Updated on 2025-09-25 GMT+08:00

Configuring Reverse Shell Detection and Defense

CFW can defend against reverse shell attacks. After this function is enabled, the service detects reverse shell traffic and, depending on the configured action, records it or blocks it.

Constraints

  • Intrusion prevention does not support decryption detection and defense for TLS- and SSL-encrypted traffic.

Impacts on Services

If IPS basic protection is enabled, a range of possible threats and suspicious traffic will be blocked. Before switching to a blocking mode, you are advised to enable the Observe mode first, review the attack event logs for false alarms for a period of time, and only then switch to the Intercept mode.

Actions

  • Observe: Detected reverse shell attacks are only recorded in attack event logs.
  • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
  • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.

    After Block IP is configured, CFW keeps blocking the IP address for the configured duration. If address translation (NAT) or a proxy is involved, the blocked address may be shared by other users, so evaluate the impact of blocking IP addresses with caution.

Enabling Reverse Shell Defense

  1. Log in to the CFW console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  4. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  5. Ensure Basic Protection is enabled.
  6. Click Advanced at the bottom of the page. In the Reverse Shell Defense area, click to enable it.

    • Action:
      • Observe: Detected reverse shell attacks are only recorded in attack event logs.
      • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
      • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.

        After Block IP is configured, CFW keeps blocking the IP address for the configured duration. If address translation (NAT) or a proxy is involved, the blocked address may be shared by other users, so evaluate the impact of blocking IP addresses with caution.

    • Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.
    • Mode:
      • Conservative: coarse-grained protection. If a single session is attacked four times, observation or interception is triggered. It ensures that no false positives are reported.
      • Sensitive: fine-grained protection. If a single session is attacked two times, observation or interception is triggered. It ensures that attacks can be detected and handled.

  7. Click OK.
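To make the interaction between Action, Duration and Mode easier to reason about before choosing a setting, the following Python model traces the documented semantics (per-session hit thresholds of 4 for Conservative and 2 for Sensitive, the Observe / Block session / Block IP actions, and the 60 s to 3,600 s Block IP duration) over constructed traffic records. This is an added example written for this page, not CFW code: the function and class names, the verdict strings, and the assumptions that the hit counter is kept per session and that hits below the threshold are simply allowed are this example's own, not documented CFW behaviour.

```python
"""Model of the reverse shell defense policy options described in this page.

Added illustration, not CFW code.  It reproduces the documented semantics so
the effect of Action, Mode and Duration can be traced on constructed records.
Assumptions of this model (not stated in the documentation): the hit counter
is kept per session, and hits below the Mode threshold are simply allowed.
"""
from dataclasses import dataclass, field

# Documented per-session hit thresholds for each Mode.
MODE_THRESHOLD = {"conservative": 4, "sensitive": 2}
ACTIONS = ("observe", "block_session", "block_ip")
MIN_DURATION, MAX_DURATION = 60, 3600   # documented Duration range in seconds


def valid_duration(seconds: int) -> bool:
    """Block IP duration must lie within the documented 60 s to 3,600 s range."""
    return MIN_DURATION <= seconds <= MAX_DURATION


@dataclass
class ReverseShellPolicy:
    action: str = "observe"
    mode: str = "conservative"
    duration: int = 600                                  # used only for Block IP
    session_hits: dict = field(default_factory=dict)     # session id -> matches so far
    blocked_sessions: set = field(default_factory=set)
    blocked_ips: dict = field(default_factory=dict)      # ip -> time the block expires
    events: list = field(default_factory=list)           # attack event log entries

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.mode not in MODE_THRESHOLD:
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.action == "block_ip" and not valid_duration(self.duration):
            raise ValueError("Block IP duration must be between 60 s and 3,600 s")

    def ip_blocked(self, ip: str, now: int) -> bool:
        """True while an IP block is active; expired blocks are removed lazily."""
        expires = self.blocked_ips.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.blocked_ips[ip]
            return False
        return True

    def handle(self, now: int, session: str, src_ip: str, matched: bool) -> str:
        """Verdict for one traffic record: 'allow', 'log' (Observe) or 'drop'."""
        if self.ip_blocked(src_ip, now) or session in self.blocked_sessions:
            return "drop"
        if not matched:
            return "allow"
        hits = self.session_hits.get(session, 0) + 1
        self.session_hits[session] = hits
        if hits < MODE_THRESHOLD[self.mode]:
            return "allow"           # assumption: nothing is triggered below the threshold
        self.events.append({"time": now, "session": session, "src_ip": src_ip,
                            "hits": hits, "action": self.action})
        if self.action == "observe":
            return "log"             # Observe: recorded in the attack event log only
        if self.action == "block_session":
            self.blocked_sessions.add(session)
            return "drop"
        self.blocked_ips[src_ip] = now + self.duration   # Block IP for the configured duration
        return "drop"


def run(policy: ReverseShellPolicy, records) -> list:
    """Apply the policy to (time, session, src_ip, matched) records in order."""
    return [policy.handle(*rec) for rec in records]


# Constructed traffic records (not real captures): each tuple is
# (time in seconds, session id, source IP, whether a reverse shell signature matched).
OBSERVE_TRACE = [
    (0, "s1", "198.51.100.5", True),
    (1, "s1", "198.51.100.5", True),
    (2, "s1", "198.51.100.5", True),
    (3, "s1", "198.51.100.5", True),    # 4th hit in Conservative mode -> logged only
    (4, "s1", "198.51.100.5", False),   # Observe never drops traffic
]
BLOCK_IP_TRACE = [
    (0, "s2", "198.51.100.7", True),
    (1, "s2", "198.51.100.7", True),    # 2nd hit in Sensitive mode -> IP blocked for 60 s
    (30, "s3", "198.51.100.7", False),  # a new session from the same IP is still dropped
    (61, "s3", "198.51.100.7", False),  # block expired -> allowed again
]

if __name__ == "__main__":
    print(run(ReverseShellPolicy("observe", "conservative"), OBSERVE_TRACE))
    print(run(ReverseShellPolicy("block_ip", "sensitive", 60), BLOCK_IP_TRACE))
```

The BLOCK_IP_TRACE shows the point the Block IP caution makes: once the address is blocked, an unrelated session from the same source is dropped until the duration expires, which is exactly what makes shared NAT or proxy addresses risky to block.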

Follow-up Operations

For details about the protection overview, see Viewing Attack Defense Information on the Dashboard. For details about logs, see Attack Event Logs.

Related Operations

  • Changing the defense action: Click Configure in the Reverse Shell Defense area. In the displayed dialog box, select an action and click OK.
  • Modifying the threshold: Click Configure in the Reverse Shell Defense area. In the displayed dialog box, set the threshold and click OK.
  • Disabling reverse shell defense: Click next to Reverse Shell Defense. In the displayed dialog box, click OK.