Hardened Backup Repository
What exactly is a Veeam hardened Backup Repository?
The Backup Repository is created by adding a managed Linux server using Single-use credentials.
It's not quite the same as immutability, but it can be made MORE immutable.
SSH is only required at the time of deployment.
Reliable Ransomware Protection: Keep backups safe with immutable, hardened Linux repositories compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations, preventing encryption by ransomware, accidental or malicious deletions; based on general-purpose servers, without any hardware lock-in.
No special appliance or hardware needed
Works with many versions of Linux OS (5.4+ Kernel – XFS)
Usable for Primary and Secondary backups and backup copy jobs
Protect your backups: Veeam v11 hardened repository with immutability - NOTE: See ports listed below
Consider a HLR a "Designated Survivor" tactic ("The practice of designating a successor is intended to prevent a hypothetical decapitation of the government and to safeguard continuity in the office of the president in the event the president along with the vice president and multiple other officials in the presidential line of succession die in a mass-casualty incident").
Recommendations... (Veeam Legends - Veeam Backup & Replication Pocketbook v1)
Credentials: Recommendation: Use one-time credentials instead of username and password when adding Linux server to VBR.
Credentials: Recommendation: Assign minimal privileges to the Linux user for backup and to add the Linux server.
SSH: Recommendation: Disable SSH after installation.
K.I.S.S. design (Keep It Simple and Straightforward).
Create a dedicated repository account for Veeam, that can access the folder where you store backups.
Set permissions on the repository directory to only that account.
Modify the firewall, with dedicated rules for Veeam to allow access to specific ports.
Use Veeam encryption while storing backups on the repository.
"Single Use Credentials"
Disable SSH - No root!!! -- For security reasons, it's not a good idea to have SSH root access enabled, because any attacker can try to brute-force your password and gain access to your system.
Leverages chattr/setfattr file system feature
Hardened Repository - Veeam Help Center
Limitations and Considerations - Veeam Help Center
Experimental Python script
Visit https://github.com/tdewin/veeamhubrepo for an experimental Python script to quickly set up an immutable repository. NOTE: Initially made to quickly set up demo labs, but feedback is appreciated. Tested only on Ubuntu 20.04 LTS (and this is the only target for this project until the next LTS).
Veeam Help Center:Hardened (Immutable) Repository - VBR User Guide
V11: Immutable primary backup storage with a hardware-agnostic touch - Veeam (5 min read)
New in Veeam v11: Hardened Repository - Wolfgang Tait...
Great information from Paolo Valsecchi in Milan (Italy) on the Veeam v11 Hardened Repository...
Veeam Hardened Linux Repository - StarWind...
NOTE from Daniel Klemz: The Starwind instructions do not go over cleaning up and removing the service account from the Sudoers group after you’ve deployed the Veeam software. They tell you to add the user to the sudo group –
sudo usermod -a -G sudo veeamrepouser
But when you’re done, you should remove the permission –
sudo gpasswd -d veeamrepouser sudo
Otherwise, if the veeamrepouser account is compromised, this is an attack surface.
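A post-deployment check for the recommendations above (no leftover sudo membership, repository directory restricted to the dedicated account, SSH disabled), as an added example that is not from Veeam, StarWind or the note's author. The mode 700 test, the "wheel" group and the script name audit.sh are assumptions of this example; the account name and repository path are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example: post-deployment audit for a hardened repository host.

# True if the space-separated group list in $1 (as printed by `id -nG USER`)
# contains an administrative group. "wheel" is included as the RHEL-family
# counterpart of Debian/Ubuntu's "sudo" (assumption, not from the page).
has_admin_group() {
    local g
    for g in $1; do
        case "$g" in
            sudo|wheel) return 0 ;;
        esac
    done
    return 1
}

# True only if $1 is a directory owned by user $2 with mode 700, which is
# this example's reading of "permissions ... to only that account".
dir_locked_to() {
    local dir="$1" owner="$2"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "700" ] || return 1
}

# Print one OK/FAIL line per check; return non-zero if any check fails.
audit_repo() {
    local user="$1" dir="$2" grp_list rc=0
    grp_list=$(id -nG "$user" 2>/dev/null) || { echo "FAIL: no user $user"; return 2; }
    if has_admin_group "$grp_list"; then
        echo "FAIL: $user still has admin group membership: $grp_list"; rc=1
    else
        echo "OK: $user has no sudo/wheel membership"
    fi
    if dir_locked_to "$dir" "$user"; then
        echo "OK: $dir is owned by $user with mode 700"
    else
        echo "FAIL: $dir is not owner-only for $user"; rc=1
    fi
    # The unit is "ssh" on Debian/Ubuntu and "sshd" on RHEL-family systems.
    if systemctl is-active --quiet ssh sshd 2>/dev/null; then
        echo "FAIL: SSH daemon is still running"; rc=1
    else
        echo "OK: SSH daemon is not active"
    fi
    return "$rc"
}
# Usage: ./audit.sh veeamrepouser /path/to/repository
if [ "$#" -eq 2 ]; then audit_repo "$1" "$2"; fi
```

Run it from the console once deployment is finished; a non-zero exit status means at least one of the three checks failed.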
Hardening Backup Repository - Linux - Veeam Best Practices
User Guide for VMware vSphere - Hardened (Immutable) Repository - Veeam Helpcenter