Veeam v11 - Hardened Repository - how it behaves



40 comments

Userlevel 7
Badge +14

> [update]
>
> What happens when choosing an immutable repository for backup types that are not supported for immutability? For example: DB logs, NAS.
>
> Backup runs anyway! Files are just not immutable after the job is finished. See in screenshot: SQL log backups (*.vlm, *.vlb, *.vsm) are not flagged.
>
> https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110

Was so happy to see this as it means we don’t need to split out repositories based on whether the job is supported for immutability!

Userlevel 7
Badge +12

[update]

What happens when choosing an immutable repository for backup types that are not supported for immutability? For example: DB logs, NAS.

Backup runs anyway! Files are just not immutable after the job is finished. See in screenshot: SQL log backups (*.vlm, *.vlb, *.vsm) are not flagged.

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110

Userlevel 7
Badge +14

> Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?
>
> Good point, BUT :grin: :
>
> As it’s a pre-hardened image, does it give you the ability to configure this NTP as an IP address via any deployment, or do we need to manually consider this?
>
> It’d be good to confirm if NTP is going to ignore these panic thresholds.
>
> I have the feeling there is a misunderstanding. There is no pre-hardened image with immutable repositories. A Linux host must be installed and configured (like a Windows repository server). So you can configure Linux as you wish.

Good to know! Have been just gleaning different bits of information since we can’t play with it yet.

Thanks for sharing :)

Userlevel 7
Badge +10

> Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?
>
> Good point, BUT :grin: :
>
> As it’s a pre-hardened image, does it give you the ability to configure this NTP as an IP address via any deployment, or do we need to manually consider this?
>
> It’d be good to confirm if NTP is going to ignore these panic thresholds.

Not sure you need to worry about this, but you could send out which NTP servers to use via DHCP option 42. On Linux, I think you can add ntp-servers to the dhclient.conf. More info in https://unix.stackexchange.com/questions/327954/how-do-you-set-up-a-linux-client-to-use-ntp-information-provided-through-dhcp

Userlevel 7
Badge +12

> Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?
>
> Good point, BUT :grin: :
>
> As it’s a pre-hardened image, does it give you the ability to configure this NTP as an IP address via any deployment, or do we need to manually consider this?
>
> It’d be good to confirm if NTP is going to ignore these panic thresholds.

I have the feeling there is a misunderstanding. There is no pre-hardened image with immutable repositories. A Linux host must be installed and configured (like a Windows repository server). So you can configure Linux as you wish.

Userlevel 7
Badge +14

> Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?
>
> Good point, BUT :grin: :

As it’s a pre-hardened image, does it give you the ability to configure this NTP as an IP address via any deployment, or do we need to manually consider this?

It’d be good to confirm if NTP is going to ignore these panic thresholds.

Userlevel 7
Badge +12

> Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?

Good point, BUT :grin: :

Userlevel 7
Badge +14

Do we know what time servers are being used? It was an interesting point you raised about changing the time on Veeam not causing any issues, but I’d assume NTP is via DNS and to resolve internal resources it would require internal DNS servers (or even be supplied them via DHCP), so hijacking the FQDN of the NTP server could be an attack to wipe immutability?
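The time-sync hardening the replies above circle around (NTP sources named by FQDN that a DNS hijack can redirect, NTP servers handed out by DHCP option 42, and whether the daemon's panic/step limits still protect the clock) can be checked on the Linux repository host with a short script. This is an added example written for this thread, not code from the post, from Veeam or from any distribution; the config samples are constructed, the addresses are RFC 5737 documentation addresses, and the dhclient check assumes a one-line `request` statement.

```shell
#!/bin/sh
# Added example (not from the post or from Veeam): audit chrony/ntpd and
# dhclient configuration on a Linux repository host for the weaknesses the
# thread raises. Sample configs are constructed; addresses are documentation
# addresses (192.0.2.0/24).
set -u

# Print chrony/ntpd "server", "pool" and "peer" sources that are not IP
# literals. Every such source is resolved through DNS, so whoever controls
# the name (or the resolver the host uses) controls the host's time source.
dns_dependent_sources() {
  awk '($1 == "server" || $1 == "pool" || $1 == "peer") {
         src = $2
         if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # IPv4 literal
         if (src ~ /:/) next                                   # IPv6 literal
         print src
       }'
}

# Print settings that remove the guard against a large time jump:
#   ntpd:   "tinker panic 0" disables the 1000 s panic threshold
#   chrony: "makestep <threshold> -1" allows stepping the clock at any time
step_guards_disabled() {
  awk '$1 == "tinker"   && $2 == "panic" && $3 == "0" { print "ntpd panic threshold disabled: " $0 }
       $1 == "makestep" && $3 == "-1"                 { print "chrony unlimited stepping: " $0 }'
}

# Warn when dhclient.conf requests ntp-servers (DHCP option 42) from the lease
# without a "supersede ntp-servers ..." line pinning them locally.
dhcp_ntp_unpinned() {
  awk '$1 == "request"   && /ntp-servers/       { requested = 1 }
       $1 == "supersede" && $2 == "ntp-servers"  { pinned = 1 }
       END { if (requested && !pinned) print "ntp-servers taken from DHCP and not superseded" }'
}

# A chrony.conf that applies the fixes: sources pinned by address, stepping
# allowed only during the first three updates, and any single correction
# larger than 1000 s refused (chrony exits after two such measurements).
# On Debian/Ubuntu also drop the shipped "sourcedir /run/chrony-dhcp" line,
# which is the path by which DHCP-supplied servers reach chrony there.
hardened_chrony_conf() {
  cat <<'EOF'
server 192.0.2.10 iburst
server 192.0.2.11 iburst
makestep 1.0 3
maxchange 1000 1 2
EOF
}

# Run all checks over one config file (chrony.conf, ntp.conf or dhclient.conf).
# Prints the findings and returns 1 when there are any, 0 when the file is clean.
audit_time_config() {
  findings=$(
    dns_dependent_sources < "$1" | sed 's/^/DNS-dependent source: /'
    step_guards_disabled  < "$1"
    dhcp_ntp_unpinned     < "$1"
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Usage: sh audit-time.sh /etc/chrony/chrony.conf /etc/dhcp/dhclient.conf
# (no arguments: only defines the functions)
if [ $# -gt 0 ]; then
  rc=0
  for f in "$@"; do
    audit_time_config "$f" || rc=1
  done
  exit "$rc"
fi
```

Pinning by address removes the DNS dependency but also removes failover through a pool name, so list at least two addresses; the `maxchange` cap is what turns a rogue server's attempt to jump the clock into a daemon exit (and an alert) instead of a silently expired immutability period.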

Userlevel 7
Badge +12

[Update]

… trying to add a non-immutable repository on a Linux server hosting an immutable repository?

Currently, mixing immutable with non-immutable repositories on the same Linux server is not supported, so you get an error:

Userlevel 7
Badge +12

> Another great post @vNote42! I really love how you took the time to think through different scenarios and test them out in the lab. Thank you for sharing.

Thank you for the compliment! It is always great to get such feedback!

Userlevel 7
Badge +10

Another great post @vNote42! I really love how you took the time to think through different scenarios and test them out in the lab. Thank you for sharing.

Userlevel 7
Badge +6

Excellent Post !!! :ok_hand:

Userlevel 7
Badge +12

“Permission denied”, even root gets this error. You really have to remove the immutable flag before removing/changing.
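Two of the observations in this thread, that even root cannot remove or change a file while the immutable flag is set (the reply above, and the rm -f / dd question it answers) and that SQL log backups (*.vlm, *.vlb, *.vsm) are written without the flag (the [update] near the top), can be turned into a small repository audit. The script below is an added example written for this thread; it is not code from the post or from Veeam. The repository path, job names and the `lsattr` listing used in the test are constructed, the extension list of "expected mutable" files is taken from the [update] and may need extending for other file types, and the live demonstration needs root on an ext4 or XFS path.

```shell
#!/bin/sh
# Added example (not from the post or from Veeam): show what rm -f and dd get
# back once a file carries the Linux immutable attribute, and audit a
# repository path for backup files that are NOT flagged. Paths are constructed.
set -u

# Print the paths from `lsattr` output whose attribute field has no 'i' flag.
# lsattr prints one line per file, "<attrs> <path>", for example
#   ----i---------e------- /mnt/repo/Job1/Job1.vbk   (immutable)
#   --------------e------- /mnt/repo/Job1/Job1.vlm   (not immutable)
# Directory headers and blank lines from `lsattr -R` have one field and are skipped.
find_mutable() {
  awk 'NF >= 2 && $1 ~ /^[A-Za-z-]+$/ && $1 !~ /i/ { sub(/^[^ ]+ /, ""); print }'
}

# Success when the file is one of the log backup types the [update] observed as
# never being flagged. Extend this list if other types turn out to be mutable.
is_log_backup() {
  case "$1" in
    *.vlm|*.vlb|*.vsm) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Read lsattr output on stdin; label every mutable file as "expected" (a log
# backup) or "UNEXPECTED" (anything else that should have been made immutable).
audit_repo() {
  find_mutable | while IFS= read -r path; do
    if is_log_backup "$path"; then
      printf 'expected %s\n' "$path"
    else
      printf 'UNEXPECTED %s\n' "$path"
    fi
  done
}

# Exit status 0 when no mutable file is unexpected, 1 otherwise.
repo_ok() {
  if audit_repo | grep -q '^UNEXPECTED '; then
    return 1
  fi
  return 0
}

# Live demonstration; needs root (CAP_LINUX_IMMUTABLE) and an ext4/XFS path.
# While the flag is set, unlink and an overwriting open both fail with EPERM
# ("Operation not permitted"); the flag has to be cleared before either works.
# Not run automatically.
demo_immutable_file() {
  f="$1"
  printf 'backup payload\n' > "$f"
  chattr +i "$f"
  lsattr "$f"
  rm -f "$f" || echo "rm -f failed as expected"
  dd if=/dev/zero of="$f" bs=1 count=1 2>/dev/null || echo "dd overwrite failed as expected"
  chattr -i "$f"              # only now does removal succeed
  rm -f "$f" && echo "removed after clearing the flag"
}

# Usage: sh audit-repo.sh /mnt/repo   (no argument: only defines the functions)
if [ $# -gt 0 ]; then
  find "$1" -type f -exec lsattr {} + 2>/dev/null | audit_repo
  find "$1" -type f -exec lsattr {} + 2>/dev/null | repo_ok
  exit $?
fi
```

Run it periodically against the repository root as the repository's own unprivileged user; a non-empty `UNEXPECTED` list means a restore point exists that ransomware on a compromised backup server could still delete, which is exactly the gap the hardened repository is meant to close.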

Userlevel 7
Badge +4

Awesome post! Didn’t take the time to test this, it’s on my list! What is the answer from the system if you try dd or rm -f on it? Or encryption?

Userlevel 7
Badge +12

PS: If you think about other situations, let me know. If possible I will test it ...
