This module is currently disabled.
BitNinja's OutboundWAF module scans only outgoing connections real-time, with the built-in
http proxy solution. Upon activation BitNinja injects an iptables rule into your nat
table to redirect all outgoing traffic not made by root to ports 80 to
127.0.0.1:60100, a port dedicated for
BitNinja OutboundWAF. The OutboundWAF process analyzes the outgoing traffic and makes a connection
from your server to a remote server and fetch the actual content.
If BitNinja finds any suspicious connections, it will send the incident to BitNinja analyzer central and try to find which process and script is responsible for it.
BitNinja OutboundWAF currently has a limit of 1000 simultaneous connections. If your server manages more than this amount, please see the configuration section on how to raise this limitation.
BitNinja OutboundWAF forks a new process for every request to spray the load between multiple CPUs. Every process currently has about a 1.7 MB memory footprint, so it is designed to be resource friendly, but be aware of resource usage in large scale installations.
Requests made by root are not watched.
BitNinja OutboundWAF uses
ssto find which process is responsible for the malicious request and on some server it can cause higher load.
Activating and Deactivating the OutboundWAF module
Here is how to activate the OutboundWAF module:
- Log in to https://admin.bitninja.io/
- Navigate to https://admin.bitninja.io/modules
- Select the server on which you want to activate the OutboundWAF module
- Switch OutboundWAF on
Or you can use the command line
bitninjacli --modeule=OutboundWAF --enabled
BitNinja's OutboundWAF will be activated within 15 seconds.
To deactivate the OutboundWAF module you have 3 options:
You can use the dashboard and set the OutboundWAF module to disabled and save it.
You can use the command line
bitninjacli --module=OutboundWAF --disabled
- You can shut down BitNinja (this is the most radical solution, but it will also disable the OutboundWAF appropriately)
service bitninja stop
The OutboundWAF module uses the config file located at
In some cases you don't want the OutboundWAF to monitor your outgoing http connections. E.g.: using an HAProxy load balancer or an Nginx reverse proxy. You can disable the OutboundWAF monitoring for these users by adding their names in the configuration like:
ignoredUsers = 'bitninja-waf'
ignoredUsers = 'bitninja-ssl-termination'