Deploying Sandfly Security for Agentless Linux Intrusion Detection
In modern cloud environments, protecting Linux infrastructure is essential. Many traditional security solutions depend on endpoint agents, which may add performance overhead, introduce stability concerns, and create compatibility challenges across mixed or older systems. Sandfly Security provides a modern, agentless method for Linux intrusion detection and incident response, delivering detailed visibility without the operational complexity of conventional tools.
Sandfly is an automated compromise and intrusion detection platform that continuously searches for malicious activity on Linux systems around the clock. It connects to cloud servers through SSH, launches temporary scanners for deep forensic analysis, and then removes them completely. Because this agentless approach does not require permanent software on endpoints, Sandfly can detect threats such as malware, rootkits, and suspicious user activity without risking agent-related performance issues or kernel conflicts. This makes it a reliable option for production environments.
Key Takeaways
- Agentless Security: Sandfly Security delivers comprehensive Linux intrusion detection without installing software on endpoints, reducing performance impact and compatibility risks.
- Fast Deployment: A marketplace-based one-click application can automate the Sandfly deployment process, including Docker container setup and database initialization, reducing installation time from hours to minutes.
- Secure Architecture: The recommended configuration uses dedicated service accounts, SSH key-based authentication, and cloud firewall rules to apply defense-in-depth security principles.
- Continuous Monitoring: Automated scan schedules with trickle scanning provide broad threat detection while minimizing the impact on production systems.
- Scalable Solution: Sandfly’s agentless design makes it practical to deploy across many Linux environments, from cloud servers to legacy systems and embedded devices. When monitoring many cloud servers, keep provider-specific server limits in mind, as they may affect larger rollouts. For best performance, choose a server size that matches your environment’s requirements and review your provider’s plan documentation for guidance.
Cloud Marketplace Partnership
Sandfly Security can be offered through cloud marketplace integrations to simplify deployment of this security platform.
Sandfly has long been aligned with Linux-based cloud environments. Its agentless Linux security approach makes it a natural fit for organizations that want to deploy threat detection quickly and securely across their infrastructure.
A one-click application automates what would otherwise be a multi-step installation involving Docker containers, database initialization, and network configuration. This lowers the barrier to entry for enterprise-grade Linux security.
Sandfly’s approach addresses Linux security in a modern and compelling way by offering agentless visibility and practical deployment options for cloud customers.
What You Will Learn
This tutorial gives you a complete, step-by-step walkthrough for deploying Sandfly Security by using a cloud marketplace one-click application. By following this guide, you will:
- Deploy a Sandfly server from a cloud marketplace image.
- Create a dedicated and secure service account on target cloud servers for Sandfly to use.
- Configure secure, passwordless SSH key-based authentication.
- Apply a cloud firewall to enforce a strict least-privilege network policy.
- Configure and schedule automated security scans from the Sandfly web console.
By the end of this tutorial, you will have a production-ready Sandfly installation actively monitoring your Linux infrastructure for threats. This article uses Ubuntu- and Debian-based commands, but Sandfly can be extended to all Linux distributions.
Prerequisites
Before you begin, you will need the following:
- An active account with a cloud provider.
- At least one existing Linux cloud server to monitor. This guide refers to it as your target cloud server.
- The public IP addresses of your Linux cloud servers.
- A local computer with an SSH client installed so you can connect to your cloud servers. For guidance, refer to documentation on connecting to cloud servers with SSH.
Step 1 — Deploying the Sandfly Security One-Click Application
The first step is to create the Sandfly server by using the preconfigured image from your cloud provider’s marketplace. This image includes the required components and an automated setup script so you can get started quickly.
Open your cloud marketplace and search for “Sandfly Security”. Then select the option to create a Sandfly Security cloud server.
You will be taken to the standard cloud server creation page with the Sandfly image preselected. Configure the server with the following settings:
Choose a Plan
- Sandfly’s documentation recommends a server with at least 8 GB of RAM for production use.
- For this tutorial, a general-purpose cloud server with at least 4 GB of RAM and 2 vCPUs is a suitable starting point for smaller environments.
- You can scale the server later as your monitoring requirements grow.
Choose a Datacenter Region
- For better performance and lower network latency, choose the same region where your target cloud servers are hosted.
Authentication
- Select SSH key as the authentication method.
- This is much more secure than password-based authentication and is a core security best practice.
- Select an existing public SSH key or add a new one.
- For more details, refer to your provider’s SSH key management documentation.
Finalize Details
- Create one cloud server for this Sandfly instance.
- Choose a descriptive hostname, such as sandfly-server. This helps you identify the server easily in your control panel.
- Optionally, add tags or assign the server to a specific project.
After configuring these options, click the button to create the cloud server. Your provider will now provision the Sandfly server, which may take a few minutes.
Step 2 — Initial Server Login and Setup
The Sandfly one-click application is designed to run an automated installation when you log in for the first time. During this process, it configures the required Docker containers, initializes the database, and creates a secure random password for the web interface.
After the sandfly-server cloud server has been created and its public IP address is visible in your control panel, connect to it over SSH as the root user. Replace <your_sandfly_server_ip> with the actual IP address of your cloud server.
ssh root@<your_sandfly_server_ip>
After your first successful connection, the server automatically runs a setup script.
You will see output while the server pulls Docker images and configures the Sandfly application stack. This process may take several minutes.
When the script finishes, it displays a message containing the randomly generated password for the Sandfly web UI admin user.
This is the only time the password is shown. Copy it immediately and store it securely, such as in a password manager. You will need it later to log in to the Sandfly web console.
Note: If you cleared the screen and did not save the password, you can retrieve it again with this command:
cat /opt/sandfly-setup/setup/setup_data/admin.password.txt
This file contains the password used for the initial setup. After you log in and change the password, the value stored here will no longer be valid.
Step 3 — Creating a Secure Service Account on Target Cloud Servers
Sandfly needs root-level privileges on the systems it scans so it can perform comprehensive security checks. However, allowing a service to connect directly as root creates a significant security risk and conflicts with the principle of least privilege.
The recommended security practice is to create a dedicated non-root service account on each target cloud server and grant that account permission to execute commands with root privileges through sudo.
This method separates access and creates a clear audit trail for all actions performed by the scanning service.
Run the following steps on every Ubuntu cloud server that you want Sandfly to monitor.
First, log in to your target cloud server as root:
ssh root@<your_target_server_public_ip>
Next, use the adduser command to create a new user. In this guide, the user is named sandfly-scanner. The adduser utility automatically creates a home directory and prompts you to set a password.
adduser sandfly-scanner
You will be asked to enter and confirm a password for the user. Choose a strong, unique password and store it safely. You can press ENTER to skip the later prompts for the user’s full name and other details.
Adding user `sandfly-scanner'...
Adding new group `sandfly-scanner' (1001)...
Adding new user `sandfly-scanner' (1001) with group `sandfly-scanner'...
Creating home directory `/home/sandfly-scanner'...
Copying files from `/etc/skel'...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for sandfly-scanner
Enter the new value, or press ENTER for the default
Full Name:
Room Number:
Work Phone:
Home Phone:
Other:
Is the information correct? Y
After creating the user, grant it sudo privileges. On Ubuntu, the recommended approach is to add the user to the sudo group. By default, members of this group can run commands with root privileges by using sudo.
Use the usermod command with the -aG flags to append the user to the sudo group:
usermod -aG sudo sandfly-scanner
To confirm that the user was added to the group successfully, use the getent command:
getent group sudo
The output should show sandfly-scanner as a member of the sudo group.
sudo:x:27:<your_username>,sandfly-scanner
Repeat this process for each cloud server you want to monitor. You have now created a secure and auditable service account for Sandfly.
Optional: Later in the Sandfly setup, you can provide the password for this account so Sandfly can use sudo. Alternatively, you can remove the password requirement by granting the account passwordless sudo through a drop-in file. The following command creates /etc/sudoers.d/sandfly containing the required line:
echo "sandfly-scanner ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sandfly
Consider the following two notes:
- You may prefer to use a less obvious account name so attackers cannot easily identify that the system is monitored. If you choose to do this, use any valid Linux username. Sandfly can be configured to log in with any valid account name, so the specific username is not important as long as it is valid.
- If you stop using Sandfly, remove these accounts from your target cloud servers.
Step 4 — Configuring SSH Key-Based Authentication
After creating the service account, the next step is to configure SSH key-based authentication.
This allows the Sandfly server to log in to target cloud servers as the sandfly-scanner user securely and without a password, which is required for automated scanning.
SSH keys are much more secure than password authentication. A key part of this setup is creating a new dedicated SSH key pair specifically for this service.
Reusing an existing key, such as your personal administrative key, is not recommended. A dedicated key limits the impact if that key is ever compromised because access is restricted to the Sandfly scanning function.
First, connect to your sandfly-server cloud server through SSH if you are not already logged in.
ssh root@<your_sandfly_server_public_ip>
On the sandfly-server, generate a new SSH key pair. This example uses the modern and secure ed25519 algorithm. The -f flag defines the file path for the key, and -C adds a descriptive comment.
ssh-keygen -t ed25519 -f ~/.ssh/sandfly_scanner_key -C "sandfly-scanner-key"
When prompted for a passphrase, press ENTER twice to leave it blank.
You may also choose to add a passphrase to the key for use with Sandfly. Sandfly supports encrypted keys, but you must enter the passphrase when adding the credentials in the UI. Because Sandfly encrypts all keys that it manages, a passphrase may not be necessary in every environment.
You can also generate an SSH key pair directly inside the Sandfly UI. Letting Sandfly handle this can reduce risks related to key management, such as leaving private key material in an unsecured file system location. The private key will not be visible again through the UI after it is created.
Using this method requires logging in to the UI as described later in this guide or in the Sandfly documentation.
Next, display the contents of the newly created public key:
cat ~/.ssh/sandfly_scanner_key.pub
The output is a single line beginning with ssh-ed25519. Copy the full line to your clipboard. You will add this public key to the authorized_keys file for the sandfly-scanner user on each target cloud server.
Now run the following commands on each target cloud server. If you are still logged in as root, first switch to the sandfly-scanner user:
su - sandfly-scanner
As the sandfly-scanner user, create a .ssh directory in the home folder and set the correct permissions. SSH is strict about permissions. If they are too open, the key will not be accepted for authentication.
mkdir ~/.ssh
chmod 700 ~/.ssh
Create the authorized_keys file inside the .ssh directory and set the proper permissions:
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Finally, append the public key copied from the sandfly-server to the authorized_keys file. Replace PASTE_PUBLIC_KEY_HERE with the actual public key from your clipboard.
echo "PASTE_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
Exit the sandfly-scanner user session and then exit the target cloud server.
exit
exit
Repeat this process for every target cloud server. Your Sandfly server can now authenticate securely to your target systems.
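The account creation of Step 3 and the key installation of Step 4 can be scripted so that every target server is provisioned the same way. The script below is an added example, not Sandfly's own tooling: it uses the passwordless-sudo option from Step 3, validates the sudoers drop-in with visudo before sudo can load it, and additionally pins the scanner key to the Sandfly server's IP address with the sshd from= option. The SANDFLY_IP and SCANNER_PUBKEY values are placeholders, and the no-forwarding key options assume Sandfly only needs to run commands and copy its scanner over SSH.

```shell
#!/bin/sh
# Added example (not Sandfly's own tooling): provisions the scanning account
# from Steps 3 and 4 on a target server in one idempotent pass, using the
# passwordless-sudo option, and restricts the key to the Sandfly server's IP.
# Placeholder values; override them in the environment before running --apply.
SCANNER_USER="${SCANNER_USER:-sandfly-scanner}"
SANDFLY_IP="${SANDFLY_IP:-<your_sandfly_server_public_ip>}"                  # placeholder
SCANNER_PUBKEY="${SCANNER_PUBKEY:-ssh-ed25519 AAAA... sandfly-scanner-key}"  # placeholder
SSH_KEY_FILE="${SSH_KEY_FILE:-$HOME/.ssh/sandfly_scanner_key}"

# Build the authorized_keys entry. The sshd "from=" option makes the key
# unusable from any address other than the Sandfly server, and the no-*
# options drop forwarding features a command-only scanner does not need
# (assumption: Sandfly only needs to run commands and copy its scanner).
build_authorized_key_line() {
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Install the entry under the given home directory with the permissions sshd
# requires (700 on .ssh, 600 on authorized_keys); append only if missing.
install_scanner_key() {
  home_dir=$1; key_line=$2
  mkdir -p "$home_dir/.ssh"
  chmod 700 "$home_dir/.ssh"
  touch "$home_dir/.ssh/authorized_keys"
  chmod 600 "$home_dir/.ssh/authorized_keys"
  grep -qxF "$key_line" "$home_dir/.ssh/authorized_keys" \
    || printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
}

# Write the sudoers drop-in with mode 440, which sudo requires for files in
# /etc/sudoers.d. Kept separate from validation so it can be tested without root.
write_sudoers_drop_in() {
  drop_in=$1; user=$2
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$drop_in"
  chmod 440 "$drop_in"
}

# Parse the drop-in with visudo before sudo ever loads it: a syntax error in
# /etc/sudoers.d can lock everyone out of sudo, so a bad file is removed.
validate_sudoers_file() {
  visudo -cf "$1" >/dev/null || { rm -f "$1"; echo "rejected $1" >&2; return 1; }
}

# Run as root on each target server.
provision_target() {
  id "$SCANNER_USER" >/dev/null 2>&1 \
    || adduser --disabled-password --gecos "" "$SCANNER_USER"
  usermod -aG sudo "$SCANNER_USER"
  home_dir=$(getent passwd "$SCANNER_USER" | cut -d: -f6)
  install_scanner_key "$home_dir" "$(build_authorized_key_line "$SANDFLY_IP" "$SCANNER_PUBKEY")"
  chown -R "$SCANNER_USER:$SCANNER_USER" "$home_dir/.ssh"
  write_sudoers_drop_in /etc/sudoers.d/sandfly "$SCANNER_USER"
  validate_sudoers_file /etc/sudoers.d/sandfly
}

# Run on the sandfly-server: proves the key is accepted and that sudo works
# non-interactively (sudo -n fails instead of prompting), which is exactly
# what an unattended scan needs. $1 is the target's IP address.
verify_from_sandfly_server() {
  ssh -i "$SSH_KEY_FILE" -o BatchMode=yes "$SCANNER_USER@$1" 'sudo -n true' \
    && echo "OK: $1 accepts the scanner key and passwordless sudo"
}

case "${1:-}" in
  --apply)  provision_target ;;
  --verify) verify_from_sandfly_server "$2" ;;
esac
```

Run it with --apply as root on each target, then with --verify <target_ip> from the sandfly-server before enabling the firewall in Step 6, so that a failed key or sudo setup is caught while you can still log in directly.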
Step 5 — Configuring the Sandfly Web Console
After preparing the Sandfly server and target cloud servers, configure the Sandfly application through its web-based interface. This includes logging in, activating the license, and adding the credentials and hosts that Sandfly will scan.
First Login and License Activation
Open a web browser and visit your Sandfly server’s public IP address using HTTPS:
https://<your_sandfly_server_public_ip>
Your browser will probably show a security warning because the server uses a self-signed SSL certificate by default. This is expected. Continue past the warning to reach the login page.
Log in with the username admin and the randomly generated password you saved during the initial server setup in Step 2.
If Sandfly was installed with a marketplace image, a license may already be generated automatically and the system will be ready for adding hosts. If you did not install through a marketplace image, contact Sandfly if a license is required.
Adding Scan Credentials
Next, provide Sandfly with the SSH private key and user credentials that it will use to connect to target cloud servers. Sandfly uses a strong security model in which credentials are encrypted with a public key when entered.
Keys are stored encrypted and can only be decrypted by scanning nodes, so they cannot be viewed again through the UI. When Sandfly runs in Maximum Security Mode, which requires a scanning node on a separate virtual machine from the server, the keys remain protected even if the server database is compromised.
In the Sandfly UI, go to Configuration > Credentials from the left sidebar. Click the + Add button.
Complete the form with the following values:
- Credential Type: Select SSH Private Key.
- Name: Enter a descriptive name for this credential set, such as scanner-creds.
- Username: Enter sandfly-scanner.
- Private Key: Use the contents of the private key generated on the sandfly-server.
Go to your SSH session on the sandfly-server and run this command:
cat ~/.ssh/sandfly_scanner_key
Copy the full output, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines, and paste it into the Private Key field in the Sandfly UI.
- Sudo Password (optional): Enter the password you created for the sandfly-scanner user in Step 3. Sandfly will use it to elevate privileges through sudo when needed.
Click the Finish button to save the credential.
Adding Hosts to Monitor
The final configuration step is to tell Sandfly which cloud servers it should monitor.
Go to Hosts > Add Hosts from the sidebar.
Configure the host form as follows:
- Type: Select IP / Hostname List.
- IP / Hostname List: Enter the public IP addresses of your target cloud servers, with each IP address on a separate line.
- Add Credentials: Select Existing from the credential type dropdown. Then select the scanner-creds credential you created.
- Advanced users can select the queue they want to use, as explained in the Sandfly scaling documentation. For most default installations, main is the correct queue.
- Add any tags you want applied to the hosts after they are discovered.
- Advanced users can override the scan directory Sandfly uses on the remote system. This is typically used for embedded systems to avoid writing to SD cards or other write-limited storage by directing Sandfly to write to a RAM-based location such as /dev/shm. Most users should leave this option unchanged.
Click the Finish button. Sandfly will queue a task to connect to the hosts, verify the credentials, and perform an initial inventory. After a minute, go to the Hosts page. Your target cloud servers should appear with the status Active, which means Sandfly can connect to them successfully.
Step 6 — Configuring a Cloud Firewall
To strengthen your security posture, use a cloud firewall to restrict SSH access to the target cloud servers. A cloud firewall works at the network level and provides a centralized and scalable way to enforce rules before traffic reaches the servers.
For detailed firewall setup instructions, refer to your cloud provider’s firewall documentation.
The goal is to create a rule that blocks all incoming SSH traffic by default and only allows connections from the specific IP address of the sandfly-server.
In your cloud control panel, open the networking section and navigate to the firewall area. Create a new firewall.
Give the firewall a descriptive name, such as sandfly-target-policy.
Under the inbound rules section, define a new rule. By default, cloud firewalls should block all incoming traffic that is not explicitly allowed by a rule, which is the most secure setup.
Configure the rule using the details below. Remove any default rules that are not required.
| Rule Type | Protocol | Port Range | Sources | Description |
|---|---|---|---|---|
| SSH | TCP | 22 | IP address of the Sandfly server | Allows the Sandfly server to connect for scanning. |
This rule allows SSH traffic on port 22 only from the IP address of your Sandfly server. All other SSH connection attempts are dropped at the firewall level.
In the section where the firewall is applied to cloud servers, select all target cloud servers by name.
For a more scalable and manageable setup, use tags. You can create a tag such as sandfly-monitored, apply it to all target cloud servers, and then apply the firewall rule to that tag instead of individual servers. This ensures that any new cloud server created with the tag is automatically protected by the firewall.
Click the button to create and apply the firewall. Your target cloud servers are now protected by a network-level firewall that strictly controls access for the Sandfly service.
Note: For simplicity, enable the firewall after configuration and after adding all hosts to Sandfly. This lets you test connectivity from the Sandfly scanner to the target nodes before enforcing the firewall.
Step 7 — Running and Scheduling Security Scans
After completing the configuration, you can run your first security scan and create a recurring schedule for continuous monitoring.
Initiating a Manual Scan
A manual scan is a useful way to confirm that the full setup works correctly and to create an immediate security baseline for your systems.
In the Sandfly UI, go to Scanning > Manual Scan from the sidebar.
- Step 1: Select Hosts to Scan: Check the box next to the target cloud servers you added, or use the top checkbox to select all hosts.
- Step 2: Select Sandfly Modules to Use: For the first scan, use the default active Sandfly modules. Select the top checkbox to choose all modules.
- Advanced users can choose to run Sandfly at a higher priority on target hosts, but this is usually unnecessary and can be left at Low.
- Finish: Click the Finish button.
Sandfly will add the scan to its task queue and begin the analysis. You can monitor progress from Scanning > Task Queues.
Viewing Initial Results
After the scan completes, open the Results page. This page lists any alerts generated by the scan. Initial scans may flag legitimate administrative tools or custom configurations as suspicious. Ongoing security operations include reviewing these alerts and tuning them by whitelisting files, processes, or behaviors that are known to be safe in your environment.
A sample result may show a backdoor process. You can review both the alert and the raw forensic data. You may also enable an AI analysis feature through a private LLM instance to support forensic investigation and assist as a virtual security analyst.
Creating a Scheduled Scan
The real strength of Sandfly is its ability to run automated and continuous monitoring. Next, create a schedule so scans run automatically.
Go to Schedules > Add Scan from the sidebar.
Configure the schedule with the following recommended settings for a reliable production environment:
Step 1: Schedule
- Name: Give the schedule a descriptive name, such as daily-full-scan.
- Description: Add a description of the schedule’s purpose if desired.
- Timer Lower Limit Minutes: This defines the shortest waiting time between scans. The default minimum is 60 minutes. Set the value low enough so multiple scans can run each day.
- Timer Upper Limit Minutes: This defines the longest waiting time between scans. The default is 120 minutes. This value must be higher than the lower limit. The default values are a strong starting point, although you may choose to spread scans out or limit them to certain hosts using tag groups. Review the Sandfly documentation for these advanced scenarios.
- Restrict Schedule to a Time Window: This optional setting tells Sandfly to scan only during specific time periods. Sandfly generally has no performance impact on protected hosts, but this option can provide additional assurance that scans will not run during critical business hours.
Step 2: Scan
- Host Mode: Select Scan All Hosts to include every active host in the schedule. Review the documentation if you want to include or exclude hosts by tags.
- Sandfly Type: Keep the default values at first. Over time, you may decide to scan more frequently for certain attack types, such as processes, and less often for file-based threats by using different schedules.
- Sandfly Selection Percentage: The default is 25%. This means each scan randomly selects 25% of the available checks to run. Across the day, this 25% selection repeats, providing full coverage over time without creating system impact. You can adjust this setting after evaluating performance. The default is a good choice for the continuous scanning schedule configured in Step 1.
- Scan Mode: Select Trickle Scanning. This is important for production environments. Instead of scanning all hosts at once, which could create a “thundering herd” of resource spikes, Trickle mode spreads scans across the schedule’s time window. This reduces performance impact and keeps applications stable, showing Sandfly’s focus on operational safety in live environments. Immediate Scanning is better suited for urgent incident response.
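The coverage claim behind the Sandfly Selection Percentage setting can be made concrete with a short calculation. This is an added illustration, not from the Sandfly documentation, and it assumes that each scan draws its checks independently of earlier scans and that every host is scanned once per timer interval; the actual selection logic is not described on this page. If a fraction $p$ of the checks is selected per scan, the probability that a given check has still never run after $n$ scans is $(1-p)^n$, so the expected share of checks that have run at least once is

$$C(n) = 1 - (1-p)^n.$$

With $p = 0.25$ and the default timer limits of 60 to 120 minutes, a host is scanned between 12 and 24 times per day, giving

$$C(12) = 1 - 0.75^{12} \approx 0.968, \qquad C(24) = 1 - 0.75^{24} \approx 0.999.$$

Under the defaults, roughly 97% to 99.9% of the checks therefore run on each host within a single day, which is why the 25% setting provides full coverage over time while keeping each individual scan light.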
Step 3: Host Maintenance
You can keep the default settings here for now. This feature can automatically remove hosts that have been offline for a long time, which is helpful in dynamic environments. It is designed to work with Discovery Mode, which finds hosts in dynamic address ranges. Discovery Mode adds hosts that appear with new IP addresses, while cleanup removes hosts that have been inactive too long so their licenses can be reused elsewhere.
Click the Finish button to create and activate the schedule. Sandfly will now automatically protect your cloud servers according to the schedule you defined.
Frequently Asked Questions
1. What are the system requirements for deploying Sandfly Security in a cloud environment?
Sandfly recommends at least 8 GB of RAM for production deployments, although smaller environments can begin with 4 GB of RAM and 2 vCPUs. The platform supports Ubuntu and other Linux distributions, and marketplace-based one-click applications can handle dependency management automatically.
2. How does Sandfly Security work without installing agents on target systems?
Sandfly operates through SSH connections. It deploys temporary scanners that perform forensic analysis and then remove themselves completely. This agentless approach avoids the kernel conflicts, performance degradation, and compatibility problems that can occur with traditional endpoint agents.
3. Can Sandfly Security integrate with existing security tools and SIEM platforms?
Yes. Sandfly provides a comprehensive REST API for integrations with SIEM platforms such as Splunk, Elasticsearch, SOAR tools, and custom security dashboards. The platform also supports alert forwarding and can export forensic data in standard formats for analysis by other security tools.
4. Is Sandfly Security suitable for both cloud and on-premises environments?
Yes. Sandfly’s agentless architecture is suitable for hybrid environments, including cloud servers, on-premises servers, network appliances, and embedded Linux devices. The platform can be deployed across multiple network segments and geographic locations. Sandfly also does not send outbound telemetry to third parties, so it can run fully isolated from the internet to protect highly secure and air-gapped workloads.
5. How does Sandfly Security handle false positives and alert tuning?
Sandfly includes advanced whitelisting features that allow security teams to tune alerts for their specific environment. Initial scans may identify legitimate administrative tools, but the platform can be adjusted based on these findings to reduce noise and focus on real threats.
Conclusion
You have now deployed and configured Sandfly Security on Linux cloud servers. By using a marketplace-based one-click application, you established a powerful agentless intrusion detection system.
You followed security best practices by creating a dedicated service account, using strong SSH key-based authentication, and restricting network access through a cloud firewall. You also configured an automated continuous scanning schedule that proactively searches for threats across your Linux cloud servers.
Your security process does not end here. As you continue, consider exploring more advanced Sandfly capabilities:
- Alert Tuning: Review initial findings and use Sandfly’s whitelisting features to reduce noise and focus on real threats.
- SIEM Integration: Forward alerts to a Security Information and Event Management platform such as Splunk for centralized logging and correlation.
- API Automation: Use Sandfly’s REST API to automate host management, trigger scans, and integrate security into CI/CD pipelines. For more information about API integration, review the API documentation.
For more detailed information, refer to the official Sandfly Security documentation. With Sandfly and a secure cloud infrastructure, you have a strong foundation for protecting Linux systems.
Additional content and how-to guides related to Sandfly integration can further expand this setup, including guidance on integrating a Sandfly scanner with a private AI platform to help interpret scan results.