Author Topic: How to block Reverse shell if infected? (Read 1561 times)

newman87 · « **on:** January 31, 2022, 09:23:25 pm »

Hi,
my question is: In case I am infected with a Reverse shell connection e.g. Meterpreter from Metasploit, is there any way to block this using OPNSense? (Without using Suricata for detection and prevention)
I read that Meterpreter can escape firewall, proxy server etc. So,is this possible to block it?How?
Thanks

lfirewall1243 · « **Reply #1 on:** February 01, 2022, 08:13:47 am »

Basically it is just normal traffic.
If you know the Ports or destination IPs you can block them, but if the attacker changes them the traffic will pass.

chemlud · « **Reply #2 on:** February 01, 2022, 08:26:51 am »

Allow outgoing only the absolutly necessary ports and protocolls. Windows is a little picky on that though... ;-) With some firewalls (on windows: Gdata) you can block traffic (even outgoing) on the level of the application (again: windows needs so many "allow" trash for the OS, hard to know the difference from malware in the first place).

Put different classes of clients in different physical subnets. If you don't want to run suricata it's the best you can do.

newman87 · « **Reply #3 on:** February 01, 2022, 07:06:51 pm »

Will Suricata detect and then block a Reverse shell connection?As far I can see,Suricate only alerts for Bad traffic,you need to manually block Bad traffic and then Suricata will block the same traffic.Is there any way to automatically block first seen Bad Traffic?
Cheers

Author Topic: How to block Reverse shell if infected? (Read 1561 times)

newman87

How to block Reverse shell if infected?

lfirewall1243

Re: How to block Reverse shell if infected?

chemlud

Re: How to block Reverse shell if infected?

newman87

Re: How to block Reverse shell if infected?