Server Install - Cloud Image - AWS

Overview

Sandfly is able to be rapidly deployed on Amazon Web Services (AWS) with a single pre-built Amazon Machine Image (AMI). Images deployed in this way will have most configuration options automated so you can get up and running quickly.

For the basic cloud install, the server and node are located on the same system. This is not the optimal security configuration for Sandfly as we prefer customers to run the server and nodes on separate Virtual Machines (VMs). However, for small production use and testing, this may be sufficient for you and allows you to quickly deploy the product with little overhead.

The Sandfly server hosts the User Interface (UI), REST API, and database. A server instance must always be installed and running for Sandfly to work. Likewise, the system will start scanning nodes which are doing the legwork for scanning for compromise and intruders. These also must always be running on the system after install.

Cloud Image Requirements and Provisioning

When you provision a VM to use with Sandfly we recommend that you have a minimum 8GB of RAM and sufficient CPU. For small deployments this is the minimum but may have to be scaled upwards as you add more hosts. The new VM image will have Sandfly pre-installed and is ready to be configured.

From your EC2 Management Console launch the Sandfly Security image from the AMI Catalog or your provisioned Instance.

Login to Host to Begin Configuration

Once the AMI instance has come up, you need to login to it using your SSH credentials and the username "ec2-user".

Connect with ssh from the command line:

ssh -i <privatekey.pem> ec2-user@<public_ipv4_address>

Upon a successful login, you will be immediately presented with the following install screen:

Welcome to Sandfly Install

Welcome to Sandfly Install

Agree to License Terms

You will be asked to review and agree to the license terms for Sandfly. Please type YES when you have read the agreement.

Server Automated Setup and Cryptographic Key Generation

After you agree to the license, the system will initialize the database and cryptographic keys. This is all automated, but may take a minute or two to complete depending on your system speed and key generation algorithms.

During this time you will also have an automatic trial license generated to begin using Sandfly immediately. If you have a paid license you can delete the trial license once you login and replace it.

Minimal Configuration Completed

When the setup completes you will see the message below.

******************************************************************************
**                                                                          **
** SANDFLY INSTALLATION COMPLETE                                            **
**                                                                          **
** Use the URL and login information printed below to log in to your        **
** server. The initial admin password is stored on this server in           **
** the setup_data directory; we recommend you change your initial           **
** password after logging in.                                               **
**                                                                          **
******************************************************************************

===> URL: https://192.168.1.10/
===> Username: admin
===> Password: system-treason-decibel-scouring-coasting-padding-active

Please make a note of the password. It is randomly generated and you will need it the first time to login and setup the system.

Optional SSL Signed Certificate

This install script will generate self-signed SSL keys for use by the scanning nodes and server. If you wish to use a signed certificate, Sandfly can generate one for you using EFF Let's Encrypt signing service.

Signed Certificate Requirements

We will be using the EFF Let's Encrypt service. This service requires the following:

  1. A valid DNS resolvable hostname.
  2. TCP port 80 visible from the Internet.

The service must have a hostname that resolves as this is used in the certificate. Also, the service will connect to the server on port 80 to establish it is alive. Once this process happens, you can block port 80 and setup stricter firewall rules for the Sandfly server going forward.

❗️

IMPORTANT: Port 80 Must Be Visible From The Internet During Signing!

Make sure the server you are using has a legitimate hostname that is reachable from the Internet and resolves correctly. Port 80 will need to be open for the EFF server to validate the host.

You can block this port again after you receive your certificate from Let’s Encrypt, but it must be open during the generation process.

Run SSL Setup

To begin, run the setup-ssl script.

Ready for a real SSL certificate? Add a record for this host to
your public DNS server, make sure port 80 is open from the Internet,
and run `setup-ssl` to request a certificate from Let's Encrypt.

Make sure, again, that the hostname you put in is legitimate and port 80 can be reached from the Internet. The Let's Encrypt service will not sign any certificate for servers that are not reachable on the Internet.

The questions that follow are self-explanatory, as seen below.

*************************************************************************
Requesting Certificate from Let's Encrypt

We are now going to try to contact Let's Encrypt with EFF's certbot to 
sign our certificate. The Sandfly server must be accessible from the 
internet on TCP port 80 for this procedure to work.

This script will temporarily stop the Sandfly server.
*************************************************************************

ACTION REQUIRED: you must add a public DNS entry for this host that 
resolves   to the outside internet IP address of this server 
(192.168.1.10). Port 80   must be open from the internet for Let's Encrypt 
to complete its validation. What is the public DNS entry for this server 
(e.g. "sandfly.example.com")?
==> example.sandflysecurity.com

The server will now be stopped so we can obtain a certificate.

Next you will be asked for a contact e-mail. We recommend you put in a valid e-mail in case there is a security alert about the certificates.

Stopping sandfly-server...
sandfly-server
sandfly-server-mgmt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 
'c' to cancel): [email protected]

You will need to agree to the EFF terms of service. You can also choose to be on their mailing list or not for updates.

When completed you will see the following:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.sandflysecurity.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.sandflysecurity.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.sandflysecurity.com/privkey.pem
   Your cert will expire on 2021-07-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Copying signed certs to SSL directories
Certificates copied. Done.
sandfly-server-mgmt
server.config.json updated with new SSL certificate.
Re-starting Sandfly Server.
sandfly-server
93c3b912b1096f8c002e403cf3adfd5a292c8ffa6fa1869ff534451d24f92975
Done!

If all is well, when you connect to the UI you will not get any warnings from your browser about invalid certificates.

If you are using an internal server to host Sandfly, then you probably cannot use this method. You will have to find another way to get the server certificate signed. If you are fine using a self-signed certificate and just telling your browser to accept it manually, then skip this step.

If you have a way to generate signed keys with your own CA, you will want to base64 encode the certificate and key and place them in the fields in the config.server.json file located under setup_data:

  • server.ssl.server.cert_signed
  • server.ssl.server.private_key_signed

Setup Complete

You can now connect to the URL of the server and login using the username admin and randomly generated password from the setup above.


What’s Next

Next Installation Step: