How to block Reverse shell if infected?

Started by newman87, January 31, 2022, 09:23:25 PM

January 31, 2022, 09:23:25 PM Last Edit: February 01, 2022, 11:04:32 AM by newman87
Hi,
my question is: in case I am infected with a reverse shell connection, e.g. Meterpreter from Metasploit, is there any way to block this using OPNsense? (Without using Suricata for detection and prevention.)
I read that Meterpreter can escape firewalls, proxy servers etc. So, is it possible to block it? How?
Thanks

Basically it is just normal traffic.
If you know the ports or destination IPs you can block them, but if the attacker changes them the traffic will pass.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Allow outgoing only the absolutely necessary ports and protocols. Windows is a little picky on that though... ;-) With some firewalls (on Windows: Gdata) you can block traffic (even outgoing) on the level of the application (again: Windows needs so many "allow" entries for the OS that it is hard to tell them apart from malware in the first place).

Put different classes of clients in different physical subnets. If you don't want to run Suricata, it's the best you can do.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
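A default-deny egress policy of the kind chemlud describes, written in pf syntax (the FreeBSD packet filter OPNsense is built on) as an added example and not code posted in the thread. Interface names, subnets and the resolver address are assumptions made for illustration.

```pf
# Added example, not from the thread: default-deny egress with separated client
# and server segments. Interface names, subnets and resolver are assumed values.

ext_if        = "vtnet0"          # WAN
clients_if    = "vtnet1"          # workstation segment
servers_if    = "vtnet2"          # server segment
clients_net   = "10.10.1.0/24"
servers_net   = "10.10.2.0/24"
resolver      = "10.10.0.53"      # internal DNS resolver (assumed)
client_egress = "{ 80, 443 }"     # the only outbound TCP ports clients need
server_egress = "{ 443 }"

set skip on lo0

# Hide both internal segments behind the WAN address
nat on $ext_if from { $clients_net, $servers_net } to any -> ($ext_if)

# Default deny in every direction. Drops are logged, so a callback to a port
# that is not allowlisted shows up in the firewall log instead of passing silently.
block log all

# Segmentation: clients may not initiate connections into the server segment
block in quick on $clients_if from $clients_net to $servers_net

# Clients: DNS only to the internal resolver, web only on the allowlisted ports.
# Anything else outbound (odd ports, arbitrary TCP destinations) hits the default block.
pass in quick on $clients_if proto udp from $clients_net to $resolver port 53 keep state
pass in quick on $clients_if proto tcp from $clients_net to any port $client_egress \
    flags S/SA keep state

# Servers: narrower still, HTTPS only
pass in quick on $servers_if proto udp from $servers_net to $resolver port 53 keep state
pass in quick on $servers_if proto tcp from $servers_net to any port $server_egress \
    flags S/SA keep state

# The firewall host's own traffic (updates, NTP); client states already created
# above are matched on the way out, so no broad pass-out rule is needed.
pass out quick on $ext_if from ($ext_if) keep state
```

In OPNsense the same policy is expressed as per-interface rules under Firewall: Rules with logging enabled on the default block. A reverse shell that calls back over 443 still passes, which is exactly the limitation the replies above point out; the ruleset only removes every other path and makes the blocked attempts visible.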

Will Suricata detect and then block a reverse shell connection? As far as I can see, Suricata only alerts on bad traffic; you need to manually block bad traffic and then Suricata will block the same traffic. Is there any way to automatically block first-seen bad traffic?
Cheers