Securing Sandfly IDS Web Dashboard with Two Tier Internal PKI - cfloquetprojects/homelab GitHub Wiki

Introduction:

  • Sandfly IDS is an agent-less intrusion detection and threat hunting tool built solely for Linux-based operating systems.
  • In a previous lab I have already discussed the installation of Sandfly on Ubuntu, and if you're curious they have a terrific knowledge base site to learn more about the product and implementation.
  • Today we will be covering how to secure web-based access to our Sandfly server with internal certificates signed by our two-tier PKI infrastructure.

    💡 If you're wondering what two-tier PKI is, or how to deploy it, I've covered this in a couple different wiki posts, which also have reference links to other great tutorials/guides as well.

Resources:

Pre-Flight Check:

  • As mentioned in the introduction, it's absolutely essential that you have already stood up a two-tier PKI environment for testing. This should consist of an offline RootCA, as well as an online SubCA, which fields and issues certificate requests sent to it by local clients and servers.
  • Additionally, I will be using commands such as tree and unzip, which do not come by default with the base Ubuntu image and can be installed as the root user of the Sandfly server with the command below:

# apt-get install -y tree zip unzip

  • It's also important to have Sandfly already installed on the host, with a sandfly user created that has permission to execute docker commands (e.g. a member of the docker group).

Creating Folder Hierarchy & Writing CSR Config File:

  • First things first, for organization purposes and to better visualize the different required files later on, let's create a folder hierarchy to store our respective certificate, config, request, and private key files.

$ mkdir -p sandfly-certs/{requests,certs,keys,config}

  • While it's possible to use prompts to manually configure a certificate signing request (.CSR) file, I've always thought it was easier to just have a static config (.CNF) file on hand that can be imported into the certificate request generation process using the -config flag on the openssl command.

$ vi ubnt-sandfly01.cnf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no

[ req_distinguished_name ]
countryName                = <Country>
stateOrProvinceName        = <State>
localityName               = <City>
organizationName           = <Organization/Company Name>
commonName                 = <FQDN of Sandfly Server>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = <FQDN of Sandfly Server>

Generating RSA Key & Certificate Signing Request (CSR) on Sandfly Server:

$ openssl genrsa -out ubnt-sandfly01_private.key 2048

$ openssl req -new -key ubnt-sandfly01_private.key -out ubnt-sandfly01.csr -config ubnt-sandfly01.cnf

Submit the CSR to the SubCA, then copy back the issued base64 encoded certificate (ubnt-sandfly01_pub.cer) together with the SubCA's public certificate (subca_pub.cer). The two conversion commands below assume DER input; if a file already starts with -----BEGIN CERTIFICATE----- it is PEM and the -inform DER flag must be dropped.

$ openssl x509 -in ubnt-sandfly01_pub.cer -inform DER -out ubnt-sandfly01_pub.pem -outform PEM

$ openssl x509 -in subca_pub.cer -inform DER -out subca_pub.pem -outform PEM

$ openssl x509 -in YellowstoneRootCA.crt -out YellowstoneRootCA.pem

Concatenate the chain in server order (leaf first, then SubCA, then Root); the root must already be in PEM form for this to work:

$ cat ubnt-sandfly01_pub.pem subca_pub.pem YellowstoneRootCA.pem > sandfly-cert.pem

Flatten the chain and the private key into single-line base64 (-w0 disables line wrapping):

$ base64 -w0 sandfly-cert.pem > sandfly-cert.pem.line

$ base64 -w0 ubnt-sandfly01_private.key > ubnt-sandfly01_private.key.line
