Outbound Web Application Firewall

BitNinja’s OutboundWAF module scans only outgoing connections, in real time, using its built-in HTTP proxy. Upon activation, BitNinja injects an iptables rule into your nat table that redirects all outgoing traffic to port 80 not made by root to 127.0.0.1:60100, a port dedicated to BitNinja OutboundWAF. The OutboundWAF process analyzes the outgoing request, then opens a connection from your server to the remote server and fetches the actual content.

If BitNinja finds a suspicious connection, it sends the incident to the BitNinja analyzer central and tries to find which process and script is responsible for it.
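One way to verify on a server that the redirect described above is actually in place, and to see which uids it exempts (the page states root is not watched), is to parse the nat table dump. This is an added example, not BitNinja code; the exact rule BitNinja installs is not documented here, so the sample rule below is constructed to match the described behaviour and the live rule may differ.

```python
"""Check an iptables-save dump for the OutboundWAF port-80 redirect.

Added example, not BitNinja code. SAMPLE_DUMP is a constructed rule matching
the behaviour described on the page (nat table, port 80, non-root traffic to
local port 60100); BitNinja's real rule may differ.
"""
import re
import sys

OWAF_PORT = 60100  # local port dedicated to OutboundWAF

# Constructed sample of `iptables-save -t nat` output for offline testing.
SAMPLE_DUMP = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 0 -j REDIRECT --to-ports 60100
COMMIT
"""

TO_PORT = re.compile(r"-j (?:REDIRECT --to-ports |DNAT --to-destination 127\.0\.0\.1:)(\d+)")

def find_redirects(dump, port=OWAF_PORT):
    """Return nat OUTPUT rules sending TCP traffic to local `port`, with the
    uids each rule exempts via `-m owner ! --uid-owner` (root, per the page)."""
    hits, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):           # table header, e.g. *nat
            in_nat = line.strip() == "*nat"
            continue
        if not (in_nat and line.startswith("-A OUTPUT ")):
            continue
        dport, to = re.search(r"--dport (\d+)", line), TO_PORT.search(line)
        if dport and to and int(to.group(1)) == port:
            exempt = [int(u) for u in re.findall(r"! --uid-owner (\d+)", line)]
            hits.append({"dport": int(dport.group(1)), "exempt_uids": exempt})
    return hits

def redirect_active(dump, dport=80, port=OWAF_PORT):
    """True when outgoing traffic to `dport` is redirected to OutboundWAF."""
    return any(h["dport"] == dport for h in find_redirects(dump, port))

def exempt_uids(dump, dport=80, port=OWAF_PORT):
    """Sorted uids whose port-`dport` traffic bypasses the redirect."""
    return sorted({u for h in find_redirects(dump, port)
                   if h["dport"] == dport for u in h["exempt_uids"]})

if __name__ == "__main__":
    # Live use: iptables-save -t nat | python3 owaf_check.py
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print("redirect active:", redirect_active(data), "exempt uids:", exempt_uids(data))
```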

Limitations

  1. BitNinja OutboundWAF currently has a limit of 1000 simultaneous connections.
    If your server handles more than this, see the configuration section on how to raise this limit.
  2. BitNinja OutboundWAF forks a new process for every request to spread the load
    across multiple CPUs. Every process currently has a memory footprint of about 1.7 MB, so it is designed to be resource friendly, but be aware of resource usage in large-scale installations.
  3. Requests made by root are not watched.
  4. BitNinja OutboundWAF uses ss to find which process is responsible for a malicious
    request, and on some servers this can cause higher load.

Activating and Deactivating the OutboundWAF module

Here is how to activate the OutboundWAF module:

  1. Log in to https://admin.bitninja.io/
  2. Navigate to https://admin.bitninja.io/modules
  3. Select the server on which you want to activate the OutboundWAF module.
  4. Switch OutboundWAF on.

Or you can use the command line:

bitninjacli --module=OutboundWAF --enabled

BitNinja’s OutboundWAF will be activated within 15 seconds.

To deactivate the OutboundWAF module you have 3 options:

  1. You can use the dashboard: set the OutboundWAF module to disabled and save.

  2. You can use the command line:

    bitninjacli --module=OutboundWAF --disabled
    
  3. You can shut down BitNinja entirely (this is the most radical option, but it also disables the OutboundWAF cleanly):

    service bitninja stop
    

Configuration

The OutboundWAF module uses the config file located at /etc/bitninja/OutboundWAF/config.ini.

In some cases you don’t want the OutboundWAF to monitor the outgoing HTTP connections of certain users, e.g. an HAProxy load balancer or an Nginx reverse proxy. You can disable OutboundWAF monitoring for these users by adding their names to the configuration like this:

[usercontrole]
ignoredUsers[] = 'bitninja-waf'
ignoredUsers[] = 'bitninja-ssl-termination'