Server Install - Cloud Image

Installing the Sandfly Server from a Cloud Image

Installation

Sandfly is able to be rapidly deployed at cloud providers such as Digital Ocean with a single pre-built image. Images deployed in this way will have most configuration options automated so you can get up and running quickly.

For the basic cloud install, the server and node are located on the same system. This is not the optimal security configuration for Sandfly as we prefer customers to run the server and nodes on separate Virtual Machines (VMs). However for small production use and testing this may be sufficient for you and allows you to quickly deploy the product with little overhead.

The Sandfly server hosts the User Interface (UI), REST API, and optional database. A server instance must always be installed and running for Sandfly to work. Likewise, the system will start scanning nodes which are doing the legwork for scanning for compromise and intruders. These also must always be running on the system after install.

Cloud Image Requirements and Install

Sandfly's setup scripts will pull the latest images for you automatically if you are not using a pre-built cloud provider image. In most cases, simply downloading and running the setup scripts will be all you need.

If you are using a cloud provided image (available at some sites such as Digital Ocean), then when you login the image will be pre-installed and ready to go after you provision your VM. When building your initial VM to use with Sandfly we recommend that you have a minimum 8GB of RAM and sufficient CPU. For small deployments this is the minimum but may have to be scaled upwards as you add more hosts.

Login to Host to Begin Installation

After the cloud VM instance has come up, you can login to it using your SSH credentials. You will be immediately presented with the install screen below.

Welcome to Sandfly InstallWelcome to Sandfly Install

Welcome to Sandfly Install

Agree to License Terms

You will be asked to review and agree to the license terms for Sandfly. Please type YES when you have read the agreement.

Server Automated Setup and Cryptographic Key Generation

After you agree to the license, the system will initialize the database and cryptographic keys. This is all automated, but may take a minute or two to complete depending on your system speed and key generation algorithms.

During this time you will also have an automatic trial license generated to begin using Sandfly immediately. If you have a paid license you can delete the trial license once you login and replace it.

Setup Completed

When the setup completes you will see the message below.

**************************************************************************
**                                                                        
** SANDFLY INSTALLATION COMPLETE                                         
**                                                                     
** Use the URL and login information printed below to log in to your       
**
** server. The initial admin password is stored on this server in         
** the setup_data directory; we recommend you change your intial           
** password after logging in.                                             
**
**************************************************************************

===> URL: https://192.168.1.10/
===> Username: admin
===> Password: system-treason-decibel-scouring-coasting-padded-active

Please make a note of the password. It is randomly generated and you will need it the first time to login and setup the system.

Optional SSL Signed Certificate

This install script will generate self-signed SSL keys for use by the scanning nodes and server. If you wish to use a signed certificate, Sandfly can generate one for you using EFF Let's Encrypt signing service.

Signed Certificate Requirements

We will be using the EFF Let's Encrypt service. This service requires the following:

  1. A valid DNS resolvable hostname.
  2. TCP port 80 visible from the Internet.

The service must have a hostname that resolves as this is used in the certificate. Also, the service will connect to the server on port 80 to establish it is alive. Once this process happens, you can block port 80 and setup stricter firewall rules for the Sandfly server going forward.

❗️

Port 80 Must Be Visible From The Internet During Signing!

Make sure the server you are using has a legitimate hostname that is reachable from the Internet and resolves correctly. Port 80 will need to be open for the EFF server to validate the host.

You can block this port again after you receive your certificate from Let’s Encrypt, but it must be open during the generation process.

Run SSL Setup

We'll run the setup-ssl script mentioned at the end of the setup procedure above.

Ready for a real SSL certificate? Add a record for this host to
your public DNS server, make sure port 80 is open from the Internet,
and run `setup-ssl` to request a certificate from Let's Encrypt.

Make sure, again, that the hostname you put in is legitimate and port 80 can be reached from the Internet. The Let's Encrypt service will not sign any certificate for servers that are not reachable on the Internet.

The questions are self-explanatory as seen below.

*************************************************************************
Requesting Certificate from Let's Encrypt

We are now going to try to contact Let's Encrypt with EFF's certbot to 
sign our certificate. The Sandfly server must be accessible from the 
internet on TCP port 80 for this procedure to work.

This script will temporarily stop the Sandfly server.
*************************************************************************

ACTION REQUIRED: you must add a public DNS entry for this host that 
resolves   to the outside internet IP address of this server 
(192.168.1.10). Port 80   must be open from the internet for Let's Encrypt 
to complete its validation. What is the public DNS entry for this server 
(e.g. "sandfly.example.com")?
==> example.sandflysecurity.com

The server will now be stopped so we can obtain a certificate.

Next you will be asked for a contact e-mail. We recommend you put in a valid e-mail in case there is a security alert about the certificates. You can opt in or out of the EFF mailing list.

Stopping sandfly-server...
sandfly-server
sandfly-server-mgmt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 
'c' to cancel): [email protected]

You will need to agree to the EFF terms of service. You can also choose to be on their mailing list or not for updates.

When completed you'll see the following:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.sandflysecurity.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.sandflysecurity.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.sandflysecurity.com/privkey.pem
   Your cert will expire on 2021-07-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Copying signed certs to SSL directories
Certificates copied. Done.
sandfly-server-mgmt
server.config.json updated with new SSL certificate.
Re-starting Sandfly Server.
sandfly-server
93c3b912b1096f8c002e203cf3adfd5a292c8ffa6fa1899ff534451d24f92975
Done!

If all is well, when you connect to the UI you will not get any warnings from your browser about invalid certificates.

If you are using an internal server to host Sandfly, then you probably can't use this method. You'll have to find another way to get the server certificate signed. If you are fine using a self-signed certificate and just telling your browser to accept it manually, then skip this step.

If you have a way to generate signed keys with your own CA, you will want to base64 encode the certificate and key and place them in the fields in the config.server.json file located under setup_data:

server.ssl.server.cert_signed
server.ssl.server.private_key_signed

Setup Complete

You can now connect to the URL of the server and login using the username admin and randomly generated password from the setup above.


Did this page help you?