Installation on Virtuozzo/OpenVZ
If you’d like to install BitNinja on a Virtuozzo/OpenVZ virtual server, there are some limitations you need to be aware of.
Among the main features of BitNinja Server Security are the IP reputation lists. They are managed by the IpFilter module, and the module is built on two utilities: ipset and iptables.
On Virtuozzo/OpenVZ (and other container-based virtualization), ipset is often not available inside the container. When ipset is missing, BitNinja falls back to a simulated ipset built from plain iptables rules. This fallback is much less efficient than a real ipset, so avoid it whenever possible. In particular, the simulated ipset cannot hold the full greylist of millions of IP addresses, so the BitNinja agent starts with an empty greylist and only uses IP information collected since its last restart. This mode of operation is limited and offers only partial protection.
The container must also be allowed to use iptables. On Virtuozzo this permission is sometimes not granted; if that is the case, contact your VPS provider and ask them to enable iptables for your container. Without iptables, BitNinja cannot function properly and cannot protect your server.
The country block feature is also limited on Virtuozzo: the number of IP ranges on the user blacklist and user whitelist is limited to 8000.
For more information about the IP reputation lists, please read the following section of our documentation: IP reputation
Under certain circumstances the WAF module will not start on Virtuozzo. The module is built on an nginx reverse proxy, so enabling it multiplies the number of TCP connections and packets the kernel has to track. If nf_conntrack_max and the conntrack hashsize are small, the connection tracking table fills up and new connections are dropped, which prevents the WAF from working.
In this case, contact your VPS provider and ask them to raise these values to a reasonable amount. The values the BitNinja WAF currently uses are:
nf_conntrack_max: 131072
hashsize: 16384
For BitNinja to work properly, it needs to raise its open-file limit. On Virtuozzo the process may not have permission to raise this value, with two consequences: the BitNinja main process cannot fork itself, and the SenseLog module cannot open the log files it needs to monitor.
In this case, you will also need to contact your service provider to increase the open-file limit.
Please consider this information before installing BitNinja.
The Malware Detection module uses inotifywait for active malware protection. inotifywait is bound by the value in /proc/sys/fs/inotify/max_user_watches, the upper limit on the number of inotify watches that can be created per real user ID. inotifywait quickly reaches the default value, and when that happens BitNinja tries to raise it to 30,000,000. On Virtuozzo and OpenVZ it does not have permission to change this value, so the inotifywait process stops.
In this case, you will need to contact your service provider to increase max_user_watches; otherwise BitNinja cannot provide active malware protection for your server.
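The following pre-install check script is added here as an example; it is not part of BitNinja's installer or agent. Run as root inside the container before installing, it probes each limitation described above: whether ipset and iptables are usable, whether nf_conntrack_max and the conntrack hashsize meet the values quoted for the WAF, whether the open-file hard limit can be raised, and whether max_user_watches already meets the 30,000,000 target or is at least writable so BitNinja could raise it. The threshold constants are the figures from this page; the /proc and /sys paths are the standard kernel locations (they may simply be absent in a container, which the script reports as a warning), and the `ulimit -H -n` probe assumes a shell that supports it (bash and dash both do).

```shell
#!/bin/sh
# Pre-install checks for the Virtuozzo/OpenVZ limitations described on this page.
# Added example, not BitNinja's own code. Thresholds are the values the page
# quotes; /proc and /sys paths are the usual kernel locations and may be
# missing inside a container (reported as WARN). Run as root for meaningful
# ipset/iptables results.

NF_CONNTRACK_MAX_MIN=131072        # value the page says the WAF uses
NF_CONNTRACK_HASHSIZE_MIN=16384    # likewise for the conntrack hashsize
INOTIFY_WATCHES_MIN=30000000       # value BitNinja tries to raise max_user_watches to

# have_cmd NAME: succeed if NAME is on PATH.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# file_int_at_least FILE MIN: succeed if FILE is readable and holds an
# integer >= MIN. A missing file (common for /proc/sys in containers) fails.
file_int_at_least() {
    _file=$1; _min=$2
    [ -r "$_file" ] || return 1
    _val=$(tr -dc '0-9' < "$_file")
    [ -n "$_val" ] && [ "$_val" -ge "$_min" ]
}

# hard_nofile_is_raisable: succeed if this process may raise its own hard
# open-file limit. The probe runs in a subshell so the caller's limits stay
# untouched. Assumption: the shell supports 'ulimit -H -n'.
hard_nofile_is_raisable() {
    _hard=$(ulimit -H -n)
    [ "$_hard" = unlimited ] && return 0
    ( ulimit -H -n $((_hard + 1)) ) 2>/dev/null
}

# report STATUS MESSAGE: print one result line and count WARN lines.
report() {
    printf '%-4s %s\n' "$1" "$2"
    if [ "$1" = WARN ]; then warnings=$((warnings + 1)); fi
}

# run_checks: one line per limitation; returns the number of WARN lines.
run_checks() {
    warnings=0

    if have_cmd ipset && ipset list -n >/dev/null 2>&1; then
        report PASS "ipset is usable: IpFilter can load the full greylist"
    else
        report WARN "ipset unavailable: BitNinja falls back to simulated ipset (empty greylist at start)"
    fi

    if have_cmd iptables && iptables -S >/dev/null 2>&1; then
        report PASS "iptables is usable"
    else
        report WARN "iptables missing or not permitted: ask the VPS provider to enable it"
    fi

    if file_int_at_least /proc/sys/net/netfilter/nf_conntrack_max "$NF_CONNTRACK_MAX_MIN"; then
        report PASS "nf_conntrack_max >= $NF_CONNTRACK_MAX_MIN"
    else
        report WARN "nf_conntrack_max missing or below $NF_CONNTRACK_MAX_MIN: WAF may not start"
    fi

    if file_int_at_least /sys/module/nf_conntrack/parameters/hashsize "$NF_CONNTRACK_HASHSIZE_MIN"; then
        report PASS "conntrack hashsize >= $NF_CONNTRACK_HASHSIZE_MIN"
    else
        report WARN "conntrack hashsize missing or below $NF_CONNTRACK_HASHSIZE_MIN: WAF may not start"
    fi

    if hard_nofile_is_raisable; then
        report PASS "open-file hard limit can be raised (currently $(ulimit -H -n))"
    else
        report WARN "open-file hard limit fixed at $(ulimit -H -n): main process may fail to fork, SenseLog may fail to open logs"
    fi

    _watches=/proc/sys/fs/inotify/max_user_watches
    if file_int_at_least "$_watches" "$INOTIFY_WATCHES_MIN"; then
        report PASS "max_user_watches >= $INOTIFY_WATCHES_MIN"
    elif [ -w "$_watches" ]; then
        report PASS "max_user_watches below $INOTIFY_WATCHES_MIN but writable: BitNinja can raise it"
    else
        report WARN "max_user_watches missing, or below $INOTIFY_WATCHES_MIN and not writable: active malware protection will stop"
    fi

    return "$warnings"
}

run_checks
echo "warnings: $?"
```

Every WARN line maps to one of the limitations above and is something to raise with the provider before installing; PASS lines for ipset and iptables are only meaningful when the script is run as root, since both commands fail for unprivileged users regardless of the container's configuration.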