To protect backups against deletion, overwriting and ransomware, a Hardened Repository must be configured in Veeam v11 to take advantage of the Immutability feature.
Making backups immutable is the most efficient way to protect your business data against intruders and ransomware attacks.
Veeam v11: Hardened Repository (Immutability) installation - pt.1
Veeam v11: Hardened Repository (Immutability) configuration - pt.2
Veeam v11: Hardened Repository (Immutability) add MFA - pt.3
Configure Veeam repository
Add the new Linux Server to the Veeam infrastructure. Go to the Backup Infrastructure area and right-click Managed Server. Select Add server.
Select Linux as server type.
Enter the DNS name or IP address then click Next.
Click Add and select the Single-use credentials for hardened repository option to avoid storing the credentials in Veeam Backup & Replication.
Enter the credentials to connect to the Linux Repository then click OK.
When the credentials have been specified, click Next.
When the component has been installed, click Next.
The new Managed Server has been added successfully. Click Finish to exit the wizard.
Now that the Veeam services have been installed, the user locveeam created in the Hardened Repository must be removed from the sudo group. These credentials are not stored in Veeam Backup & Replication Server.
# sudo deluser locveeam sudo
Since SSH is only needed when the Managed Server is created in Veeam, the SSH service can be safely disabled on the Hardened Repository to tighten security.
Create the new repository
Access the Backup Repositories section and click the Add Repository button.
Select Direct attached storage.
Select Linux as operating system.
Enter a Name for the new Backup Repository then click Next.
Select the Repository server configured and click Populate. From the listed paths, select the partition configured in the Hardened Repository to store the backups. Click Next.
Double-check that the Path to folder is correct and click Populate to show Capacity and Free space. Enable the following options:
- Use fast cloning on XFS volumes (to take advantage of Fast Cloning technology)
- Make recent backups immutable for "xx" days, specifying the requested retention
Specify the Mount server to use then click Next.
Click Apply to continue.
When the repository has been created, click Next.
Click Finish to complete the procedure.
The new Hardened Repository has been created successfully.
Create a Backup Job
From the Home area, right-click Backup and select Backup > Virtual machine > VMware vSphere.
Enter the Backup Job Name and click Next.
Click Add and select the VMs to back up then click Add. In this example, tags are used.
Select the Hardened Repository as Backup repository and specify the Retention Policy. Keep in mind that the retention specified in the Backup Job should be higher than the Immutability retention. Click Next.
You may receive this error.
Click Advanced and check that the Create synthetic full backups periodically option is enabled.
Tick Enable application-aware processing if VMs need VSS processing. Click Next.
Configure the desired Schedule then click Apply.
Select the Run the job when I click Finish option and click Finish to save the Backup Job configuration.
The Backup Job has been created successfully and started.
The Backup Job is being processed.
After a few minutes, the backup completes.
To test the Immutability, we will now try to delete the backup.
From Backups > Disk, expand the created Backup Job and right-click the backed-up VM. Select the Delete from disk option.
Click Yes to proceed.
As expected, the VM cannot be deleted due to the Immutability feature enabled for the specific job.
Check the Immutability on the Repository
To have a look at how Veeam works with Immutability, log in to the Linux Repository and navigate to the folder of the Backup Job.
Run the following command to see the "i" attribute set on the backup files. This is the flag that makes the file immutable.
For a human-friendly output, run the same command with the -l option at the end:
# lsattr -l
As you can see, all backup files are set as Immutable. Only the .VBM file doesn't have this attribute since it needs to be updated by Veeam during the backup sessions.
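The check described above can be scripted. The following is an added example, not part of the original post: it reads plain lsattr output and lists every backup file that lacks the "i" flag, skipping the .VBM file. The sample listing and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report backup files that are
# missing the immutable ("i") attribute in plain `lsattr` output.

# Reads `lsattr` lines ("<flags> <path>") on stdin and prints the path of
# every file whose flag field has no "i". The .vbm metadata file is skipped
# because, as the post notes, Veeam has to update it during backup sessions.
mutable_backups() {
    awk '
        NF < 2 { next }                      # blank line or directory header
        $1 !~ /^[-A-Za-z]+$/ { next }        # first field is not a flag string
        {
            flags = $1
            path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)  # keep spaces inside file names
            if (tolower(path) ~ /\.vbm$/) next
            if (index(flags, "i") == 0) print path
        }
    '
}

# Constructed sample in the shape `lsattr` prints; file names are made up.
sample_lsattr() {
    cat <<'EOF'
-------------------- ./Backup Job 1.vbm
----i--------------- ./srv01.vm-101D2021-03-01T220000_1A2B.vbk
----i--------------- ./srv01.vm-101D2021-03-02T220000_3C4D.vib
-------------------- ./srv01.vm-101D2021-03-03T220000_5E6F.vib
EOF
}

# Demo on the constructed sample. On the repository itself, run from the
# Backup Job folder:  lsattr | mutable_backups
sample_lsattr | mutable_backups
```

An empty result means every backup file in the listing carries the flag; any path printed is a file that can still be modified or deleted on the repository.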
Synthetic Full with Fast-Clone
If the XFS file system has been formatted with the Reflink option enabled, Veeam leverages the Fast-Clone technology during the Synthetic Full operation, optimizing space and performance.
Secure the Hardened Repository
Once the configuration and backup tests have been completed, the Hardened Repository must be secured to avoid unauthorized access:
- Make sure the locveeam user is not a member of the sudo group
- Unplug the Remote Server Management system (iDRAC, iLO, etc.) from the network
- Disable SSH access to the repository
To disable the SSH service in Ubuntu, from the console run the following commands:
# sudo systemctl disable ssh.service
# sudo systemctl stop ssh.service
Part 3 will cover how to add MFA to SSH logins if the SSH service cannot be disabled for policy reasons.