Hardened Backup Repository

What exactly is a Veeam hardened Backup Repository?

Veeam now provides the option for a hardened Linux repository (using XFS) with a landing zone that you can configure to be malware-proof via policies that make the data immutable.

• The Backup Repository is created by adding a managed Linux server using Single-use credentials.

• It's not quite the same as immutability, but it can be made MORE immutable,

• SSH is only required at the time of deployment.

Reliable Ransomware Protection: Keep backups safe with immutable, hardened Linux repositories compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations, preventing encryption by ransomware, accidental or malicious deletions; based on general-purpose servers, without any hardware lock-in.

• No special appliance or hardware needed

• Works with many versions of Linux OS (5.4+ Kernel – XFS)

• Easy setup

• Usable for Primary and Secondary backups and backup copy jobs

• Veeam Hardened Repository passes independent compliance assessment - April 13, 2021 - 2 min to read 

Recommendations... (Veeam Legends - Veeam Backup & Replication Pocketbook v1)

• Credentials: Recommendation: Use one-time credentials instead of username and password when adding Linux server to VBR.

• Credentials: Recommendation: Assign minimal privileges to the Linux user for backup and to add the Linux server.

• SSH: Recommendation: Disable SSH after installation.

• Time Synchronization/NTP: Recommendation: Do not use internal NTP Server. Use a GPS dongle or Dongle for time signal (e.g., DCF77). Alternatively trust in your CMOS clock instead.

Design Principles...

1. K.I.S.S. design (Keep It Simple and Straightforward).

2. Make sure the servers are physical secured (iLO, iDRAC).

3. Create a dedicated repository account for Veeam, that can access the folder where you store backups.

4. Set permissions on the repository directory to only that account.

5. You do not need 'root' to use a Veeam Linux Repository. Also do not use 'sudo'.

6. Modify the firewall, with dedicated rules for Veeam to allow access to specific ports.

7. Use Veeam encryption while storing backups on the repository.

How to set up Veeam Hardened Repository - A 6:15 video by Rasmus Haslund, Principal Technologist and VMCT Program Manager - A MUST WATCH VIDEO!!! 

• • "Single Use Credentials"

  • chown / chmod 700 - See Hardening Backup Repository - Linux

  • Disable SSH - No root!!! -- For security reasons, it's not a good idea to have ssh root access enabled for unauthorized users. Because any hacker can try to brute force your password and gain access to your system.

  • Leverages chattr/setfattr file system feasture

  • Used Ports

  • Hardened Repository - Veeam Help Center

  • Limitations and Considerations - Veeam Help Center

Experimental Python script

Visit https://github.com/tdewin/veeamhubrepo for an experimental Python script to quickly setup an immutable repository. NOTE: Initially made to quickly setup demo labs but feedback is appreciated. Tested only on Ubuntu 20.04 LTS (and this is the only target for this project until the next LTS). - 

Veeam Help Center:Hardened (Immutable) Repository - VBR User Guide

Additional information...

• Installing Ubuntu Linux for Veeam Hardened Repository - January 25, 2023 - 10 min to read

• January 25, 2023 - 10 min to read

• V11: Immutable primary backup storage with a hardware-agnostic touch - Veeam (5 min read)

• Veeam Help Center - Hardened (Immutable) Repository

• New in Veeam v11: Hardened Repository - Wolfgang Tait...

  • Part 1 / Part 2 

• Great information from Paolo Valsecchi in Milan (Italy) on the Veeam v11 Hardened Repository...

  • Part 1 / Part 2

• Veeam Hardened Linux Repository - StarWind...

  • Part 1 / Part 2 / Part 3

NOTE from Daniel Klemz: The Starwind instructions do not go over cleaning up and removing the service account from the Sudoers group after you’ve deployed the Veeam software. They tell you to add the user to the sudo group –

sudo usermod -a -G sudo veeamrepouser

But when you’re done, you should remove the permission – 

sudo gpasswd -d veeamrepouser sudo

Otherwise if the veeamrepouser account is compromised this is an attack surface.

• Veeam v11 - Hardened Repository aka Immutable backups - Wolfgang Tait

• Protect your backups: Veeam v11 hardened repository with immutability -  Andreas Lesslhumer

• Veeam Hardened Linux Repository Part 1  - Christopher Glemont

• Hardening Backup Repository - Linux - Veeam Best Practices

• User Guide for VMware vSphere - Hardened (Immutable) Repository - Veeam Helpcenter

• Ransomware Protection with VBR v11 Hardened Linux Repository - JD Wallace

• Veeam Hardened Linux Repository - West Coast IT Hipster

• Immutability of Linux files on the Veeam hardened Linux repository - Didier Van Hoye

• Hardening your Veeam Backup strategy with immutable repositories on Linux XFS - ElasticSky