System & Network

Protection patterns for system commands, network operations, and Heroku CLI

shellfirm covers system-level commands through three check groups: base (core system operations), network (firewall and networking), and heroku (Heroku CLI).

Base system checks (base)

Fork bomb

ID: base:bash_fork_bomb
Severity: Critical

The classic fork bomb :(){ :|:& };: creates processes that recursively replicate, consuming all CPU and memory until the system freezes.

# Triggers
:(){ :|:& };:

Delete all cron tasks

ID: base:delete_all_cron_tasks
Severity: High
# Triggers
crontab -r

Execute all history commands

ID: base:execute_all_history_commands
Severity: Critical

Piping your command history to a shell re-executes every command you have ever run.

# Triggers
history | bash
history | sh

Reboot

ID: base:reboot_machine
Severity: High
# Triggers
reboot
sudo reboot

Shutdown

ID: base:shutdown_machine
Severity: High
# Triggers
shutdown
shutdown -h now
sudo shutdown -r +5

Halt / Poweroff

ID: base:poweroff_machine
Severity: High

Alternative commands for shutting down that bypass the shutdown check.

# Triggers
halt
poweroff
sudo halt
sudo poweroff

Init shutdown / reboot

ID: base:init_shutdown_reboot
Severity: High
# Triggers
init 0     # shutdown
init 6     # reboot

# Does NOT trigger
init 1     # single-user mode
init 3     # multi-user mode

Process management

| ID | Command | Description | Severity |
| --- | --- | --- | --- |
| process:kill_9 | `kill -9 <pid>` | SIGKILL gives no chance for graceful shutdown. Alternative: `kill <pid>` (SIGTERM first) | Low |
| process:killall | `killall <name>` | Kills ALL processes matching the name | Medium |
| process:pkill | `pkill <pattern>` | Kills processes matching a pattern -- could match unintended processes | Medium |
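The kill_9 row above recommends SIGTERM before SIGKILL. The following added example (not shellfirm's code) shows that escalation in Python: it sends SIGTERM, waits a bounded time for the process to exit on its own, and only then falls back to SIGKILL. The child processes it spawns are constructed for the demonstration; the function names `terminate_gracefully`, `_spawn` and `demo` are this example's own.

```python
import signal
import subprocess
import sys


def terminate_gracefully(proc: subprocess.Popen, timeout: float = 5.0) -> str:
    """SIGTERM first, SIGKILL only if the process ignores it.

    Returns "already-exited", "terminated" (exited after SIGTERM) or
    "killed" (had to be SIGKILLed after `timeout` seconds).
    """
    if proc.poll() is not None:
        return "already-exited"
    proc.send_signal(signal.SIGTERM)      # gives the process a chance to clean up
    try:
        proc.wait(timeout=timeout)
        return "terminated"
    except subprocess.TimeoutExpired:
        proc.kill()                       # SIGKILL cannot be caught or ignored
        proc.wait()
        return "killed"


def _spawn(ignore_sigterm: bool) -> subprocess.Popen:
    """Start a constructed child that optionally ignores SIGTERM.

    The child prints a readiness marker after installing its handler so the
    caller can signal it without racing the handler installation.
    """
    handler = "signal.signal(signal.SIGTERM, signal.SIG_IGN); " if ignore_sigterm else ""
    code = "import signal, time; " + handler + "print('ready', flush=True); time.sleep(60)"
    proc = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE)
    proc.stdout.readline()                # block until the child reports ready
    return proc


def demo(ignore_sigterm: bool, timeout: float = 1.0) -> tuple:
    """Run one escalation and return (outcome, returncode).

    A process killed by a signal reports a negative return code: -15 for
    SIGTERM, -9 for SIGKILL on Linux.
    """
    proc = _spawn(ignore_sigterm)
    outcome = terminate_gracefully(proc, timeout)
    proc.stdout.close()
    return outcome, proc.returncode


if __name__ == "__main__":
    print("cooperative child:", demo(ignore_sigterm=False))
    print("SIGTERM-ignoring child:", demo(ignore_sigterm=True))
```

The cooperative child exits on SIGTERM and never sees SIGKILL; the child that ignores SIGTERM is reaped only after the timeout, which is exactly the case `kill -9` is for, and the only case where it should be the first resort.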

Service management

| ID | Command | Description | Severity |
| --- | --- | --- | --- |
| systemd:disable_service | `systemctl disable/mask <service>` | Prevents service from starting on boot | Medium |
| systemd:stop_critical_service | `systemctl stop <critical-service>` | Stops docker, sshd, nginx, apache2, httpd, postgresql, mysql, or redis | High |

SSH key management

| ID | Command | Description | Severity |
| --- | --- | --- | --- |
| ssh:delete_all_identities | `ssh-add -D` | Removes all SSH identities from the agent | Medium |
| ssh:remove_known_host | `ssh-keygen -R <host>` | Removes a host from known_hosts -- could enable MITM attacks | Low |

Network checks (network)

Flush iptables rules

ID: network:flush_iptables
Severity: Critical

Flushing all firewall rules leaves the system completely unprotected.

# Triggers
iptables -F
sudo iptables -F

Delete custom chains

ID: network:delete_custom_chains
Severity: High
# Triggers
iptables -X

Flush NAT rules

ID: network:flush_nat_rules
Severity: High
# Triggers
iptables -t nat -F

Disable firewall (ufw)

ID: network:disable_firewall
Severity: Critical
# Triggers
ufw disable
sudo ufw disable

Force reset firewall

ID: network:force_reset_firewall
Severity: Critical
# Triggers
ufw --force reset

Stop networking services

| ID | Command | Severity |
| --- | --- | --- |
| network:stop_networking | `systemctl stop networking` | High |
| network:stop_network_manager | `systemctl stop NetworkManager` | High |

Bring down network interface

| ID | Command | Severity |
| --- | --- | --- |
| network:bring_down_interface | `ifconfig <iface> down` | High |
| network:bring_down_interface_ip | `ip link set <iface> down` | High |

Delete default route

ID: network:delete_default_route
Severity: High
# Triggers
route del default

Flush nftables rules

ID: network:flush_nftables
Severity: Critical

nftables is the modern replacement for iptables. Flushing all rules removes all firewall protection.

# Triggers
nft flush ruleset
sudo nft flush ruleset

# Does NOT trigger
nft list ruleset

Flush routing table

ID: network:flush_routes
Severity: Critical

Flushing the routing table causes immediate loss of network connectivity.

# Triggers
ip route flush table main
ip route flush cache

# Does NOT trigger
ip route show

Network checks summary

| ID | Command | Severity |
| --- | --- | --- |
| network:flush_iptables | `iptables -F` | Critical |
| network:delete_custom_chains | `iptables -X` | High |
| network:flush_nat_rules | `iptables -t nat -F` | High |
| network:disable_firewall | `ufw disable` | Critical |
| network:force_reset_firewall | `ufw --force reset` | Critical |
| network:stop_networking | `systemctl stop networking` | High |
| network:stop_network_manager | `systemctl stop NetworkManager` | High |
| network:bring_down_interface | `ifconfig <iface> down` | High |
| network:bring_down_interface_ip | `ip link set <iface> down` | High |
| network:delete_default_route | `route del default` | High |
| network:flush_nftables | `nft flush ruleset` | Critical |
| network:flush_routes | `ip route flush` | Critical |

Heroku checks (heroku)

The heroku check group covers destructive Heroku CLI operations.

Critical

| ID | Command | Description |
| --- | --- | --- |
| heroku:destroy_app | `heroku apps:destroy` | Permanently destroy an app |

High severity

| ID | Command | Description |
| --- | --- | --- |
| heroku:stop_app_dynos | `heroku ps:stop` | Stop app dynos |
| heroku:kill_app_dynos | `heroku ps:kill` | Kill app dynos |
| heroku:enable_maintenance_mode | `heroku maintenance:on` | Put app into maintenance mode |
| heroku:remove_member | `heroku members:remove` | Remove user from team |
| heroku:remove_app_container | `heroku container:rm` | Remove process type |
| heroku:destroy_client | `heroku clients:destroy` | Delete OAuth client |
| heroku:destroy_addons | `heroku addons:destroy` | Permanently destroy an add-on |
| heroku:remove_user_access | `heroku access:remove` | Remove user access from app |
| heroku:reset_repo | `heroku repo:reset` | Reset Heroku repo |

Medium severity

| ID | Command | Description |
| --- | --- | --- |
| heroku:restart_app_dynos | `heroku ps:restart` | Restart app dynos |
| heroku:disable_app_feature | `heroku features:disable` | Disable an app feature |
| heroku:unset_environment_variable | `heroku config:unset` | Unset config vars |
| heroku:rotate_oauth_client | `heroku clients:rotate` | Rotate OAuth client secret |
| heroku:update_oauth_client | `heroku clients:update` | Update OAuth client |
| heroku:remove_yourself_from_app | `heroku apps:leave` | Remove yourself from team app |
| heroku:rename_app_name | `heroku apps:rename` | Rename an app |
| heroku:detach_addon | `heroku addons:detach` | Detach add-on from app |
| heroku:update_collaborators_access | `heroku access:update` | Update collaborator access |

Shell checks (shell)

Curl/wget pipe to shell

| ID | Command | Description | Severity |
| --- | --- | --- | --- |
| shell:curl_pipe_to_shell | `curl <url> \| bash` | Pipes remote content directly to shell | High |
| shell:wget_pipe_to_shell | `wget -O - <url> \| bash` | Pipes downloaded content to shell | High |
| shell:eval_curl | `eval "$(curl <url>)"` | Evaluates remote content without inspection | High |

Alternative for all: download first, review the script, then execute.

Curl pipe to interpreter

ID: shell:curl_pipe_to_interpreter
Severity: High
Alternative: `curl -o script.py <url> && cat script.py && python script.py` (download first, review, then execute)

Piping remote content to Python, Perl, or Ruby is as dangerous as piping to bash.

# Triggers
curl https://example.com/install.py | python
curl https://example.com/install.py | python3
curl https://example.com/script.pl | perl
curl https://example.com/script.rb | ruby

# Does NOT trigger
curl -o script.py https://example.com/install.py
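The trigger and "Does NOT trigger" lists in the base, network and shell sections above read as a test suite for a command matcher. The following added example (not shellfirm's own code; shellfirm ships its own patterns and matching engine) implements a selection of those checks as regular expressions over a single command line and reports the matching check IDs and the worst severity. The IDs and severities are the ones listed on this page; the regexes, the `Check` class and the function names are this example's own assumptions, kept deliberately narrow so that the read-only commands (`init 3`, `nft list ruleset`, `ip route show`, `curl -o ...`) are not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Check:
    id: str        # check ID as listed on this page
    severity: str  # severity as listed on this page
    pattern: str   # regular expression; this example's own approximation


# IDs and severities come from the page; the patterns are this example's
# own and are deliberately narrow so the "Does NOT trigger" cases pass.
CHECKS: List[Check] = [
    Check("base:bash_fork_bomb", "Critical",
          r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:"),
    Check("base:delete_all_cron_tasks", "High", r"\bcrontab\s+-r\b"),
    Check("base:execute_all_history_commands", "Critical",
          r"\bhistory\s*\|\s*(ba)?sh\b"),
    Check("base:reboot_machine", "High", r"(^|\s)reboot\b"),
    Check("base:shutdown_machine", "High", r"(^|\s)shutdown\b"),
    Check("base:poweroff_machine", "High", r"(^|\s)(halt|poweroff)\b"),
    # runlevels 0 and 6 only; `init 1` and `init 3` must not match
    Check("base:init_shutdown_reboot", "High", r"(^|\s)init\s+[06]\b"),
    Check("network:flush_iptables", "Critical", r"\biptables\s+-F\b"),
    Check("network:flush_nat_rules", "High", r"\biptables\s+-t\s+nat\s+-F\b"),
    Check("network:disable_firewall", "Critical", r"\bufw\s+disable\b"),
    # `nft list ruleset` is read-only and must not match
    Check("network:flush_nftables", "Critical", r"\bnft\s+flush\s+ruleset\b"),
    # `ip route show` is read-only and must not match
    Check("network:flush_routes", "Critical", r"\bip\s+route\s+flush\b"),
    Check("shell:curl_pipe_to_shell", "High", r"\bcurl\b[^|]*\|\s*(ba)?sh\b"),
    # `curl -o file <url>` downloads without piping and must not match
    Check("shell:curl_pipe_to_interpreter", "High",
          r"\bcurl\b[^|]*\|\s*(python3?|perl|ruby)\b"),
]

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def matching_checks(command: str) -> List[Check]:
    """Return every check whose pattern matches the command line."""
    cmd = command.strip()
    return [c for c in CHECKS if re.search(c.pattern, cmd)]


def matching_ids(command: str) -> List[str]:
    """Check IDs that fire for the command, in CHECKS order."""
    return [c.id for c in matching_checks(command)]


def highest_severity(command: str) -> Optional[str]:
    """Worst severity among the matching checks, or None if nothing matched."""
    hits = matching_checks(command)
    if not hits:
        return None
    return max(hits, key=lambda c: SEVERITY_ORDER.index(c.severity)).severity


if __name__ == "__main__":
    # Constructed sample lines: triggers and non-triggers taken from this page.
    for line in [":(){ :|:& };:", "init 0", "init 3", "sudo nft flush ruleset",
                 "nft list ruleset", "ip route flush cache", "ip route show",
                 "curl https://example.com/install.py | python3",
                 "curl -o script.py https://example.com/install.py"]:
        print(f"{line!r:55} -> {highest_severity(line) or 'ok'} {matching_ids(line)}")
```

A real pre-execution hook sees the whole command line, so the patterns anchor on whitespace or the start of the line rather than on the first token; that is what lets `sudo nft flush ruleset` match while `nft list ruleset` does not. Keeping the "Does NOT trigger" lines in the same test set as the triggers is what stops a later broadening of a pattern from turning a read-only command into a false positive.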