CaptchaFtp module

The CaptchaFtp module is an FTP server capable of both active and passive mode, integrated into the BitNinja agent. This module checks the IP addresses that try to connect to it and detects whether the IP is on the BitNinja greylist. If the IP is greylisted, the module simulates the FTP connection and won’t allow any real FTP operations for the malicious IP. Using the simulated FTP connection, the owner of the greylisted IP will find a file named: your_IP_is_greylisted_README.txt

This file contains instructions on how to delist the IP address. The instructions explain that the owner of the greylisted IP address should visit the IP of the server in a browser and solve the CAPTCHA.

If an attacker with a greylisted IP address tries to upload a file using the simulated FTP connection, the file is saved only to the BitNinja quarantine folder. This folder is located in /var/lib/bitninja/CaptchaFtp. For example, if the attacker tries to upload a file named backdoor.php on 2nd January 2019, the file is saved to this location: /var/lib/bitninja/CaptchaFtp/2019/01/02/ and is renamed according to the following pattern: <hour_of_upload>_<minute_of_upload>_<unique_id>
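The quarantine layout described above can be inventoried for triage with a short script. This is an added example, not part of the BitNinja agent or its documentation; the function name list_quarantined and the assumption that the hour and minute fields are one or two digits are illustrative, since the page does not specify the exact format.

```python
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Quarantine root as stated on this page.
QUARANTINE_ROOT = Path("/var/lib/bitninja/CaptchaFtp")

# <hour_of_upload>_<minute_of_upload>_<unique_id>; digit widths and the
# unique_id alphabet are assumptions, the page does not specify them.
NAME_RE = re.compile(r"^(\d{1,2})_(\d{1,2})_(.+)$")


def list_quarantined(root=QUARANTINE_ROOT):
    """Return one record per quarantined upload, oldest first (read-only)."""
    records = []
    root = Path(root)
    for path in root.glob("*/*/*/*"):  # <year>/<month>/<day>/<file>
        if path.is_symlink() or not path.is_file():
            continue
        year, month, day = path.relative_to(root).parts[:3]
        m = NAME_RE.match(path.name)
        if not m:
            continue  # not in the documented naming pattern
        try:
            uploaded = datetime(int(year), int(month), int(day),
                                int(m.group(1)), int(m.group(2)))
        except ValueError:
            continue  # directory names or time fields are not a valid date
        digest = hashlib.sha256()
        with path.open("rb") as fh:  # hashed in chunks, never executed
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        records.append({
            "uploaded": uploaded,
            "unique_id": m.group(3),
            "size": path.stat().st_size,
            "sha256": digest.hexdigest(),
            "path": str(path),
        })
    return sorted(records, key=lambda r: (r["uploaded"], r["path"]))


if __name__ == "__main__":
    for r in list_quarantined():
        print(f'{r["uploaded"]:%Y-%m-%d %H:%M}  {r["sha256"]}  '
              f'{r["size"]:>8}  {r["path"]}')
```

The original upload name (backdoor.php in the example above) is not part of the stored file name, so the SHA-256 value is the practical key for matching a quarantined file against other records.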

Note

For even more information, you can read our blog article about the CaptchaFtp module on our website: https://bitninja.io/blog/2019/01/07/new-feature-available-ftp-captcha

The CaptchaFtp module is disabled by default. You can enable it using the following command:

bitninjacli --module=CaptchaFtp --enabled

Relations to other modules

CaptchaFtp sends events to the Shogun module, which forwards them to BitNinja Central, and to the AntiFlood module, which detects flood attempts and blocks them.

Customizing the port of CaptchaFtp

You can customize the default port of the CaptchaFtp module in the /etc/bitninja/CaptchaFtp/config.ini file by modifying the port numbers in the configuration.

The default configuration is the following:

[FtpServer]
listen_addr = "0.0.0.0"
listen_port = 60210
low_port = 60211
high_port = 60250
max_conn = 10
max_conn_per_ip = 3
server_name = "BitNinja FTP CAPTCHA server"

If you want to change the default port from 60210 to something else, you should modify the value of listen_port in the config.ini.

If you want to change the default range for FTP passive mode from 60211-60250, you should change the values of low_port and high_port in the config.ini.

After you’ve changed the values in the config file and saved it, you should reload the CaptchaFtp module with the following command:

bitninjacli --module=CaptchaFtp --reload