Versa Director's requirements for ports and protocols are listed here: Firewall Requirements and steps for manual system hardening of process for Versa Director can be found here: System Hardening

What port needs to be enabled for Director High Availability?

TCP ports 4566 and 4570. Ensure that Director HA ports are allowed only between the two director nodes in a HA pair and block access from all other sources using firewall rules and/or iptables. Versa recommended best practice is to enable HA on southbound interfaces which are usually secured, block all ports except TCP 443 on the Internet facing interfaces. 

How do I verify that the Internet facing interface is secure against any unauthorized access on the HA ports?

You can attempt to connect to TCP ports 4566 and 4570 from a host in the Internet and if you cannot accomplish 3-way handshake, then it means the ports are secured.

How can HA ports be allowed only between the two director nodes and blocked from all other sources?

Please refer to this link: Harden Port 4566

How to configure site to site IPsec tunnel between the two director nodes if the HA connection is over an unsecured network?

Please refer to this link: Secure Communication between Director HA Nodes

How can I confirm if the Versa Director is already compromised? 

Any of the below, if present, are indicators of compromise.

  1. Presence of the below file on the disk, matching this pattern.

    admin@Director:~$ ls -larth /tmp/ | grep .temp.data

    admin@Director:~$ locate .temp.data

  2. Look for favicon.png in the below path. 
    admin@Director:~$  ls -latr -R /var/versa/vnms/web/ | grep .png 

If the above command finds any files, then run the commands below as shown to determine the mime-type of these files. The mime-type should return "image/png". If it returns any other mime type, then the system may be compromised.

file -b --mime-type /var/versa/vnms/web/custom_favicon/favicon.png

Additionally, verify the mime type of the below files and ensure it is image/png

file -b --mime-type /opt/versa/vnms/apache-tomcat/webapps/versa/dist/*.png

What steps need to be taken to restore a compromised Versa Director instance?

The following steps need to be taken immediately if the Director instance is compromised.

Step 1.  Stop Director services on both the standby and Active Director nodes.  (Run: vsh stop)

Step 2. If you have an edge firewall fronting the Versa Director instances, make sure TCP ports 4566, 5432 are blocked on the Internet exposed interface.

Step 3. Execute the below command on the Active Director and Standby Director nodes 

sudo /opt/versa/vnms/scripts/secure-utils.sh --secure-ha-ports enable

Step 4. Delete the favicon file, if present.

sudo rm -rf /var/versa/vnms/web/custom_favicon/favicon.png

Step 5.  Clean up Java files by deleting the below folder:

         Note: Take care not to delete the /opt/versa/vnms/apache-tomcat/webapps/versa.war file

sudo rm -rf /opt/versa/vnms/apache-tomcat/webapps/versa

Repeat all the above steps on the standby Director node.


Step 6. Restart Versa Director services          

First start service on Active Director node (vsh start), wait until all the services are up and running and then start services on the Standby Director node.

Use commands vsh start and vsh status to start and check status respectively.


Step 7.  Reset password of all users both local and external accounts if external authentication was configured.

Reset the password of all local users. 


Step 8.  Review all local accounts in the Versa Director.

Review all the local user accounts and if you cannot identify any user account, delete it.

The below commands will list all configured local users. 

source /etc/profile.d/versa-profile.sh
ncs_cmd -c 'x /aaa/authentication/users/user/name' | cut -d '['  -f2 | cut -d ']' -f1


Use the below command to delete any specific user. 

Note: Do not delete the following user accounts: Administrator, Operator and admin

cli 

configure 

delete aaa authentication users user <username1>

delete aaa authentication users user <username2>

commit


How can I confirm if the Versa Director has been restored cleanly?

After making sure services are up, login to the Director UI successfully. Then check to make sure the file /tmp/.temp.data does not exist.  

Make sure to upgrade the Versa Director to the remediated software version available below. 

Software Download Links:

21.2.3: https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3

22.1.2: https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2

22.1.3: https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3

22.1.4: Not affected.