Hardened Backup Repository

What exactly is a Veeam hardened Backup Repository?

Veeam now provides the option for a hardened Linux repository (using XFS) with a landing zone that you can configure to be malware-proof via policies that make the data immutable.

Reliable Ransomware Protection: Keep backups safe with immutable, hardened Linux repositories compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations, preventing encryption by ransomware, accidental or malicious deletions; based on general-purpose servers, without any hardware lock-in.

Protect your backups: Veeam v11 hardened repository with immutability - NOTE: See ports listed below

IMPORTANT: A hardened repository CANNOT be a Backup Proxy. 

NOTE: For advanced XFS integration, only the following 64-bit Linux distributions are supported:

Consider an HLR a "Designated Survivor" tactic ("The practice of designating a successor is intended to prevent a hypothetical decapitation of the government and to safeguard continuity in the office of the president in the event the president along with the vice president and multiple other officials in the presidential line of succession die in a mass-casualty incident").

Recommendations... (Veeam Legends - Veeam Backup & Replication Pocketbook v1)

Design Principles...

How to set up Veeam Hardened Repository - A 6:15 video by Rasmus Haslund, Principal Technologist and VMCT Program Manager - A MUST WATCH VIDEO!!! 

Experimental Python script

Visit https://github.com/tdewin/veeamhubrepo for an experimental Python script to quickly set up an immutable repository. NOTE: Initially made to quickly set up demo labs but feedback is appreciated. Tested only on Ubuntu 20.04 LTS (and this is the only target for this project until the next LTS).

Veeam Help Center:Hardened (Immutable) Repository - VBR User Guide

"Make recent backups immutable for __ days"

Additional information...

NOTE from Daniel Klemz: The Starwind instructions do not go over cleaning up and removing the service account from the Sudoers group after you’ve deployed the Veeam software. They tell you to add the user to the sudo group –

sudo usermod -a -G sudo veeamrepouser

But when you’re done, you should remove the permission – 

sudo gpasswd -d veeamrepouser sudo

Otherwise, if the veeamrepouser account is compromised, this is an attack surface.
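
A post-deployment check for the cleanup step in the note above, as an added example that is not part of the original page or of Daniel Klemz's note: it reports whether the service account still has a sudo path. The function names, the extra `wheel` and `admin` groups, and the file-path parameters are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit whether a repository service account can still use sudo.
# Assumptions: file locations are parameters (defaults are the usual Linux
# paths); sudo, wheel and admin are treated as the sudo-granting groups.
# Run as root so /etc/sudoers and /etc/sudoers.d are readable.

# privileged_groups USER [GROUP_FILE]
# Prints each sudo-granting group that lists USER as a supplementary member.
privileged_groups() {
    user=$1
    group_file=${2:-/etc/group}
    awk -F: -v u="$user" '
        $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) print $1
        }' "$group_file"
}

# sudoers_mentions USER [SUDOERS_FILE] [SUDOERS_DIR]
# Prints every rule whose first field is USER (direct grants only; it does not
# resolve User_Alias definitions).
sudoers_mentions() {
    user=$1
    for f in "${2:-/etc/sudoers}" "${3:-/etc/sudoers.d}"/*; do
        if [ ! -r "$f" ]; then
            [ ! -e "$f" ] || echo "WARN: cannot read $f (run as root)" >&2
            continue
        fi
        awk -v u="$user" '$1 == u { print FILENAME ":" FNR ": " $0 }' "$f"
    done
}

# audit_sudo USER [GROUP_FILE] [SUDOERS_FILE] [SUDOERS_DIR]
# Returns 0 when no sudo path is found for USER, 1 otherwise.
audit_sudo() {
    groups_found=$(privileged_groups "$1" "${2:-/etc/group}")
    rules_found=$(sudoers_mentions "$1" "${3:-/etc/sudoers}" "${4:-/etc/sudoers.d}")
    [ -z "$groups_found" ] || echo "FAIL: $1 is still in group(s): $groups_found"
    [ -z "$rules_found" ] || echo "FAIL: sudoers rule(s) for $1: $rules_found"
    [ -z "$groups_found$rules_found" ]
}

# Run the audit only when a user name is given, e.g.: sh audit.sh veeamrepouser
if [ "$#" -gt 0 ]; then
    audit_sudo "$@"
fi
```

Group membership is read from the group file only, so a session opened before the `gpasswd -d` step keeps its old groups until it logs out.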