Server networking checklist before go-live

Topic: Networking basics

Summary

Before putting a server into production, verify IP and DNS, routing, firewall, and SSH: whether the address is static or DHCP, the nameservers in resolv.conf or systemd-resolved, the default route, the listening ports, a firewall that allows only SSH and required services, and a login test from a second session. Use this so you do not ship with a wrong IP, open ports, or locked-out SSH. This checklist draws on multiple networking-basics guides.

Intent: Checklist

Quick answer

  • IP and DNS: confirm static or DHCP is correct; /etc/resolv.conf or systemd-resolved has the right nameservers; getent hosts and dig work. Default route and routing table are correct for the environment.
  • Firewall: default deny inbound; allow SSH (and only required service ports); allow established/related; verify with ufw status or nft list ruleset; test from a client that allowed ports work and others do not.
  • SSH: confirm sshd listens on the port you allowed; open a second session and log in before closing the first; document the allowed port and any change (e.g. non-default port) so others can access.

Prerequisites

Steps

  1. IP, DNS, and routing

    Confirm IP (static or DHCP), subnet, and gateway. Check /etc/resolv.conf or resolvectl for nameservers; run getent hosts and dig. Confirm default route (ip route) and that the routing table is correct for the environment.

  2. Listening ports and firewall

    List listening ports with ss -tlnp; allow only SSH and required services (e.g. 80, 443). Set default deny inbound; allow established/related; allow those ports. Run ufw status or nft list ruleset; test allowed ports from a client and confirm others are blocked.

  3. SSH and access

    Ensure sshd listens on the port you allowed (e.g. 22); if changed, allow that port. Open a second SSH session and log in before closing the first. Document the SSH port and any access requirements so the team can reach the server.

  4. Document and hand off

    Record static IP, DNS, firewall rules, and SSH port; add to runbook or CMDB. Run through the checklist once more; then mark the server ready for go-live.
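
Steps 1 and 2 as a script, added here as an example and not part of the original checklist: it flags listening TCP ports that are bound beyond loopback but missing from the allow-list, and reports the default gateway. The function names, the ALLOWED_PORTS value and the sample ss / ip route output are constructed assumptions; pass --live to read the real commands on the host instead.

```shell
#!/bin/sh
# Added example: go-live audit helpers. Function names, the allow-list and
# the sample data below are constructed for illustration.

ALLOWED_PORTS="22 80 443"   # assumption: SSH plus the 80/443 named in step 2

# Print non-loopback listening TCP ports that are not on the allow-list.
# $1: space-separated allowed ports; stdin: output of `ss -tln`.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)            # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only, skip
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n | paste -sd' ' -
}

# Print the default gateway (empty if none); stdin: output of `ip route`.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Constructed sample input (documentation addresses, not a real host).
SS_OUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      4096   *:9100             *:*
LISTEN 0      244    0.0.0.0:5432       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
ROUTE_OUT='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

if [ "${1:-}" = "--live" ]; then   # audit this host instead of the samples
    SS_OUT=$(ss -tln); ROUTE_OUT=$(ip route)
fi
echo "unexpected listeners: $(printf '%s\n' "$SS_OUT" | unexpected_listeners "$ALLOWED_PORTS")"
echo "default gateway: $(printf '%s\n' "$ROUTE_OUT" | default_gateway)"
```

The script reads socket state only, not firewall rules, so a port it reports may still be blocked by ufw or nftables; the client-side test in step 2 is still required.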

Summary

Before go-live, verify IP and DNS, routing, firewall (SSH and required ports only), and SSH access in a second session. Use this checklist so you do not ship with wrong IP, open ports, or locked-out SSH.

Steps

Step 1: IP, DNS, and routing

Confirm IP, subnet, and gateway. Check nameservers and run getent/dig. Confirm default route and routing table.

Step 2: Listening ports and firewall

List listening ports; allow only SSH and required services. Default deny inbound; allow established/related and those ports. List rules and test from a client.

Step 3: SSH and access

Ensure sshd listens on the allowed port. Open a second SSH session and log in. Document the SSH port and access requirements.

Step 4: Document and hand off

Record IP, DNS, firewall rules, and SSH port. Run the checklist again; then mark ready for go-live.

Verification

  • IP, DNS, and routing are correct; firewall allows only required ports; SSH works and is documented.

Troubleshooting

  • Wrong IP or no default route: See How to configure a static IP and How to inspect the routing table.
  • Locked out: Use console; allow SSH and reload firewall.
  • DNS fails: See How to fix broken DNS on Linux and DNS checklist.
