Jump Hosts

Adding SSH Jump Hosts to Sandfly

Jump Hosts

Jump hosts are an important part of segmented security architecture. Sandfly is able to use jump hosts to allow it to access isolated segments and perform full security scanning for intruders.

Jump Host View

To add a jump host you first must ensure you have a credential that can work with the jump host added to the system already. Please refer to the Adding Credentials section on how to do this.

After you have added the credential, go to the Hosts sidebar and select Jump Hosts to go to the Jump Host view.

Host Side BarHost Side Bar

Host Side Bar

The Jump Host view will show like below. If you have no jump hosts, then it will be empty.

Jump Host ViewJump Host View

Jump Host View

Adding Jump Host

Click on the Add Jump Host button to enter the Add Jump Host form.

Jump Host add button.Jump Host add button.

Jump Host add button.

The Add Jump Host form has basic fields.

Enter in a jump host name using snake_case. Then enter in the hostname or IP address of the jump host. Next, use the drop down to select the credential that will work to authenticate to the jump host. Finally you can change the default SSH port to use to connect to the jump host.

After you have done the above, click Add Jump Host and it will be listed in the Jump Host view. You can now use this jump host to add your primary hosts and Sandfly will use the jump host(s) you select to establish the connection.

Use Jump Hosts to Hide Incident Response

Jump hosts can not only be used to help isolate your network, but if you are investigating an incident you may want to setup a chain of hosts to hide your origin. Sandfly will happily use a series of jump hosts to connect to the remote system under investigation. You can easily spin up VMs in the cloud to form a chain of jumps and destroy them when you are done.

This is a useful way for hiding your system's location from attackers during an incident which may be a valuable tactic.

Jump Host MaxStartups in SSH

By default, SSH daemons limit the number of maximum connections that can start at once. This prevents flooding a server with connection attempts. However, Sandfly has many scanning threads and if they all connect to the jump host at once, then many of the connections will be refused.

Noting the above, you'll need to change the MaxStartups option under the system sshd_config to higher values.

Each Sandfly node container can have up to 500 concurrent scanning threads running at once. If you think you'll be operating at this capacity, then you should increase the defaults to something like this:

MaxStartups 500

You'll need to restart the server SSH daemon for the value to take effect.


Did this page help you?