It is very easy to add hosts to Sandfly. You simply paste in the hostnames, IP addresses, or IP netblock you want Sandfly to add. It takes Sandfly only about 1-2 seconds to connect to a host, inventory the system, and return results. So you can add in many hosts very quickly and get immediate protection.
Below you can see the full screen for adding hosts. We will go over each area below.
Adding hosts to Sandfly
Adding by IP/Hostname List
You can add in a list of hosts you want protected either by a list or hostname. This list needs to have one entry per line. Simply select the IP List type in the drop down menu.
Selecting IP list or range
Adding by IP Address Range
If you do not know what hosts you have on your network, you can have Sandfly look for them for you. Simply put in a netblock and Sandfly will take the credentials you specify and try to connect to any host it finds with them. If it logins successfully, it will inventory and add the host like normal. Otherwise, the host is shown with an authentication failure and cannot be scanned.
Follow the process outlined above, but this time select IP Range instead of IP List for your hosts. Then put in a netblock with an appropriate bitmask as shown below.
Use Existing Credentials
Then select the credential you want Sandfly to use to login to these hosts to start protecting them. This is the credential you setup as detailed under the Host Credentials area. In this case, we have an SSH key setup for AWS and the ubuntu user. Sandfly will use this credential to try to log into all the hosts you add here and obtain inventory information of the remote system. If a credential is invalid, Sandfly will indicate this to you when you view the host lists.
Selecting a credential to use
Use New Credentials
If you have not added a new credential yet, you can do it now. Select new credential and fill in the forms for the SSH key or username/password you wish to use.
Adding hosts with new credentials
Select Optional Jump Host
If you are using a jump host to connect to these systems, you can select it now. The jump host must already be setup to show in this drop down. If you have not setup the jump host yet, please refer to the Jump Host section on how to do this.
Optional Jump Host selection
Sandfly can use named queues to send the host add request to the correct node. For instance, you may have a node running inside a protected segment in Amazon Cloud another at Digital Ocean and a final one internally. If these nodes are all online you will get a drop down with their names. The default name is main if you have not enabled this feature on your nodes.
The (parenthesis) after the queue name are how many nodes are servicing that queue. Below we see a queue name of main with one node active.
Selecting named queue for scanning
When done, click the Finish button. Behind the scenes, Sandfly nodes are now connecting to the list of addresses and collecting host inventory. In a few seconds you can hit the refresh button on your browser and you will see hosts starting to appear.
The list will show all active and inactive hosts. You are now ready to scan the systems for Linux threats.
Finding Unknown Hosts with IP Range Scan
If you do not know what hosts you have on the network, you can have Sandfly look for them for you. This feature is useful for admins trying to get a handle on what systems exist on their network, or for incident responders that may be entering a hot incident site blind as to all the systems that may exist.
For instance, below we found one active host in a netblock of 192.168.1.0/24. These kinds of unknown hosts are common. We also found another host at 192.168.1.10 that had an authentication failure. This means a SSH enabled host answered, but we could not log in. This is also valuable information to know when assessing a network.
Found one active host in an unknown netblock
To find unknown hosts, put in a netblock and Sandfly will take the credentials you specify and try to connect to any host it finds with them. If it logins successfully, it will inventory and add the host like normal. Otherwise, the host is shown with an authentication failure and cannot be scanned.
NOTE: Host Netblock Scanning is Limited to Class B Sandfly can accept up to a Class B range at a time (65535 hosts). If you need to scan more than this, you will need to enter each net block in as separate entries.
Once you enter a netblock Sandfly will start scanning them for active hosts and try to login with the SSH credential supplied. If it logs into them successfully, you will see them show up under the host view and can view inventory data. If Sandfly saw a host, but could not log in, then you will see authentication failures in the host view. This is not fatal, but more informative that a host is present but could not be accessed. You can try to access these hosts with another credential or delete them if you do not want to Sandfly to try accessing them.
NOTE: Sandfly Adding Hosts and Network Timeouts If you have a lot of dead addresses when you scan a netblock (or packet filters that drop packets on remote hosts), Sandfly may take some time to complete waiting for dead connections to timeout. Each scanning node has 500 threads each. This can impose a large load on a network if you run a number of scanning nodes and enter many blocks of IP addresses. It is possible to scan several thousand systems at once which could cause problems. We recommend you space out your cans to prevent this.