Server Install - Docker Image
The Sandfly server hosts the User Interface (UI), REST API, and optional database. A server instance must always be installed and running for Sandfly to work.
Please follow these instructions and you will be up and running in no time.
Download Setup Archive
The setup files are located at Sandfly Security's Github. Please visit the link below to obtain the latest version:
https://github.com/sandflysecurity/sandfly-setup/releases
Depending on your needs, choose between one of the two available packages.
Standard Package
This package contains what is minimally needed to install and run Sandfly with the exception of the containers, which will be downloaded from the Internet as needed. Container downloads may need to occur after installation, thus hosts using this package should be able to connect to the Internet.
To use this option, download sandfly-setup-5.2.0.tgz onto the sandfly server and then extract the archive:
wget https://github.com/sandflysecurity/sandfly-setup/releases/download/v5.2.0/sandfly-setup-5.2.0.tgz
tar -xzvf sandfly-setup-5.2.0.tgz
Offline Package
For users who have systems that either are or intending to run a Sandfly server and/or nodes that are not directly connected to the Internet for any reason (e.g. offline / air-gapped), or for those who simply prefer to have a ready to use bundle, we alternately provide an offline package which includes the containers.
To use this option, download sandfly-setup-offline-5.2.0.tgz from Github, copy the file onto the host where Sandfly will be installed, and finally extract the archive.
Once either archive has been extracted, there should be a directory named sandfly-setup. This is where all the operations below will take place.
Install Container Tool
Sandfly uses Docker or Podman as everything runs inside a container for security and performance reasons. It is important to use the latest, supported version of Docker or Podman.
If a Docker compatible deployment is already installed and up-to-date, proceed to the Start Docker step. The Docker version can be checked with the following command:
docker -v
Podman Installations
RHEL 8 Compatible and Newer
For Podman based deployments, which comes standard with RedHat Enterprise Linux (RHEL) 8 compatible and newer versions of that operating system base, first complete the steps found in the Run Sandfly with Podman documentation. Then return to this page and proceed to the Run Server Setup Script section to continue the server installation.
Docker Installations
IMPORTANT: Do Not Install Alternate / Additional Versions of Docker
Some Linux distributions (such as Ubuntu via the use of snap and apt) or manual docker installations allow for two versions of docker packages to exist without a warning. This can potentially cause problems when starting Sandfly containers. Please ensure that there is only one supported version of docker installed on the host OS.
IMPORTANT: CentOS Repositories Are Too Old for Docker
Some Linux distributions (such as CentOS) contain old versions of Docker that are not compatible with Sandfly. Please perform the installation via one of the provided scripts to ensure that a supported version of Docker is used.
For Docker based deployments, install the latest supported version using one of the scripts below that most closely corresponds to the operating system of the host:
CentOS 7 Compatible
~/sandfly-setup/setup/install_docker_centos7.sh
Ubuntu 18 Compatible
~/sandfly-setup/setup/install_docker_ubuntu18.sh
Ubuntu 20 Compatible and Newer
~/sandfly-setup/setup/install_docker_ubuntu20.sh
Debian 9 Compatible and Newer
~/sandfly-setup/setup/install_docker_debian.sh
Start Docker
Make sure the Docker daemon starts automatically or you can start it manually on Linux with the following command:
service docker start
Run Server Setup Script
This script will start a PostgreSQL and a management container, which will initialize the DB with the tables and user information for logging in. The script will output the secret data into a special directory that we will also use later to start the server and scanning nodes.
IMPORTANT: Do not change the ports of the Sandfly containers
For security reasons we highly recommend that Sandfly runs by itself, on its own virtual machine (VM) or bare metal host. Sandfly will not work if its own ports are changed. If you still choose to install other applications on the same host, then any conflicting ports must be changed on the other application in order for Sandfly to continue to function.
Go to the setup directory.
cd ~/sandfly-setup/setup
Run server install script.
./install.sh
Prepare the Database and Server Management
To start off, the install script will automatically load the containers, downloading them if not locally present, and then configure the database and server management.
Installing Sandfly server version 5.2.0.
Copyright (c)2016-2024 Sandfly Security Ltd.
Welcome to the Sandfly 5.2.0 server setup.
d8319597d9667e9d10960fc13874bb4ec418272edea9c3f1a554adebabc0471b
Starting Postgres database.
Based on 2 CPUs and 2006060kB total RAM, we will start
Postgres with the following settings:
...
Unable to find image 'postgres:14.9' locally
14.9: Pulling from library/postgres
378acb154839: Pull complete
...
79360c1d4f7a: Pull complete
Digest: sha256:9ace7db0a39444eed9d4ad986afd2b49457608ab17954a2eef806ddec992e01d
Status: Downloaded newer image for postgres:14.9
a6c2ec745f7e5c4fb1f939b540136fb238cda4adc525b9dfee97e58929705d33
******************************************************************************
Setting Up Server
The server install script is now starting.
******************************************************************************
Unless the install script encountered errors at this stage, it will automatically proceed to the server API setup.
Add the Server API Hostname/IP Address
The API server is the same as the main server that you connect to in order to access the UI. Enter the IP address or hostname of the system that is hosting the database.
If your host is not resolvable by DNS, enter the external interface IP address. Otherwise, enter the server's DNS resolvable, fully qualified domain name.
IMPORTANT: Do Not Use Localhost (127.0.0.1) As Your Server Address
Do not enter localhost (127.0.0.1), or any other loopback interface, for the server address as the application will not work. It must be a valid, external interface such as an ethernet IP address or fully qualified domain name the system uses for connectivity.
Example:
******************************************************************************
Server API Setup
We're going to setup where the server is located so the user interface and
scanning nodes can connect to it.
The entry should be the server fully qualified domain name (FQDN) or the
server IP address. It is important that the address supplied is reachable by
your web browser for the UI and the scanning nodes.
Do NOT use localhost (127.0.0.1) as the address or the server will not work.
It must be an address that is reachable by the server itself and nodes.
******************************************************************************
Please supply the server API hostname or IP address here (NOT localhost): example.sandflysecurity.com
Or you can put in your externally reachable IP address if DNS is not available for your host:
...
Please supply the server API hostname or IP address here (NOT localhost): 198.51.100.100
The script will have scrolled by a lot of data on the database and server management being initialized. If you get an error, please ensure that there are sufficient resources available. If you are still receiving errors, then make a copy of the output of the entire process and contact Sandfly for help.
SSL Setup
This install script will automatically generate self-signed SSL keys for use by the scanning nodes and server. You will have a chance to make a signed key after setup completes.
When generating keys we also generate Diffie Hellman parameters. This can take a while depending on the system and other factors. As long as the screen is moving, then it is generating the keys fine.
*****************************************************************************
*** Creating SSL Keys for Server
*****************************************************************************
*** Using hostname from environment: 198.51.100.100
*** Server SSL key creation completed.
Optional: Generate a Signed SSL Certificate
At the end of the install script you will be asked to generate signed SSL certificates. This is recommended, but if you are running Sandfly on internal systems it may not be possible to use the built-in script to do this and you can skip this step.
If the system has access to the Internet and can be reached on port 80, you can use the built-in script to make signed certs for you. You can generate a signed certificate for the server using the Let's Encrypt service from the EFF. This will stop you from having SSL errors when connecting to the UI with a modern browser.
IMPORTANT: Port 80 Must Be Visible From The Internet During Signing!
Make sure the server you are using has a legitimate hostname that is reachable from the Internet and resolves correctly. Port 80 will need to be open for the EFF server to validate the host.
Yes, the server needs to be reachable by the EFF certificate generation process on the HTTP port (80).
You can block this port again after you receive your certificate from Let’s Encrypt, but it must be open during the generation process.
Make sure that the hostname is legitimate and port 80 can be reached from the Internet. The Let's Encrypt service will not sign any certificate for servers that are not reachable on the Internet.
******************************************************************************
Make Signed SSL Key?
If the Sandfly server is able to be seen on the Internet, we can generate a
signed key using EFF's Let's Encrypt Bot. Answer below if you'd like to do
this.
******************************************************************************
Generate signed SSL keys (type YES)?
Indicate whether to use signed SSL keys or not. If so, then answer the certificate questions:
****************************************************************************
Signed Certificate Install
EFF's Let's Encrypt bot needs your fully qualified hostname to reach this
host. It must be visible online with TCP port 80 access for this to work.
****************************************************************************
What is your fully qualified hostname for the signed SSL cert? example.sandflysecurity.com
Next you will be asked for a contact e-mail. We recommend you put in a valid e-mail in case there is a security alert about the certificates. You can opt in or out of the EFF mailing list.
When starting the server, the scripts look for the signed versions first before trying to use the unsigned versions if present.
If all is well, when you connect to the UI you will not get any warnings from your browser about invalid certificates.
If you are using an internal server to host Sandfly, then you probably cannot use this method. You will have to find another way to get the server certificate signed. If you are fine using a self-signed certificate and just telling your browser to accept it manually, then skip this step.
If you have a way to generate signed keys with your own CA, you will want to base64 encode the certificate and key and place them in the fields in the config.server.json file located under setup_data:
- server.ssl.server.cert_signed
- server.ssl.server.private_key_signed
Setup Complete
When the install script finishes you will see the following output.
******************************************************************************
Setup Complete!
Your setup is complete. Please see below for the path to the admin password to
login.
You will need to go to /root/sandfly-setup/start_scripts and run the following to start the
server:
./start_sandfly.sh
Your randomly generated password for the admin account is located under:
/root/sandfly-setup/setup/setup_data/admin.password.txt
******************************************************************************
The admin password is a randomly generated diceware string of words. You can change it once you login and the generated password will no longer work.
cat ~/sandfly-setup/setup/setup_data/admin.password.txt
agentless-proof-hardened-heroic-utility-shells-sandfly
Start the Server
It is now time to start the server. Go to the start_scripts directory and run the script start_sandfly.sh.
cd ~/sandfly-setup/start_scripts/
./start_sandfly.sh
*** Starting Postgres.
...
*** Starting Sandfly Server.
...
<server is started>
When you start the server after the installation, the node config will be present until we copy and delete it as detailed under the node install instructions. In this case you will receive this warning when you first run the server:
********************************* WARNING *********************************
* *
* The node config data file at: *
* ../setup/setup_data/config.node.json *
* is present on the server. *
* *
* This file must be deleted from the server to fully protect the SSH keys *
* stored in the database. It should only be on the nodes. *
* *
********************************* WARNING *********************************
Are you sure you want to start the server with the node config data present?
Type YES if you're sure. [NO]: YES
For now, type YES, and hit enter. After we copy the config under the Node Install instructions we will delete the node config JSON and you should not see this warning any more.
Standard Security Install Ignore Warning
If you are running the Standard Security mode with the server and node on the same system, you can ignore this warning about the node config file present.
Check Containers are Running
Check if PostgreSQL and the Sandfly server containers are running:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4b24ab50f1c5 quay.io/sandfly/sandfly:5.0.2 "/opt/sandfly/start_…" 4 seconds ago Up 3 seconds 0.0.0.0:80->8000/tcp, :::80->8000/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp sandfly-server
f23041d1b2b4 postgres:14.9 "docker-entrypoint.s…" 4 seconds ago Up 3 seconds 5432/tcp sandfly-postgres
Next, copy the diceware password generated for the admin user so that you can log into the web interface:
cat ~/sandfly-setup/setup/setup_data/admin.password.txt
agentless-proof-hardened-heroic-utility-shells-sandfly
Access the Server with Your Browser
Go to your new web server address for the Sandfly server, for example:
https://example.sandflysecurity.com/
If you did not sign your certificate with a valid certificate authority, you will receive a warning. You can ignore this while testing. However, for operational purposes we recommend that you use a signed certificate.
At the login screen enter the username admin and the diceware password that was generated during this process. A successful authentication will open the user interface for administering Sandfly.
The server is now ready. Next we will load the node and connect it all together.
Updated about 2 months ago