Sandfly 5.1 – Introducing SSH Security Zones

Sandfly Security
Sandfly 5.1 introduces SSH Security Zones, a new feature in Sandfly's agentless security platform for Linux.
This feature allows administrators to set up secure areas where authorized SSH keys are allowed to operate. Unauthorized keys appearing in these zones are instantly identified to detect lateral movement and access risks.
Key points:
1) SSH Security Zones help manage and track SSH authorized_keys files, which can contain too many keys, old keys, orphaned keys, or malicious keys used by intruders.
2) Administrators can define specific zones where only certain keys are allowed, and alerts are generated if new keys appear in these protected areas.
3) Sandfly can track keys across various environments, including cloud, on-premises, embedded, and legacy systems.
4) The platform can also ban specific SSH keys, alerting if they are found on any system, even if they were previously removed.
5) Sandfly 5.1 can detect unencrypted SSH private keys, which pose a significant risk if compromised by attackers. The platform searches user home directories, system /tmp, and /dev/shm ramdisk directories for these keys.
6) Weak SSH keys (RSA keys with 1024 bits or less) are identified and alerted, as they can be vulnerable to advanced adversaries.
In addition to the SSH Security Zones, Sandfly 5.1 includes new detection modules for stealth rootkit techniques, systemd attack vectors, and other Linux threats.
The update also expands existing threat detection modules to cover a wider range of attacks.
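To make key points 2, 4 and 6 concrete, here is an added example (not Sandfly's code, and not how the product is implemented) that audits the text of an authorized_keys file against a zone allowlist and a ban list and flags RSA keys of 1024 bits or less. The function names, the use of OpenSSH-style SHA256 fingerprints as the key identifier, and the constructed sample keys are assumptions of this example.

```python
import base64, hashlib, struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def _s(b):  # SSH wire-format string: 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b

def make_rsa_line(bits, seed, prefix=""):
    """Constructed sample key line (arbitrary modulus, not a usable keypair)."""
    mp = lambda x: _s(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | (seed << 1) | 1
    blob = _s(b"ssh-rsa") + mp(65537) + mp(n)
    return f"{prefix}ssh-rsa {base64.b64encode(blob).decode()} sample@example"

def parse_line(line):
    """Return (fingerprint, rsa_bits or None), or None for non-key lines."""
    # Commented-out keys grant no access, so comment lines are ignored.
    tokens = [] if line.lstrip().startswith("#") else line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:  # skips a leading options field such as from="..."
            blob = base64.b64decode(tokens[i + 1])
            fp = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            bits = None
            if tok == "ssh-rsa":  # blob fields: type, exponent e, modulus n
                off = 0
                for _ in range(3):
                    (length,) = struct.unpack(">I", blob[off:off + 4])
                    field, off = blob[off + 4:off + 4 + length], off + 4 + length
                bits = int.from_bytes(field, "big").bit_length()
            return "SHA256:" + fp.rstrip("="), bits
    return None

def audit(text, zone_keys, banned_keys):
    """Map each key fingerprint to its findings: banned, not-in-zone, weak-rsa."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        fp, bits = parsed
        issues = []
        if fp in banned_keys:
            issues.append("banned")
        elif fp not in zone_keys:
            issues.append("not-in-zone")
        if bits is not None and bits <= 1024:
            issues.append("weak-rsa")
        report[fp] = issues
    return report
```

The fingerprints produced here have the same form as the output of `ssh-keygen -lf`, so allowlist and ban-list entries can be collected with standard OpenSSH tooling.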
Link: https://sandflysecurity.com/about-us/news/sandfly-5-1-introducing-ssh-security-zones/

