It is very easy to add hosts to Sandfly. Simply paste in the hostnames, IP addresses, or IP netblocks that you want to add. It takes Sandfly roughly 1-2 seconds to connect to a host, inventory the system, and return results. Therefore, many hosts can be added very quickly to get immediate protection.


Here you can see the full screen for adding hosts. Further below we will go over each section in more details.

Adding Hosts to Sandfly

Adding Hosts to Sandfly


Adding by IP / Hostname List

In order to add a list of hosts for protection, first set the Type to the IP / Hostname List option. Then enter into the IP / Hostname List textbox, one entry per line, either an IP Address or Hostname of a host that would be reachable via SSH at the indicated port from the Sandfly node(s) or jumphost(s), as appropriate for your network architecture.


Either a partially or fully qualified Hostname can be used in this list.  However, the hostname must be DNS resolvable on the Sandfly server.

Selecting IP List or Range

Selecting IP List or Range


Adding by IP Range

Alternatively, if you have a group of hosts on a netblock that needs protection, Sandfly can easily look for them without the need to enter hosts individually. First, set the Type to the IP Range option. Then, in the IP Ranges textbox enter one or more netblocks, one entry per line, up to a class B network in CIDR notation (e.g. 192.168.1.0/24).


NOTE: Netblock Scanning is Limited to Class B

Sandfly can accept up to a Class B network at a time (65535 hosts). If you need to scan more than this, you will need to enter each net block in as separate entries.



Use Existing Credentials

In the next section, select the credential you want Sandfly to use to login to these hosts. This is the credential you setup as detailed under the Host Credentials area. If a credential is invalid, Sandfly will indicate this to you when you view the list of hosts.

Selecting a Credential to Use

Selecting a Credential to Use


Use New Credentials

If you have not yet added any credentials to pick from, it can be done at this step. Select New for the Credential Type and fill in the fields for the SSH key or username/password to use.

Adding Hosts with New Credentials

Adding Hosts with New Credentials


Select Optional Jump Host

If you are using a jump host to connect to these systems, they can be selected in this section. At least one jump host must already be setup to show options in the Jump Host drop down. If a jump host has not been setup yet, please refer to the Jump Hosts documentation on how to do this.

Optional Jump Host Selection

Optional Jump Host Selection


Select Queue

For the last section, Sandfly can use named queues to send the host add request to an appropriate node. For instance, you may have a node running inside a protected segment in Amazon Cloud, another at Digital Ocean, and a final one internally. If these nodes are all online you will get a drop down option with their names. The default name is main if you have not enabled this feature on your Sandfly nodes.


The (parenthesis) after the queue name indicates how many nodes are servicing that queue. Below we see a queue name of main with one node active.

Selecting Named Queue for Scanning

Selecting Named Queue for Scanning


Finish

Once all of the data has been entered, click the Finish button. Behind the scenes, Sandfly nodes are now attempting to connect to the list of addresses via SSH and collecting host inventory. After a few seconds, the Refresh button can be hit and hosts will start to appear.


The list will show all active and inactive hosts. You are now ready to scan the systems for Linux threats.

Host View

Host View


Finding Unknown Hosts with IP Range Scan

If you want to search for hosts that are on your network, Sandfly can look for them with an IP Range scan. This feature is useful for admins trying to get a handle on what systems exist on their network, or for incident responders that may be entering a hot incident site blind as to all the devices that may exist. 


For instance, below we found one active host in a netblock of 192.168.1.0/24. These kinds of unknown hosts are common. We also found another host at 192.168.1.10 that had an authentication failure. This means a SSH enabled device answered, but we could not log in. This is also valuable information to know when assessing a network.

Found One Active Host in an Unknown Netblock

Found One Active Host in an Unknown Netblock


To searchunknown devices, enter at least one netblock, one entry per line and in CIDR notation (e.g. 192.168.1.0/24) up to a class B. Sandfly will use the supplied credentials and try to authenticate via SSH to any device it finds with an open SSH port. If it logins successfully, it will inventory and add the host like normal. Otherwise, the entry will be shown as inactive with a Status of Unknown and it cannot be scanned by the sandflies.


NOTE: Netblock Scanning is Limited to Class B

Sandfly can accept up to a Class B network at a time (65535 hosts). If you need to scan more than this, you will need to enter each net block in as separate entries.



If Sandfly saw a host, but could not log in, then you will see authentication failures in the host view. This is not fatal, but more informative that a host is present but could not be accessed. You can try to access these hosts with another credential or delete them if you do not want to Sandfly to try accessing them. 


NOTE: Sandfly Adding Hosts and Network Timeouts

If you have a lot of dead addresses when you scan a netblock (or packet filters that drop packets on remote hosts), Sandfly may take some time to complete waiting for dead connections to timeout.

Each scanning node has 500 threads each. This can impose a large load on a network if you run a number of scanning nodes and enter many blocks of IP addresses. It is possible to scan several thousand systems at once which could cause problems. We recommend you space out your cans to prevent this.



Previous
Previous Article:

Next Article:
Next