I think one of the main things with this is setting up the single use credential and correct permissions to the backup folder. I know this part stumped me some until I did some further reading on some blogs that others did. Other than that everything else is pretty straightforward.
The most important part, how to secure it. Setting up is the easiest part.
But show the people, what could happen if they leave ssh or other Remote Management Tools enabled.
Talk about how to protect the server from any intruder, so that it can be immutable :)
The ont time credentials are the hardest part for me. So, this would be fine to have in your video.
I would also say how to properly secure the server itself. So shutting down any management access, removing sudo permission, etc.
And, if it's not out of scope, the maintainance of such a Linux server. For example installing updates, both for the system and for Veeam.
Hello
I would say the security with firewall on the linux iptables or ufw and time synchronisation choice if no gps is present with chrony or disable it.
I agree with @Chris.Childerhose. Setting up the right permissions on Linux is common question.
The most important thing to me is set up the hardened repository with non root permissions.
Great @Rick Vanover ! In my company we are no Linux experts, so trying to avoid. So in this video it would be very nice to use the whole setup. So how to configure the Linux repository from A to Z and as @Mildur already mentioned : how to maintain, manage and keep secure. Thx a lot.
This is great stuff everyone - I appreciate the feedback, I’m building the outline this week!
if i could have a suggestion about management interfaces to have a good balance between maintainability and security to have a mecanism to up and down with an API (with rbac) the network access to management interfaces. It’s possible to activate Ilo/IDRAC with ipmi call too.
It could be not easy if you’re facing an incident on the hardware and you’re not on the site...
I think the non-windows-a-like steps are required to be explained.
A lot of linux-gurus will understand all those “strange” steps in linux, but for the main windows-admins that are not familiar with Linux those steps sounds like “hocus-pocus command line something”. I’m also suspecting they don’t jump into the linux hardened repo because of that…
limited user rights, mounting part of a subfolder, temporarily add a user to sudoers file,… I went through it on veeamclick hoping to help those windows-only-admins(like me).
Does anyone thing “MASSIVE SCALE” is important? I have access to a 2 PB JBOB system. Maybe.
Does anyone thing “MASSIVE SCALE” is important? I have access to a 2 PB JBOB system. Maybe.
2 PB JBOD - wow…
Is there a size limit for the hardened repo?
Does anyone thing “MASSIVE SCALE” is important? I have access to a 2 PB JBOB system. Maybe.
2 PB JBOD - wow…
Is there a size limit for the hardened repo?
Good question - no defined limit. But as a goal of a workshop - I don’t know if it’s necessary to cover the big part. There are system requirements (CPU/RAM, etc.) -» Which I will cover.
Good question - no defined limit. But as a goal of a workshop - I don’t know if it’s necessary to cover the big part. There are system requirements (CPU/RAM, etc.) -» Which I will cover.
Don’t forget to take a pause while doing “sudo mkfs.xfs -K -b size=4096 -m reflink=1,crc=1 /dev/sdb” if you plan to do that on 2PB :-)
Massive scale will become important in the “near” future I think. In my region not at the moment.
@Nico Losschaert ?
Cool, a Workshop Video! Great idea!
I add my my thoughts:
- It must be clear how easy it is to setup Linux for hardened Repo even without knowing Linux.
- Hardened Repos in SOBR.
- At least for further steps: Do not forget Hardware monitoring! And how to do it the right way.
Good add there @vNote42 → The monitoring… That’s a great ‘after install’ bit that matters!
The most important part, how to secure it. Setting up is the easiest part.
But show the people, what could happen if they leave ssh or other Remote Management Tools enabled.
Talk about how to protect the server from any intruder, so that it can be immutable :)
+1