Identify, Track, and Respond to SSH Credential Use and Abuse

SSH Hunter and Key Explorer

Secure Shell (SSH) is the de facto way to securely access Linux servers. Despite the increase in security SSH provides, it also presents unique and significant challenges in terms of credential theft and hiding intruder activity. SSH key management has a variety of pitfalls, such as stale credentials and orphaned keys, and it can easily conceal malicious keys inserted by malware or intruders to maintain persistence.

At Sandfly we have seen incidents where SSH credentials were stolen or used to insert backdoor access for intruders and malware. We have also seen targeting of SSH keys by malware to enable lateral movement across hosts. Because SSH communications are encrypted, the protocol not only protects legitimate users but also conceals intruders from network monitoring tools, so they can move undetected.

To date, there has been no way for administrators to easily track SSH key usage and credential abuse. That all changes with Sandfly's SSH Hunter and our unique agentless architecture.

Meet Sandfly's SSH Hunter

SSH Hunter is a powerful tool to track SSH key usage across your Linux systems. SSH Hunter leverages Sandfly's agentless architecture to give you the ability to:

  • Track keys across all your Linux systems.

  • See which users can access your Linux systems.

  • Discover when keys were first and last seen, key types, and key locations.

  • Visualize how SSH keys, users, and host access are distributed.

  • Find anomalies such as duplicate keys or users with new keys unexpectedly added.

  • Rapidly respond to incidents involving compromised SSH credentials.

  • Search for new keys, old keys, banned keys, and much more.

With Sandfly's SSH Hunter, you now have the ability to quickly track and identify issues with SSH keys. Sandfly lets you find SSH credential problems before they become a major incident.

SSH Key Explorer Gives Instant Visibility

The SSH Key Explorer lets you see where a key is being used across your Linux fleet, who is using the key, when it was created, how old it is, and much more. You get an instant view of what users and SSH keys are in use across your network.

Sandfly's SSH Key Explorer

Monitor Automated SSH Key Management

As SSH key management takes on a more automated role, it becomes important to monitor these systems to make sure they are operating without fault. SSH Hunter can track keys being deployed by automated systems, but can also find keys added out-of-band into accounts that automated systems may not be monitoring. This includes SSH keys used in embedded Linux devices, which often have no monitoring in place.

Sandfly searches for keys for all users on your Linux hosts so errant and unexpected keys will not take you by surprise.

Rapid Incident Response

If you are responding to an incident, knowing what SSH credentials are in use is critical. SSH keys are high-value targets for intruders and allow rapid compromise across an enterprise. With Sandfly's agentless scanning for SSH keys, you get instant knowledge of this critical piece of forensic data even if no monitoring is currently in place. Sandfly will automatically locate SSH keys on hosts and build an instant overview of what is happening with them to save precious time when investigating an incident.

Find SSH Problems Before They Turn Into Compromises

SSH Hunter also tracks keys and looks for unusual behaviors such as duplicate keys inside authorized_keys files, orphaned keys, and more. Our key timeline shows you the first time we saw a key, and when that key was seen on other hosts. You will know at a glance if a new key is being used unexpectedly or if old keys are still present on any host.

SSH Duplicate Keys Alert
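
The duplicate-key check described above can be sketched in a few lines. This is an added example, not Sandfly's code: the function names, hosts, users, and sample keys are constructed for illustration. It fingerprints the decoded key blob (SHA256, unpadded base64, the form `ssh-keygen -l` prints), so the same key matches regardless of its comment or leading options.

```python
import base64, hashlib, struct
from collections import defaultdict
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options (from=, command=) may precede the key type, so scan for it.
    for ktype, b64 in zip(fields, fields[1:]):
        if not ktype.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed copy of the key type; checking
        # it rejects look-alike tokens inside a quoted option string.
        if blob.startswith(struct.pack(">I", len(ktype)) + ktype.encode()):
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None

def find_duplicates(files):
    """Map fingerprint -> [(host, user, line_no), ...] for keys seen more than once."""
    seen = defaultdict(list)
    for (host, user), text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            fp = fingerprint(line)
            if fp:
                seen[fp].append((host, user, line_no))
    return {fp: locs for fp, locs in seen.items() if len(locs) > 1}

def sample_key(seed, comment):
    """Constructed ssh-ed25519 entry: well-formed blob, not a real key pair."""
    ktype, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + ktype + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed inventory keyed by (host, user); comments differ, key material repeats.
SAMPLE = {
    ("web01", "alice"): "# managed\n" + sample_key(b"a", "alice@laptop") + "\n" + sample_key(b"b", "bob@desk"),
    ("web01", "root"): 'from="10.0.0.5",command="echo ssh-rsa x" ' + sample_key(b"a", "backup"),
    ("db01", "bob"): sample_key(b"b", "bob@desk") + "\nnot a key line\n",
}

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
```

In the sample, the key added to root on web01 under a different comment and with a `command=` option is still reported as a duplicate of alice's key.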

Find, Filter, and Fix SSH Keys

SSH Hunter allows you to quickly filter keys by many different attributes. For instance, you can search for keys first seen over the last 24 hours to find new and unexpected keys being used on user accounts.

Search for SSH keys over the last 24 hours.

Or, you can perform detailed searches for attributes such as key type or date ranges to find keys that need to be updated or removed. Our flexible filter search allows you to customize what attributes are important to you and search instantly for keys that match.

Search for SSH keys by key type and age.

SSH Key Auditing Made Easy

Sandfly's new SSH Hunter makes tracking and auditing SSH key usage simple and fast. Our agentless Linux security platform will track and monitor this critical asset automatically. If you would like to try out the SSH Hunter, contact us for a trial license.
