An ssh force-command script for restricting binaries executed by the Sandfly (https://www.sandflysecurity.com/) user.

thoughtbox/sandfly-restrict


very short intro

Sandfly is a Linux security product (see https://sandflysecurity.com); this script attempts to reduce admin paranoia.

sandfly-restrict

This is an ssh force-command script that adds additional security controls to the "sandfly" user's execution environment. In addition to whitelisting commands using regular expressions, the script will also verify the sha512sum of the "sandfly" binary.

usage

Put restrict.sh in an appropriate directory (/usr/local/bin) with appropriate permissions (e.g. chmod 755). Prepend the "sandfly" user's .ssh/authorized_keys file with command="/usr/local/bin/restrict.sh",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding, like so:

mcfly@test:~$ cat .ssh/authorized_keys
command="/usr/local/bin/restrict.sh",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding ssh-ed25519 AAAA.....eO mcfly@test

Additional admin paranoia can be reduced through host-based means such as TCP wrappers, iptables and/or by limiting which hosts can log in to the "sandfly" user account. The latter can be achieved by prepending a from= option to the above authorized_keys entry. For example, if your Sandfly nodes are on 172.16.16.0/29, your authorized_keys file should look like this (note, NO SPACES unless they are within double quotes):

mcfly@test:~$ cat .ssh/authorized_keys
from="172.16.16.0/29",command="/usr/local/bin/restrict.sh",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding ssh-ed25519 AAAA.....eO mcfly@test

read the fine script

Recent versions of Sandfly support the use of random binary names to reduce detection. If you use this feature, this script requires some tweaking of the regular expression matching (look for "botfly" within the script and take it from there).
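To show the shape of the control described above (anchored regex whitelist on SSH_ORIGINAL_COMMAND plus a sha512sum check before the agent binary may run), here is a constructed illustration of a force-command wrapper. It is not the project's restrict.sh; the binary path, the expected digest and the allowed patterns are placeholders you would replace for your own deployment (for random binary names, the first pattern is the one to adjust).

```shell
#!/bin/sh
# Constructed illustration of a force-command wrapper; not the project's restrict.sh.
# Path, digest and patterns are placeholders (assumptions) to be replaced per deployment.

SANDFLY_BIN="/tmp/sandfly-demo/sandfly"                      # placeholder: where the agent binary lands
SANDFLY_SHA512="replace-with-sha512sum-of-trusted-binary"    # placeholder: expected digest

# Anchored extended regexes, one per line; the whole command must match a whole line.
# The character class deliberately excludes shell metacharacters (; | & $ ` < > etc.).
ALLOWED_PATTERNS='^/tmp/sandfly-demo/sandfly( [A-Za-z0-9=_./-]+)*$
^/usr/bin/sha512sum /tmp/sandfly-demo/sandfly$
^rm -f /tmp/sandfly-demo/sandfly$'

# is_allowed CMD: return 0 if CMD matches one pattern in full, 1 otherwise.
is_allowed() {
    printf '%s\n' "$ALLOWED_PATTERNS" | {
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            printf '%s\n' "$1" | grep -Eq -- "$pat" && exit 0
        done
        exit 1
    }
}

# verify_binary FILE EXPECTED: return 0 only if FILE exists and its sha512sum equals EXPECTED.
verify_binary() {
    actual=$(sha512sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# deny REASON: log locally (if logger exists), tell the client nothing useful, refuse.
deny() {
    command -v logger >/dev/null 2>&1 && logger -t sandfly-restrict "denied: $1"
    printf 'sandfly-restrict: denied\n' >&2
    exit 127
}

# Entry point when sshd invokes this via command="...": the client's request arrives in
# SSH_ORIGINAL_COMMAND. Nothing below runs when the file is only sourced for tests.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$SSH_ORIGINAL_COMMAND
    is_allowed "$cmd" || deny "$cmd"
    case "$cmd" in
        "$SANDFLY_BIN"|"$SANDFLY_BIN "*)
            verify_binary "$SANDFLY_BIN" "$SANDFLY_SHA512" || deny "hash mismatch: $SANDFLY_BIN" ;;
    esac
    set -f            # no globbing while splitting into words
    set -- $cmd       # split on whitespace only: no eval, no shell re-parsing
    exec "$@"
fi
```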

new in version 5.0.4.1

Since 5.0.4, Sandfly no longer uses sftp to copy the binary across, so all previous references to sftp have been removed. The versioning of this script now reflects the Sandfly version it supports.

compatibility

This version has been tested to work with Sandfly version 5.0.5; AKA "it works for me".

end note

I have no affiliation with Sandfly Security, Ltd.; I merely find the product interesting.
