Veeam v11 - Hardened Repository aka Immutable backups




88 comments

Userlevel 7
Badge +11

I think this will be the silver bullet of V11. It sounds like the best feature of this new version of Veeam, isn't it?

Just a question. The Linux repository (/veeam/Rep/xfs_1) in your example... Is it a share on the operating system?

 

Userlevel 7
Badge +13

[additional information about immutable file handling in Linux]

Check out this great post for details about how immutable files are stored in Linux. There is also an XML file and file attributes for storing the date until which the file is immutable.

https://blog.workinghardinit.work/2021/01/18/immutability-of-linux-files-on-the-veeam-hardened-linux-repository/

Userlevel 6
Badge +1

Excellent work !!! Thanks for sharing.

Userlevel 7
Badge +13

[Update information]

Veeam is planning to support fast cloning with Ubuntu LTS 18.04, RHEL/CentOS 8.2 or later, SLES 15 SP2 and Debian 10 as well! For other distributions: support will be experimental. Kernel version 5.4 or later recommended.

So there will be more options when it comes to distribution selection.

Userlevel 7
Badge +13

Oh, that’s a limitation... On the other hand it makes sense as you would need root-access for the proxy.

Wouldn’t running one or both roles inside a container open new attack possibilities?

Yes it is. And it is - from my perspective - no technical limitation, it is for security reasons. 

I would say, you will always take a higher security risk when running a second role on the repository server. When - for example because of a kernel-bug - a user can break out/in a container, your backup data is in danger.

Userlevel 7
Badge +13

Oh, that’s a limitation... On the other hand it makes sense as you would need root-access for the proxy.

Wouldn’t running one or both roles inside a container open new attack possibilities?

Userlevel 7
Badge +13

[Important update]

You CAN NOT run immutable repository AND proxy role on the same Linux server in v11!

PS: There is a workaround: you theoretically can run one of these roles in a container.

Userlevel 7
Badge +13

Thanks for posting this, interesting. Will Linux be the repo of choice after v11 is released, I think so?

I talk more and more with customers about Linux as repo-server. Yes, most of them are very interested in XFS with immutable backups!

Userlevel 2

Thanks for posting this, interesting. Will Linux be the repo of choice after v11 is released, I think so?

Userlevel 7
Badge +13

Update information:

How does it work, when I start now with v10 and XFS repo and want to use immutable backups when v11 is available? 

Short answer by @Gostev :

“After you upgrade to v11, you will only need to run a shell command to change the owner for the existing backup files. There will be a message with instructions in the user interface if you enable immutable backups option on the existing repository. The rest is optional (additional hardening like disabling SSH server and remote consoles like iLO completely).”

https://forums.veeam.com/veeam-backup-replication-f2/v11-linux-immutability-t70932.html

Userlevel 7
Badge +11

Great post, thank you for taking the time to go in-depth and provide the screenshots with useful commands for checking even the network ports listening.

Userlevel 7
Badge +13

Thanks for the great article on immutability! So chattr should be restricted with SELinux on the Linux host, good to know! I will put an ML task specific with Elastic Auditbeat on it.

“ML task specific with Elastic Auditbeat” sounds interesting! And from what I just read, it is for sure!

Userlevel 7
Badge +8

Thanks for the great article on immutability! So chattr should be restricted with SELinux on the Linux host, good to know! I will put an ML task specific with Elastic Auditbeat on it.
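Added example, not from any poster in this thread and not Veeam or Elastic code: the comments above suggest watching `chattr` on the repository host, and this Python detector flags auditd events in which the `chattr` binary clears the immutable flag on files under the repository path, including relative and hex-encoded file arguments. It assumes an auditd rule already logs `chattr` executions; the log records, the function names and the use of `/veeam/Rep/xfs_1` as repository root are constructed for illustration.

```python
import posixpath, re

REPO_ROOT = "/veeam/Rep/xfs_1"  # assumption: repository path quoted in the thread
REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed audit.log records (not real data): two removals, one benign "+i".
SAMPLE = '''type=SYSCALL msg=audit(1611000000.101:501): syscall=59 success=yes auid=1001 uid=0 exe="/usr/bin/chattr"
type=EXECVE msg=audit(1611000000.101:501): argc=3 a0="chattr" a1="-i" a2="/veeam/Rep/xfs_1/job1/job1.vbk"
type=SYSCALL msg=audit(1611000000.202:502): syscall=59 success=yes auid=1001 uid=0 exe="/usr/bin/chattr"
type=EXECVE msg=audit(1611000000.202:502): argc=3 a0="chattr" a1="-i" a2=4A6F6220312E76626B
type=CWD msg=audit(1611000000.202:502): cwd="/veeam/Rep/xfs_1/job2"
type=SYSCALL msg=audit(1611000000.303:503): syscall=59 success=yes auid=1000 uid=0 exe="/usr/bin/chattr"
type=EXECVE msg=audit(1611000000.303:503): argc=3 a0="chattr" a1="+i" a2="/veeam/Rep/xfs_1/job1/job1.vib"'''

def decode(v):
    # auditd quotes plain strings and hex-encodes values with spaces or odd bytes
    try:
        return v[1:-1] if v.startswith('"') else bytes.fromhex(v).decode("utf-8", "replace")
    except ValueError:
        return v

def clears_immutable(argv):
    # "-i" / "-ai" drop the flag; "=e" replaces the flag set without 'i', dropping it too
    return any((a[0] == "-" and "i" in a) or (a[0] == "=" and "i" not in a)
               for a in argv[1:] if a)

def find_immutable_removals(lines, repo_root=REPO_ROOT):
    events, alerts = {}, []  # key "timestamp:serial" groups the records of one event
    for m in filter(None, (REC_RE.match(ln.strip()) for ln in lines)):
        rtype, event_id, body = m.groups()
        f, ev = dict(FIELD_RE.findall(body)), events.setdefault(event_id, {})
        if rtype == "SYSCALL":
            ev["exe"], ev["auid"] = decode(f.get("exe", '""')), f.get("auid")
        elif rtype == "CWD":
            ev["cwd"] = decode(f.get("cwd", '"/"'))
        elif rtype == "EXECVE":
            ev["argv"] = [decode(f.get(f"a{i}", '""')) for i in range(int(f.get("argc", 0)))]
    for event_id, ev in events.items():
        argv = ev.get("argv", [])
        if posixpath.basename(ev.get("exe", "")) != "chattr" or not clears_immutable(argv):
            continue
        paths = [posixpath.normpath(posixpath.join(ev.get("cwd", "/"), a))  # resolve relative args
                 for a in argv[1:] if a and a[0] not in "-+="]
        hits = [p for p in paths if (p + "/").startswith(repo_root + "/")]
        if hits:
            alerts.append({"event": event_id, "auid": ev.get("auid"), "files": hits})
    return alerts

if __name__ == "__main__":
    print(find_immutable_removals(SAMPLE.splitlines()))
```

The detector only sees invocations of the `chattr` binary; a process that changes the flag through the ioctl directly would need a syscall-level audit rule instead.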
