNS queries (TCP fallback) and zone transfers (AXFR, restricted to authorised hosts)
Management Services:
2083/tcp - cPanel (HTTPS)
2087/tcp - WHM (HTTPS)
[Custom]/tcp - SSH (key authentication only)
Non-Standard Ports
SSH Port Security
SSH runs on a custom high-numbered port (>10000) on every server to keep automated scanner noise out of the logs. Exact port numbers are stored in the password manager and in the administrators' SSH client configs.
Rationale for Non-Standard Ports:
- Cuts the volume of automated brute-force noise sharply (mass scanners mostly try port 22 only)
- Keeps the logs readable, so a real attempt stands out
- Makes an attacker port-scan the host before they can attempt a login
- Not a security control on its own: a full port scan finds the port in seconds. The controls are key-only authentication, CSF/LFD and Fail2Ban; the port change only reduces noise
Network Security Zones
Logical Security Segmentation
MDHosting employs logical security zones despite single-provider infrastructure:
1. Public Services Zone
Purpose: Internet-facing services accessible to all clients
Services:
- Web servers (Apache/nginx)
- Authoritative DNS (ns1, ns2; recursion disabled, so these are not resolvers)
- Email services (SMTP, IMAP, POP3)
Security Controls:
- CSF firewall with strict rules
- Rate limiting on all services
- Fail2Ban automatic blocking
- TLS/SSL encryption enforced
Risk Profile: High (internet-exposed)
2. Management Zone
Purpose: Administrative access and control interfaces
Services:
- SSH access
- cPanel/WHM interfaces
- System administration tools
Security Controls:
- IP whitelisting (where practical)
- SSH key authentication only (passwords disabled)
- Non-standard ports
- Session timeout enforcement
- Two-factor authentication (planned for ApisCP)
Risk Profile: Medium (restricted access, high privileges)
3. Data Zone
Purpose: Persistent data storage and databases
Services:
- MySQL/MariaDB databases
- Client file storage
- Email mailboxes
- Backup repositories
Security Controls:
- No direct internet access
- Local connections only
- Application-level access control
- Encrypted backups
- Daily automated backups
Risk Profile: Critical (contains all customer data)
4. Monitoring Zone (Planned)
Purpose: Security monitoring and log aggregation
Services:
- Wazuh SIEM
- Centralised logging
- Alerting and notification
Security Controls:
- One-way log collection: agents push logs to the manager; keep remote command execution and active response disabled on the agents so the manager cannot run commands on production hosts
- Isolated from production services
- Encrypted log transport
Risk Profile: Low (read-only access to logs)
Zone Communication Matrix
| From Zone | To Zone | Allowed | Protocol | Purpose |
|---|---|---|---|---|
| Public Services | Internet | Yes | HTTP/HTTPS, SMTP, DNS | Serve clients |
| Internet | Public Services | Yes | HTTP/HTTPS, SMTP, DNS | Client requests |
| Management | Public Services | Yes | SSH, cPanel | Administration |
| Public Services | Data Zone | Yes | MySQL (local), Filesystem | Data access |
| Data Zone | Internet | No | - | No direct access |
| Public Services | Monitoring (planned) | Yes | Syslog, API | Log shipping |
| Monitoring | Public Services | No | - | Read-only |
DNS Architecture
Current DNS Setup (cPanel DNS)
Primary/Secondary Configuration:
graph LR
Internet[Internet DNS Queries]
subgraph "Current Architecture"
EU1[eu1.cp<br/>cPanel DNS Master<br/>Zone Management]
NS1[ns1.mdhosting.co.uk<br/>cPanel DNS Slave<br/>Public Queries]
NS2[ns2.mdhosting.co.uk<br/>cPanel DNS Slave<br/>Public Queries]
end
Internet -->|DNS Queries| NS1
Internet -->|DNS Queries| NS2
EU1 -->|AXFR Zone Transfer| NS1
EU1 -->|AXFR Zone Transfer| NS2
NS1 <-.->|Zone Sync| NS2
classDef master fill:#f39c12,stroke:#2c3e50,stroke-width:2px,color:#fff
classDef slave fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
class EU1 master
class NS1,NS2 slave
How It Works:
1. Zone changes made on eu1.cp via cPanel
2. eu1.cp sends NOTIFY to ns1 and ns2
3. ns1 and ns2 check the SOA serial and request a zone transfer (AXFR) from eu1.cp
4. Public DNS queries served by ns1 and ns2
5. eu1.cp appears as the master in the SOA MNAME field of every zone
Issues with Current Setup:
- eu1.cp is named in the SOA MNAME field and that name resolves to the hosting server, so the zone master is trivially located (the hosting server's address is already visible in the client A records, so the real gain of a hidden master is that transfer and query load never reach the production host)
- cPanel DNS as configured has no DNSSEC
- Zone management tied to cPanel interface
- £480/year cPanel licensing cost
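The DNS-specific restrictions in the firewall section and the replication flow just described are both things that silently break: a secondary can fall behind the master without any query failing, and an AXFR or recursion restriction can be lost in a config change. The script below is an added example, not MDHosting's own tooling; it verifies, from an outside vantage point, that every public nameserver serves the same SOA serial as the master, that every server refuses AXFR to an unauthorised client (the host running the script), and that recursion is off. The nameserver names are the page's; the master address comes from the MASTER variable, which defaults to the page's [EU1-IP] placeholder and must be set before a live run. Each dig probe is its own one-line function so it can be stubbed when the logic is tested without a network.

```shell
#!/bin/sh
# DNS estate check: SOA serials in sync, AXFR refused, recursion disabled.
# Added example, not MDHosting tooling. Requires dig for a live run.

ZONE="${ZONE:-mdhosting.co.uk}"
MASTER="${MASTER:-[EU1-IP]}"          # page placeholder; set to the real address
SECONDARIES="ns1.mdhosting.co.uk ns2.mdhosting.co.uk"

# Thin dig wrappers; one probe each so a test can replace them with stubs.
soa_serial() {           # soa_serial SERVER ZONE -> serial, or empty on failure
    dig +short +time=3 +tries=1 @"$1" "$2" SOA | awk '{ print $3 }'
}
axfr_allowed() {         # exit 0 if SERVER hands ZONE over to this client
    dig +time=3 +tries=1 @"$1" "$2" AXFR | grep -q '[[:space:]]IN[[:space:]]SOA[[:space:]]'
}
recursion_available() {  # exit 0 if SERVER answers for a zone it does not host
    dig +time=3 +tries=1 @"$1" example.com A | grep -q 'flags:[^;]* ra[ ;]'
}

# check_estate MASTER "SECONDARY ..." ZONE
# One OK/FAIL line per check; exit 1 if anything failed.
check_estate() {
    master="$1"; secondaries="$2"; zone="$3"; rc=0
    ref=$(soa_serial "$master" "$zone")
    if [ -z "$ref" ]; then
        echo "FAIL master $master: no SOA for $zone"
        return 1
    fi
    echo "OK   master $master serial $ref"
    for ns in $secondaries; do
        serial=$(soa_serial "$ns" "$zone")
        if [ "$serial" = "$ref" ]; then
            echo "OK   $ns serial $serial matches master"
        else
            echo "FAIL $ns serial '$serial' differs from master $ref (transfer broken or lagging)"
            rc=1
        fi
    done
    for srv in "$master" $secondaries; do
        if axfr_allowed "$srv" "$zone"; then
            echo "FAIL $srv serves AXFR to unauthorised clients (whole zone enumerable)"
            rc=1
        else
            echo "OK   $srv refuses AXFR"
        fi
        if recursion_available "$srv"; then
            echo "FAIL $srv answers recursive queries (open resolver, amplification risk)"
            rc=1
        else
            echo "OK   $srv recursion disabled"
        fi
    done
    return $rc
}

# Live run: MASTER=<eu1 address> sh dns_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_estate "$MASTER" "$SECONDARIES" "$ZONE"
fi
```

Run it from a host that is not in the authorised-transfer list, otherwise the AXFR check proves nothing. After the PowerDNS migration the same script applies unchanged: the hidden master simply becomes MASTER, and the AXFR check against it should then fail to connect rather than be refused, because it is no longer reachable from the public network.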
Planned DNS Architecture (PowerDNS Hidden Master)
Hidden Master Configuration:
graph LR
Internet[Internet DNS Queries]
subgraph "Planned Architecture Q2 2025"
HM[Hidden Master<br/>PowerDNS Authoritative<br/>Not publicly listed]
NS1P[ns1.mdhosting.co.uk<br/>PowerDNS Slave<br/>Public Queries]
NS2P[ns2.mdhosting.co.uk<br/>PowerDNS Slave<br/>Public Queries]
end
ADMIN[Admin<br/>Zone Management<br/>PowerDNS API]
Internet -->|DNS Queries| NS1P
Internet -->|DNS Queries| NS2P
HM -->|AXFR/IXFR| NS1P
HM -->|AXFR/IXFR| NS2P
HM -.->|NOTIFY| NS1P
HM -.->|NOTIFY| NS2P
ADMIN -->|API Calls| HM
classDef hidden fill:#e74c3c,stroke:#2c3e50,stroke-width:2px,color:#fff
classDef public fill:#27ae60,stroke:#2c3e50,stroke-width:2px,color:#fff
classDef mgmt fill:#8e44ad,stroke:#2c3e50,stroke-width:2px,color:#fff
class HM hidden
class NS1P,NS2P public
class ADMIN mgmt
Benefits:
- Hidden master not exposed to internet
- DNSSEC support for enhanced security
- API-driven zone management
- Modern features (IXFR incremental transfers)
- No cPanel licensing dependency
- Better performance and scalability
Migration Timeline:
- Q2 2025: Deploy PowerDNS hidden master
- Q2 2025: Migrate zones to PowerDNS
- Q2 2025: Enable DNSSEC
- Q2 2025: Decommission cPanel DNS
DNS Query Flow
Current Flow:
1. Client queries example.com A record
2. Client's resolver queries root servers
3. Root servers refer to .com TLD servers
4. TLD servers refer to ns1.mdhosting.co.uk or ns2.mdhosting.co.uk
5. ns1 or ns2 responds with authoritative answer
6. Response cached by client's resolver (TTL-based)
DNS Record Types Used:
- A: IPv4 addresses (most common)
- AAAA: IPv6 addresses (planned)
- MX: Mail exchange records
- CNAME: Canonical name aliases
- TXT: SPF, DKIM, DMARC records
- NS: Nameserver records
- SOA: Start of authority
Traffic Routing and Flow
Web Traffic Flow (HTTP/HTTPS)
1. Client Browser
↓ DNS Resolution
2. ns1 or ns2 (DNS query for domain)
↓ Returns [EU1-IP]
3. Client Browser connects to [EU1-IP]:443
↓ TLS Handshake
4. CSF Firewall (eu1.cp)
↓ Connection Tracking
5. Apache/nginx Virtual Host Matching
↓ Routes to correct website
6. PHP Application (WordPress, etc.)
↓ Database Query (if needed)
7. MySQL/MariaDB (localhost:3306)
↓ Result Set
8. PHP Application
↓ Render Response
9. Apache/nginx
↓ HTTP Response
10. Client Browser
Performance Optimizations:
- Keep-alive connections enabled
- HTTP/2 support (via nginx)
- Gzip compression enabled
- Static asset caching
- Let's Encrypt certificate caching
Email Traffic Flow (Inbound)
1. Sender's Mail Server
↓ DNS MX Lookup
2. ns1 or ns2 (returns MX: mail.domain.com → [EU1-IP])
↓
3. Sender connects to [EU1-IP]:25
↓ SMTP Connection
4. CSF Firewall (eu1.cp)
↓ Connection tracking, port-25 connection limits (the firewall sees packets, not mail)
5. Exim (SMTP Server)
↓ RBL lookup, SPF and DKIM checks at SMTP time, then hand-off for content scanning
6. SpamAssassin
↓ Spam Score
7. Exim (delivery decision)
↓ Route to mailbox
8. Dovecot (IMAP/POP3 Storage)
↓ Store in maildir
9. Client Mail Application (IMAP:993)
↓ Fetch Messages
10. User's Device
Email Security Checks:
- SPF (Sender Policy Framework) validation
- DKIM (DomainKeys Identified Mail) verification
- RBL (Real-time Blackhole List) checks
- SpamAssassin content filtering
- Greylisting (optional, not currently enabled)
- Rate limiting per sender
Email Traffic Flow (Outbound)
1. Client Mail Application
↓ SMTP Submission (port 587)
2. Authenticate with username/password
↓ TLS Required
3. CSF Firewall (port 587 open to all; authentication is enforced by Exim, not the firewall)
↓
4. Exim (SMTP Submission: AUTH required, TLS required)
↓ DKIM Signing
5. Exim applies DKIM signature
↓ Queue for delivery
6. DNS Lookup for recipient MX
↓
7. Connect to recipient's mail server
↓ Deliver via SMTP
8. Recipient's Mail Server
Outbound Security:
- Authenticated SMTP required (no open relay)
- TLS encryption enforced
- DKIM signing for all outbound mail
- SPF records published
- DMARC policy published
- Rate limiting to prevent abuse
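"SPF records published" and "DMARC policy published" are only useful if the records are well-formed: two SPF records, a `+all`, more than ten lookup mechanisms, or a DMARC record without a usable `p=` tag each make receivers treat the domain as having no policy at all. The script below is an added example, not MDHosting's own tooling. The validators take the raw TXT record text, so they run offline; `fetch_txt` wraps dig for live use and joins the quoted chunks dig prints for long records. All sample records are constructed.

```shell
#!/bin/sh
# SPF and DMARC record validation. Added example, not MDHosting tooling.

# validate_spf "TXT records, one per line" -> OK/FAIL lines; exit 1 if the policy is unsafe
validate_spf() {
    printf '%s\n' "$1" | awk '
        /^v=spf1/ { n++; rec = $0 }
        END {
            if (n != 1) { printf "FAIL spf: %d v=spf1 records (receivers permerror on 0 or >1)\n", n; exit 1 }
            rc = 0
            t = split(rec, tok, " ")
            lookups = 0
            for (i = 2; i <= t; i++) {
                m = tok[i]; sub(/^[+~?-]/, "", m)      # drop the qualifier
                # mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps them at 10)
                if (m ~ /^(include:|a$|a:|a\/|mx$|mx:|mx\/|ptr|exists:|redirect=)/) lookups++
            }
            last = tok[t]
            if (last == "-all" || last == "~all") printf "OK   spf: ends with %s\n", last
            else { printf "FAIL spf: must end with -all or ~all, got \"%s\"\n", last; rc = 1 }
            if (lookups > 10) { printf "FAIL spf: %d lookup mechanisms, limit is 10 (permerror)\n", lookups; rc = 1 }
            else printf "OK   spf: %d lookup mechanisms\n", lookups
            exit rc
        }'
}

# validate_dmarc "TXT records, one per line" -> OK/WARN/FAIL lines; exit 1 if no usable policy
validate_dmarc() {
    printf '%s\n' "$1" | awk '
        /^v=DMARC1/ { n++; rec = $0 }
        END {
            if (n != 1) { printf "FAIL dmarc: %d v=DMARC1 records, need exactly 1\n", n; exit 1 }
            rc = 0; p = ""; rua = ""
            t = split(rec, tag, ";")
            for (i = 1; i <= t; i++) {
                s = tag[i]; gsub(/^ +| +$/, "", s)
                if (s ~ /^p=/)   p = substr(s, 3)
                if (s ~ /^rua=/) rua = substr(s, 5)
            }
            if (p == "reject" || p == "quarantine") printf "OK   dmarc: p=%s\n", p
            else if (p == "none") printf "WARN dmarc: p=none only reports; spoofed mail is still delivered\n"
            else { printf "FAIL dmarc: missing or invalid p= tag\n"; rc = 1 }
            if (rua == "") printf "WARN dmarc: no rua= address, aggregate reports are discarded\n"
            else printf "OK   dmarc: aggregate reports to %s\n", rua
            exit rc
        }'
}

# Live use: pull the records with dig and validate them.
fetch_txt() { dig +short "$1" TXT | sed 's/^"//; s/"$//; s/" "//g'; }
check_domain() {
    rc=0
    validate_spf "$(fetch_txt "$1")" || rc=1
    validate_dmarc "$(fetch_txt "_dmarc.$1")" || rc=1
    return $rc
}

if [ -n "${1:-}" ]; then
    check_domain "$1"                      # sh mail_auth_check.sh mdhosting.co.uk
else                                       # constructed samples: a good pair, then a bad SPF
    validate_spf 'v=spf1 mx a include:_spf.example.net ip4:203.0.113.10 -all'
    validate_dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s'
    validate_spf 'v=spf1 a mx include:a.example +all' || echo "(rejected, as it should be)"
fi
```

Run `check_domain` for mdhosting.co.uk and for each client domain that sends mail through eu1.cp; a client with `p=none` is not misconfigured, but it is the domain most likely to be spoofed, which is worth knowing when a bounce complaint arrives.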
SSH Administrative Access
1. Administrator's Device
↓ SSH Client
2. SSH Key Loaded (private key)
↓ Connect to [SERVER-IP]:[Custom Port]
3. CSF Firewall (netfilter)
↓ Source checked against the allow list (if configured) and the CSF/LFD deny list
4. Fail2Ban
↓ Source checked against the Fail2Ban ban rules (also netfilter, inserted after earlier failures)
5. SSH Daemon (sshd)
↓ Public Key Authentication
6. Verify SSH Key (authorized_keys)
↓ Key Valid
7. Shell Access Granted
↓
8. Interactive Shell (bash)
SSH Security:
- Password authentication disabled
- SSH key authentication only
- Non-standard port (reduces scanner noise; not a control in itself)
- Fail2Ban and LFD block repeated failures
- IP whitelisting (where practical)
- SSH protocol 2 only (current OpenSSH no longer ships protocol 1 at all)
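The list above is a policy; the way to confirm it is in force is `sshd -T`, which prints the effective settings after every Include and Match block has been applied. Reading sshd_config is not enough: a drop-in under `sshd_config.d/` installed by a package, or a later Match block, can turn password logins back on without touching the main file. The audit below is an added example, not MDHosting's own tooling; it reads `sshd -T` output from stdin and fails if any documented control is missing. The sample output is constructed and the port 22022 is hypothetical. Keyboard-interactive authentication is checked as well, because on a PAM system it is a second password path that `PasswordAuthentication no` alone does not close.

```shell
#!/bin/sh
# Effective-sshd-configuration audit. Added example, not MDHosting tooling.
# Input: "sshd -T" output (run as root). Sample below is constructed.

# audit_sshd < "sshd -T" output -> OK/FAIL lines; exit 1 on any FAIL
audit_sshd() {
    awk '
        BEGIN { bad = 0 }
        { v[$1] = $2; if ($1 == "port") ports = ports " " $2 }
        function want(key, expect, why) {
            if (v[key] == expect) printf "OK   %-30s %s\n", key, v[key]
            else { printf "FAIL %-30s \"%s\" (want %s: %s)\n", key, v[key], expect, why; bad = 1 }
        }
        END {
            want("passwordauthentication", "no", "password logins must be rejected")
            # OpenSSH before 8.7 (the AlmaLinux 8 build) reports this setting under its old name
            kbd = ("kbdinteractiveauthentication" in v) ? "kbdinteractiveauthentication" : "challengeresponseauthentication"
            want(kbd, "no", "keyboard-interactive is a second password path via PAM")
            want("pubkeyauthentication", "yes", "keys are the only login method left")
            want("permitemptypasswords", "no", "never accept an empty password")
            if (v["permitrootlogin"] == "yes") {
                printf "FAIL %-30s yes (want prohibit-password or no)\n", "permitrootlogin"; bad = 1
            } else printf "OK   %-30s %s\n", "permitrootlogin", v["permitrootlogin"]
            if (ports ~ /(^| )22( |$)/) {
                printf "FAIL port 22 is still bound; the custom-port policy is not in effect\n"; bad = 1
            } else printf "OK   %-30s%s\n", "port", ports
            exit bad
        }'
}

# Constructed "sshd -T" excerpt for a host that follows the documented policy.
GOOD_SSHD='port 22022
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3'

if [ "${1:-}" = "--live" ]; then
    sshd -T | audit_sshd          # needs root: sshd -T reads the host keys
else
    printf '%s\n' "$GOOD_SSHD" | audit_sshd
fi
```

A sensible place for this is the monthly firewall review: `sudo sshd -T | sh sshd_audit.sh` on each of the three hosts, with a non-zero exit treated as a finding.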
Network Performance
Bandwidth Allocation
| Server | Monthly Bandwidth | Average Usage | Peak Usage |
|---|---|---|---|
| eu1.cp (Hosting) | 20 TB | ~2 TB (10%) | ~5 TB (25%) |
| ns1 (DNS) | 20 TB | <100 GB (<1%) | <500 GB (<3%) |
| ns2 (DNS) | 20 TB | <100 GB (<1%) | <500 GB (<3%) |
Bandwidth Monitoring:
- Hetzner provides bandwidth graphs
- cPanel bandwidth tracking per account
- No overage charges (included in server cost)
- Alerts configured for 80% usage
Latency Measurements
From UK (London):
- DNS queries to ns1/ns2: <10ms
- HTTPS to eu1.cp: 15-25ms
- SMTP to eu1.cp: 15-25ms
From Germany (Falkenstein DC):
- All services: <5ms (same datacentre)
From US East Coast:
- All services: 80-100ms
Network Quality
Packet Loss: <0.1% (Hetzner SLA)
Jitter: <5ms
Uptime: 99.98% (measured)
Network Monitoring
Current Monitoring
Server-Level Monitoring:
- cPanel server status (CPU, RAM, disk, bandwidth)
- Load average monitoring
- Disk space alerts (80% threshold)
- Service status monitoring (Apache, MySQL, Exim)
Network-Level Monitoring:
- Basic uptime checks (HTTP, DNS)
- No comprehensive network monitoring currently deployed
Planned Monitoring (Wazuh Deployment)
Network Monitoring Capabilities:
- Real-time traffic analysis
- Intrusion detection (IDS)
- Anomaly detection
- Connection tracking and logging
- Firewall log analysis
Metrics to Track:
- Connections per second by service
- Bandwidth usage by service
- Failed connection attempts
- Blocked IPs (Fail2Ban, CSF)
- SSL/TLS handshake failures
Alerting Thresholds:
- Connection rate >1000/sec (potential DDoS)
- Failed SSH attempts >10/min from single IP
- Bandwidth usage >80% monthly allocation
- Service downtime >5 minutes
See Security Monitoring for comprehensive monitoring documentation.
VPN and Secure Access
Current Access Method
SSH Key-Based Access:
- All administrative access via SSH with key authentication
- Keys generated with Ed25519 algorithm (modern, secure)
- Private keys stored on administrator devices only
- No VPN currently deployed
SSH Key Management:
- Keys rotated annually
- Old keys revoked immediately
- Separate keys per administrator (if team expands)
- Keys never shared via email or insecure channels
Planned: VPN Access
Use Case for VPN:
- Secure access to management interfaces
- IP whitelisting without exposing home IP
- Encrypted tunnel for sensitive operations
- Access from untrusted networks
VPN Technology Options:
- WireGuard (modern, fast, secure)
- OpenVPN (mature, well-supported)
- Tailscale (WireGuard-based, easy management)
Implementation Timeline: Q3 2025 (after ApisCP migration)
Network Troubleshooting
Common Issues and Resolution
Issue 1: DNS Resolution Failures
Symptoms:
- Domains not resolving
- DNS queries timing out
- "Server not found" errors
Diagnosis:
# Check DNS server status
systemctl status named # or systemctl status pdns for PowerDNS
# Test DNS resolution
dig @[NS1-IP] example.com
dig @[NS2-IP] example.com
# Check zone files
named-checkzone example.com /var/named/example.com.db
# Check firewall
csf -g [CLIENT-IP] # Check if IP is blocked
Common Causes:
- DNS service stopped
- Zone file syntax errors
- Firewall blocking port 53
- Incorrect nameserver configuration
Resolution:
- Restart DNS service: systemctl restart named
- Fix zone file syntax
- Whitelist IP if incorrectly blocked
- Verify NS records point to correct IPs
Issue 2: SSH Connection Refused
Symptoms:
- "Connection refused" when connecting via SSH
- Timeout when connecting to SSH port
- Locked out after failed attempts
Diagnosis:
# Check SSH service (from console/rescue)
systemctl status sshd
# Check firewall rules
csf -g [YOUR-IP]
grep [YOUR-IP] /etc/csf/csf.deny
# Check Fail2Ban
fail2ban-client status sshd
fail2ban-client get sshd banned
Common Causes:
- SSH service stopped
- IP blocked by Fail2Ban or CSF
- Wrong port number
- Firewall rule misconfiguration
Resolution:
- Start SSH service: systemctl start sshd
- Unblock IP: csf -dr [YOUR-IP] or fail2ban-client set sshd unbanip [YOUR-IP]
- Verify correct custom port
- Check SSH is listening: ss -tlnp | grep sshd (netstat lives in net-tools, which a minimal AlmaLinux 8 install does not include)
Issue 3: Website Not Loading (HTTP/HTTPS)
Symptoms:
- 502 Bad Gateway
- 503 Service Unavailable
- Connection timeout
Diagnosis:
# Check Apache status
systemctl status httpd
# Check nginx status (if proxy)
systemctl status nginx
# Check resource usage
top
df -h # Disk space
free -m # Memory
# Check Apache error log
tail -f /usr/local/apache/logs/error_log
# Check virtual host configuration
httpd -S # List all virtual hosts
Common Causes:
- Apache or nginx stopped
- Out of disk space
- Out of memory
- PHP-FPM pools exhausted
- Database connection failures
Resolution:
- Restart web server: systemctl restart httpd
- Free up disk space (clear logs, old backups)
- Restart PHP-FPM if stuck
- Check MySQL connection: mysql -u root -p
- Review error logs for specific errors
Issue 4: Email Delivery Failures
Symptoms:
- Outbound email not delivered
- Inbound email bouncing
- "Relay access denied" errors
Diagnosis:
# Check Exim status
systemctl status exim
# Check mail queue
exim -bp
# Check Exim logs
tail -f /var/log/exim_mainlog
# Test SMTP connection
telnet [EU1-IP] 25
telnet [EU1-IP] 587
# Check SPF/DKIM records
dig TXT example.com
dig TXT default._domainkey.example.com
Common Causes:
- Exim service stopped
- IP on RBL (blacklisted)
- SPF/DKIM misconfiguration
- Authentication failures
- Disk quota exceeded
Resolution:
- Restart Exim: systemctl restart exim
- Check RBL status and request delisting
- Verify SPF and DKIM records
- Clear mail queue if stuck: exim -qff
- Check disk quotas: repquota -a
Issue 5: High Network Traffic / DDoS
Symptoms:
- Sl,ow response times
- High bandwidth usage
- Connection timeouts
- Server load spike
Diagnosis:
# Check current connections (ss ships with AlmaLinux 8; netstat needs net-tools)
ss -Htn state established '( sport = :80 )' | wc -l
ss -Htn state established '( sport = :443 )' | wc -l
# Check top IP connections (strip the port with sed so IPv6 peers are counted correctly)
ss -Htn | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -n
# Check CSF connection tracking
csf -t
# Check bandwidth usage
vnstat -h # Hourly
vnstat -d # Daily
# Check Apache access log for patterns. tail -f never terminates, so a sort behind it
# never prints; use a fixed window of recent lines instead.
tail -n 10000 /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 20
Common Causes:
- DDoS attack (volumetric or application-layer)
- Legitimate traffic spike
- Bot traffic
- Single IP making many requests
Resolution:
- Block attacking IPs: csf -d [IP] "DDoS attack"
- Enable connection rate limiting in CSF
- Contact Hetzner for volumetric DDoS mitigation
- Implement caching (Cloudflare, Varnish)
- Rate limit at Apache level (mod_evasive)
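The one-liners above show who is busiest; what an operator needs during an incident is a repeatable way to turn that into block commands without blocking the uptime monitor or their own address. The script below is an added example, not MDHosting's own tooling. It counts requests per client IP per minute in Apache combined-format logs, reports every IP whose busiest minute exceeds a threshold, and prints `csf -td` temporary-block commands for them rather than the permanent `csf -d` used above, so a misjudged block expires on its own. The log lines are constructed: a login brute-forcer, a normal visitor, and an allowlisted monitor that is noisy but legitimate.

```shell
#!/bin/sh
# Web-flood triage: per-minute request peaks per client, with reviewable CSF commands.
# Added example, not MDHosting tooling. The sample log is constructed.

# top_talkers THRESHOLD "ALLOWLIST IPS" < access_log
# Prints "<peak-requests-in-one-minute> <ip>" for every offender, busiest first.
top_talkers() {
    awk -v thr="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # $1 is the client IP; $4 is "[15/Jan/2026:10:23:45", and chars 2-18 are the minute
        { c[$1, substr($4, 2, 17)]++ }
        END {
            for (k in c) {
                split(k, p, SUBSEP)
                if (!(p[1] in peak) || c[k] > peak[p[1]]) peak[p[1]] = c[k]
            }
            for (ip in peak) if (peak[ip] > thr && !(ip in skip)) printf "%d %s\n", peak[ip], ip
        }' | sort -rn
}

# block_commands THRESHOLD "ALLOWLIST IPS" SECONDS < access_log
# One "csf -td" line per offender. Review the output, then pipe it into sh to apply.
block_commands() {
    top_talkers "$1" "$2" | while read -r peak ip; do
        printf 'csf -td %s %s "%d requests/min to web server (auto)"\n' "$ip" "$3" "$peak"
    done
}

# Constructed log: 150 login attempts from one IP in a single minute, a visitor with
# 10 hits per minute over two minutes, and an allowlisted monitor with 200 hits per minute.
sample_log() {
    awk 'BEGIN {
        for (i = 0; i < 150; i++)
            printf "203.0.113.50 - - [15/Jan/2026:10:23:%02d +0000] \"POST /wp-login.php HTTP/1.1\" 200 1234 \"-\" \"python-requests/2.31\"\n", i % 60
        for (i = 0; i < 20; i++)
            printf "198.51.100.7 - - [15/Jan/2026:10:%02d:05 +0000] \"GET /index.php HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"\n", 23 + i % 2
        for (i = 0; i < 200; i++)
            printf "192.0.2.9 - - [15/Jan/2026:10:23:%02d +0000] \"GET /health HTTP/1.1\" 200 12 \"-\" \"uptime-check\"\n", i % 60
    }'
}

if [ "${1:-}" = "--live" ]; then   # sh web_flood.sh --live [threshold] ["allowlist ips"]
    block_commands "${2:-100}" "${3:-}" 3600 < /usr/local/apache/logs/access_log
else
    sample_log | block_commands 100 "192.0.2.9" 3600
fi
```

Per-minute peaks rather than totals are the right measure here: a crawler that makes 5000 requests over a day is not an attack, while 150 POSTs to wp-login.php in one minute is. Pick the threshold from the site's own baseline, and keep the admin address and any monitoring hosts in the allowlist so the script can never lock you out.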
Network Diagnostic Commands Reference
DNS Testing:
dig @[NS1-IP] example.com # Query specific nameserver
host example.com [NS1-IP] # Alternative DNS lookup
nslookup example.com [NS1-IP] # Interactive DNS lookup
Connectivity Testing:
ping [SERVER-IP] # Basic connectivity
traceroute [SERVER-IP] # Path to server
mtr [SERVER-IP] # Combined ping/traceroute
telnet [SERVER-IP] [PORT] # Test specific port
nc -zv [SERVER-IP] [PORT] # Netcat port test
Network Interface Status:
ip addr show # IP addresses and interfaces
ip route show # Routing table
ip link show # Link status
ethtool eth0 # Interface details
Active Connections:
ss -tulpn # Listening ports (netstat -tulpn if net-tools is installed)
ss -tn state established # Active connections
ss -s # Socket statistics
lsof -i :[PORT] # What's using a port
Firewall Status:
csf -l # List CSF rules
csf -g [IP] # Check if IP is allowed/blocked
iptables -L -n -v # List iptables rules
fail2ban-client status # Fail2Ban status
Network Security Best Practices
Ongoing Security Measures
1. Regular Security Audits:
- Monthly firewall rule review
- Quarterly network penetration testing (planned)
- Annual comprehensive security assessment
- CSF configuration review after changes
2. Access Control:
- Maintain SSH key inventory
- Rotate SSH keys annually
- Review and remove unused keys immediately
- IP whitelist for sensitive services
3. Monitoring and Logging:
- Enable connection logging on all services
- Centralised log aggregation (Wazuh planned)
- Set up alerts for suspicious activity
- Regular log review (weekly)
4. Patch Management:
- Apply OS security updates within 7 days
- Apply critical patches within 24 hours
- Test patches in staging before production (when possible)
- Maintain package update schedule
5. Incident Response:
- Document network baseline for anomaly detection
- Maintain incident response procedures
- Test incident response quarterly
- Keep emergency contact information current
See Incident Response Procedures for comprehensive incident handling.
Documentation Maintenance
Review Schedule:
- Monthly: Firewall rules, active connections, bandwidth usage
- Quarterly: Network architecture diagram, DNS configuration
- Annually: Complete network documentation review
Update Triggers:
- New server added or removed
- Firewall rule changes
- DNS architecture changes (PowerDNS migration)
- Security incident affecting network
- Service migration or reconfiguration
Document Status: ✅ Complete - Comprehensive network architecture documentation
Last Updated: January 2026
Next Review: April 2026
Document Owner: Matthew Dinsdale (Director)
Contact: admin@mdhosting.co.uk
This document provides detailed network architecture, security configuration, and troubleshooting procedures for MDHosting Ltd infrastructure. It should be reviewed quarterly and updated when network changes occur.