Compatibility
Do you already use tools to secure your server? You may not need them as BitNinja comes with many different modules to secure your server from every aspect and may make your previous solutions redundant. If you would like to keep your existing solutions, you can find out the compatibility of different 3rd party software below.
| 3rd party software | Compatible | Related BitNinja module |
|---|---|---|
| APF (Advanced Policy Firewall) | yes | ipfilter, ip-reputation |
| CSF (Config Server Firewall) | yes | ipfilter, ip-reputation |
| CXS (Config Server Exploit) | no | MalwareDetection |
| Dome9 | no | ipfilter, ip-reputation |
| fail2ban | yes | SenseLog |
| firewalld | yes | ipfilter, ip-reputation |
| Imunify360 | no | WAF, ipfilter, ip-reputation, MalwareDetection, SenseLog |
| iptables-services | yes | ipfilter, ip-reputation |
| LFD (Login Failure Daemon) | yes | SenseLog |
| maldet | no | MalwareDetection |
| mod_security | yes | WAF |
| Uncomplicated Firewall | yes | WAF |
| Wordfence | yes | WAF, MalwareDetection |
Below is some additional information regarding different 3rd party softwares.
CSF
BitNinja is compatible with this tool but CSF manages iptables rules aggressively. Every time you change a rule it flushes all iptables rules and reloads only its own. CSF then invokes an external script; BitNinja has the integration and sets it up automatically but it still means there is a slight time window when the BitNinja rules are not set every time CSF reloads. Many users reported the use of CSF with BitNinja successfully, although BitNinja makes CSF redundant.
CXS
BitNinja is not compatible with CXS. Our MalwareDetection module can't
run parallel with it. It is safe to switch from CXS to BitNinja's MalwareDetection.
Docker
You can use BitNinja in a Dockerized environment with simply installing BitNinja on the host machine, so it will monitor all inbound traffic even the requests forwarded to the containers. After installing, BitNinja will automatically allow all of your external IP addresses so it won't interfere with the communication between the hosts, but please double check the allow listing by yourself as well.
This way BitNinja can't analyze the logs, but still maintain a lot of security measurements. You will be able to use the WAF module and malware detection beta modules too.
Dome9
Unfortunately Dome9 drops any iptables rules other than its own, so Dome9 is not compatible with BitNinja, currently.
fail2ban
You can keep fail2ban running on your server but in most use cases SenseLog
makes it redundant. Fail2ban has some limitations as it opens every log file
for every separate rule you have, so it can consume more resources. Fail2ban
will also block suspicious IPs and it can frustrate users. Read more about how we
solved this issue by introducing the challenge list technique for different protocols:
ip-reputation.
firewalld
The BitNinja agent is compatible with the RHEL 7.x+ default firewall management service. Firewalld cannot be used simultaneously with iptables-services.
iptables-services
BitNinja is compatible with this firewall management service which serves as a wrapper for iptables, and makes it easier to use.
LFD
BitNinja's SenseLog can run with LFD in parallel, though it is safe
to stop LFD, as it is redundant to run SenseLog with LFD.
maldet
BitNinja is not compatible with maldet, the bash script for detecting malwares.
Our MalwareDetection module can't run parallel with maldet.
It is safe to switch from maldet to BitNinja's MalwareDetection.
mod_security
Mod_security is an apache2 WAF with fixed pattern based rulesets. Our WAF
module operates as a local reverse proxy so it is fully compatible with any web
server. You can decide to keep your mod_security rules or drop them and rely on
our WAF, it is up to you.
Uncomplicated Firewall
Uncomplicated Firewall is a front-end from iptables, it does not clash with BitNinja's rules.
Virtuozzo / OpenVZ
BitNinja is compatible with Virtuozzo / OpenVZ.
Third Party monitoring services
If you are using free monitoring or scanner services like HackerGuardian, you should add them to your allow list for the scan time. You can add them permanently, but it is not recommended because attackers like to use free online tools to scan victim servers.
If you want to use HackerGuardian, their IP range is:199.66.200.0/21
Saving iptables rules
It is not advised to save and load iptables rules created by BitNinja, because the ipfilter module is responsible for
creating and loading these rules, and to create port redirections dynamically for running processes. The module will
delete rules that may be stuck from previously running processes, for when the BitNinja agent's processes are stopped incorrectly.
In case of you have a CentOS 7 server, and you've decided to use iptables-services instead of firewalld, and you need to save the iptables rules, follow the steps below. We've successfully tested the following scenario on one of our test servers.
Install ipset-service with the following command:
yum install ipset-service
Install the ipset service, and use the following command to save the ipsets:
service ipset save
Save the actual iptables rules with the following command:
iptables-save | grep -v Bitninja > rules.txt