Documentation

Security Zones

SSH Security Zones let you select a group of hosts, by host tags, and declare that they belong in a zone. You may then select SSH public keys, by tags, that are allowed on hosts inside that zone.

If a host is in a zone and a key that is not permitted by the zone is found on the host, Sandfly will generate an alert result during scans and indicate zone violations in the SSH Hunter pages in the Sandfly User Interface (UI).

Key status icons

In addition to alerts from future scans, real-time status is shown throughout the SSH Hunter views in the UI. For example, the Key Investigation, User Investigation, and Host Investigation lists all have status icons indicating a zone violation is occurring related to the key/user/host (indicated by a red icon of a key inside a shield), and violations are indicated in the detail pages and graph views of the SSH Security Zones.

Various icons in the Key Summary list indicate how keys are currently involved with security zones:

A screenshot of the green status key

A green shield means that they key is permitted in at least one security zone, and is not currently found in any other security zones causing a violation.

A screenshot of the dimmed status key

Lack of a shield (dim / dashed-line icon) means that the key is not permitted in any security zones, and has not been found on any host that is in a security zone. This is the “default state” when non-zoned keys are only found on non-zoned hosts.

A screenshot of the red dashed status key

A red dashed-line shield icon indicates that the key is not permitted by any security zones, but it was found on a host that is in a security zone.

A screenshot of the solid red status key

Finally, a solid red shield means that the key is both permitted in one or more security zones, and ALSO has been found on a host in another security zone that this key is not permitted in.

Zone Status

The default page under SSH Hunter is now SSH Security Zones. This gives you a quick overview of the integrity of SSH public key access to your network.

A screenshot of the zone list in the Security Zones

A red shield icon means that the zone has a violation – that is, one or more hosts in the zone have an SSH key that is not permitted in the zone. Click on a zone for more details.

A screenshot of the zone hosts list

The Zone Hosts list on a zone shows all the hosts in the zone, and when a host has an SSH key that is not permitted in the zone, a red shield icon is displayed. Clicking on a host will take you to the Host Investigation page, where on the Users & Key Entries tab you can see the specific users and the entries in their authorized_keys files that are in violation of the zone:

A screenshot of the users and keys list

The SSH visualization graphs also show a zone violation icon if the tree node or one of its descendants contains a zone violation:

A screenshot of the visualization explorer

VIDEO SPOTLIGHT: SSH Security Zones - Full demo of how to track, secure and monitor SSH keys on Linux agentlessly.

Visit Sandfly Security's YouTube Channel for all of our videos.

Updated 11 days ago

What’s Next