BitNinja in ispmanager
BitNinja is a comprehensive cloud-based security system that operates at multiple levels. It detects and blocks network attacks, filters malicious traffic, scans files for viruses, and quarantines infected sites.
A single BitNinja license protects one server, with no limits on the number of users or sites.
The capabilities of the BitNinja module in the ispmanager panel are briefly listed below.
Section titled “The capabilities of the BitNinja module in the ispmanager panel are briefly listed below.”A complete list of BitNinja features and configuration details can be found in the developer documentation.
| Name | Brief Description | Availability |
|---|---|---|
| IpFilter | Compares IP addresses against blacklists and greylists containing millions of entries. If a match is found, it restricts actions or blocks the IP | Enabled by default |
| Shogun | Transmits incident data between different system components. For example, if an incident occurs in the Captcha HTTP module, it is processed and forwarded to other modules, such as AntiFlood and IpFilter | Enabled by default |
| AntiFlood | Temporarily blocks an IP address to reduce load if there are multiple connection attempts targeting other modules (e.g., Captcha) | Enabled by default |
| Captcha HTTP module | Used to handle false-positive blocks; allows users to remove themselves from the blacklist by solving a CAPTCHA | Enabled by default |
| Captcha FTP module | Checks if an IP address attempting an FTP connection is on a blacklist. If found, it simulates an FTP connection without establishing a real one; any data uploaded during this simulation is quarantined | Manual configuration |
| Captcha SMTP module | Used to catch false-positive blocks. This CAPTCHA allows users to remove themselves from the blocklist. Unlike the Captcha HTTP module, this one allows removal when connecting via SMTP. Users can only remove themselves from the blocklist a limited number of times, so it is best to notify the server owner about the issue | Enabled by default |
| Database Cleaner (SQL Scanner) | Scans SQL databases for malware. Operates only after a full scan has been performed. Works only with MySQL (other DBMSs have not been tested). Compatible with WordPress, Joomla, and Drupal | Manual configuration |
| DefenseRobot | Works in conjunction with MalwareDetection. Upon receiving information from MalwareDetection, the module attempts to locate logs associated with the malware upload. If a log is found, incident details are saved, and information about the attacker is pre-stored in the Shogun module. If the threat is detected again, the IP is added to the blocklist via ChallengeList. The module analyzes the 30 seconds of activity preceding the malware file modification | Enabled by default |
| DefenseRobot SaveUnFilteredLoglines | Saves all logs generated in the 30 seconds prior to a malware file modification, including API connections (GET, POST, HEAD, PUT requests). These log entries do not trigger incidents | Manual configuration |
| DefenseRobot CollectUnWatchedLogs | Saves Auth, Exim, PostfixLogin, and other logs from SenseLog. These log entries do not trigger incidents | Manual configuration |
| DosDetection | Monitors active connections. If more than 80 connections originate from a single IP address, BitNinja identifies this as an attack and adds the IP to the blocklist for one minute. The connection limit (threshold) can be adjusted via the interface. Important: BitNinja does not protect against classic DDoS attacks. Indirect protection can be configured via the IpFilter, DosDetection, and SslTerminating modules | Enabled by default |
| MalwareDetection | A module for detecting malware in files. After installation, BitNinja initiates a deep scan, which may temporarily increase server load | Enabled by default |
| AI Malware Scan | A faster scan that places no load on the server. It transmits MD5 hashes to BitNinja servers, where AI-based scanning takes place | Manual configuration |
| AI Active Scan | Transmits live monitoring data to BitNinja servers | Manual configuration |
| Port Honeypot | This module deploys up to 100 traps on random ports selected from the most commonly used ones. Port Honeypot detects port scanning activity (excluding stealth scans), captures all incoming traffic directed at the traps, and responds to requests. If an attacker attempts to use a trap, the module generates an incident report | Enabled by default |
| SenseWebHoneypot (Web Honeypot) | This module simulates a backdoor. If an attacker attempts to use it, the module collects all available information about the attacker and blocks them. Technically, it appears as a PHP file containing specific code; these files should be placed in locations where attacks are likely to occur | Manual configuration |
| ProxyFilter (TrustedProxy) | Works with requests coming from trusted networks (for example, CloudFlare). Simple IP/TCP analysis won’t work here, as it requires analyzing the IP specified in the X-forwarded-for header. This module requires at least 2 GB of free server space. | Enabled by default |
| SandboxScanner | Searches for unknown PHP files and scans them in a secure local environment. It’s essentially a PHP emulator. Enabled by default, but if you disable Malware Detection, you must manually enable SandboxScanner. | Enabled by default |
| SenseLog (Log Analysis) | Analyzes server logs for suspicious activity. This includes Apache, NginX, OS logs, Exim, Postfix, Dovecot, MySQL, the ispmanager dashboard, and some others. | Enabled by default |
| SiteProtection | This module was previously a standalone application. Now available with the main installation. Designed to protect the website (not the server): collects statistics, displays email addresses with compromised passwords, and interacts with other BitNinja modules. Focuses specifically on websites | Manual configuration |
| Spam Detection | Helps detect situations where website forms are used for spam attacks. This module only works with Exim. The module sends outgoing mail information (headers, sender, and recipient) to BitNinja servers, where all this information is analyzed using AI | Enabled by default |
| SslTerminating | Helps CaptchaHTTP and WAF work correctly with HTTPS requests. Powered by HAProxy 1.9.13. Will soon be replaced by Caddy Server | Enabled by default |
| Vulnerability Patcher | Scans for vulnerabilities on the server and provides patches for them. This module implements CVE fixes on the server. Nothing is automatically populated, but BitNinja highlights any vulnerability. | Manual Configuration |
| Web Application Firewall (WAF) | Scans incoming traffic. By default, it only works with HTTP requests; SSLTerminating must be enabled for HTTPS. For the module to work as smoothly as possible, in addition to SSLTerminating, you must configure the server’s IP addresses as trusted proxies. It is possible to work with a CDN, load balancer, or proxies installed at the web server’s entrance. Working together with BitNinja’s WAF and ModSecurity’s WAF in the panel is possible, but requires fine-tuning. For example, BitNinja’s WAF, thanks to its reverse proxy architecture and support for full OWASP CRS rules, can serve as the primary means of protection. At the same time, WAF (ModSecurity) can act as an additional audit tool. The optimal configuration is to enable all critical rules in the BitNinja WAF settings and use it as the primary blocking tool, while switching WAF (ModSecurity) to detection-only mode or disabling it to avoid conflicts and excess load. | Enabled by default |