// MASTER ROADMAP v2.0 — SYSTEM & NETWORK ENGINEERING

SYSTEM & NETWORK ENGINEERING

FOUNDATION → NETWORKING → SYSADMIN → CLOUD → DEVOPS → SECURITY
01 🌐 NETWORKING
02 🖥️ SYSTEMS (SYSADMIN)
03 ☁️ INFRASTRUCTURE & MODERN

// LEARNING PATH — 4 LEVELS

LEVEL 01 · BEGINNER: OSI · Linux · IP/DNS
LEVEL 02 · INTERMEDIATE: Networking · Server · Monitoring
LEVEL 03 · ADVANCED: Cloud · Docker · Security
LEVEL 04 · EXPERT: Distributed · HA · Infra Design
🧱 REQUIRED
🧠 CORE NETWORK CONCEPTS
IP Address (IPv4 / IPv6): 32-bit (v4) and 128-bit (v6) address structure, hexadecimal notation, dual-stack
MAC Address: Layer 2 physical address, 48-bit, OUI (Organizationally Unique Identifier)
DNS (Domain Name System): A, AAAA, CNAME, MX, NS, TXT record types; recursive vs iterative queries; TTL
DHCP: DORA process (Discover→Offer→Request→Acknowledge), lease time, scope, exclusions
NAT (Network Address Translation): static / dynamic / PAT (masquerade), private IP → public IP translation
Gateway (Default Gateway): default gateway, inter-VLAN routing, the next-hop concept
Ports: well-known (0-1023), registered (1024-49151), dynamic (49152-65535) port ranges
Critical Ports: 22 SSH · 80 HTTP · 443 HTTPS · 53 DNS · 25 SMTP · 3306 MySQL · 5432 PostgreSQL
🌐 OSI MODEL — YOUR DEBUGGING MINDSET
7 Application: HTTP, HTTPS, DNS, SMTP, FTP, SSH; the endpoint of user data
6 Presentation: TLS/SSL encryption, data encoding, compression (JPEG, MP4 formats)
5 Session: session management, NetBIOS, RPC; connection setup/teardown
4 Transport: TCP (reliable, 3-way handshake) / UDP (fast, connectionless); segments/datagrams
3 Network: IP routing, ICMP, packets; routers operate at this layer
2 Data Link: MAC addressing, Ethernet frames, ARP, switches; VLANs live at this layer
1 Physical: cables, fiber, RF signals, hubs; bit streams, voltage levels
💡 Debug Mindset: when something breaks, work upward from Layer 1. Is the cable in? → Is the link up? → Is there an IP? → Is there a route? → Is the port open? → Does the application respond?
🐧 LINUX (MANDATORY)
Filesystem Hierarchy: /etc (config) · /var (logs, data) · /home (users) · /proc (kernel) · /tmp
Package Managers: apt (Debian/Ubuntu) · yum/dnf (RHEL/CentOS) · pacman (Arch) · zypper (SUSE)
Service Management: systemctl start/stop/enable/status · journalctl -u service · service logs
Permission System: chmod (rwx octal), chown (user:group), umask, SUID/SGID/sticky bit
ls -la /etc/nginx/
grep -r "error" /var/log/nginx/ | tail -50
chmod 600 ~/.ssh/authorized_keys && chown $USER ~/.ssh/
systemctl enable --now nginx && journalctl -fu nginx
ps aux | grep nginx | awk '{print $1, $2, $11}'
htop -u www-data -d 5
Goal: connect over SSH → install Nginx → write the config → read the logs → manage the service. Repeat this loop until it is second nature.
🪟 WINDOWS SERVER (OPTIONAL BUT VALUABLE)
Active Directory (AD DS): domain, forest, OU structure, user/group management, Kerberos authentication
Group Policy (GPO): centralized configuration management, password policy, software deployment
Windows DNS Server: forward/reverse lookup zones, AD-integrated DNS, conditional forwarding
PowerShell Administration: Get-ADUser, New-ADGroup, Set-GPO, Invoke-Command (remote execution)
🌐 CRITICAL
🔌 CORE NETWORK ARCHITECTURE
Subnetting: CIDR notation, /24 → 254 hosts, /30 → 2 hosts (P2P link). Efficient address plans with VLSM
CIDR (Classless Inter-Domain Routing): prefix length, supernetting, route aggregation, prefix advertisement
Routing: static routes, dynamic routing (OSPF, BGP, EIGRP), routing table, longest prefix match
Switching: Layer 2 switching, MAC table, VLAN, STP (Spanning Tree), trunk/access ports
VLAN (Virtual LAN): 802.1Q tagging, inter-VLAN routing, native VLAN, voice VLAN
VPN Technologies: IPSec (site-to-site), SSL/TLS VPN (remote access), WireGuard, OpenVPN
💡 Subnetting Exercise: split the 192.168.10.0/24 block into 4 equal networks. For each one, work out the network address, the broadcast address and the first/last host address. Practice until you can do it in 5 minutes.
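The exercise above worked through in code, as an added example that is not part of the original roadmap. It uses only the standard-library ipaddress module, splits the 192.168.10.0/24 block into 4 equal subnets, and reports network, broadcast and first/last host for each. It goes one step beyond the exercise: the /24 → 254 hosts and /30 → 2 hosts rule from the Subnetting card is generalised into a helper that picks the smallest prefix for a required host count, which is the VLSM question. The function names are my own; IPv4 only, since IPv6 has no broadcast address.

```python
"""Subnetting worked example (added here; not part of the original roadmap).

Splits an IPv4 block into equal subnets with the standard-library ipaddress
module and computes, per subnet, network, broadcast, first/last usable host
and the usable host count. Also picks the smallest prefix for N hosts (VLSM).
"""
import ipaddress
import math


def split_equally(block: str, parts: int) -> list[dict]:
    """Split `block` into `parts` equal subnets (parts must be a power of two).

    Each extra subnet bit doubles the count, so 4 subnets of a /24 are /26s.
    """
    net = ipaddress.ip_network(block, strict=True)  # strict: host bits must be zero
    if net.version != 4:
        raise ValueError("IPv4 blocks only")
    if parts < 1 or not math.log2(parts).is_integer():
        raise ValueError("parts must be a power of two")
    new_prefix = net.prefixlen + int(math.log2(parts))
    if new_prefix > 32:
        raise ValueError("block too small for that many subnets")

    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        if sub.prefixlen >= 31:
            # RFC 3021 point-to-point /31 and host /32: nothing is reserved
            first, last, usable = sub.network_address, sub.broadcast_address, sub.num_addresses
        else:
            # network and broadcast addresses are not assignable to hosts
            first = sub.network_address + 1
            last = sub.broadcast_address - 1
            usable = sub.num_addresses - 2
        rows.append({
            "network": str(sub),
            "broadcast": str(sub.broadcast_address),
            "first_host": str(first),
            "last_host": str(last),
            "usable_hosts": usable,
        })
    return rows


def smallest_prefix_for(hosts: int) -> int:
    """Return the longest IPv4 prefix that still leaves `hosts` usable addresses.

    /24 -> 254 hosts and /30 -> 2 hosts, as on the page. /31 and /32 are not
    offered because the classic two reserved addresses are assumed here.
    """
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than fit in IPv4")


if __name__ == "__main__":
    for row in split_equally("192.168.10.0/24", 4):
        print(f"{row['network']:<18} bcast {row['broadcast']:<16} "
              f"hosts {row['first_host']} - {row['last_host']} ({row['usable_hosts']})")
    print("prefix for 254 hosts:", smallest_prefix_for(254))
```

Run it as a script to see the four /26 rows; the `strict=True` check is deliberate, because a block written with host bits set (for example 192.168.10.5/24) is the most common mistake in hand-written address plans and should fail loudly rather than be silently rounded.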
📡 PROTOCOLS — GO DEEP
TCP (Transmission Control Protocol): 3-way handshake (SYN→SYN-ACK→ACK), flow control, congestion control, ordered delivery
UDP (User Datagram Protocol): connectionless, no delivery guarantee; preferred for DNS, streaming, gaming, VoIP
HTTP/HTTPS: REST methods (GET/POST/PUT/DELETE), status codes (2xx/3xx/4xx/5xx), headers, HTTP/2 & HTTP/3
SSH (Secure Shell): port 22, key-based auth (RSA/ED25519), SSH tunneling, port forwarding, SFTP
ICMP: ping (echo request/reply), traceroute, type/code fields, MTU discovery
FTP / SFTP / SCP: active vs passive FTP (the NAT problem!), SFTP (over SSH), SCP (secure copy)
TLS/SSL: handshake process, certificate validation, TLS 1.2 vs 1.3, cipher suites, mTLS
BGP (Border Gateway Protocol): the backbone of the Internet, AS numbers, eBGP vs iBGP, path selection, route policy
🔥 NETWORK DEVICES
Router: Layer 3 forwarding, routing table, NAT/PAT, WAN connectivity, ACL enforcement
Switch (Managed): VLAN config, STP, EtherChannel/LAG, QoS, port mirroring, SNMP
Firewall (Stateful): stateful inspection, zone-based policy, NAT rules, IPS/IDS integration
Load Balancer: L4 (TCP) vs L7 (HTTP) LB, round-robin/least-conn/IP-hash algorithms, health checks
WAF (Web Application Firewall): OWASP Top 10 protection, regex rule engine, rate limiting, bot protection
Proxy / Reverse Proxy: forward proxy (hides the client), reverse proxy (hides the server), SSL termination
🛠️ NETWORK TOOLS
ping · traceroute / tracert · netstat / ss · tcpdump · Wireshark · nmap · dig / nslookup · curl / wget · iperf3 · mtr · ip route · arp -n
tcpdump -i eth0 port 80 -w capture.pcap
ss -tulpn | grep :443
nmap -sS -O -p 1-65535 target.ip
dig @8.8.8.8 example.com ANY +noall +answer
mtr --report --report-cycles 10 google.com
// SCENARIO: "WHY WON'T THIS SITE LOAD?"
01 ping it → is there an ICMP reply? (Layer 3 check)
02 traceroute → where do the packets stop? (routing check)
03 nmap port scan → are 80/443 open? (firewall/service check)
04 curl -v https://site.com → what is the HTTP response? (application check)
05 dig site.com → does DNS resolve to the right IP? (DNS check)
06 read the logs → /var/log/nginx/error.log (root cause)
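The scenario above, and the "work upward from Layer 1" debug mindset from the OSI section, turned into a small triage script. This is an added example, not something from the original roadmap. It runs the checks in dependency order (DNS resolution → TCP connect to the port → HTTPS response, the dig / nmap / curl -v steps) and stops at the first layer that fails, so the verdict tells you where to look next; ping, traceroute and a full port scan stay on the command line. The probe functions are parameters so the decision logic can be exercised offline with fakes; the function names and the hostname in the usage line are my own placeholders.

```python
"""Layered "site won't load" triage (added example; not from the roadmap).

Checks in dependency order: DNS -> TCP connect -> HTTPS response, and reports
the first layer that fails, in the spirit of climbing the OSI stack from the
bottom. Probe functions are injectable so the logic can run offline.
"""
import http.client
import socket
import ssl


def resolve(host):
    """Return the addresses a host resolves to (what `dig host` shows)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip, port, timeout=3.0):
    """Open and close a TCP connection; raises OSError if the port is unreachable."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True


def https_status(host, port=443, timeout=5.0):
    """Send HEAD / over TLS (what `curl -I https://host` does); return the status code.

    Certificate verification is left on: a bad certificate is a finding, not noise.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def diagnose(host, port=443, resolver=resolve, connector=tcp_connect, fetcher=https_status):
    """Run the checks in order and return (verdict, detail).

    verdict is one of "dns", "tcp", "http" (the first failing layer) or "ok".
    """
    try:
        ips = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return "dns", f"{host} does not resolve: {exc}"
    if not ips:
        return "dns", f"{host} resolved to no addresses"

    try:
        connector(ips[0], port)
    except OSError as exc:  # refused, timeout, unreachable
        return "tcp", f"{ips[0]}:{port} not reachable (firewall or service down): {exc}"

    try:
        status = fetcher(host, port)
    except (OSError, http.client.HTTPException) as exc:  # TLS errors are OSErrors too
        return "http", f"TLS/HTTP exchange failed: {exc}"
    if status >= 500:
        return "http", f"server answered {status}: check the application and /var/log/nginx/error.log"
    return "ok", f"{host} -> {ips[0]}, HTTP {status}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    verdict, detail = diagnose(target)
    print(f"[{verdict}] {detail}")
```

Usage: `python3 triage.py your-host` against a host you administer. A "tcp" verdict with a healthy "dns" one is the classic security-group or firewall omission; an "http" verdict with a 5xx is where the error.log step of the scenario begins.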
🖥️ CORE
🧩 SERVER ADMINISTRATION
Nginx: high-performance web server & reverse proxy, event-driven architecture, config blocks (server/location)
Apache HTTP Server: process-based architecture, .htaccess, mod_rewrite, virtual host configuration
Reverse Proxy Configuration: proxy_pass, upstream definition, health checks, timeout settings, X-Forwarded-For header
Load Balancer Setup: HAProxy / Nginx upstream, round-robin/least-conn, sticky sessions, SSL termination
SSL/TLS Certificates: Let's Encrypt (Certbot), wildcard certs, automated certificate renewal, HSTS
Cron & Scheduled Tasks: crontab -e syntax, log rotation (logrotate), backup automation, the at command
📦 DATABASE & CACHE SERVICES
MySQL / MariaDB: InnoDB engine, replication (master-slave/GTID), backup (mysqldump, xtrabackup), indexing
PostgreSQL: MVCC, streaming replication, pgBouncer (connection pooling), vacuum, pg_dump
Redis: in-memory key-value store, data structures (string/hash/list/set), persistence (RDB/AOF), pub/sub, Sentinel
Elasticsearch: full-text search, index/shard/replica concepts, ELK stack (Logstash + Kibana)
🔐 USER & PRIVILEGE MANAGEMENT
Linux User Management: useradd/usermod/userdel, /etc/passwd & /etc/shadow, groups, the id command
sudo Privileges: /etc/sudoers (visudo), NOPASSWD, command whitelisting, sudo log audit
SSH Key Authentication: generate RSA/ED25519 keys, authorized_keys, ~/.ssh/config, agent forwarding, bastion host
PAM (Pluggable Auth Modules): MFA integration, Google Authenticator, login policies, pam_faillock
ssh-keygen -t ed25519 -C "server@prod" -f ~/.ssh/id_prod
ssh-copy-id -i ~/.ssh/id_prod.pub user@server
usermod -aG sudo,docker,www-data username
📊 MONITORING & OBSERVABILITY
Prometheus: pull-based metrics collection, scrape config, PromQL query language, alert rules, recording rules
Grafana: building dashboards, data source integration, alert notifications, panel types
Node Exporter: CPU/RAM/disk/network metrics, system-level exposure, custom metrics
Log Management: journalctl, /var/log/, log levels (DEBUG/INFO/WARN/ERROR), log aggregation
Alerting: Alertmanager, PagerDuty/OpsGenie integration, on-call rotation, escalation policy
Zabbix / Nagios: agent-based monitoring, SNMP traps, network device monitoring, SLA reporting
☁️ MODERN
☁️ CLOUD PLATFORMS
Amazon Web Services (AWS): market leader, 200+ services, global region network, pay-as-you-go pricing
Microsoft Azure: Microsoft ecosystem integration, hybrid cloud, Active Directory, enterprise focus
Google Cloud Platform: BigQuery, Kubernetes (GKE origin), AI/ML services, global fiber network
🔧 CORE SERVICES TO LEARN
EC2 / Compute Engine / Azure VM: instance type selection, AMI/snapshot, Auto Scaling Group, Spot vs Reserved vs On-Demand
S3 / GCS / Azure Blob: object storage, bucket policy, versioning, lifecycle rules, presigned URLs, CDN integration
VPC (Virtual Private Cloud): subnets (public/private), security groups, NACL, VPC peering, Transit Gateway
IAM (Identity & Access Management): User/Role/Policy, least privilege principle, service accounts, MFA enforcement
RDS / Cloud SQL: managed database, Multi-AZ HA, read replicas, automated backup, parameter groups
CloudWatch / Stackdriver: metrics, logs, alarms, custom namespaces, Logs Insights queries
Terraform / IaC: Infrastructure as Code, the HCL language, state management, module structure, remote backend
Route 53 / Cloud DNS: DNS management, health checks, failover routing, geolocation routing, latency-based routing
Tip: open an AWS free-tier account. Launch an EC2 instance → attach an Elastic IP → write a security group → deploy Nginx → connect a domain. This 4-hour lab is worth more than 40 hours of reading.
🐳 MODERN
🐳 DOCKER
Container Architecture: how it differs from a VM (shared kernel, namespace/cgroup isolation, copy-on-write filesystem)
Image & Layer: union filesystem, layer caching, multi-stage builds, image optimization, .dockerignore
Dockerfile: FROM/RUN/COPY/EXPOSE/CMD/ENTRYPOINT directives, best practices, secure base images
Docker Compose: multi-container applications, service/network/volume definitions, depends_on, health checks
Docker Network: bridge/host/overlay network modes, container DNS, port mapping, network isolation
Docker Registry: Docker Hub, ECR/GCR/ACR, private registry, image tagging & versioning strategy
docker build -t myapp:v1.0 --target production .
docker run -d -p 8080:80 --name web --restart=unless-stopped myapp:v1.0
docker compose up -d --build && docker compose logs -f
docker stats --no-stream && docker system prune -af --volumes
☸️ KUBERNETES
Pod: smallest deployment unit, a group of containers, shared network/storage, lifecycle
Deployment: replica management, rolling updates, rollback, HPA (horizontal pod autoscaling)
Service: ClusterIP/NodePort/LoadBalancer/ExternalName types, selectors, kube-proxy
Ingress: HTTP routing, TLS termination, path-based routing, Nginx/Traefik ingress controllers
ConfigMap & Secret: configuration management, env var injection, volume mounts, Secret encryption (RBAC)
Namespace & RBAC: isolation, ResourceQuota, LimitRange, Role/ClusterRole, ServiceAccount
⚙️ CI/CD & DEVOPS
CI/CD Pipeline: Code → Build → Test → Package → Deploy → Monitor loop, GitOps principle
GitHub Actions: workflow YAML, triggers (push/PR/schedule), runners, matrix builds, secrets management
GitLab CI / Jenkins: .gitlab-ci.yml, stages/jobs/artifacts, Jenkins pipeline (Declarative vs Scripted)
Ansible: agentless config management, playbook/inventory/role structure, idempotency
🔐 CRITICAL
🛡️ DEFENSE FUNDAMENTALS
Firewall Logic: stateful vs stateless, iptables/nftables, zone-based firewall, default-deny principle
Port Security: closing unnecessary ports, fail2ban, knock daemon, port knocking, geofencing
SSL/TLS Hardening: enforce TLS 1.3, disable weak ciphers, certificate pinning, HSTS preload
Network Segmentation: DMZ architecture, VLAN isolation, micro-segmentation, zero-trust network
Hardening: CIS Benchmarks, disabling root login, disabling unnecessary services, kernel parameters
IDS/IPS: Snort/Suricata, signature-based vs anomaly-based, inline mode, alert tuning
🧠 ATTACK VECTORS (UNDERSTAND THEM TO DEFEND)
DDoS (Distributed DoS): volumetric/protocol/application-layer attacks, Cloudflare/AWS Shield, rate limiting
Brute Force: credential stuffing, password spraying, fail2ban rules, account lockout, CAPTCHA
Network Scanning: reconnaissance with nmap, banner grabbing, OS fingerprinting, vulnerability scanning
Man-in-the-Middle: ARP spoofing, DNS poisoning, SSL stripping; countermeasures: HTTPS+HSTS, DNSSEC
SQL Injection & XSS: OWASP Top 10, parameterized queries, input validation, WAF rules, CSP header
Privilege Escalation: SUID bits, sudo misconfiguration, kernel exploits; regular patch management is critical
nmap · fail2ban · iptables · Metasploit · Burp Suite · OSSEC · OpenVAS · Lynis
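The Brute Force card above lists fail2ban rules and account lockout as the countermeasures; here is the detection side of that, as an added example that is not part of the original roadmap. It parses sshd "Failed password" lines in the /var/log/auth.log syslog format, applies fail2ban's maxretry-within-findtime idea per source IP, and adds a password-spray heuristic (one source trying many distinct usernames) that a plain retry counter misses. The log lines are constructed samples: the host name web1 and the addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are placeholders, and the function names are my own.

```python
"""Brute-force / password-spray detection over sshd log lines.

Added example (not from the roadmap). Mirrors fail2ban's idea of `maxretry`
failures within `findtime` seconds per source IP, plus a spray heuristic.
"""
import re
from collections import defaultdict
from datetime import datetime

# classic syslog auth.log line: no year, month/day/time, host, sshd[pid]
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# constructed sample: one noisy source, one legitimate user with two typos
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 4432 ssh2
Mar  3 10:00:04 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 4433 ssh2
Mar  3 10:00:09 web1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 4440 ssh2
Mar  3 10:00:15 web1 sshd[2210]: Failed password for invalid user test from 198.51.100.7 port 4451 ssh2
Mar  3 10:00:20 web1 sshd[2213]: Failed password for invalid user ubuntu from 198.51.100.7 port 4460 ssh2
Mar  3 10:00:31 web1 sshd[2219]: Accepted publickey for deploy from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:xxxx
Mar  3 10:01:02 web1 sshd[2230]: Failed password for deploy from 203.0.113.5 port 51030 ssh2
Mar  3 11:45:00 web1 sshd[3100]: Failed password for deploy from 203.0.113.5 port 51200 ssh2
"""


def parse_failures(text, year=2024):
    """Return [(timestamp, ip, user)] for each failed-password line.

    The syslog format carries no year, so the caller supplies it.
    """
    out = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], m["user"]))
    return out


def find_offenders(failures, maxretry=5, findtime=600, spray_users=3):
    """Flag source IPs the way a fail2ban jail would, plus a spray heuristic.

    - "brute_force": >= maxretry failures inside some findtime-second window
    - "spray": >= spray_users distinct usernames tried from the same source
    Returns {ip: set_of_reasons}; sources with no finding are absent.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(failures):
        by_ip[ip].append((ts, user))

    verdicts = defaultdict(set)
    for ip, events in by_ip.items():
        times = [ts for ts, _ in events]
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                verdicts[ip].add("brute_force")
                break
        if len({user for _, user in events}) >= spray_users:
            verdicts[ip].add("spray")
    return dict(verdicts)


if __name__ == "__main__":
    for ip, reasons in find_offenders(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

With the defaults (5 failures in 10 minutes, the usual fail2ban sshd jail values) only 198.51.100.7 is flagged, for both reasons; the two "deploy" failures from 203.0.113.5 are 1h44m apart and stay below any sensible threshold, which is the false-positive case a lockout policy has to tolerate. Feed it `sudo journalctl -u ssh -o short` output or /var/log/auth.log on a host you run; for live blocking, this logic is what fail2ban's sshd filter and jail settings already implement.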
🧪 70% OF YOUR LEARNING
🖥️ LAB ENVIRONMENT SETUP
VirtualBox / VMware Workstation: host-only / NAT / bridged network modes, taking snapshots, linked clones
Proxmox VE (Recommended): free bare-metal hypervisor, LXC containers + KVM VMs, web UI, clustering
GNS3 / EVE-NG: network simulators, Cisco IOS emulation, realistic topology design
Vagrant: automated VM provisioning, Vagrantfile, multi-machine labs, box management
🔥 LAB SCENARIOS (DO THEM IN ANY ORDER)
Web Server Lab (2 VMs): install Nginx + PHP-FPM, add SSL, write a virtual host, watch the logs
DNS Server Lab: install BIND9, write forward/reverse zones, add a secondary DNS, enable DNSSEC
Firewall Lab: write zone-based rules with iptables, configure DNAT/SNAT, test them
Load Balancing Lab (3 VMs): 1 HAProxy + 2 backends, health checks, session persistence, Grafana dashboard
Docker Lab: write a Dockerfile, multi-stage build, bring up a stack with compose, test network isolation
Monitoring Lab: Prometheus + Node Exporter + Grafana. Set up alerts, build a dashboard, simulate an anomaly
Subnetting Lab: design 4 subnets, do inter-VLAN routing on a router, verify the routing table
Backup & Recovery Lab: back up with rsync + cron, test a restore, calculate RPO/RTO
📜 OPTIONAL BUT POWERFUL
🏆 INDUSTRY CERTIFICATIONS
Cisco CCNA: Network Associate, the gold standard
CompTIA Network+: vendor-neutral, ideal for beginners
CompTIA Security+: DoD-approved, the gateway to cybersecurity
Amazon Web Services SAA-C03: Solutions Architect Associate
Linux Foundation CKA: Certified Kubernetes Administrator
Red Hat RHCSA: Enterprise Linux System Admin
💡 Suggested order: CompTIA Network+ → CCNA → AWS SAA → CKA. Spend at least 3-6 months doing labs between each certification.

🔥 REAL-WORLD TRUTH

This field is not learned "by reading".
Open VirtualBox → build a VM → break it → fix it → repeat.
Every broken system takes you one step forward.