Skip to content

BitNinja in ispmanager

BitNinja is a comprehensive cloud-based security system that operates at multiple levels. It detects and blocks network attacks, filters malicious traffic, scans files for viruses, and quarantines infected sites.

A single BitNinja license protects one server, with no limits on the number of users or sites.

The capabilities of the BitNinja module in the ispmanager panel are briefly listed below.

Section titled “The capabilities of the BitNinja module in the ispmanager panel are briefly listed below.”

A complete list of BitNinja features and configuration details can be found in the developer documentation.

NameBrief DescriptionAvailability
IpFilterCompares IP addresses against blacklists and greylists containing millions of entries. If a match is found, it restricts actions or blocks the IPEnabled by default
ShogunTransmits incident data between different system components. For example, if an incident occurs in the Captcha HTTP module, it is processed and forwarded to other modules, such as AntiFlood and IpFilterEnabled by default
AntiFloodTemporarily blocks an IP address to reduce load if there are multiple connection attempts targeting other modules (e.g., Captcha)Enabled by default
Captcha HTTP moduleUsed to handle false-positive blocks; allows users to remove themselves from the blacklist by solving a CAPTCHAEnabled by default
Captcha FTP moduleChecks if an IP address attempting an FTP connection is on a blacklist. If found, it simulates an FTP connection without establishing a real one; any data uploaded during this simulation is quarantinedManual configuration
Captcha SMTP moduleUsed to catch false-positive blocks. This CAPTCHA allows users to remove themselves from the blocklist. Unlike the Captcha HTTP module, this one allows removal when connecting via SMTP. Users can only remove themselves from the blocklist a limited number of times, so it is best to notify the server owner about the issueEnabled by default
Database Cleaner (SQL Scanner)Scans SQL databases for malware. Operates only after a full scan has been performed. Works only with MySQL (other DBMSs have not been tested). Compatible with WordPress, Joomla, and DrupalManual configuration
DefenseRobotWorks in conjunction with MalwareDetection. Upon receiving information from MalwareDetection, the module attempts to locate logs associated with the malware upload. If a log is found, incident details are saved, and information about the attacker is pre-stored in the Shogun module. If the threat is detected again, the IP is added to the blocklist via ChallengeList. The module analyzes the 30 seconds of activity preceding the malware file modificationEnabled by default
DefenseRobot SaveUnFilteredLoglinesSaves all logs generated in the 30 seconds prior to a malware file modification, including API connections (GET, POST, HEAD, PUT requests). These log entries do not trigger incidentsManual configuration
DefenseRobot CollectUnWatchedLogsSaves Auth, Exim, PostfixLogin, and other logs from SenseLog. These log entries do not trigger incidentsManual configuration
DosDetectionMonitors active connections. If more than 80 connections originate from a single IP address, BitNinja identifies this as an attack and adds the IP to the blocklist for one minute. The connection limit (threshold) can be adjusted via the interface. Important: BitNinja does not protect against classic DDoS attacks. Indirect protection can be configured via the IpFilter, DosDetection, and SslTerminating modulesEnabled by default
MalwareDetectionA module for detecting malware in files. After installation, BitNinja initiates a deep scan, which may temporarily increase server loadEnabled by default
AI Malware ScanA faster scan that places no load on the server. It transmits MD5 hashes to BitNinja servers, where AI-based scanning takes placeManual configuration
AI Active ScanTransmits live monitoring data to BitNinja serversManual configuration
Port HoneypotThis module deploys up to 100 traps on random ports selected from the most commonly used ones. Port Honeypot detects port scanning activity (excluding stealth scans), captures all incoming traffic directed at the traps, and responds to requests. If an attacker attempts to use a trap, the module generates an incident reportEnabled by default
SenseWebHoneypot (Web Honeypot)This module simulates a backdoor. If an attacker attempts to use it, the module collects all available information about the attacker and blocks them. Technically, it appears as a PHP file containing specific code; these files should be placed in locations where attacks are likely to occurManual configuration
ProxyFilter (TrustedProxy)Works with requests coming from trusted networks (for example, CloudFlare). Simple IP/TCP analysis won’t work here, as it requires analyzing the IP specified in the X-forwarded-for header. This module requires at least 2 GB of free server space.Enabled by default
SandboxScannerSearches for unknown PHP files and scans them in a secure local environment. It’s essentially a PHP emulator. Enabled by default, but if you disable Malware Detection, you must manually enable SandboxScanner.Enabled by default
SenseLog (Log Analysis)Analyzes server logs for suspicious activity. This includes Apache, NginX, OS logs, Exim, Postfix, Dovecot, MySQL, the ispmanager dashboard, and some others.Enabled by default
SiteProtectionThis module was previously a standalone application. Now available with the main installation. Designed to protect the website (not the server): collects statistics, displays email addresses with compromised passwords, and interacts with other BitNinja modules. Focuses specifically on websitesManual configuration
Spam DetectionHelps detect situations where website forms are used for spam attacks. This module only works with Exim. The module sends outgoing mail information (headers, sender, and recipient) to BitNinja servers, where all this information is analyzed using AIEnabled by default
SslTerminatingHelps CaptchaHTTP and WAF work correctly with HTTPS requests. Powered by HAProxy 1.9.13. Will soon be replaced by Caddy ServerEnabled by default
Vulnerability PatcherScans for vulnerabilities on the server and provides patches for them. This module implements CVE fixes on the server. Nothing is automatically populated, but BitNinja highlights any vulnerability.Manual Configuration
Web Application Firewall (WAF)Scans incoming traffic. By default, it only works with HTTP requests; SSLTerminating must be enabled for HTTPS. For the module to work as smoothly as possible, in addition to SSLTerminating, you must configure the server’s IP addresses as trusted proxies. It is possible to work with a CDN, load balancer, or proxies installed at the web server’s entrance. Working together with BitNinja’s WAF and ModSecurity’s WAF in the panel is possible, but requires fine-tuning. For example, BitNinja’s WAF, thanks to its reverse proxy architecture and support for full OWASP CRS rules, can serve as the primary means of protection. At the same time, WAF (ModSecurity) can act as an additional audit tool.
The optimal configuration is to enable all critical rules in the BitNinja WAF settings and use it as the primary blocking tool, while switching WAF (ModSecurity) to detection-only mode or disabling it to avoid conflicts and excess load.
Enabled by default