Deploying Sandfly IDS Server on Ubuntu 20.04 - cfloquetprojects/homelab GitHub Wiki

Introduction:

Today we will be deploying Sandfly, an agentless intrusion detection system (IDS) built for Linux, to monitor many hosts at once for malicious activity without installing any endpoint software on those hosts (software that would itself need updates and patches over time).

Sandfly has an intuitive web interface. In a later guide we will secure it further with TLS certificates issued by our existing ADCS PKI, but that is not covered in today's tutorial.

Ubuntu has been the bedrock of many servers for many years: it is open source, stable, and broadly compatible. Here we will use Ubuntu 20.04 LTS, which has standard support until April 2025 and Extended Security Maintenance (ESM) until April 2030.

In this and the following tutorials I will show how to install Docker and Sandfly IDS (both the server and the scanning nodes) on Ubuntu 20.04, following Sandfly's maximum-security installation architecture guide, since I've found Sandfly IDS to be a remarkably useful and effective tool for any investigator or engineer tasked with monitoring and maintaining the security of Linux systems.

Resources:

Pre-flight Check:

  • Check out the latest releases of Sandfly IDS on their [GitHub Releases Page]. The version I will be downloading and installing today is v3.3.0, but grab whatever the latest release is when you do this yourself.

  • Ensure that both Ubuntu hosts have static IPv4 addresses within your internal lab network. If you have a DHCP server with reservations, that's terrific; if not, you can set a static IPv4 address on Ubuntu in the /etc/netplan/*.yaml file.

  • Make sure the host that will act as the server has a resolvable entry in your local DNS server. This plays a role in the Sandfly IDS installation process and is good practice on private networks in any case.

  • It's a good idea to get Sandfly's 12-month free starter license, since it is free for up to 500 hosts, which well exceeds the size of our lab environment.

  • Before moving on to the guide, make sure both Ubuntu hosts have the latest packages:

$ sudo apt-get -y update
$ sudo apt-get -y upgrade
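As an added example (not part of the original wiki), the following script renders the netplan static-address configuration the second pre-flight item refers to, tests it with `netplan try` so a typo cannot lock you out, and checks that the server's DNS name resolves to the address you configured. The interface name `ens18`, the addresses, the file name `01-static.yaml`, and the function names are placeholders of my own; substitute your lab values.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: render a netplan static-IPv4 config for a
# lab host and check that the Sandfly server's DNS name resolves as expected.
# Interface name, addresses and file name below are placeholders (assumptions).
set -eu

# Print a netplan YAML document for one interface with a static address.
# Arguments: interface, address in CIDR form, gateway, comma-separated DNS servers.
# gateway4 is the form Ubuntu 20.04 ships with; netplan 0.103+ prefers
# "routes: [{to: default, via: ...}]" but still accepts gateway4.
render_netplan() {
  local iface="$1" cidr="$2" gw="$3" dns="$4"
  cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false
      addresses: [${cidr}]
      gateway4: ${gw}
      nameservers:
        addresses: [${dns}]
EOF
}

# Write the config and trial it. `netplan try` rolls the change back
# automatically unless you confirm within its timeout (120 s by default),
# which is what you want when reconfiguring the NIC you are SSHed in over.
apply_netplan() {
  local file="/etc/netplan/01-static.yaml"   # hypothetical file name
  render_netplan "$@" | sudo tee "$file" >/dev/null
  sudo chmod 600 "$file"   # newer netplan warns when this file is world-readable
  sudo netplan try
}

# Confirm the server's DNS name resolves to the address we configured.
# Returns non-zero if the name does not resolve or resolves somewhere else.
check_server_dns() {
  local name="$1" expected="$2" resolved
  resolved="$(getent hosts "$name" | awk '{print $1; exit}')"
  [ "$resolved" = "$expected" ]
}

# Usage on a real host (commented out so the file can be sourced safely):
#   apply_netplan ens18 192.168.10.50/24 192.168.10.1 192.168.10.10
#   check_server_dns sandfly.lab.local 192.168.10.50 && echo "DNS OK"
```

Run `apply_netplan` from a console session rather than over SSH if you can; if you must do it over SSH, keep the `netplan try` prompt in mind and confirm it only after you have verified the new address is reachable.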

Preparing Ubuntu v20.04 Instances for Installation:

  • As a matter of preference, I will install both net-tools and firewalld: firewalld to apply the firewall rules, and net-tools (netstat) to inspect listening sockets and confirm our containers are working properly.

💡 If you prefer Ubuntu's native ufw (uncomplicated firewall), it works just as well for this lab; both tools are front ends for the kernel's netfilter firewall. I will only be including commands for firewalld in this guide.

$ sudo apt-get install -y net-tools firewalld

  • Now we will create our sandfly user and add it to the docker group so it can run and manage the containers that Sandfly IDS runs in. Be aware that membership in the docker group is effectively root on the host (the Docker daemon runs as root, and any group member can start a container that mounts the host filesystem), so treat this account as a privileged one. The docker group is created by the Docker Engine package; if Docker is not installed yet, the usermod below fails with "usermod: group 'docker' does not exist", so either install Docker first (see the Docker section further down) or create the group beforehand with sudo groupadd docker.

💣 Rather than using the useradd command here, we will be using adduser since it automatically creates home directories for the users we add.

$ sudo adduser --disabled-password --shell /bin/bash --gecos "Sandfly" sandfly
$ sudo usermod -aG docker sandfly

Setting Firewall Rules for Web Access and REST API:

  • Since we already installed net-tools and firewalld in the earlier section, let's put them to use by locking the server down so that only the ports it needs during operation are reachable.

💡 The port 5673/tcp that we will be enabling carries the RabbitMQ (AMQP) messaging traffic that Sandfly scanning nodes use to communicate back to the central server.

$ sudo firewall-cmd --remove-service=dhcpv6-client --permanent
$ sudo firewall-cmd 
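The firewall rules for this section written out as a complete, reviewable script. This is an added example and not the wiki's own command list; it assumes firewalld's default `public` zone (check with `firewall-cmd --get-default-zone`), that the Sandfly web UI and REST API are served on 443/tcp (the default for the Sandfly server image; confirm against your own deployment), and the 5673/tcp AMQP port described above. The function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: firewalld rules for a Sandfly server host.
# Assumes firewalld is installed and the active zone is "public" (assumption).
set -eu

# Ports the Sandfly server must accept:
#   443/tcp  - web UI and REST API (assumed default; verify on your install)
#   5673/tcp - RabbitMQ/AMQP over TLS, used by scanning nodes to call home
# 22/tcp stays open because the public zone allows the ssh service by default
# and we still need to administer the box.
SANDFLY_PORTS="443/tcp 5673/tcp"

# Print the firewall-cmd invocations instead of running them, so the plan can
# be reviewed (or piped into `sudo sh`) before it touches a live firewall.
# Changes are made with --permanent and then activated by a single --reload.
sandfly_fw_plan() {
  local zone="${1:-public}"
  echo "firewall-cmd --zone=$zone --permanent --remove-service=dhcpv6-client"
  for p in $SANDFLY_PORTS; do
    echo "firewall-cmd --zone=$zone --permanent --add-port=$p"
  done
  echo "firewall-cmd --reload"
}

# Apply the plan on this host (needs root and a running firewalld).
sandfly_fw_apply() {
  sandfly_fw_plan "${1:-public}" | while read -r cmd; do
    sudo $cmd   # word splitting is intended: $cmd is a full command line
  done
}

# Verify that every required port is present in the active rule set. Reads the
# output of `firewall-cmd --list-ports` on stdin so it can be checked offline;
# returns 1 and names each missing port on stderr if anything is absent.
sandfly_fw_verify() {
  local listed missing=0
  listed="$(cat)"
  for p in $SANDFLY_PORTS; do
    case " $listed " in
      *" $p "*) ;;
      *) echo "missing: $p" >&2; missing=1 ;;
    esac
  done
  return $missing
}

# Live usage (commented out so the file can be sourced without root):
#   sandfly_fw_apply public
#   sudo firewall-cmd --list-ports | sandfly_fw_verify && echo "firewall OK"
#   sudo netstat -tlnp | grep -E ':(443|5673) '   # containers actually listening?
```

The verify step matters because `--permanent` rules do nothing until `--reload` runs; checking `--list-ports` (the runtime view) rather than `--permanent --list-ports` confirms the rules are actually live.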


### Installing Docker on Server & Scanning Nodes:
 - At risk of repeating my own self-plug, we can actually follow a [guide I wrote earlier on](https://github.com/cfloquetprojects/homelab/wiki/Install-Docker-Engine-on-Ubuntu-20.04-Core-LTS) for installing `Docker Engine` on both of our `Ubuntu v20.04` instances. 
 > 💡 If you would prefer the official documentation from Docker Docs, it can be [found here](https://docs.docker.com/engine/install/ubuntu/).

### Installing Sandfly Server Node:


### Installing Sandfly Scanning Node