All-Demo Session & Installable ISO for Veeam Hardened Repository


22-February 2024 Update:  GOOD NEWS! We are scheming a big update and overhaul of this page at or around VeeamON time. I can’t say more!

 

During the lead-up to VeeamON, it was amazing to see what content was leading the pre-registration information. We have more data here than ever before. Constantly back and forth with the “Architecting Veeam Backup for Microsoft 365 at Scale” session, the session that @hannesk, Christoph Meyer and I are delivering was racing to the finish line as the leader. The “All Demo Session for Veeam Hardened Repository” was in the end the most popular pre-registered session, and as promised in the delivery in Miami, here is your everything-you-need-to-know guide.

Post Publish Updates:

  • 1-June 2023:  The installation requirements for the .ISO have been added.
  • 1-June 2023:  Video of installation of the .ISO has been added.
  • 2-June 2023:  Clarification on support, formatting of document.
  • 5-June 2023:  Updated .ISO with support banner and logon screen update, link updated. No changes to Ubuntu configuration or hardening script.
  • 29-June 2023: Updated .ISO with one enhancement, offline installation works.

Recording Resources

You can watch one of my practice runs of the session from Miami here:

At the VeeamON virtual event experience, we will have the replay from Miami session up very soon. 

Markdown File & Write Up

I have made a markdown file with a lot of the key information ready; you can download it here: rickvanover/VeeamHardenedRepoHub (github.com). Additionally, you can download the Markdown file at the QR code below:
 

This link goes to the VHR Markdown file that I’ve written up.

If you are not doing Markdown or GitHub you can download this as a PDF at the bottom of the page.

Overall advice

My overall advice on the Veeam Hardened Repository is to plan your deployment; this will greatly improve your experience with using the VHR. For example, I’m notorious for not documenting the options I put during the Ubuntu installation at this important stage:

 

Installable .ISO & Hardening Script

Key Update 18-December 2023: We have taken down the link for the .ISO, there will be a new one coming “Soon” :)!

One of the key parts of the Miami experience is the update we had from Product Management on new functionality for the Veeam hardened repository, which includes the Hardening Script and the installable .ISO. I recommend watching the replay to hear from Hannes and Christoph directly before using the script and .ISO. We recommend at least 100 GB for storage. You can get both below:

  • Hardening Script: https://www.veeam.com/sys507
  • Installable .ISO: (18-December 2023 - We’ve removed this download and a new one is coming “soon”!)

About this installable .ISO…. The principal benefit of the installable .ISO is that it sets up much of the installation pre-defined *and* applies the above linked hardening script. 

Installable .ISO Requirements

For the installable .ISO, we recommend you follow these prerequisites (mainly relevant if you try to install it in a VM for lab purposes):

  • This is now optional from the 29-June update:  Internet connection (HTTP to the Ubuntu update servers for automatic security updates)
  • 2 CPUs, 6 GB RAM
  • UEFI boot is required (BIOS does not work); UEFI secure boot strongly recommended
  • 1 disk with at least 100GB for the operating system (plus cache files)
  • 100GB is a hard requirement. If that’s too high, please give feedback below.
  • Then there should be at least one second disk that is larger than 100GB for backup data that would be the Veeam repository

During the installation, follow the wizard and reboot after the installation has finished. Then install the hardened repository role. The VHR final layout will have all disks mounted to /mnt/backup<n>.

Important: Reboot again (this second reboot locks down the whole system and you can only reboot / shutdown with sudo. There is no root / sudo anymore at this stage) - this is the result of the hardening.  Think of this result as taking a massive green pill that tells this system its role in life forever on is to be a VHR.

After reading all of this, you are now ready to watch my video of installing the VHR with the .ISO:



Installable .ISO General Information & Support Statement

  • It's a community project. Please don't call Veeam support for use of the .ISO. Once a VHR is deployed and configured in Veeam Backup & Replication, it would be subject to support.
  • Automatic updates are enabled.
  • The user does not have permissions to update manually.
  • We plan to add a note to the banner message where to find more information about the ISO installer.

Get Started with the Veeam Hardened Repository 

Getting started with the VHR doesn’t have to be overwhelming. Give it a try - and let us know how it goes in the comments below.
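
As an added example (not part of the original post and not code from the community project), here is a POSIX shell pre-flight check for the prerequisites listed under "Installable .ISO Requirements" above. The function names, the reading of "GB" as GiB, and the rounding of MemTotal are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check against the .ISO prerequisites in the post.
# Assumption: "GB" is read as GiB (2^30 bytes), the stricter interpretation.
MIN_DISK=$((100 * 1024 * 1024 * 1024))

# vhr_preflight CPUS MEM_KB UEFI DISKS
#   UEFI  is "yes" or "no"
#   DISKS is the output of: lsblk -b -d -n -o NAME,SIZE,TYPE
# Prints one FAIL line per unmet prerequisite; returns 0 only if all are met.
vhr_preflight() (
  cpus=$1 mem_kb=$2 uefi=$3 disks=$4 fail=0 n_ge=0 n_gt=0
  [ "$cpus" -ge 2 ] || { echo "FAIL cpu: $cpus found, 2 required"; fail=1; }
  # MemTotal excludes kernel-reserved memory, so round up to whole GiB.
  mem_gib=$(( ($mem_kb + 1048575) / 1048576 ))
  [ "$mem_gib" -ge 6 ] || { echo "FAIL ram: $mem_gib GiB found, 6 required"; fail=1; }
  [ "$uefi" = yes ] || { echo "FAIL boot: UEFI is required, BIOS does not work"; fail=1; }
  while read -r name size type; do
    [ "$type" = disk ] || continue                        # ignore rom, loop, part
    [ "$size" -lt "$MIN_DISK" ] || n_ge=$(($n_ge + 1))    # at least 100
    [ "$size" -le "$MIN_DISK" ] || n_gt=$(($n_gt + 1))    # larger than 100
  done <<EOF
$disks
EOF
  # One OS disk (>= 100) plus a different repository disk (> 100).
  if [ "$n_ge" -lt 2 ] || [ "$n_gt" -lt 1 ]; then
    echo "FAIL disk: need an OS disk >= 100 GiB and a second disk > 100 GiB"
    fail=1
  fi
  [ "$fail" -eq 0 ]
)

# Gather the same four inputs from the running system (e.g. a live session).
vhr_preflight_live() {
  if [ -d /sys/firmware/efi ]; then uefi=yes; else uefi=no; fi
  vhr_preflight "$(nproc)" "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" \
    "$uefi" "$(lsblk -b -d -n -o NAME,SIZE,TYPE)"
}

# Constructed sample: lab VM whose second disk is too small for the repository.
SAMPLE_DISKS='sda 107374182400 disk
sdb 53687091200 disk
sr0 1073741824 rom'

if [ "${1:-}" = "--live" ]; then vhr_preflight_live; fi
```

Run it with `--live` on the target machine or lab VM before booting the installer; without arguments it only defines the functions and the constructed sample.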


This topic has been closed for comments

199 comments

Userlevel 5
Badge +2

If you rebooted, then you don’t have permissions to upgrade…

To answer the question: it should work fine and not break anything. But it sounds like wasted time. The purpose of the current ISO is to get feedback. A later version would support smooth upgrades of course.

Userlevel 7
Badge +20

If you rebooted, then you don’t have permissions to upgrade…

To answer the question: it should work fine and not break anything. But it sounds like wasted time. The purpose of the current ISO is to get feedback. A later version would support smooth upgrades of course.

Thanks Hannes.

Userlevel 7
Badge +14

@Chris.Childerhose Ubuntu 20.04 LTS is supported till May 2025. So from a security perspective it's not necessary to upgrade.

Userlevel 7
Badge +20

@Chris.Childerhose Ubuntu 20.04 LTS is supported till May 2025. So from a security perspective it's not necessary to upgrade.

Thanks Max. I was just asking in case I get asked about it when we start deployment of these. 😉

Userlevel 2

It is a very good tool, thank you very much.

I tried to install on my ESXi and I can't make a connection between the Veeam backup and VHR as you can see below, what did I miss here? Thank you

 

 

Userlevel 7
Badge +10

It is a very good tool, thank you very much.

I tried to install on my ESXi and I can't make a connection between the Veeam backup and VHR as you can see below, what did I miss here? Thank you

 

 

Hi George, did you reboot it after the .ISO the second time? Then the hardening is applied and SSH is gone.

Userlevel 7
Badge +20

Yes, you need to add the VHR before reboot two, otherwise it's a no go.

Userlevel 1

Would it be possible to dual boot this AND Windows Server 2019?

 

My thought process was that most of the time my 12TB server would be the VHR but in the event that I needed it as a backup server to run the company I could load windows on boot instead.

Has anyone found a solution to the Dell R-series servers erroring out as soon as the network connections show?  I have an R720 that will install fine with the vanilla 20.04 LTS, but errors out with this .ISO.  I have tried several different suggestions on this thread, but nothing seems to be working.  I’ve even tried changing from the Intel NIC I was using to a spare Broadcom unit I had laying around, but it didn’t seem to help.

Server specs:

  • Dell R720
  • PERC H710P RAID controller
  • Intel X520 NIC
  • Running in UEFI mode
  • 112 GB SSD Boot Mirror
  • 73 TB Storage Array

If the .ISO won’t work, what do I need to do before I use the hardening script?

Thanks!

Bob

Userlevel 5
Badge +2

Hello Bob,
unfortunately I have no idea how to solve it with the ISO. But I put your configuration to the bugs list.

https://www.veeam.com/blog/backup-repository-security-disa-stig-ubuntu-step-by-step-guide.html describes how to use the script manually.

Best regards,
Hannes

Userlevel 1

It is a very good tool, thank you very much.

I tried to install on my ESXi and I can't make a connection between the Veeam backup and VHR as you can see below, what did I miss here? Thank you

 

 

Hi George, did you reboot it after the .ISO the second time? Then the hardening is applied and SSH is gone.

Let me ask a question related to this: if installed properly and the connection is initially established before the reboot to harden... what would happen if the connected Veeam backup machine later is ransomwared and completely wiped out at a later date? Would one be able to start fresh with a new OS install and then reconnect to the VHR to utilize the immutable backups?

Userlevel 5
Badge +2

yes, just create a new backup server and re-connect to the Hardened Repository. 

 

Userlevel 7
Badge +14

Would it be possible to dual boot this AND Windows Server 2019?

 

My thought process was that most of the time my 12TB server would be the VHR but in the event that I needed it as a backup server to run the company I could load windows on boot instead.

While you would be able to dual boot Windows, you won’t be able to access any backups stored on the VHR volumes; Windows can’t read the filesystem.

Userlevel 1

Would it be possible to dual boot this AND Windows Server 2019?

 

My thought process was that most of the time my 12TB server would be the VHR but in the event that I needed it as a backup server to run the company I could load windows on boot instead.

While you would be able to dual boot Windows, you won’t be able to access any backups stored on the VHR volumes; Windows can’t read the filesystem.

You’re sure that this iso file would allow me to install a VHR (Machine 1) along side of windows (Also Machine 1), and then, after hardening the VHR, I could kill the power to (Machine 1) and then before the VHR starts I could have the option to boot windows instead, though?

 

I would be using a 2nd separate machine (Machine 2) with Veeam installed, while the VHR on (Machine 1) was loaded, if I needed the backups that are stored on the VHR (Machine 1). I would not try to access the files on (Machine 1 VHR) using (Machine 1 Windows).

The reason I would want this is I really only need 2 database files to run our company for the day, so, in case of a hardware failure on my primary server (Machine 3) I would retrieve those 2 files from the VHR (Machine 1) using (Machine 2) which would only take an hour or so of downtime. However, I still want the ability to completely backup the primary server (Machine 3) so that I could do a complete restore on the weekend when there was no business happening. Currently, as long as I have the database files I need, (Machine 1) can seamlessly operate the business, I’d like to leave it that way in case of an emergency.

 

I just need the potential dual-boot VHR(Machine 1)/Windows (Machine 1) to be versatile enough to perform one action at a time depending on my choice at the moment. VHR OR Windows server, but with the ability to switch between the two on the fly.

I hope that’s not overly complicated I tried to make it as clear as possible.

Userlevel 7
Badge +14

Oh sorry. I was talking about a manual Linux installation in parallel to the Windows server. The VHR ISO itself won't work in dual boot as it completely wipes the server including the existing windows installation.

Userlevel 1

Oh sorry. I was talking about a manual Linux installation in parallel to the Windows server. The VHR ISO itself won't work in dual boot as it completely wipes the server including the existing windows installation.

Ok, so I can’t make it work with this iso. Thanks for the help.

 

Do you know if I could create my own VHR manually that would allow for what I’m describing?

Userlevel 7
Badge +14

This should be possible. You install the Windows Server first, and afterwards do the Ubuntu setup which should detect the existing Windows installation and include it in the boot manager. Then you can do the hardening and setup the hardened repository.

Userlevel 7
Badge +5

Hello @bob.lenz 

I have the same issue. I have tried with my vCenter Lab with ESXi 6.7 (HPE ProLiant DL380 G10) and my PC (HP CPU i7, 16 G RAM, 500 G SSD) with Workstation 16, but I receive the same error when I try to install this .ISO

 

 

If I try to install the same version Ubuntu LTS not customized I don’t have any issues.

Userlevel 7
Badge +5

Hello @bob.lenz !

I have solved this issue 🤓 
I have changed the dimension of the second disk, and the installation finished without issues.

The first disk needs 100 GB.

For example, this is my configuration:

 

 

Good luck !

Has anyone found a solution to the Dell R-series servers erroring out as soon as the network connections show?  I have an R720 that will install fine with the vanilla 20.04 LTS, but errors out with this .ISO.  I have tried several different suggestions on this thread, but nothing seems to be working.  I’ve even tried changing from the Intel NIC I was using to a spare Broadcom unit I had laying around, but it didn’t seem to help.

Server specs:

  • Dell R720
  • PERC H710P RAID controller
  • Intel X520 NIC
  • Running in UEFI mode
  • 112 GB SSD Boot Mirror
  • 73 TB Storage Array

If the .ISO won’t work, what do I need to do before I use the hardening script?

Thanks!

Bob

The Veeam User Guide for vSphere has the information you are looking for. To save you the searching, though, I have linked the page below that I followed in the initial install of Ubuntu LTS 20.04. After that page I copied the hardening script (downloaded from the GitHub) to the server, then ran it, verifying access to the drives and adding to the B&R before rebooting.

Installing Ubuntu Linux Server - User Guide for VMware vSphere (veeam.com)
VHR Script
GitHub - VeeamHub/veeam-hardened-repository: Sample code for hardening a Veeam Repository (Same as above, just saves a click by going directly to the GitHub, instead of the Veeam page first)

The Veeam User Guide for vSphere has the information you are looking for. To save you the searching, though, I have linked the page below that I followed in the initial install of Ubuntu LTS 20.04. After that page I copied the hardening script (downloaded from the GitHub) to the server, then ran it, verifying access to the drives and adding to the B&R before rebooting.

Installing Ubuntu Linux Server - User Guide for VMware vSphere (veeam.com)
VHR Script
GitHub - VeeamHub/veeam-hardened-repository: Sample code for hardening a Veeam Repository (Same as above, just saves a click by going directly to the GitHub, instead of the Veeam page first)

Thanks.  Tried this.  The script showed some errors (files not found) near the end of the script.  I successfully installed Veeam from B&R and then rebooted the server.

Several things I noticed after the reboot of the Linux box:

  • SSH is still enabled and functional (I thought this would be turned off?)
  • The server is still responding to Veeam B&R, however I was getting permission denied errors when trying to run a copy job to the machine.  I was able to change permissions using sudo chown, which I thought sudo would be disabled from the script.

As I’m thinking about it, maybe I’m supposed to do the entire Veeam guide before the script instead of just the initial install?

Thanks!

Bob

Userlevel 5
Badge +2

Hello,
yes, the script does not disable SSH. That’s manual steps as described in the blog posts mentioned earlier in this thread (yes, this thread is a mix of many topics and having one thread instead of a dozen is sub-optimal… we know)

Errors sound wrong, but I can say that we will continue work on the ISO / script after 12.1 is out.

For now it would be great to hear if specific hardware works / does not work (we know that it works with VMs if system requirements are met :-))

Best regards,
Hannes

Userlevel 7
Badge +10

Feature requests from me:

  • Optional hardening application in setup wizard
    • Ability to re-launch the setup wizard to do just the hardening
  • An optional banner script on supportability (customer driven line to say email/phone#/etc. of supportability of system)

Userlevel 7
Badge +10

FYI I am closing this thread as we are close with V12.1 - and after 12.1 goes GA - the .ISO will be back on deck for new release and we’ll make a new post for that build’s feedback.