Hardened Backup Repository

What exactly is a Veeam hardened Backup Repository?

Veeam now provides the option for a hardened Linux repository (using XFS) with a landing zone that you can configure to be malware-proof via policies that make the data immutable.

  • The Backup Repository is created by adding a managed Linux server using Single-use credentials.

  • It's not quite the same as immutability, but it can be made MORE immutable,

  • SSH is only required at the time of deployment.

Reliable Ransomware Protection: Keep backups safe with immutable, hardened Linux repositories compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations, preventing encryption by ransomware, accidental or malicious deletions; based on general-purpose servers, without any hardware lock-in.

Protect your backups: Veeam v11 hardened repository with immutability - NOTE: See ports listed below

IMPORTANT: A hardened repository CANNOT be a Backup Proxy.

NOTE: For advanced XFS integration, only the following 64-bit Linux distributions are supported:

Consider a HLR a "Designated Survivor" tactic ("The practice of designating a successor is intended to prevent a hypothetical decapitation of the government and to safeguard continuity in the office of the president in the event the president along with the vice president and multiple other officials in the presidential line of succession die in a mass-casualty incident").

Recommendations... (Veeam Legends - Veeam Backup & Replication Pocketbook v1)

  • Credentials: Recommendation: Use one-time credentials instead of username and password when adding Linux server to VBR.

  • Credentials: Recommendation: Assign minimal privileges to the Linux user for backup and to add the Linux server.

  • SSH: Recommendation: Disable SSH after installation.

  • Time Synchronization/NTP: Recommendation: Do not use internal NTP Server. Use a GPS dongle or Dongle for time signal (e.g., DCF77). Alternatively trust in your CMOS clock instead.


Design Principles...

  1. K.I.S.S. design (Keep It Simple and Straightforward).

  2. Make sure the servers are physical secured (iLO, iDRAC).

  3. Create a dedicated repository account for Veeam, that can access the folder where you store backups.

  4. Set permissions on the repository directory to only that account.

  5. You do not need 'root' to use a Veeam Linux Repository. Also do not use 'sudo'.

  6. Modify the firewall, with dedicated rules for Veeam to allow access to specific ports.

  7. Use Veeam encryption while storing backups on the repository.


How to set up Veeam Hardened Repository - A 6:15 video by Rasmus Haslund, Principal Technologist and VMCT Program Manager - A MUST WATCH VIDEO!!!

Experimental Python script

Visit https://github.com/tdewin/veeamhubrepo for an experimental Python script to quickly setup an immutable repository. NOTE: Initially made to quickly setup demo labs but feedback is appreciated. Tested only on Ubuntu 20.04 LTS (and this is the only target for this project until the next LTS). -

Veeam Help Center:Hardened (Immutable) Repository - VBR User Guide

"Make recent backups immutable for __ days"

Additional information...

NOTE from Daniel Klemz: The Starwind instructions do not go over cleaning up and removing the service account from the Sudoers group after you’ve deployed the Veeam software. They tell you to add the user to the sudo group –

sudo usermod -a -G sudo veeamrepouser

But when you’re done, you should remove the permission –

sudo gpasswd -d veeamrepouser sudo

Otherwise if the veeamrepouser account is compromised this is an attack surface.

HOL