The first step of each attack is scanning the victim server to collect information about vulnerabilities. Unfortunately, most server owners don’t realize they can block these scans and stop attacks before they happen. Instead, most IT teams spend their time reacting to attacks, after they occur, cleaning infected files.

Scanning isn’t as apparent as a DoS attack or malware infection, so it is often overlooked when it comes to server security. However, all of these can happen to your server, and are the first signs you are under attack:


“We got many attacks and tried many methods to block them, but nothing was enough. The BitNinja approach is the best we could find. The approach is cloud-based, it is a very elegant solution to a global problem. Every protected server is used as a trap by BitNinja, which is an excellent idea.”
Simon Hintermann
Ganesh Hosting


You can stop your server being scanned by malicious IPs and block hackers by creating an automatic decoy. BitNinja Honeypots trap suspicious connections, so cybercriminals won’t be able to access the valid services on your servers, only the fake ones which are setup to trap them.

The BitNinja Web Honeypot can turn the backdoors used by hackers to access your server through PHP web applications into traps that block them from using the resources on your server. When Command&Control (C&C) servers – that direct botnet attacks – try to access the backdoors on your server, BitNinja will identify and block them.

How is Bitninja different than other Honeypot solutions?


We provide two kinds of Honeypots: Port Honeypot to block IPs which scan for open ports and Web Honeypot to stop hackers from scanning web application vulnerabilities.


Our Honeypots don’t interfere with any services running on your server. Honeypots are only setup on ports where the real service is not running.


BitNinja Honeypots not only collect information about suspicious IPs, but also automatically blocks them to prevent further attacks.


100 honeypots are setup by default to capture most attacks. BitNinja will also turn backdoors it discovers into honeypots automatically.


“After extensive testing and evaluation, we came to the conclusion that the BitNinja product is very mature and provides all the tools we wanted to build our infrastructure. Joining the BitNinja eco-system gave us access to the shared “knowledge” of tens of thousands servers worldwide so we can proactively block malicious traffic before even reaching our clients’ websites – simply impressive”
Dimitar Petkov
“BitNinja is being used by many different hosting companies, and swapping intelligence gathered from thousands of servers, hosting tens of thousands of domains worldwide. It allows us to tell the Good Guys from the Bad guys. With its “IP Reputation” we can see what an IP has been doing historically. Using BitNinja we can make better security decisions”
Andrew Shaw
“Our clients need to ensure their websites are secure from attacks and BitNinja is an integral part of this. It provides fantastic features and the ability for us to manage everything from a single pane of glass. Being part of the many thousands of servers that share attack info helps us ensure our customers’ reputations are not damaged by a compromised website. Now we have it, we would not be without it.”
Andy Starr
Just Technology Group


You can read more technical details about Port Honeypot and Web Honeypot modules on our documentation site.
BitNinja Port Honeypot chooses 100 ports from the 1,000 most attacked ports (for example: 23, the telnet port). It doesn’t setup on actual ports, so it will never interfere with any real services. If you wish, you can configure the module’s settings in /etc/bitninja/PortHoneypot/config.ini
Yes, in the /etc/bitninja/PortHoneypot/config.ini you can set the ports which should always be used as honeypot and those which should be never be a honeypot. However, BitNinja Port Honeypot will never use a port where a real service is running. You can even set the exact starting port, so the module will choose the honeypot ports above that port number.
Currently, we only have a PHP implementation, but we have plans for supporting other languages as well. We are always happy to accept contributors, so don’t be afraid to contact us at if you wish to help our ninjas’ work.
BitNinja can block most deep port scans (TCP connect scans) except syn stealth scan and a few others.
In your Dashboard, the Network Attacks menu helps you review and analyze any blocked attacks. There, you can filter for the “Honeypot” type of incident to see any scans which have occurred on your server. You can see detailed logs for all of your servers or only for those you select.
Web Honeypots are a highly effective method for detecting hackers and blocking malicious bots in a proactive way. Instead of waiting until something bad happens, stop the bad guys as soon as possible! You can also enable our “honeypotify” feature in the Malware Detection module, so any backdoors which are detected will automatically be turned into traps. You can even create additional Web Honeypots (for example on Google Dorks – google search results for vulnerabilities – or on default 404 pages to block directory brute force).