Hugging Face's logo

Spaces:
danielrosehill
/
Claude-Code-Slash-Commands
Sleeping

App Files Community
Claude-Code-Slash-Commands / commands /sysadmin /linux-desktop /security /firewall /analyze-firewall.md
danielrosehill's picture
danielrosehill
Redesign interface with accordion cards and category pills
292d92c
preview code
|
raw
history blame contribute delete
7.68 kB

A newer version of the Gradio SDK is available: 6.2.0

Upgrade

Analyze Firewall and Suggest Hardening

You are helping the user check if a firewall is running, analyze open ports, and suggest potential hardening.

Your tasks:

  1. Check if a firewall is active:

    UFW (Uncomplicated Firewall):

    sudo ufw status verbose

    iptables (lower level):

    sudo iptables -L -n -v
sudo ip6tables -L -n -v

    firewalld (if used):

    sudo firewall-cmd --state
sudo firewall-cmd --list-all

    nftables (modern replacement for iptables):

    sudo nft list ruleset

  2. If no firewall is active, recommend enabling UFW:

    sudo apt install ufw
sudo ufw enable
sudo ufw status

  3. Check currently listening services:

    sudo ss -tulpn
# Or
sudo netstat -tulpn

    This shows what services are listening on which ports.

  4. Check for open ports from external perspective:

    sudo nmap -sT -O localhost

    Or install nmap if not available:

    sudo apt install nmap

  5. Analyze each open port: For each listening port, identify:

    • Which service is using it
    • Whether it should be accessible from network
    • Current firewall rules for it

    Common ports to check:

    • 22 (SSH)
    • 80 (HTTP)
    • 443 (HTTPS)
    • 3306 (MySQL)
    • 5432 (PostgreSQL)
    • 6379 (Redis)
    • 27017 (MongoDB)
    • 3389 (RDP)
    • 445 (SMB)
    • 2049 (NFS)

  6. Check UFW rules in detail:

    sudo ufw status numbered
sudo ufw show added

  7. Check iptables rules in detail:

    sudo iptables -S
sudo iptables -L INPUT -v -n
sudo iptables -L OUTPUT -v -n
sudo iptables -L FORWARD -v -n

  8. Identify potential security issues:

    Services listening on 0.0.0.0 (all interfaces): These are accessible from network. Should they be?

    sudo ss -tulpn | grep "0.0.0.0"

    Services that should only be local: Databases, Redis, etc. should typically only listen on 127.0.0.1:

    sudo ss -tulpn | grep -v "127.0.0.1"

    Unnecessary services: Check for services that shouldn't be running:

    sudo systemctl list-units --type=service --state=running | grep -E "telnet|ftp|rsh"

  9. Analyze by service type:

    SSH (port 22):

    • Should SSH be accessible from internet?
    • Consider changing default port
    • Check SSH configuration: cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
    • Verify key-only authentication is enforced
    • Check fail2ban status: sudo systemctl status fail2ban

    Web services (80, 443):

    • Are these intentional?
    • Is there a web server running?
    • Check for default/test pages

    Databases (3306, 5432, 27017, etc.):

    • Should NEVER be exposed to internet
    • Should listen only on 127.0.0.1
    • Check configuration files

  10. Check for common attack vectors:

    # Check for services with known vulnerabilities
sudo ss -tulpn | grep -E "telnet|ftp|rlogin|rsh|rexec"

# Check for uncommon high ports
sudo ss -tulpn | awk '{print $5}' | cut -d: -f2 | sort -n | uniq

  11. Suggest hardening measures:

    Enable UFW if not active:

    sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

    For SSH access:

    sudo ufw allow 22/tcp comment 'SSH'
# Or from specific IP:
sudo ufw allow from <IP-address> to any port 22 comment 'SSH from specific IP'

    For web server:

    sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'

    For local network only:

    sudo ufw allow from 192.168.1.0/24 comment 'Local network'

  12. Install and configure fail2ban (recommended):

    sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

  13. Check for IPv6 exposure:

    sudo ss -tulpn6
sudo ufw status

    Ensure IPv6 is also protected:

    sudo ufw default deny incoming
# UFW handles both IPv4 and IPv6

  14. Advanced iptables hardening (if using iptables):

    Drop invalid packets:

    sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    Rate limit SSH:

    sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

    Log dropped packets:

    sudo iptables -A INPUT -j LOG --log-prefix "iptables-dropped: "

  15. Check for Docker interference: Docker manipulates iptables directly, which can bypass UFW:

    sudo iptables -L DOCKER -n

    To prevent Docker from bypassing UFW, edit /etc/docker/daemon.json:

    {
  "iptables": false
}

    Or use firewalld instead for better Docker integration.

  16. Check connection tracking:

    sudo conntrack -L
cat /proc/sys/net/netfilter/nf_conntrack_count
cat /proc/sys/net/netfilter/nf_conntrack_max

  17. Review logging:

    sudo grep UFW /var/log/syslog | tail -20
sudo tail -20 /var/log/ufw.log

  18. Generate hardening recommendations: Based on findings, suggest:

    • Enable firewall if not active
    • Block unnecessary ports
    • Restrict services to local interface only
    • Install fail2ban for brute-force protection
    • Change SSH port (optional, security through obscurity)
    • Disable root SSH login
    • Use key-based SSH authentication only
    • Close database ports from external access
    • Remove unnecessary services
    • Enable connection rate limiting
    • Set up intrusion detection (OSSEC, Snort)
    • Regular security updates
    • Monitor logs regularly

  19. Provide firewall management commands:

    UFW:

    • sudo ufw status - Check status
    • sudo ufw enable - Enable firewall
    • sudo ufw disable - Disable firewall
    • sudo ufw allow <port> - Allow port
    • sudo ufw deny <port> - Deny port
    • sudo ufw delete <rule> - Delete rule
    • sudo ufw reset - Reset to default
    • sudo ufw logging on - Enable logging

    iptables:

    • sudo iptables -L - List rules
    • sudo iptables -A INPUT -p tcp --dport <port> -j ACCEPT - Allow port
    • sudo iptables -D INPUT <rule-number> - Delete rule
    • sudo iptables-save > /etc/iptables/rules.v4 - Save rules
    • sudo iptables-restore < /etc/iptables/rules.v4 - Restore rules

  20. Report findings: Summarize:

    • Firewall status (active/inactive)
    • List of open ports
    • Services listening on each port
    • Current firewall rules
    • Security issues found
    • Recommended hardening measures
    • Priority actions (critical vs. nice-to-have)

Important notes:

  • Test firewall rules carefully to avoid locking yourself out
  • Always have a backup access method (console/KVM) before changing SSH rules
  • UFW and iptables can conflict - use one or the other
  • Docker can bypass UFW - special configuration needed
  • Deny incoming by default, allow specific services
  • Keep logs for intrusion detection
  • Regularly review and update firewall rules
  • Consider using VPN for remote access instead of exposing services
  • fail2ban is essential for SSH protection
  • Don't expose databases to the internet