Useful BitNinja commands

In this article, you can see some of the most useful BitNinja CLI commands and their short descriptions.

IP management

To manage the BitNinja whitelist, greylist or blacklist, use the bitninjacli command. Pass the name of the list you would like to manage (--greylist / --blacklist / --whitelist), then the operation you would like to perform (--add / --del / --check), and then the IP address after an = symbol.

Examples:

Vary these command parameters as necessary.

Command                                    Result
bitninjacli --whitelist --add=1.2.3.4      1.2.3.4 is now added to your account level whitelist
bitninjacli --greylist --del=1.2.3.4       1.2.3.4 is no longer greylisted if it was greylisted before
bitninjacli --blacklist --check=1.2.3.4    checks if 1.2.3.4 is blacklisted

If you would like to check, delist or add multiple IP addresses, you can do that with a bash script that takes a file of IP addresses (one per line) as its first argument.

#!/bin/bash
# Usage: pass a file with one IP address per line as the first argument.
while IFS= read -r line; do
        echo "$line"
        # bitninjacli --greylist / --blacklist / --whitelist  --add / --del / --check =IPaddress
        # e.g.:
        bitninjacli --greylist --check="$line"
done < "$1"

The maximum limit for manual greylisting is 2000 to avoid flooding.
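
A pre-flight wrapper for the bulk loop above, added here as an example (it is not BitNinja's own code): it accepts only well-formed IPv4 lines, drops duplicates, and refuses a greylist add batch larger than the 2000 limit. The function names, the DRY_RUN variable, the IPv4-only scope and reading the limit as a per-batch cap are assumptions of this example.

```bash
#!/bin/bash
# Added example: pre-flight checks before handing a list of IPs to bitninjacli.
# Function names, DRY_RUN and the per-batch reading of the limit are assumptions.
GREYLIST_MAX=2000   # manual greylisting limit stated in the article

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local old_ifs="$IFS" octet
    IFS=.; set -- $1; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the unique valid addresses from file $1 (input order); rejects go to stderr.
clean_ips() {
    tr -d '\r' < "$1" | while read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if is_ipv4 "$line"; then
            printf '%s\n' "$line"
        else
            echo "skipped (not IPv4): $line" >&2
        fi
    done | awk '!seen[$0]++'
}

# bulk_list <greylist|blacklist|whitelist> <add|del|check> <file>
# DRY_RUN=1 prints the bitninjacli commands instead of running them.
bulk_list() {
    local list="$1" op="$2" ips count ip
    case $list in greylist|blacklist|whitelist) ;; *) echo "unknown list: $list" >&2; return 2 ;; esac
    case $op in add|del|check) ;; *) echo "unknown operation: $op" >&2; return 2 ;; esac
    ips=$(clean_ips "$3")
    count=$(printf '%s\n' "$ips" | grep -c . || true)
    if [ "$list" = greylist ] && [ "$op" = add ] && [ "$count" -gt "$GREYLIST_MAX" ]; then
        echo "refusing: $count addresses is over the greylist limit of $GREYLIST_MAX" >&2
        return 3
    fi
    for ip in $ips; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "bitninjacli --$list --$op=$ip"
        else
            bitninjacli "--$list" "--$op=$ip"
        fi
    done
}

if [ $# -eq 3 ]; then bulk_list "$@"; fi
```

Run it with DRY_RUN=1 first to review the exact commands and the skipped lines before anything is changed on the lists.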

WAF 2.0 Module

These commands are useful if your domains behind Cloudflare become unreachable after you enable the Trusted Proxy module. After issuing these commands the issue will be resolved.

bitninjacli --module=SslTerminating --reload

You can reload the SslTerminating haproxy.cfg if BitNinja is running.

bitninjacli --module=SslTerminating --regenerate

You can regenerate the SslTerminating haproxy.cfg if BitNinja is running.

netstat -lntp | grep -E '60300|60301' ; iptables -S -t nat | grep -E 'BN_WAF_REDIR'

You can check whether the WAF has bound itself correctly.

Malware detection/scanner module

Temporarily change the filesystem monitor to AuditD:
bitninjacli --module=MalwareDetection --use-auditd

Temporarily change the filesystem monitor to Inotifywait:
bitninjacli --module=MalwareDetection --use-inotify

You can manually start a malware scan on a specific directory.
bitninjacli --module=MalwareScanner --scan=/path/to/dir/

You can manually stop the running malware scan.
bitninjacli --module=MalwareScanner --cancel

You can test the current monitoring tool (e.g. Inotify or AuditD):
Inotify: ps aux | grep inotify
AuditD: auditctl -l

Other useful commands

Check the ipsets: ipset list -n

Check whether an IP is in any of our lists: ipset list "name of the list" | grep 1.2.3.4

Check for the open ports (Port Honeypot): netstat -lntp | grep bitninja

List all the hosted domains on Apache: httpd -S or apache2 -S depending on the OS running on the server

To install our public SSH key:

This will let us access your server as root, so we can help you fix issues related to BitNinja.

  1. Open the ~/.ssh/authorized_keys file with your preferred text editor.
    If it does not exist, create this file.
  2. Copy our public SSH key as it is and paste it into the file:
ssh-rsa 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 BitNinjaSupport
  3. Save the changes and then exit the text editor.

IP address from the domain name

Issue the nslookup command with the domain name as a parameter, like this:
nslookup google.com

The server’s name from IP address

Issue the nslookup command with the IP address that you wish to check as a parameter, like this: nslookup 1.2.3.4
