Veeam v11 - Hardened Repository aka Immutable backups




88 comments

Userlevel 7
Badge +6

I'm seeing this tool for the first time; is it really intended to be used interactively? Normally you just have to create a user, set up the directory permissions and then you add the system via the Veeam console; and all config is done by Veeam itself. In my case, the Ubuntu server image had all dependencies already installed out of the box; it didn't have to install any packages at all.

Have you tried this way or is there a reason why you use the veeamhubrepo executable?

Userlevel 2

I don’t see a method through Veeam server.. I was given a link in which to follow all the instructions to configure it.. and btw, Ubuntu does not come with everything Veeam needs, the xfsprogs needs to be installed before, as well as the configuration of the veeamhubrepo.

This is the link I followed:

 

https://24xsiempre.com/veeam-hardened-immutable-repository/

Userlevel 7
Badge +6

Ok, now I get it; thanks for providing the link to the blog post. I didn't know that script but according to the GitHub page it's experimental and so I wouldn’t use it in production. I would suggest that you contact the authors via GitHub for some help. Or perhaps @poulpreben can give you some advice here in the community?

Regarding the setup in general. You can set up everything manually and don't necessarily need a script. I went with the information from @vNote42 and after having some problems with Ubuntu I checked out this blog series:

https://www.starwindsoftware.com/blog/veeam-hardened-linux-repository-part-1

Userlevel 7
Badge +7

Hi Wolfgang,

 

If the Linux machine is a VM, how do you prevent root from just connecting through vSphere and changing the file attributes and just removing everything?

 

Thanks,

 

Hi Adam!

As @regnor already mentioned, it is definitely not recommended to use a virtualized Linux Server as Hardened Repository Server!

If you still want to do this, I would recommend not to install VMware Tools there, so the VIX-Interface shouldn’t be available. Furthermore, you should implement at least certificate-based authentication.

I want to stress this: Do not use a VM for Backup Repository in production!

Userlevel 7
Badge +6

I'm not sure if it works, but if you remove the Linux server in Veeam, does it uninstall all components and cleanup the system?

Userlevel 2

I’m not getting to that step yet… this is before adding it to a Veeam Server.

Userlevel 2

It is supposed that, once enabling ssh access the next screen will be:

 

 

Once there.. the number 3 option must be selected, and then add it to the Veeam Server 11.

Userlevel 7
Badge +8

I'm seeing this tool for the first time; is it really intended to be used interactively? Normally you just have to create a user, set up the directory permissions and then you add the system via the Veeam console; and all config is done by Veeam itself. In my case, the Ubuntu server image had all dependencies already installed out of the box; it didn't have to install any packages at all.

Have you tried this way or is there a reason why you use the veeamhubrepo executable?

This seems to be the way it is done as I have not seen the other method shown.  Interesting.

Userlevel 7
Badge +6

That was quick, thanks @poulpreben 🙂

Userlevel 7
Badge +7

aamm… let me explain a little more.. I did several installations, and in all of them I did something wrong, and I cannot reset the veeamhubrepo in a way so I can start all over again and succeed, so.. I used a virtual machine with a snapshot and returned to the initial state before using the veeamhubrepo and began configuring again.. well… I have a physical server with Ubuntu Server 20 LTS and I did something wrong, and the veeamhubrepo won’t start again, so I need to re-install the server in order to do everything correctly, but with no opportunity to fail AT ALL! or else.. I need to re-install the server again, that’s why I need to know how to reset the veeamhubrepo tool in order to avoid any re-installation. Where are the configuration files? So I can delete them and start a fresh install.

 

The image you see in one of my comments is when I succeeded on a virtual machine, but not with my physical server.

Thanks for your description! You may ask in R&D forum for help?

Userlevel 7
Badge +7

I don’t see a method through Veeam server.. I was given a link in which to follow all the instructions to configure it.. and btw, Ubuntu does not come with everything Veeam needs, the xfsprogs needs to be installed before, as well as the configuration of the veeamhubrepo.

This is the link I followed:

 

https://24xsiempre.com/veeam-hardened-immutable-repository/

Thanks for the link! Never used a script to do the installation. There are just a few steps to do at the Linux server, I do not see that many advantages to using a script for these.

I agree with @regnor, I never installed any tools after the Ubuntu installation. Everything I needed was there. Even tools for XFS.

Hi Wolfgang,

 

If the Linux machine is a VM, how do you prevent root from just connecting through vSphere and changing the file attributes and just removing everything?

 

Thanks,

 

Userlevel 7
Badge +6

I don't know if it's possible to restrict root access via the local console. You could disable root and only work with sudo, but that wouldn't change anything. Perhaps you can set up something like multifactor to increase the security.

But the bigger problem I see in your case is running the repository virtualized. If an attacker can log in to your vSphere management, then he could just wipe or delete your repository VM; so no need to use the root user itself. If you want to virtualize, then I would take care to lock down or even disable any management possibility.
