Veeam: Linux Hardened Repository using iSCSI


If no physical server is available and a NAS device is the only repository installed in your network, you can configure a VM Linux as a Hardened Repository using iSCSI to make backups immutable.

Using a supported Linux distribution, it is possible to map a LUN via iSCSI to a Linux VM in your virtual infrastructure and use it as backup repository for your Veeam backup infrastructure.

The storage device used in this procedure is a Synology NAS and the OS installed on the VM is a Linux Ubuntu 22.04.3 LTS.


Configure a Linux Hardened Repository using iSCSI

Before starting the configuration of the Linux VM, you need to create an iSCSI Initiator as well as a LUN that will be used to store backups.


Configure the iSCSI Initiator

To configure an iSCSI LUN in Linux Ubuntu, make sure the open-iscsi package is installed in the system in use.

# sudo apt -y install open-iscsi


Enable the iSCSI service each time the server boots.

# sudo systemctl enable open-iscsi
# sudo systemctl enable iscsid


Edit the /etc/iscsi/initiatorname.iscsi file to specify the correct iSCSI Initiator.

# sudo vi /etc/iscsi/initiatorname.iscsi


The system is configured with a default InitiatorName setting that needs to be adjusted.


Retrieve the configured IQN from the storage device used as backup repository.


Replace in the /etc/iscsi/initiatorname.iscsi file the default InitiatorName with the IQN configured in the storage and save the file.


If the iSCSI connection requires authentication, edit the file /etc/iscsi/iscsid.conf.

# sudo vi /etc/iscsi/iscsid.conf


Enable the automatic startup.

node.startup = automatic


Enable and configure authentication settings.

node.session.auth.authmethod = CHAP
node.session.auth.username = username
node.session.auth.password = password


Restart the iSCSI service.

# sudo systemctl restart iscsid open-iscsi



Discovery and login to target

Run the following command to discover the iSCSI Target. The configured iSCSI Target has been discovered successfully (in the example, two iSCSI Targets have been discovered).

# sudo iscsiadm -m discovery -t sendtargets -p


Now login to the target.

# sudo iscsiadm --mode node --targetname --portal --login


Check if the connection has been established to the storage device.

# sudo iscsiadm -m session -o show



Create a new partition and file system

After connecting the iSCSI disk, check the configured partitions in Ubuntu. A new disk sdb is displayed.

# cat /proc/partitions


Retrieve the list of installed disks in Ubuntu to identify the disk used as repository.

# sudo fdisk -l


Since the partition to create is bigger than 2 TB, it is necessary to configure a GPT partition.

# sudo parted /dev/sdb mklabel gpt


Now create the partition using the entire disk formatted XFS.

# sudo parted -a opt /dev/sdb mkpart primary xfs 0% 100%


To check the just created partition, run the command:

# lsblk


Check the installed disks once again. Now the new /dev/sdb1 partition is displayed.

# sudo fdisk -l


To leverage the Fast-Clone technology in Veeam Backup & Replication, we need to enable reflink and CRC formatting the partition with the following command:

# sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdb1 -f -K



Mount the file system

Once the partition has been formatted, we mount the file system for use.

If you want to mount the partition under /mnt/veeamrepo, create the directory using mkdir.

# sudo mkdir -p /mnt/veeamrepo


Mount the file system with the command:

# sudo mount -o defaults /dev/sdb1 /mnt/veeamrepo


Run the following command to check the file system:

# df -Th


Now retrieve the UUID of the new partition to be configured in the /etc/fstab file.

# sudo blkid /dev/sdb1


Update the /etc/fstab file with the new UUID to mount the filesystem automatically each time the server boots.

# sudo vi /etc/fstab

UUID=88d1bd31-1996-4545-9e5a-2b410364f13a /mnt/veeamrepo xfs _netdev 0 0

Adding the value _netdev, the mount point will be mounted only after the network starts correctly.


Restart the server and make sure the iSCSI LUN is mapped after booting.

# sudo reboot
# df -Th



Create the Veeam user

You need to create a dedicated Veeam user with the correct permissions so that the Veeam Transport Service has the correct rights to the Veeam mount.

Create a new account and create the password.

# sudo useradd locveeam --create-home -s /bin/bash
# sudo passwd locveeam


To install the required Veeam components, we need to temporarily assign the just created user to the sudo group to execute the commands as root.

# sudo usermod -a -G sudo locveeam



Assign permissions to the mount point

Assign permissions to access the /mnt/veeamrepo folder to the locveeam account and check assigned permissions.

# sudo chown -R locveeam:locveeam /mnt/veeamrepo/
# sudo chmod 700 /mnt/veeamrepo
# ll /mnt



Test the Hardened Repository

Assigned the correct permissions, it's time to test the Hardened Repository using iSCSI.


1. Create the new Hardened Repository using iSCSI in Veeam

Open the Veeam Backup & Replication console and configure the new Hardened Repository (follow this step-by-step procedure).



2. Create a Backup Job

Create a Backup Job specifying the just created Hardened Repository to store the backup (follow this step-by-step procedure).



3. Run the Backup Job

Run the Backup Job.



4. Check Immutability

Try to delete the just created backup to test if the backup is immutable. As expected the backup can't be deleted due to its immutability status.



Secure the Hardeneded Repository

Once the configuration and backup tests have been successfully completed, the Hardened Repository using iSCSI must be secured to avoid unauthorized accesses:

  • Make sure the Veeam user (locveeam in the example) is not a member of the sudo group.
  • Unplug the Remote Server Management system (iDRAC, iLO, etc.) from the network.
  • Disable SSH access to the repository with the commands:

# sudo systemctl disable ssh.service
# sudo systemctl stop ssh.service


Because the Linux machine runs in the virtual infrastructure, also the the access to the virtual environment must be secured.

The configuration of the Linux Hardened Repository using iSCSI is now complete and the system is ready to use.



  1. RBL 22/02/2024
  2. Axel Krägelius 10/03/2024

Leave a Reply