Key Investigation

The Key Investigation area of SSH Hunter presents the host-related aspects of the SSH key data collected by Sandfly.

Table View

The principal page offers search across the various key fields and lists all discovered SSH keys in an easy-to-use table.

SSH Hunter - Key Investigation Data Table

Clicking anywhere on a row of data, excluding the checkbox and action buttons, will open a page containing additional details associated with that entry.

Detail View

Under the Visualization tab the nodes in the Explorer section can be expanded and the panel can be zoomed or moved around in order to follow the relationship between keys, users, and hosts. Below the Explorer is the Key Use Timeline showing key quantities on that host over time.

SSH Hunter - Key Summary View

The summary section provides an easily readable textual summary of an individual key.

Clicking on the Hosts, Users, or Zones tabs will drill down into the associated data.

SSH Hunter - Hosts Tab

Manually adding keys

Normally, the keys listed in the Key Investigation page and the Tag Workbench are the keys Sandfly has found on hosts through scans that include the recon_user_list_all sandfly.

However, this means you can only tag or ban keys that are already on hosts. You may want to watch for known retired or malicious keys that are not currently on hosts and be alerted as soon as such a key shows up.

Or, you may wish to add a set of allowed keys to a Security Zone before they are placed on hosts, avoiding the nuisance alerts that would otherwise be generated when you know new allowed keys are being deployed to hosts in that zone due to key rotation, new employee hires, etc.

This feature lets you add keys to the system directly instead of having to discover them via scans.

To manually add keys, open the Key Investigation page and then click the Add Keys button found in the top-right corner.

A screenshot of top button bar in Key Investigations

The Add SSH Keys form allows you to paste in SSH public keys, one key per line. The entries may be copied directly from authorized_keys files, in which case Sandfly will parse out the key itself, or they may be just the key without the type and comment fields found in authorized_keys files. You may also use a combination of the two formats in a single operation.
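To make the two accepted input formats concrete, the following is an added example (not Sandfly's own parser, and its acceptance rules are assumptions) that parses pasted lines the same way an operator would expect: full authorized_keys entries, with or without leading options such as `from="..."` or `no-pty`, and bare base64 keys. It decodes the blob to read the real algorithm from the SSH wire format, rejects a declared type that does not match the blob, and computes the `SHA256:` fingerprint that `ssh-keygen -l` prints, so a key pasted in both formats deduplicates to a single entry. The sample keys are constructed synthetic values, not real keys.

```python
import base64
import hashlib
import re
import struct

# Declared key types accepted at the start of an authorized_keys entry
# (assumed list; extend for other algorithms as needed).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def encode_public_key(key_type, *fields):
    """Build a base64 public-key blob in SSH wire format (every field is a
    length-prefixed byte string). Used here only to construct sample input."""
    parts = (key_type.encode(),) + fields
    blob = b"".join(struct.pack(">I", len(f)) + f for f in parts)
    return base64.b64encode(blob).decode()


def _lead_token(s):
    """Split off the first token, keeping double-quoted text such as
    from="a,b" or command="x y" inside the token."""
    in_quote = False
    for i, ch in enumerate(s):
        if ch == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return s[:i], s[i + 1:].strip()
    return s, ""


def _wire_type(blob):
    """The first wire-format field of a public key names its algorithm."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("malformed type field")
    return blob[4:4 + n].decode("ascii")


def parse_entry(line):
    """Parse one pasted line: a full authorized_keys entry
    ([options] type base64 [comment]) or a bare base64 key.
    Returns None for blank/comment lines; raises ValueError on bad input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, declared = None, None
    tok, rest = _lead_token(line)
    if tok in KEY_TYPES:
        declared = tok
    elif _B64.match(tok) and rest == "":
        pass  # bare key: the whole line is the base64 blob
    else:
        options = tok  # leading options, then the type must follow
        tok, rest = _lead_token(rest)
        if tok not in KEY_TYPES:
            raise ValueError("unrecognised entry: %r" % line)
        declared = tok
    if declared:
        tok, rest = _lead_token(rest)  # tok = base64 blob, rest = comment
    comment = rest or None
    if not _B64.match(tok):
        raise ValueError("key is not base64: %r" % line)
    blob = base64.b64decode(tok, validate=True)
    wire_type = _wire_type(blob)
    if declared and declared != wire_type:
        raise ValueError("declared %s but blob is %s" % (declared, wire_type))
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return {
        "type": wire_type,
        "key": base64.b64encode(blob).decode(),   # canonical re-encoding
        "fingerprint": "SHA256:" + digest.decode(),  # as ssh-keygen -l prints
        "comment": comment,
        "options": options,
    }


def parse_pasted(text):
    """Parse a pasted block, one key per line, deduplicating on fingerprint
    so the same key pasted in both formats is counted once."""
    keys = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry["fingerprint"] not in keys:
            keys[entry["fingerprint"]] = entry
    return list(keys.values())


# Constructed sample input (synthetic blobs, not real keys), in both formats.
SAMPLE_ED25519 = encode_public_key("ssh-ed25519", b"\x01" * 32)
SAMPLE_RSA = encode_public_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x02" * 256)
SAMPLE_TEXT = "\n".join([
    "# constructed sample, not real keys",
    'from="10.0.0.0/8,192.168.1.5",no-pty ssh-ed25519 %s deploy@ci' % SAMPLE_ED25519,
    SAMPLE_ED25519,  # same key again, bare form
    "ssh-rsa %s alice@laptop" % SAMPLE_RSA,
])

if __name__ == "__main__":
    for k in parse_pasted(SAMPLE_TEXT):
        print(k["type"], k["fingerprint"], k["comment"], k["options"])
```

Validating the declared type against the decoded blob is the check worth keeping: a pasted line whose `ssh-rsa` prefix does not match the blob it carries is a copy error, and silently accepting it would tag or ban the wrong key.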

A screenshot of the Add SSH Keys form

Add SSH Keys Form

Any tags you enter in the Add SSH Keys dialog will be added to the new keys, immediately allowing them in SSH Security Zones that permit the tags. If the key already exists in Sandfly, the provided key tag(s) will be added to the existing key.

Added keys can also be immediately banned simply by adding the “Banned” tag.

Keys which have been added manually, instead of discovered through scans, can be identified in the key list by their First Seen and Last Seen dates, which show as “Never”.

A screenshot of manually entered keys that were never seen by Sandfly

Never Seen Keys

If and when the key is found on a host, its First Seen and Last Seen dates will be updated to real values and the key will be treated like any other key Sandfly discovers during scans.