A code- and config-forward kit for hardening a Linux network estate end to end: default-deny host firewalls (iptables **and** nftables), network segmentation patterns, Suricata IDS/IPS rules, hardened
Browse the actual product documentation and code examples included in this toolkit.
Key features of Network Security Toolkit
• **Host firewalls, two ways:** a fully-commented stateful **iptables** script • **Segmentation patterns:** a reference zone model (DMZ/App/Data/Mgmt) with a • **IDS/IPS:** an annotated **Suricata** config plus two rule files — tuned • **Hardened VPNs:** a **WireGuard** server config + provisioning script and a • **SSH + TLS hardening:** a production `sshd_config` (key-only, modern crypto) • **Verification tooling:** a stdlib **port auditor** (open/closed/filtered, with
**Host firewalls, two ways:** a fully-commented stateful **iptables** script
**Segmentation patterns:** a reference zone model (DMZ/App/Data/Mgmt) with a
**IDS/IPS:** an annotated **Suricata** config plus two rule files — tuned
**Hardened VPNs:** a **WireGuard** server config + provisioning script and a
**SSH + TLS hardening:** a production `sshd_config` (key-only, modern crypto)
**Verification tooling:** a stdlib **port auditor** (open/closed/filtered, with
Configure Network Security Toolkit parameters to see how the product works.
# 1. See what's currently exposed (no setup needed): python3 scripts/port_audit.py 10.30.1.10 --ports 1-1024 # 2. Harden SSH FIRST (your lifeline), validating before reload: sudo cp ssh/sshd_config /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl reload sshd # 3. Apply a default-deny host fi