False-positive catch


A customer's IP address was blocked while they were editing their own site.

This is most likely caused by a BitNinja WAF rule that fired as a false positive. In short, we need to either disable the rule that was falsely triggered or whitelist the customer's IP address.

Whitelisting

Whitelisting an IP address is a security risk, because BitNinja will not block any request coming from that address. We therefore recommend whitelisting an IP address only if it is static and you trust it.

Find the rule that was triggered as a false positive.

  1. Enter the IP address into the search field at the top of the Dashboard screen
  2. Scroll down and find the first incident, or the incident right after the IP was delisted
  3. Expand the incident log with the arrow icon on the right and check which rule was triggered

False-positive WAF trigger

We need to disable the rule for the URL where it was triggered.
When you are looking for a rule, always look for the WAF icon shown below:

Whitelisting an IP address is always a security risk, as BitNinja won't inspect any packets coming from a whitelisted IP.

Always check the request's payload and the URL. If the payload looks suspicious and the URL ends in a PHP file whose name is 8 random characters, it can be, for example, a hexa botnet attack.

How to disable the WAF rule

  1. Expand the incident with the arrow icon on the right side
  2. Make a note of these entries in the log:
    Victim server
    The URL where the rule was falsely triggered
    The ModSecurity id (the number of the rule that was triggered)
  3. Go to the WAF 2.0 menu
  4. Select the victim server at the top of the screen
  5. Enter the domain pattern based on the URL, then click on the ADD button
    If the rule was triggered on www.example.com/wp/wp-admin/admin-ajax.php, enter
    *example.com/wp/wp-admin/* to disable the rule on this URL.
    You can also add
    */wp/wp-admin/* if you wish to disable the rule for all WordPress admin URIs.
  6. Click on the little settings icon on the right, then click on advanced settings
  7. Expand the rule groups until you find the ModSecurity id, and disable the rule with the switch icon on the right side
    You can use your browser's search function (ctrl+f) to find the rule while you are expanding the rule groups.

False positive Port Honeypot catch

If the icon looks like the one below, there was an attempt to connect to a port that BitNinja uses as a Port Honeypot. This can be caused by a setting on the user's end. You can whitelist the IP address if you trust it.

Whitelisting an IP address is always a security risk, as BitNinja won't inspect any packets coming from a whitelisted IP.

To disable the Port Honeypot for a specific port, add a line under the [ports_never_use] section of the /etc/bitninja/PortHoneypot/config.ini file that looks like this: ports[]=PortNumber (replace PortNumber with the port number).

Make sure there is no semicolon in front of the line; a leading semicolon comments the line out, so the port would still be used as a honeypot.

After modifying the file, restart BitNinja with the service bitninja restart command.
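As an added example (not BitNinja's own tooling), here is a small POSIX shell helper that performs this edit safely: it adds ports[]=PortNumber under [ports_never_use] in the config file, uncomments the line if it is already present with a leading semicolon, avoids duplicates, and creates the section if it is missing. The function name and the sample file contents are constructed; the config path and the ports[]= syntax come from the article.

```shell
#!/bin/sh
# Added example: keep a port out of the BitNinja Port Honeypot by listing it
# under [ports_never_use] in /etc/bitninja/PortHoneypot/config.ini.
# Function name is hypothetical. Restart BitNinja afterwards:
#   service bitninja restart
# Usage: honeypot_never_use_port /etc/bitninja/PortHoneypot/config.ini 2222
honeypot_never_use_port() {
    cfg="$1"
    port="$2"
    # Only accept a plain decimal port number.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    tmp="$cfg.tmp.$$"
    awk -v port="$port" '
        # A [section] header: if we are leaving [ports_never_use] without
        # having written the port yet, write it before the next header.
        /^[[:space:]]*\[/ {
            if (in_sec && !done) { print "ports[]=" port; done = 1 }
            in_sec = ($0 ~ /^[[:space:]]*\[ports_never_use\][[:space:]]*$/)
            if (in_sec) seen_sec = 1
            print; next
        }
        # Inside the section: an existing "ports[]=N" line, possibly
        # commented out with a leading ";", is replaced by the active form
        # exactly once (extra copies are dropped).
        in_sec && $0 ~ ("^[[:space:]]*;?[[:space:]]*ports\\[\\]=" port "[[:space:]]*$") {
            if (!done) { print "ports[]=" port; done = 1 }
            next
        }
        { print }
        END {
            # Section was last in the file, or missing entirely.
            if (!done) {
                if (!seen_sec) print "[ports_never_use]"
                print "ports[]=" port
            }
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}
```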

How to whitelist the IP address

  1. Click on the +WHITELIST button at the top
  2. Add a comment
  3. Click on ADD TO WHITELIST