Hardened Backup Repository
What exactly is a Veeam hardened Backup Repository?
Veeam now provides the option for a hardened Linux repository (using XFS) with a landing zone that you can configure to be malware-proof via policies that make the data immutable.
The Backup Repository is created by adding a managed Linux server using Single-use credentials.
It's not quite the same as immutability on its own, but it can be made MORE immutable.
SSH is only required at the time of deployment.
Reliable Ransomware Protection: Keep backups safe with immutable, hardened Linux repositories compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations, preventing encryption by ransomware, accidental or malicious deletions; based on general-purpose servers, without any hardware lock-in.
No special appliance or hardware needed
Works with many versions of Linux OS (5.4+ Kernel – XFS)
Easy setup
Usable for Primary and Secondary backups and backup copy jobs
Veeam Hardened Repository passes independent compliance assessment - April 13, 2021 - 2 min to read
Protect your backups: Veeam v11 hardened repository with immutability - NOTE: See ports listed below
Consider a Hardened Linux Repository (HLR) a "Designated Survivor" tactic ("The practice of designating a successor is intended to prevent a hypothetical decapitation of the government and to safeguard continuity in the office of the president in the event the president along with the vice president and multiple other officials in the presidential line of succession die in a mass-casualty incident").
Recommendations... (Veeam Legends - Veeam Backup & Replication Pocketbook v1)
Credentials: Recommendation: Use one-time credentials instead of username and password when adding Linux server to VBR.
Credentials: Recommendation: Assign minimal privileges to the Linux user for backup and to add the Linux server.
SSH: Recommendation: Disable SSH after installation.
Time Synchronization/NTP: Recommendation: Do not use an internal NTP server. Use a GPS dongle or a radio time-signal receiver dongle (e.g., DCF77). Alternatively, trust the CMOS clock instead.
Design Principles...
K.I.S.S. design (Keep It Simple and Straightforward).
Create a dedicated repository account for Veeam that can access only the folder where you store backups.
Set permissions on the repository directory to only that account.
You do not need 'root' to use a Veeam Linux Repository. Also do not use 'sudo'.
Modify the firewall, with dedicated rules for Veeam to allow access to specific ports.
Use Veeam encryption while storing backups on the repository.
How to set up Veeam Hardened Repository - A 6:15 video by Rasmus Haslund, Principal Technologist and VMCT Program Manager - A MUST WATCH VIDEO!!!
"Single Use Credentials"
Disable SSH - No root!!! -- For security reasons, it's not a good idea to leave SSH root login enabled, because any attacker can try to brute-force the password and gain access to your system.
Leverages the chattr/setfattr file system feature (the immutable attribute) to protect backup files.
Hardened Repository - Veeam Help Center
Limitations and Considerations - Veeam Help Center
Experimental Python script
Visit https://github.com/tdewin/veeamhubrepo for an experimental Python script to quickly set up an immutable repository. NOTE: Initially made to quickly set up demo labs, but feedback is appreciated. Tested only on Ubuntu 20.04 LTS (and this is the only target for this project until the next LTS).
Veeam Help Center:Hardened (Immutable) Repository - VBR User Guide
Additional information...
Installing Ubuntu Linux for Veeam Hardened Repository - January 25, 2023 - 10 min to read
V11: Immutable primary backup storage with a hardware-agnostic touch - Veeam (5 min read)
New in Veeam v11: Hardened Repository - Wolfgang Tait...
Great information from Paolo Valsecchi in Milan (Italy) on the Veeam v11 Hardened Repository...
Veeam Hardened Linux Repository - StarWind...
NOTE from Daniel Klemz: The Starwind instructions do not go over cleaning up and removing the service account from the Sudoers group after you’ve deployed the Veeam software. They tell you to add the user to the sudo group –
sudo usermod -a -G sudo veeamrepouser
But when you’re done, you should remove the permission –
sudo gpasswd -d veeamrepouser sudo
Otherwise, if the veeamrepouser account is compromised, this is an attack surface.
Veeam v11 - Hardened Repository aka Immutable backups - Wolfgang Tait
Protect your backups: Veeam v11 hardened repository with immutability - Andreas Lesslhumer
Veeam Hardened Linux Repository Part 1 - Christopher Glemont
Hardening Backup Repository - Linux - Veeam Best Practices
User Guide for VMware vSphere - Hardened (Immutable) Repository - Veeam Helpcenter
Ransomware Protection with VBR v11 Hardened Linux Repository - JD Wallace
Immutability of Linux files on the Veeam hardened Linux repository - Didier Van Hoye
Hardening your Veeam Backup strategy with immutable repositories on Linux XFS - ElasticSky