You're staring at a terminal. Something's not resolving. Practically speaking, a service isn't responding. You type netstat -tuln and see a wall of port numbers — 22, 53, 80, 443, 3306, 5432, 6379 — and you're supposed to just know what each one does, why it matters, and what happens when it breaks.
This changes depending on context. Keep that in mind.
Most people don't. They memorize port numbers for an exam, then forget them the moment they hit production.
Here's the thing: network services aren't abstract concepts. They're the plumbing of every system you touch. In real terms, web servers, databases, name resolution, time sync, file sharing, remote access — they all run on top of these services. And when something goes sideways at 2 AM, the difference between guessing and knowing is the difference between a five-minute fix and a four-hour war room.
So let's actually learn them. Not as a list. As things you'll use.
What Are Network Services
A network service is any program that listens on a port, speaks a protocol, and does something useful for other machines (or processes) on the network. So that's it. No magic Simple, but easy to overlook..
Some run on well-known ports (0–1023) — the ones IANA assigns. Think about it: hTTP on 80. Still, hTTPS on 443. SSH on 22. DNS on 53. These are standardized so clients don't have to guess.
Others live in the registered range (1024–49151) — PostgreSQL on 5432, MySQL on 3306, Redis on 6379. And then there's the ephemeral range (49152–65535) where clients pick random source ports for outbound connections Turns out it matters..
But a port number is just a door. Even so, the service is what's behind it. And the protocol is the language they speak Worth keeping that in mind..
The Three Pieces You Actually Need to Know
Every network service has three moving parts:
- The daemon — the process running in the background.
sshd,nginx,mysqld,named. This is what you start, stop, restart, and monitor. - The protocol — the rules of conversation. TCP or UDP (usually). HTTP, DNS, SSH, TLS, NTP. This determines how clients talk to it.
- The port — the address. Combined with an IP, it forms a socket. One service per port per IP (mostly).
Miss any of these, and you're troubleshooting blind.
Why This Stuff Actually Matters
You might think, "I'm a developer / DevOps / whatever — I just deploy containers. The platform handles networking."
Until it doesn't Easy to understand, harder to ignore..
A container can't reach the database. In real terms, wrong port in the connection string? Is it a firewall rule? But dNS resolution failing inside the cluster? So the database isn't listening on the right interface? The service mesh sidecar crashing?
All of these are network service problems. And they show up everywhere:
- Security audits — "Why is port 3306 open to the world?" Because someone bound MySQL to
0.0.0.0instead of127.0.0.1or a private IP. - Performance tuning — Your app is slow.
netstatshows thousands ofTIME_WAITconnections. That's not the database — that's your connection pool not reusing connections. - Compliance — PCI DSS, HIPAA, SOC2 all care about which services expose what and how they're secured.
- Incident response — Something's beaconing out on port 443. Is it legitimate HTTPS? A reverse shell over TLS? Malware using DNS tunneling on port 53?
You don't need to be a network engineer. But you do need to recognize the usual suspects, know their default behaviors, and spot when something looks wrong But it adds up..
The Core Services You'll See Everywhere
Let's walk through the ones that show up in almost every environment. Not an exhaustive list — the ones that matter.
SSH (Port 22, TCP)
Secure Shell. The universal remote access tool for Linux/Unix. Encrypted, authenticated, ubiquitous.
What it does: Gives you a shell. Tunnels traffic. Copies files (scp, sftp). Runs commands remotely. Git over SSH. Ansible. Your CI/CD pipeline deploying to prod.
Key features:
- Public key authentication (please use this, disable password auth)
- Port forwarding — local, remote, dynamic (SOCKS proxy)
- Multiplexing —
ControlMasterlets you reuse connections - Subsystems —
sftpis one, but you can define custom ones
What goes wrong:
- Brute force on port 22 (use fail2ban, change the port, or better — key-only + bastion host)
Permission denied (publickey)— usually wrong key, wrong user, orAuthorizedKeysFilepath mismatch- Connection drops —
ClientAliveInterval/ServerAliveIntervalkeeps idle sessions alive
Pro tip: ssh -v (or -vv, -vvv) is your best friend. Read the debug output. It tells you exactly which key it tried, which auth method failed, whether the host key matched.
DNS (Port 53, UDP and TCP)
Domain Name System. The phone book. Except it's distributed, cached, hierarchical, and mostly invisible until it breaks.
What it does: Resolves names to IPs (A/AAAA records), aliases (CNAME), mail servers (MX), text records (TXT for SPF/DKIM/DMARC), service discovery (SRV), and more That alone is useful..
Key features:
- UDP for queries under 512 bytes (most of them)
- TCP for zone transfers (AXFR/IXFR) and large responses (DNSSEC, big TXT records)
- Recursive vs authoritative — your laptop talks to a recursive resolver (1.1.1.1, 8.8.8.8, your ISP); that resolver walks the tree to authoritative servers
- Caching — TTL controls how long answers live. Low TTL = fast changes, high load. High TTL = stale data during migrations.
What goes wrong:
- "It works on my machine" — different resolver, different cache
- DNSSEC validation failures — clock skew, broken chain, missing DS record
- Split-horizon DNS — internal vs external answers differ. Great for security, confusing for debugging.
- NXDOMAIN vs SERVFAIL — the former means "doesn't exist," the latter means "server error." Big difference.
Tool you need: dig +trace example.com walks the full delegation chain. dig @1.1.1.1 example.com queries a specific resolver. Learn these.
HTTP/HTTPS (Ports 80/443, TCP)
The web. You know this. But do you know what the server actually does?
What it does: Listens for requests, routes them, serves static files, proxies to app servers, terminates TLS, enforces headers, logs access.
Key features:
- Virtual hosts — one IP, many domains.
Hostheader (HTTP/1.1) or SNI (TLS) tells the server which site. - Reverse proxy —
Reverse proxy — the component that sits between the client and the backend services, acting as a gatekeeper and traffic director. It terminates the client’s TLS session, inspects the HTTP request, and then forwards the request to one or more application servers based on rules such as the host header, URL path, or even the client’s IP address. By consolidating TLS termination at the edge, the proxy reduces the load on the backend instances and enables features like HTTP/2 multiplexing, request rewriting, and response caching without requiring changes to the application code.
Honestly, this part trips people up more than it should.
Important capabilities include:
- Virtual host support – a single listener can serve many domains by inspecting the
Hostheader (HTTP/1.1) or the Server Name Indication (SNI) extension (TLS). This allows multiple sites to coexist on the same IP address and IP port. - Load balancing and health checking – the proxy can distribute requests across a pool of back‑ends, periodically probing their health endpoints to remove unhealthy nodes automatically.
- TLS termination and re‑encryption – after decrypting inbound traffic, the proxy can optionally re‑encrypt it before sending it to the back‑ends, which is useful when the back‑ends run in isolated networks or when different cipher suites are required for internal traffic.
- Request/response manipulation – headers can be added, removed, or altered; URLs can be rewritten for A/B testing or routing to maintenance pages; responses can be cached at the edge to reduce downstream load.
Common pitfalls that surface when the proxy is mis‑configured:
- SNI mismatches – if the client presents a certificate that does not cover the requested hostname, the proxy may reject the TLS handshake, resulting in “connection reset” or “SSL handshake failure” errors.
- Incorrect certificate chain – an incomplete chain can cause browsers to display certificate warnings, and some strict validation libraries may outright abort the connection.
- Header‑injection vulnerabilities – allowing user‑controlled input to influence response headers can open the door to HTTP response splitting attacks.
- Health‑check misconfiguration – a poorly defined health endpoint may report a service as healthy while it is actually unable to process traffic, leading to traffic being sent to dead nodes.
To verify that the proxy behaves as expected, use tools that can see both the client‑side and server‑side traffic. curl -v or wget with verbose output will show the exact request path and any redirects, while openssl s_client -connect host:443 -servername host reveals the TLS parameters that the proxy presents. For deeper inspection, tcpdump or wireshark captures can confirm that TLS termination truly occurs at the proxy and that the subsequent traffic to the back‑ends is correctly encrypted or plain, depending on the configuration And it works..
It sounds simple, but the gap is usually here.
Beyond the proxy itself, a solid CI/CD pipeline benefits from additional observability layers:
- Structured logging – centralizing logs from the proxy, application servers, and the CI agents enables correlation of events such as failed deployments, certificate expirations, or sudden traffic spikes.
- Metrics collection – exposing request latency, error rates, and connection counts via Prometheus or similar systems helps detect regressions early.
- Automated certificate management – integrating with ACME clients (e.g., certbot) ensures that certificates are renewed without manual intervention, preventing outages caused by expired certs.
- Graceful reloads – using the proxy’s reload mechanism (e.g.,
nginx -s reload) allows configuration changes to take effect without dropping existing connections, which is crucial during rolling deployments.
In a nutshell, mastering the interplay between SSH access, DNS resolution, and HTTP/HTTPS communication forms the backbone of a reliable production environment. Worth adding: by securing SSH with key‑only authentication and bastion routing, leveraging DNS tools like dig +trace to verify delegation and caching behavior, and configuring a reverse proxy that handles TLS termination, load balancing, and request routing, you eliminate many of the common failure modes that disrupt CI/CD pipelines. Coupled with proactive monitoring, automated certificate renewal, and disciplined logging, these practices create a resilient foundation that keeps deployments smooth, services available, and incidents easy to diagnose.