All-Demo Session & Installable ISO for Veeam Hardened Repository

All-Demo Session & Installable ISO for Veeam Hardened Repository
Userlevel 7
Badge +9

 

22-February 2024 Update:  GOOD NEWS! We are scheming a big update and overhaul of this page at or around VeeamON time. I can’t say more!

 

During the lead-up to VeeamON, it was amazing to see what content was leading the pre-registration information. We have the most data here than ever before. Constantly back and forth with the “Architecting Veeam Backup for Microsoft 365 at Scale” session, the session that @hannesk, Christoph Meyer and I are delivering was racing to the finish line as the leader. The “All Demo Session for Veeam Hardened Repository” was in the end the most popular pre-registered session, and as promised in the delivery in Miami, here is your everything you need to know guide.

Post Publish Updates:

  • 1-June 2023:  The installation requirements for the .ISO have been added.
  • 1-June 2023:  Video of installation of the .ISO has been added.
  • 2-June 2023:  Clarification on support, formatting of document.
  • 5-June 2023:  Updated .ISO with support banner and logon screen update, link updated. No changes to Ubuntu configuration or hardening script.
  • 29-June 2023: Updated .ISO with one enhancement, offline installation works.

Recording Resources

You can watch one of my practice runs of the session from Miami here:

At the VeeamON virtual event experience, we will have the replay from Miami session up very soon. 

Markdown File & Write Up

I have made a markdown file with a lot of the key information ready, you can download it here: rickvanover/VeeamHardenedRepoHub (github.com) Additionally - you can download the Markdown file at the QR code below:
 

This link goes to the VHR Markdown file that I’ve written up.

If you are not doing Markdown or GitHub you can download this as a PDF at the bottom of the page.

Overall advice

My overall advice on the Veeam Hardened Repository is to plan your deployment, this will greatly improve your experience with using the VHR. For example, I’m notorious for not documenting the options I put during the Ubuntu installation at this important stage:

 

Installable .ISO & Hardening Script

Key Update 18-December 2023: We have taken down the link for the .ISO, there will be a  new one coming “Soon” :)! 

One of the key parts of the Miami experience is the update we had from Product Management on new functionality for the Veeam hardened repository, which includes the Hardening Script and the installable .ISO. I recommend watching the replay to hear from Hannes and Christop directly before using the script and .ISO. We recommend at least 100 GB for storage. You can get both below:

  • Hardening Script: https://www.veeam.com/sys507
  • Installable .ISO: )18-December 2023 - We’ve removed this download and a new one is coming “soon”!)

About this installable .ISO…. The principal benefit of the installable .ISO is that it sets up much of the installation pre-defined *and* applies the above linked hardening script. 

Installable .ISO Requirements

For the installable .ISO, we recommend you follow these prerequisites (mainly relevant if you try to install it in a VM for lab purposes):

  • This is now optional from the 29-June update:  Internet connection (HTTP to the Ubuntu update servers for automatic security updates)
  • 2 CPUs, 6 GB RAM
  • UEFI boot is required (BIOS does not work) UEFI secure boot strongly recommended
  • 1 disk with at least 100GB for the operating system (plus cache files)
  • 100GB is a hard requirement. If that’s too high, please give feedback below.
  • Then there should be at least one second disk that is larger 100GB for backup data that would be the Veeam repository

During the installation, follow the wizard and reboot after the installation finished. Then install the hardened repository role. The VHR final layout will have all disks are mounted to /mnt/backup<n>

Important: Reboot again (this second reboot locks down the whole system and you can only reboot / shutdown with sudo. there is no root / sudo anymore at this stage) - this is the result of the hardening.  Think of this result as taking a massive green pill that tells this system its role in life forever on is to be a VHR.

After reading all of this, you are now ready to watch my video of installing the VHR with the .ISO:



Installable .ISO General Information & Support Statement

  • It's a community project. please don't call Veeam support for use of the .ISO. Once a VHR is deployed and configured in Veeam Backup & Replication, it would be subject to support. 
  • Automatic updates are enabled.
  • The user does not have permissions to update manually.
  • We plan to add a note to the banner message where to find more information about the ISO installer.

Get Started with the Veeam Hardened Repository 

Getting started with the VHR doesn’t have to be overwhelming. Give it a try - and let us know how it goes in the comments below.


This topic has been closed for comments

199 comments

Userlevel 7
Badge +20

This was an amazing session. Great things coming from Veeam.

Great session. I followed the link but I didn’t see the customized Linux iso install used at the end of the demo. Thanks for sharing.

Said

Senior Network Admin

Userlevel 7
Badge +9

Great session. I followed the link but I didn’t see the customized Linux iso install used at the end of the demo. Thanks for sharing.

Said

Senior Network Admin

I fixed the link! Thanks.

Userlevel 7
Badge +12

The pre-configured hardened ISO will be a gamechanger. Although the manual setup hasn't been so complicated, Microsoft only shops with limited Linux skills will now likelier deploy the VHR. And so we will see a higher adoption rate and less successful ransomware attacks. 👏

Userlevel 7
Badge +10

This session rocks!

I deploy VHR on my homelab right now.

Just a question:

What are the steps that hardening script does on the system?

I didn't find this on the github.

Userlevel 7
Badge +15

I missed this session in MIA, but am about to re-watch. I deployed the LHR server; just need to add the server to VBR to deploy the role on the server. Can’t wait to watch the actual recorded session. Thanks for your efforts Rick!

@wolff.mateus - the script probably contains similar cmds as Paolo uses from his VHR post here...at least, that’s my guess. 😊

HI, I tried the iso of the hardened linux install and run into an error on physical and virtual test machines. See snip. Did anyone run into the same error and if yes, how did you get around it?

 

Thanks,

 

Userlevel 7
Badge +15

Hi @Assalihin - do you have (Legacy) BIOS enabled by chance? The install won’t work except for EFI-enabled machines, beit physical or VM.

Userlevel 7
Badge +15

I used a VM & was successful in installing it….I just had to remember to change the BIOS section to EFI in the VM Options tab.

Userlevel 7
Badge +10

I presume that you are running on a BIOS machine. Try the same on EFI like @coolsport00 said.

Userlevel 7
Badge +10

I missed this session in MIA, but am about to re-watch. I deployed the LHR server; just need to add the server to VBR to deploy the role on the server. Can’t wait to watch the actual recorded session. Thanks for your efforts Rick!

@wolff.mateus - the script probably contains similar cmds as Paolo uses from his VHR post here...at least, that’s my guess. 😊

No, the hardening script is here, however it does not have a resume what it exactly does on the system.

I’m not an expert in shell script, but I’m going to try ’’read’’ this.

 

Userlevel 7
Badge +15

Ah, I see. Yeah...I just scanned through the script a bit. It’s pretty long. I’ve learned quite a bit of BASH this yr, but there’s quite a bit in it I’m not familiar with 😬

Userlevel 7
Badge +12

@wolff.mateus Take a look at the following article: https://www.veeam.com/blog/backup-repository-security-disa-stig-ubuntu-step-by-step-guide.html

Userlevel 7
Badge +22

Very interesting. As someone said this could lead to mass usage. The only danger I see here is that it could get “windows only” admins to install this without them making an effort to learn at least some linux. I have run into situations with customers when say the Linux person left the company and the poor people left behind are like stranded on a desert island. The dreaded words that I have heard a few times on the service provider side of things is “would you mind taking a quick peak at this server, something does not look right and it has no GUI” :( 

Userlevel 1
Badge

Will sure try this out. But many of my customers use RedHat as their preferred Distibution.
So maybe it will make sense to do the same things with a RedHat .ISO ?:-)

 

Userlevel 7
Badge +9

Will sure try this out. But many of my customers use RedHat as their preferred Distibution.
So maybe it will make sense to do the same things with a RedHat .ISO ?:-)

 

We’ll see how this one goes before we engage with other Distros :)

I used a VM & was successful in installing it….I just had to remember to change the BIOS section to EFI in the VM Options tab.

Did you create the vm with 2 disks or just one? One for Os and the other for data or the iso took care of partitioning?

Thanks,

Said

Userlevel 1
Badge

Will sure try this out. But many of my customers use RedHat as their preferred Distibution.
So maybe it will make sense to do the same things with a RedHat .ISO ?:-)

 

We’ll see how this one goes before we engage with other Distros :)
 

THX. Sounds fair enough :-). I recently had to deal with a bit of RH 8.6 and 9 installs for hardened Repos. RH automatically brings in security profiles for different security standards. I miss that on UBUNTU.

 

Userlevel 1
Badge

Will sure try this out. But many of my customers use RedHat as their preferred Distibution.
So maybe it will make sense to do the same things with a RedHat .ISO ?:-)

 

We’ll see how this one goes before we engage with other Distros :)

THX. Sounds fair enough :-). I recently had to dela with a bit of RH 8.6 and 9 installs for hardenend Repo. And RH automatically brings in security profiles for different security standards. I miss that on UBUNTU.

 

 

Userlevel 1
Badge

Will sure try this out. But many of my customers use RedHat as their preferred Distibution.
So maybe it will make sense to do the same things with a RedHat .ISO ?:-)

 

We’ll see how this one goes before we engage with other Distros :)

THX. Sounds fair enough :-). I recently had to deal with a bit of RH 8.6 and 9 installs for hardened Repos. RH automatically brings in security profiles for different security standards. I miss that on UBUNTU.

 

 

 

Userlevel 7
Badge +6

@Assalihin I used a VM and 2 disks for a POC peice of work we are doing. 100GB boot drive and 500GB data drive and the install took care of everything

Userlevel 2

Hello Community and good day,

I am trying to deploy a test Veeam VHR VM in the lab. Although this test VM boots up just fine using the vanilla Ubuntu .ISO (ubuntu-20.04.6-live-server-amd64.iso), unfortunately there is no way for me to boot it from the most recent Veeam VHR 05 June ISO. UEFI secure boot is enabled.

I reproduced the same issue on a couple of VMs in the lab running on both ESXi 8.0 U1a as well as 6.7.

Has anyone experienced such a thing ?

Thanks and Regards,

Massimiliano

@Assalihin I used a VM and 2 disks for a POC peice of work we are doing. 100GB boot drive and 500GB data drive and the install took care of everything

Thanks.

Userlevel 7
Badge +12

@mrizzi2 I’m also no longer able to deploy the new ISO on a physical server. “sorry, there was a problem completing the installation”

@Rick Vanover@HannesK I’m not getting much out of the installer log/report. Can you reproduce the issue or can we provide you anything useful from the installer? 

Userlevel 7
Badge +9

@mrizzi2I’m also no longer able to deploy the new ISO on a physical server. “sorry, there was a problem completing the installation”

@Rick Vanover@HannesKI’m not getting much out of the installer log/report. Can you reproduce the issue or can we provide you anything useful from the installer? 

I can look into this.