Ispmanager 6 lite, pro, host documentation

BitNinja features

BitNinja is a comprehensive solution for securing servers and web applications. It allows administrators to not only protect their resources, but also simplify security management.

The table below summarizes the functions of the BitNinja module in the ispmanager panel. The full list of BitNinja features and their configuration is described in the developer's documentation.

Name | Brief description | Enabled by default / Manual setting
IpFilter | Compares IP addresses against blacklists and greylists containing millions of entries. If it finds a match, it restricts or blocks the action. | +
Shogun | Passes incidents between the other parts of the system. For example, an incident raised by the Captcha Http module is processed and forwarded to the AntiFlood and IpFilter modules. | +
AntiFlood | If an IP address repeatedly triggers other modules, such as Captcha, temporarily blocks that IP address to reduce the load. | +
Captcha Http module | Catches false-positive blocks: the captcha lets a legitimate user remove their own IP address from the blocklist. | +
Captcha Ftp module | Checks whether an IP address connecting via FTP is on the blocklist. If it is, the module simulates an FTP session without connecting the client to the real FTP server. Anything uploaded through this simulated session is quarantined. | +
Captcha Smtp module | Catches false-positive blocks in the same way as the Captcha Http module, but for clients connecting via SMTP. An IP address can only be removed from the blocklist a few times this way, so it is better to warn the server owner about the underlying problem. | +
Database Cleaner (SQL Scanner) | Scans SQL databases for malware. Only works after a full scan has been performed first. Works with MySQL only (other DBMSs are not tested) and only with WordPress, Joomla and Drupal. | +
DefenseRobot | Works together with MalwareDetection. When DefenseRobot receives a detection from it, the module looks for log lines related to the malware upload. If it finds them, it records the incident, and information about the attacker is stored via the Shogun module. If the source is new, the IP address is added to the blocklist via the challenge list. The module examines the last 30 seconds of logs before the malware file was modified. | +
DefenseRobot SaveUnFilteredLoglines | Saves all log lines from the last 30 seconds before the malware file was modified, including API requests (GET, POST, HEAD, PUT). These log entries do not raise incidents. | +
DefenseRobot CollectUnWatchedLogs | Saves Auth, Exim, PostfixLogin and other logs obtained from SenseLog. These log entries do not raise incidents. | +
DosDetection | Tracks active connections. If a single IP address holds more than 80 connections, BitNinja treats it as an attack and adds the IP to the blocklist for one minute. The connection threshold can be changed in the interface. Important: BitNinja does not protect against DDoS attacks in their classic (volumetric) form; only indirect protection can be configured through the IpFilter, DosDetection and SslTerminating modules. | +
MalwareDetection | Detects malware in files. After BitNinja is installed, a deep scan is performed, which may temporarily increase the server load. | +
AI Malware Scan | Faster scanning with no load on the server: the MD5 hash of the file is sent to BitNinja servers, where the AI-based scan takes place. | +
AI Active Scan | Streams live monitoring data to BitNinja servers. | +
Port Honeypot | Places up to 100 traps on random ports chosen from the most popular ones. Port Honeypot detects port scans (except stealth scans), captures all traffic arriving at the traps and answers the requests. If an attacker tries to use a trap, the module raises an incident. | +
SenseWebHoneypot (Web Honeypot) | Simulates a backdoor. If an attacker tries to use it, the module collects all available information about the attacker and blocks them. Technically it is a PHP file with content; such files should be placed where attacks are expected. | +
ProxyFilter (TrustedProxy) | Handles requests arriving from trusted networks (for example, CloudFlare). Simple IP/TCP analysis does not work here, because the client address has to be taken from the X-Forwarded-For header rather than from the connecting proxy's address. The module needs at least 2 GB of free disk space on the server to work properly. | +
SandboxScanner | Finds unknown PHP files and examines them in a safe local environment; it is effectively a PHP emulator. Enabled by default, but if you disable MalwareDetection you will need to re-enable SandboxScanner manually afterwards. | +
SenseLog (Log Analysis) | Analyses the server's logs for suspicious activity, in particular Apache, NginX, OS, Exim, Postfix, Dovecot, MySQL and ispmanager panel logs, and a few others. | +
SiteProtection | Formerly a standalone application, now part of the main installation. Protects the site rather than the server: it collects statistics, shows notices on the site about compromised passwords, and interacts with the other BitNinja modules. | +
Spam Detection | Catches cases where site forms are abused for spam attacks. Works with Exim only. The module sends outgoing mail metadata (headers, sender and recipient) to BitNinja servers, where it is analysed using AI. | +
SslTerminating | Lets Captcha Http and the WAF work correctly with HTTPS requests. Based on HAProxy 1.9.13; in the near future it will be replaced by Caddy Server. | +
Vulnerability Patcher | Checks the server for known vulnerabilities (CVEs) and provides patches for them. Nothing is patched automatically: BitNinja highlights the presence of a vulnerability, and applying the patch is left to the administrator. | +
Web Application Firewall (WAF) | Inspects incoming traffic. By default it only handles HTTP requests; SslTerminating must be enabled for HTTPS. In addition to SslTerminating, for the module to work correctly the server's own IP addresses must be listed as trusted proxies. It can work behind a CDN, a load balancer or a proxy placed in front of the web server. | +
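The DosDetection row above describes a per-IP active-connection limit with a timed block. The following is an added example, not BitNinja's or ispmanager's code, that implements that logic so the behaviour can be exercised offline: the 80-connection threshold and the one-minute block come from the description, while the class name, the injectable clock and the data structures are assumptions made for the example.

```python
"""Per-IP active-connection limiting in the style of DosDetection (added example)."""
import time
from collections import Counter
from typing import Callable, Dict


class DosDetector:
    """Counts open connections per source IP and blocks an IP that exceeds the threshold.

    Assumption: connection open/close events are fed in by the caller. The clock is
    injectable so the block expiry can be tested without sleeping.
    """

    def __init__(self, threshold: int = 80, block_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.threshold = threshold                  # "more than 80 connections", configurable
        self.block_seconds = block_seconds          # "for one minute"
        self.clock = clock
        self.active: Counter = Counter()            # ip -> currently open connections
        self.blocked_until: Dict[str, float] = {}   # ip -> expiry on the monotonic clock

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked_until[ip]              # block has expired; forget it
            return False
        return True

    def on_connect(self, ip: str) -> bool:
        """Register a new connection from `ip`; return True if it is allowed."""
        if self.is_blocked(ip):
            return False
        self.active[ip] += 1
        if self.active[ip] > self.threshold:
            # More than `threshold` simultaneous connections: treat as an attack,
            # refuse this connection and block the source for `block_seconds`.
            self.active[ip] -= 1
            self.blocked_until[ip] = self.clock() + self.block_seconds
            return False
        return True

    def on_close(self, ip: str) -> None:
        """Register that one of `ip`'s connections has closed."""
        if self.active[ip] > 0:
            self.active[ip] -= 1
```

Note what this does and does not cover: it only sees connections that the kernel has already accepted, so it limits one noisy client but, exactly as the row states, does nothing against volumetric floods that exhaust bandwidth or the backlog before the application layer is reached.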
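The ProxyFilter (TrustedProxy) and WAF rows both hinge on the same point: behind a CDN, load balancer or the server's own proxy, the client address must be read from X-Forwarded-For, but only hops that are explicitly trusted may be believed, otherwise any client can spoof an address into the header and evade an IP-based block. The following is an added example, not BitNinja's code, showing the weak and the hardened resolution side by side. The trusted-proxy set (the server's own address 10.0.0.5 and a stand-in CDN range 203.0.113.0/24), the function names and the blocklist are constructed for the example.

```python
"""Resolving the real client address behind trusted proxies (added example)."""
import ipaddress
from typing import Optional

# Constructed trusted-proxy set: the web server's own address (the WAF row says to
# list the server's IPs as trusted proxies) plus a stand-in CDN/load-balancer range.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _parse(ip: str):
    """Return an ip_address object, or None for malformed input."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def is_trusted(ip: str, trusted=TRUSTED_PROXIES) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in trusted)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Weak version: believe the leftmost X-Forwarded-For entry unconditionally."""
    if xff:
        first = xff.split(",")[0].strip()
        if _parse(first) is not None:
            return first
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Hardened version.

    Each proxy appends the address it received the request from, so the header reads
    left to right: client, proxy1, proxy2, ... with remote_addr as the final hop.
    Walk the chain from the right, discarding trusted proxies; the first untrusted
    address is the client. Anything further left was written by that untrusted party
    and is ignored.
    """
    if not is_trusted(remote_addr, trusted):
        # The peer is not a proxy we trust: whatever it put in the header is untrusted.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            # Malformed entry inside the trusted chain: fail closed to the peer address.
            return remote_addr
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was a trusted proxy, or the header was empty: nothing better to use.
    return remote_addr


def should_block(remote_addr: str, xff: Optional[str], blocklist,
                 trusted=TRUSTED_PROXIES) -> bool:
    """Apply an IpFilter-style blocklist to the resolved client address."""
    return client_ip(remote_addr, xff, trusted) in blocklist
```

The practical consequence for the WAF configuration described above: only the addresses that genuinely sit in front of the web server belong in the trusted-proxy list. Adding a range that clients can connect from directly turns the header into an attacker-controlled input again.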