How do you monitor Hardened Repository hardware?

  • 13 December 2021
  • 7 comments
  • 302 views

Userlevel 7
Badge +13

When it comes to Veeam Hardened Repository Server, we hopefully talk about a dedicated hardware server. Because of the highly secure implementation of this feature, it makes perfect sense to disable any additional attack surface. So it is highly recommended to disable platforms like HPE iLO and Dell iDRAC.

On the other side, it is essential to monitor this piece of hardware. IMHO it is important not to open any incoming network ports for monitoring. This means monitoring (agent, script, daemon, ...) should open a port from within the host to an external instance like a mail server, SNMP host, syslog server, … and close it afterwards. Otherwise a service - most probably with root permissions - is running and open for external access.

So how did you implement hardware monitoring?



Userlevel 7
Badge +20

Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.

Userlevel 7
Badge +13

> Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.

Thanks for your answer! How do you query iLO/iDRAC with Zabbix - with SNMP?

Userlevel 7
Badge +20

> Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.
>
> Thanks for your answer! How do you query iLO/iDRAC with Zabbix - with SNMP?

Yeah typically that is what we use.

Userlevel 7
Badge +13

> Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.
>
> Thanks for your answer! How do you query iLO/iDRAC with Zabbix - with SNMP?
>
> Yeah typically that is what we use.

Are you able to get disk and array controller failures this way?

Userlevel 5
Badge +4

> Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.

What about the risk of a takeover of vCenter, where the bad actor can just delete the datastore containing the repository? Gostev wrote about this in this morning’s Word from Gostev.

The monitoring tool suggestion is a good thought!

Userlevel 7
Badge +20

> Most of our hardened repository servers are VMs and we use Zabbix for monitoring on those.  If there is physical we still use Zabbix but also iLO or iDRAC.
>
> Thanks for your answer! How do you query iLO/iDRAC with Zabbix - with SNMP?
>
> Yeah typically that is what we use.
>
> Are you able to get disk and array controller failures this way?

I am not sure to be honest as that is not my department but I know they do see failed hard drives somehow via this method.

Userlevel 7
Badge +8

Well, it will depend on your monitoring tools. We use Centreon for HP servers.

We use SNMP (read) or XMLapi (read-only, restricted to the monitoring poller). It could be different if you’re using OneView.

https://docs.centreon.com/docs/plugins-packs/fr/latest/catalog.html#hardware-server

Example for XMLApi (not backup repo):

It’s an interesting topic, I hadn't thought of the hardened case.

Well, from my pov it will depend on your security policy about it. SNMP could be “hardened”: v3 only, read from a restricted @ip. XMLapi with a restricted configuration could be good too.

I’m not a huge fan of SNMP traps but it could be an idea (push model), or email alerts :grimacing:
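
A sketch of the push model discussed in this thread, added here as an example and not taken from any poster: a local check finds degraded arrays and sends the result to a syslog collector over an outbound UDP socket, so nothing listens on the repository host. It assumes Linux software RAID (`/proc/mdstat`); the host name `hardened-repo01`, the tag `hwcheck` and the collector address `192.0.2.10` are hypothetical, and hardware RAID controllers would need the vendor's own status tool in place of the parser.

```python
import re
import socket

# Constructed sample of /proc/mdstat: md0 is healthy, md1 has lost one member.
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6]
md0 : active raid1 sdb1[1] sda1[0]
      1046528 blocks super 1.2 [2/2] [UU]

md1 : active raid6 sdf1[3] sde1[2](F) sdd1[1] sdc1[0]
      7813772288 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/3] [UU_U]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (\w+) (.*)$")   # name, state, level, members
STATE_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")    # [expected/working] [UU_U]

def degraded_arrays(mdstat_text):
    """Return (array, level, expected, working, failed_members) per degraded array."""
    findings, current = [], None
    for line in mdstat_text.splitlines():
        head = ARRAY_RE.match(line)
        if head:
            name, _state, level, members = head.groups()
            # Failed members carry an (F) suffix, e.g. "sde1[2](F)".
            failed = [m.split("[")[0] for m in members.split() if m.endswith("(F)")]
            current = (name, level, failed)
            continue
        state = STATE_RE.search(line)
        if state and current:
            expected, working = int(state.group(1)), int(state.group(2))
            if working < expected or "_" in state.group(3):
                findings.append((current[0], current[1], expected, working, current[2]))
            current = None
    return findings

def syslog_line(finding, host="hardened-repo01"):   # hypothetical host name
    """Format one finding with syslog PRI for facility daemon(3), severity critical(2)."""
    name, level, expected, working, failed = finding
    pri = 3 * 8 + 2
    return (f"<{pri}>{host} hwcheck: array={name} level={level} "
            f"members={working}/{expected} failed={','.join(failed) or 'unknown'}")

def push(findings, collector=("192.0.2.10", 514)):  # hypothetical collector address
    """Send findings over an outbound UDP socket; nothing is bound or listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for f in findings:
            s.sendto(syslog_line(f).encode(), collector)
    return len(findings)
```

Run from cron or a systemd timer with `degraded_arrays(open("/proc/mdstat").read())` as input, the check needs no inbound firewall rule on the repository host.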
