Lots of our users are interested in using BitNinja with ServerPilot and our team was also very curious how much compatible they are. Therefore, I have tested it and today I show you the results. 🙂
Tested operating systems: Ubuntu LTS 14.04, Ubuntu LTS 16.04
The goal of this test is to check if BitNinja modules are compatible with ServerPilot and it's configurations. I used ServerPilot’s manual installer on two Ubuntu Vagrant boxes and two SoftLayer hosted Ubuntu servers. ServerPilot should be installed on a fresh installed/created server, meaning no Apache, PHP, MySQL, Nginx, etc. installed (though BitNinja, htop, mc ... not hosting related apps could be present).
ServerPilot installs PHP, MySQL, Nginx, Apache, PHP-FPM,(LAMP/LEMP stack) security updates, and a basic firewall which drops everything except allowed packages. More information can be found the ServerPilot's installation guide.
ServerPilot's Firewall uses DROP policy in filter table and it adds some of its own rules. When it activates it's appending its rules at the end of the chains. IpFilter inserting its rules in the beginning of the chains that it uses. This way it doesn't matter which one is started first.
When ServerPilot’s Firewall deactivates, it restores ACCEPT policy and removes its own rule and leaves any other rules alone.
It's really a basic firewall but it's more than nothing, this is why ServerPilot recommends HeatShield, a sister company of ServerPilot, which allows more flexible firewall customization. This is why HeatShield was also included in the test.
| BitNinja |
ServerPilot (with and without Firewall)
|
HeatShield
|
Both
|
| System |
OK |
OK |
OK |
| DataProvider |
OK |
OK |
OK |
| IpFilter |
OK |
OK |
OK |
| CaptchaHttp |
OK |
OK |
OK |
| CaptchaSmtp |
OK |
OK |
OK |
| PortHoneypot |
OK |
OK |
OK |
| AntiFlood |
OK |
OK |
OK |
| Shogun |
OK |
OK |
OK |
| DosDetection |
OK |
OK |
OK |
| MalwareDetection |
OK (need configuration though) |
OK |
OK |
| SenseLog |
OK (log detection route needed) |
OK |
OK |
| SenseWebHoneypot |
OK |
OK |
OK |
| WAF/WAF 2.0 |
OK |
FAIL |
FAIL |
| OutboundWAF |
OK |
FAIL |
FAIL |
ServerPilot is not limiting the outgoing connection, this is why System, DataProvider, Shogun(incident sending) are working and they can communicate with the API servers. IpFilter inserts its rules to the beginning of the chains, this is why modules that require ports to open to function (CaptchaHttp, CaptchaSmtp, PortHoneypot, SenseWebHoneypot, WAF, OutboundWAF), could work.
DosDetection watches netstat records to operate, it's not affected by ServerPilot.
SenseLog has failed for the time being because it hasn’t got any log detector for ServerPilot, and ServerPilot’s log directory is /srv/users/(System username default is serverpilot)/log/(app name). App means a deployed web site on the server. On our documentation site, you can find more info how you can add the path.
MalwareDetection works, but it has to be configured for watching /srv/users/(System username default is serverpilot)/apps/(app name) too.
HeatShield is an easy-to-use online remote firewall rule manager something like UncomplicatedFirewall for Ubuntu desktop use.
The free HeatShield uses almost the same setting as ServerPilot’s FireWall, but it flushes the Filter table if any changes were made. It doesn’t limit outgoing connections, so it allows communication with the API server.
All BitNinja modules are compatible with ServerPilot and most of them compatible with HeatShield as well. So, you don't have to worry, you can use both of them with BitNinja without any doubt.
Would you like to test it?
