In this article, you can see some of the most useful BitNinja CLI commands and their short descriptions.
IP management
To manage the BitNinja whitelist, greylist or blacklist, use the bitninjacli command. Pass the name of the list you would like to manage (--greylist / --blacklist / --whitelist), then the operation you would like to perform (--add / --del / --check), followed by an = symbol and the IP address.
Examples:
Commands | Result |
---|---|
bitninjacli --whitelist --add=1.2.3.4 | 1.2.3.4 is now added to your account level whitelist |
bitninjacli --greylist --del=1.2.3.4 | 1.2.3.4 is no longer greylisted if it was greylisted before |
bitninjacli --blacklist --check=1.2.3.4 | checks if 1.2.3.4 is blacklisted |
If you would like to check, delist or add multiple IP addresses, you can do that with a bash script:
#!/bin/bash
# $1 is a file containing one IP address per line.
# General form: bitninjacli --greylist|--blacklist|--whitelist --add|--del|--check=IPaddress
while IFS= read -r line; do
    echo "$line"
    # e.g.:
    bitninjacli --greylist --check="$line"
done < "$1"
WAF 2.0 Module
These commands are useful if your domains behind Cloudflare become unreachable after you enable the Trusted Proxy module. Issuing them resolves the problem.
bitninjacli --module=SslTerminating --reload
Reloads the SslTerminating haproxy.cfg, if BitNinja is running.
bitninjacli --module=SslTerminating --regenerate
Regenerates the SslTerminating haproxy.cfg, if BitNinja is running.
netstat -lntp | grep -E '60300|60301' ; iptables -S -t nat | grep -E 'BN_WAF_REDIR'
Checks whether the WAF has bound itself correctly.
Malware detection/scanner module
Temporarily change the FileSystem monitor to AuditD:
bitninjacli --module=MalwareDetection --use-auditd
Temporarily change the FileSystem monitor to Inotifywait:
bitninjacli --module=MalwareDetection --use-inotify
Manually start a malware scan on a specific directory:
bitninjacli --module=MalwareScanner --scan=/path/to/dir/
Manually stop the running malware scan:
bitninjacli --module=MalwareScanner --cancel
You can test the current monitoring tool (e.g. Inotify or AuditD):
Inotify : ps aux | grep inotify
AuditD: auditctl -l
Other useful commands
Check the ipsets: ipset list -n
Check whether an IP is in any of our lists: ipset list "name of the list" | grep 1.2.3.4
Check for the open ports (Port Honeypot): netstat -lntp | grep bitninja
List all the hosted domains on Apache: httpd -S or apache2 -S, depending on the OS running on the server
To install our public SSH key:
This will let us access your server as root, so we can help you fix issues related to BitNinja.
- Open the ~/.ssh/authorized_keys file with your preferred text editor.
If it does not exist, create it with this command:
mkdir -p ~/.ssh/ && touch ~/.ssh/authorized_keys
- Copy our public SSH key exactly as it is and paste it into the file.
In nano you can do that by opening the file like this:
nano ~/.ssh/authorized_keys
Copy the key from below, then right-click in the terminal window. Then press Ctrl+X, then Y, and then Enter.
ssh-rsa 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 BitNinjaSupport
- Save the changes and then exit the text editor.
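The same steps can be scripted so that the key is added only once, the permissions sshd expects are set, and the key can be removed again when the support session is over. This is an added example, not BitNinja's own tooling: the function names are hypothetical and SUPPORT_KEY is a constructed placeholder to be replaced with the key from this article.

```shell
#!/bin/sh
# Added example: manage a vendor support key in authorized_keys.
# SUPPORT_KEY is a constructed placeholder, not the real BitNinja key.
SUPPORT_KEY='ssh-rsa AAAAB3PLACEHOLDERKEY BitNinjaSupport'

# install_support_key FILE KEY
# Appends KEY to FILE once and sets directory mode 700 and file mode 600.
install_support_key() {
    file=$1 key=$2
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Exact whole-line match, so a re-run does not add a duplicate entry.
    if grep -qxF -- "$key" "$file"; then
        return 0
    fi
    # If the last existing entry lacks a newline, add one before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
}

# remove_support_key FILE KEY
# Drops the exact KEY line and leaves every other key in place.
remove_support_key() {
    file=$1 key=$2
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # grep exits 1 when no lines remain; only a status above 1 is an error.
    grep -vxF -- "$key" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# count_key FILE KEY
# Prints how many lines of FILE are exactly KEY.
count_key() {
    grep -cxF -- "$2" "$1" || true
}
```

Typical use is install_support_key ~/.ssh/authorized_keys "$SUPPORT_KEY" before the session and remove_support_key with the same arguments afterwards.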
IP address from the domain name
Issue the nslookup command and add the domain name as a parameter. Like:
The server’s name from IP address
Issue the nslookup command with the IP address that you wish to check as a parameter. Like this: