BitNinja Knowledgebase

BitNinja is an easy-to-use server security tool mixing the most powerful defense mechanisms. We have invented a new technology, called defense network. Every BitNinja protected server learns from every attack and the system applies this information automatically on all BitNinja enabled servers. This way the shield is getting more and more powerful with every single attack.
BitNinja has different modules for different aspects of cyber attacks. It is super easy-to-install, requires virtually no maintenance and able to protect any server by providing immediate protection against a wide range of cyber attacks.
Please feel free to learn more on the Features site or the Technical Documentation.

BitNinja is primarily designed for the needs of hosting providers. However, it is also a perfect choice for any VPS, colocation and SaaS provider, website developer, digital agency and any other company that runs their own servers and wants to keep them safe on the Internet.

BitNinja has proved to be effective on more than 2000 production servers so far. Due to the effective filtration of nonstop malicious network scans and attack attempts, on average, it has reduced network traffic by 50%. BitNinja has also shown to minimize forum and contact form spam and attacks against various CMSs (WordPress, Joomla, Drupal). Server load level has been dramatically reduced while the servers’ operational stability and availability have significantly increased. For example, one of our first partners, a web hosting company experienced an average server availability change from 98% to 99%. The reduction in downtime saved their admins’ time and saved money for their business.

Just to tell some key points:

Instead of dealing with security threats separately, here at BitNinja we have a holistic approach to it. We provide different modules to the different aspects of server security, so 360° defense is granted by our modular solution.

• With the power of collective intelligence, your server becomes more protected every second, as we sync attack information among all the BitNinja protected servers worldwide.

• Moreover, while cloud-based security solutions require your traffic to be redirected through their servers, with BitNinja, you don’t have to do any configuration. Also, any failures of the cloud-based party can make your server unavailable, which is a huge risk to take. Our service runs on your own existing infrastructure, so there is no downtime if anything stops running in our system.

• BitNinja directly protects not only on HTTP, but all other protocols (HTTPS, SMTP, IMAP, POP3, SSH, FTP) as well.

Yes, we provide comprehensive support for our partners (having Pro or Basic license), including technical support for incident management, configuration or threat management.

Rebranding BitNinja is not an option. But we have a partner program you can join to provide BitNinja as a value-added service to your customers. For more information, please contact our Ninjas at

Yes, we have a Reseller Partner Program that allows you to sell BitNinja worldwide.
Our Reseller Panel, API, and Reseller Kit for marketing purposes grants a quick start to launch your business.

If your IP is listed on our greylist, you can either remove it on the Dashboard or using our CLI. In case you’re not a BitNinja partner, please contact us and if there aren’t any recent harmful activities, we’re happy to do the removal for you quickly and for free.

No, we don’t work like Cloudflare or any other cloud-based security tool. BitNinja is a hybrid of an on-premise and cloud-based solution. You can install it on your server and it gives the protection of a defense network by communicating with the cloud.

On the other hand, most CDNs are only worth using against network layer DoS attacks and their primary function is not securing a server. But BitNinja can protect against 99% of web attacks.

No, it isn’t a container, but if you install it on the host server, BitNinja is able to protect all containers.

CSF is a basic filtering tool only for Linux boxes, while BitNinja is a modular defense shield. Many users reported the use of CSF along with BitNinja successfully, although BitNinja makes CSF redundant.

No, BitNinja is a proprietary software.

You can follow our feature updates through our social media sites, blogs and newsletters. Also, you can check the changelog for more details.

We send incident-reports to alert the server owners about the malicious traffic we received from their server. The incident-report contains the first three incidents - the reasons of the greylisting- and a link to our Public Page, where you can check the last 100 incidents.

If you need any help interpreting the report, please check our investigation site or contact us by email at

The concept of Tor to provide worldwide anonymity for their users has opened the gates for numerous highly restricted countries. Due to this reason, it's really hard to track back the origin of the requests and numerous hackers use it to hide their activities.

The case is nearly the same with the proxies too. At the moment, we can't track back the source of the requests. We are planning a solution that can ease the situation with trusted proxies.

BitNinja does not observe any activity from internal IP addresses, as BitNinja has been created to protect your server from any incoming attacks from external addresses.

With our trap mailboxes, we collect huge amounts of spamming IPs and put them on our greylist. With our IP database, collected worldwide, BitNinja prevents the connection of those IPs. We eliminate the false positives with CaptchaSmtp and allow human users to remove themselves from the greylist easily.

BitNinja observes mainly the incoming traffic, and provides higher protection to our customers, although the DoS Detection and the Outgoing Traffic Analyzer module observe the outgoing traffic as well.

You can use BitNinja in a Dockerized environment with simply installing BitNinja on the host machine, so it will monitor all inbound traffic even the requests forwarded to the containers.

  • • CMS (Wordpress, Joomla, Drupal) scans and hacks

  • • Open port scans

  • • Enumeration attack

  • • SQL vulnerability scanning

  • • SQL injections

  • • Brute force

  • • Malware infections

  • • Deface

  • • Phishing

  • • Application layer DoS attacks

  • • Slowloris 

  • • Spams

  • • Directory traversal

  • • Unvalidated file uploads

  • • XSS

Yes, against its non-distributed version.

Our greylist provides indirect protection by dropping the connections from known malicious botnets. At the moment we have information about more than 15 million IPs worldwide.

BitNinja monitors the number of simultaneous incoming and outgoing connections and interferes in case of a DDoS attempt. Unlike any other solutions, we don’t permanently block the source but drop the connections and greylist the attacker's IP.

We react as fast as we can and our worldwide honeyfarm also helps with it. We constantly monitor and analyze new incident patterns so we can intervene ASAP.

You can configure BitNinja to capture attacks, but currently we cannot provide our full-stack protection for name servers.

Yes, BitNinja provides both, in our system these parts are not separated, the detective and defensive modules are working together to protect your device.

The main difference is that CloudFlare's service is basically a content delivery network, while BitNinja is a more complex, server-based solution. Both BitNinja and CloudFlare is able to protect your server against DoS attacks. CloudFlare can protect against lower level attacks, for example, network bandwidth exhaustion, BitNinja will block attacks on your server at the network layer of the TCP/IP model. This will prevent attacks which work by exhausting the resources on the server (memory, CPU time, the number of processes, entries in the connection tracking table, free TCP ports, application's resources, etc.). Your server won't produce any outgoing traffic towards the attacking IP, therefore BitNinja can also protect against attacks where the attacker tries to exhaust the outbound bandwidth.

Yes, you can install it on your server with one line of code, within 1 minute. This way your server becomes part of a defense network, counting more than 2.000 servers worldwide. Thanks to the shared attack information, the defense shield becomes more and more powerful with every single attack.

Definitely not. We don’t just virtual-patch known CMS vulnerabilities. We provide protection for the whole server on every protocol against a wide range of cyber attacks.

That domain seems to be used for testing open proxies if all or nearly all of the requests sent with absolute URI. The absolute URI form is required when the request is being made to a proxy. The proxy is requested to forward the request or service it from a valid cache, and returns with a response. If your server works as an open proxy, it will forward the request to If the attacker can access, they will see whether your server forwarded the request and this way, so they will be able to find out if your server works as an open proxy or not. While this scan is not malicious on its own, open proxies can be used to hide the true IP address of the attacker and may be used for several different kinds of attacks, e.g DDoS attacks.

Yes, our control panel is designed for your convenience. You can manage all your servers in one place, so don’t have to login and make the same settings several times. We also provide statistics, history data and real-time threat monitoring.

All the modules can be enabled/disabled through the Dashboard at the Modules menu. For more precise configuration, you can use individual log files, according to the Technical Documentation.

Yes, you can add or remove IPs from your black/white/greylists through the CLI or on the Dashboard. Your changes are processed immediately, so your security settings are applied instantly. If necessary, you can also handle IP ranges or block countries with customized time frames to eliminate any attack attempt from those regions.

Thanks to the Events, you can follow every malicious event and update, connected to your servers, in a real-time log panel. 

• Here you can see update info, white/black/greylisting of IPs, all IP removals, notifications from defense modules and incoming attacks. 

• Here you can also check any affected IP’s history by clicking on them, or analyze the log feed on your servers’ separately. Just click on the name of the server.

Once you add or remove an IP on a list, changes are automatically applied to all the servers managed under that particular account.

Besides the collective log feed, you can also analyze your servers’ logs separately. Just click on the server’s name in the Events panel, or go to the Servers/Details/Logs menu.

Yes, you can add/invite new members to your account on the Dashboard/Users menu using the List/Add Users button. You can set 4 pre-defined roles to each user, depending on the level of access you want to grant. Now you can choose between Admin, Server Operator, Server Group Operator or Invoice/Accounting Manager, but later on we plan to add new roles with more defined access points.

Yes, you can invite them at Dashboard/Users using the List/Add Users button. Assign them the role “Invoice/Accounting Manager”, so they will only have access to your invoices.

Yes, you get your first attack report right after the first 10 captured attacks after the installation of BitNinja. Then, we send a report about your servers on a weekly basis.

There are several opportunities to monitor the efficiency of the Ninja Army. Check the Event log for real-time attack events.

Check the server-based Trends, Logs or Analytics at the Serves/Details menu.

At Dashboard/IP Manager, can filter incidents based on incident type, time frame for distinct servers or IPs.

You can handle IP ranges with customized time frames at the Dashboard/IP manager menu. Please handle with care because whitelisting an IP means that the traffic from those sources bypasses the rules of BitNinja on your server. 

You can handle IP ranges or block countries with customized time frames to eliminate any attack attempt from those regions at the Dashboard/IP manager menu.
In our weekly reports, we regularly summarize the most frequent attack sources of your servers. In case you don’t expect valid traffic from those countries, it’s worth blocking them from your server. You can also monitor the top attacker countries at the Dashboard/Servers/Details/Analytics menu.

At the Dashboard/Servers menu, you can change the licence from “Basic” to “Pro” for server separately. If you haven’t added your payment details yet, you can change the licence at Dashboard/Payment by setting the License type Field from “Basic” to “Pro”. After you add your payment details, you will receive the full-stack protection immediately.

The full-functionality trial starts after the installation of your server and lasts for 7 days in case of each server.

If you previously added your payment details and you chose the Basic/Pro license at the Payments menu, your credit card will be charged with the presented price. If you chose Cancelled in the License type field, your licence will  automatically change to Cancelled, which means that the protection will be inactive on the server.

You only need to give your name and an email address to sign up on our website. After this, you receive a verification email to your mailbox with a confirmation link. Then, log into your account, add your servers and the trial starts instantly. No credit card needed to start the trial!

The Basic version is designed to protect your server against the most vicious IPs listed on our Essential List. This list contains ~2500 IPs worldwide. Secondly, the Basic version contains user-based blacklist and whitelist management. Please note that user-based listing does not equal with global rules. On the other hand, the Pro licence offers the benefit of global blacklist protection and one of BitNinja’s most powerful module, the greylist. Additionally, every other module is available for the users of the pro version, which are not components of the Basic, such as, WAF, Port and Web Honeypots, Malware Detection, etc.

If you login to the Dashboard, you will find it under the Payment menu. We issue invoices on Mondays on a weekly basis.

You can choose between monthly or annual payment on the Dashboard under the Payment menu.

You’ll be able to download the invoice the next Monday after each charge on the Dashboard.

We accept the following credit cards: Visa, MasterCard, Maestro, Diners Club, Discover, JCB, UnionPay, Laser, Solo.

Of course, you can use PayPal instead of credit card.

Yes. On the Dashboard under the Payment menu you can change the details anytime.

The list price doesn’t include VAT. Taxes are regulated according to European Union Agreements.

You don’t have to sign a long-term contract in order to enjoy the benefits of our service.

Here is the method how we count the hosted users on your server:

First of all, we check the number of system and non-system users by UID_MIN, MAX, SYS_UID_MIN/MAX, it can be defined in /etc/login.defs.
Moreover, we count different users' various folders in /home, /var/www, /var/www/vhosts. The largest is the benchmark for the pricing.

You can check the number in the different folders with the following command:

ls -n /home|awk '$3 >= UID_MIN'|awk '{print $3}'|sort|uniq|wc -l

ls -n /var/www/|awk '$3 >= UID_MIN'|awk '{print $3}'|sort|uniq|wc -l

ls -n /var/www/vhosts|awk '$3 >= UID_MIN'|awk '{print $3}'|sort|uniq|wc -l

/usr/bin/awk '-F' '[/:]' '{if ($3 >= 1000 && $3 < 60000 && $3 != 65534) print $1}' '/etc/passwd'  2>&1 |/usr/bin/wc '-l'

You can also check the users in the different folders with the following commands:

ls -lah /var/www/vhosts

ls -lah /var/www/

ls -lah /home

/usr/bin/awk '-F' '[/:]' '{if ($3 >= 1000 && $3 < 60000 && $3 != 65534) print $0}' '/etc/passwd'

After registration and the validation of your email address, you can login to your Dashboard. Click on the “Add server” button and install Bitninja on your server with a one-line code. When the installation is complete, click on the Modules menu to enable them for each of your servers.

BitNinja supports every Linux distributions. We design packages for .apt and .rpm based Linux systems and do automatic testing for the following distributions:

  • CentOS 6 32/64 bit
  • CentOS 7
  • CloudLinux 5
  • CloudLinux 6
  • CloudLinux 7
  • Debian 6 32/64 bit
  • Debian 7 32/64 bit
  • Debian 8 32/64 bit
  • OpenSUSE 42.3 (with configurations)
  • RedHatEnterpriseServer 5
  • RedHat 6 and up
  • Ubuntu 10.04 and up

You can find more information about the supported distributions on our documentation page.

Yes, you can install it on virtual servers with all popular virtualization techniques (Xen, OpenVZ, VMWare, Virtuozzo, Docker).

In case of Virtuozzo and OpenVZ - due to their operation - you can only use simulated IPset.

So you cannot use the whole greylist with millions of suspicious IPs, your server will use IP information gathered since the last restart.

You can install BitNinja on as many servers as you want, while managing them in one easy-to-use control panel, the Dashboard.

With the one-line installation code, you can install BitNinja in a minute with basic IT skills. However, if you want your sysadmin to handle the installation, you can send him a message with all the information with one click using our Dashboard.

BitNinja will automatically start on your server, it requires no setup configuration, the protection is enabled immediately.

To remove BitNinja you can use the following commands:

Debian based distribution:

  •  • apt-get remove bitninja bitninja-dojo

Rpm based distribution:

  •  • yum remove bitninja bitninja-dojo

Removing kmod-IPset on Centos5

  •  • yum remove kmod-ipset

Removing IPset on Centos5

  •  • yum remove ipset

BitNinja is designed to work with your existing infrastructure, you don’t have to leave other solutions behind immediately. Compatible with major hosting platforms (e.g. Plesk, Cpanel, ISP Manager), virtualization techniques (Xen, OpenVZ, VMWare, Virtuozzo, Docker) and other security solutions (CSF, mod_security, LFD, fail2ban, UFW, CloudFlare).

With an increasing number of integrations, software management is as simple as ABC.

The minimum hardware requirements to run BitNinja:

  •  RAM: 512M
  •  Dual-core CPU
  •  Storage: 1024M
  •  Internet access

Interested in server security basics?

Download our latest article on cybercrime, botnets and server security essentials for hosting providers and server owners.