The new Veeam Backup & Replication 11 provides the capability to have immutable backups leveraging Linux with the Hardened Repository.
Already introduced in Veeam v10 to store backups on Object Storage S3 with Object Lock enabled, the Immutability feature protects your backups against overwriting, accidental deletion, ransomware attacks and internal intruders.
A good backup design is the key to a successful data protection strategy and avoids the potential data loss that can affect the business. If data is not well protected, a ransomware attack can be a nightmare for administrators.
Veeam v11: Hardened Repository (Immutability) installation - pt.1
Veeam v11: Hardened Repository (Immutability) configuration - pt.2
Veeam v11: Hardened Repository (Immutability) add MFA - pt.3
To configure the Immutability for data backups, you need to meet some requirements:
- Veeam Backup & Replication v11.
- Although the solution can run as a virtual machine, a physical machine is strongly recommended for security reasons.
- A 64-bit Linux distribution to host the repository. Suggested distributions are Ubuntu 20.04 LTS or later (for the most mature reflink support), RHEL/CentOS 8.2 or later, SLES 15 SP2 and Debian 10.
- The Linux server should support XFS, which enables the Veeam Fast Clone technology and is the recommended file system.
Since backups cannot be modified once immutable, only forward incremental chains with periodic synthetic or active full backups are supported. Backup Copy Jobs, NAS backups, log shipping and RMAN/SAP HANA/SAP on Oracle backups do not take advantage of the Immutability option, but they can be stored on the same repository.
Backup Copy Jobs configured with GFS retention policy will be able to use the Immutability feature.
In the Hardened Repository design, Veeam components access the Linux repository only with non-root credentials, and only TCP port 6162 is required for communication between the Proxy and the Repository (TCP ports 2500 to 3300 are assigned when needed).
Enforce security for Hardened Repository
To better protect backup data, follow these guidelines to enforce security:
- Although persistent credentials can be used, the new single-use credentials for hardened repository are recommended during deployment, so that the credentials are not stored in Veeam Backup & Replication.
- SSH should be disabled
- iDRAC, iLO or other remote management solutions to the repository should be disabled or hardened
- Time should be synced with a reliable NTP server to prevent time changes by a potential attacker, since a time change could alter the Immutability retention.
Install Ubuntu Server
For this procedure the Ubuntu Linux distribution is used to implement the Hardened Repository. Download the .ISO file for Ubuntu Server 20.04 LTS, then boot your machine to run the installation wizard.
Select the language to use and press Enter.
Specify the keyboard layout to use, select Done then press Enter.
By default the NIC is set to use DHCP. To assign a static IP address, select the NIC and press Enter. Select Edit IPv4 from the available options.
Select Manual as IPv4 Method and press Enter.
Fill all the requested information then select Save and press Enter.
When the static IP address has been set, select Done and press Enter.
If you don't use a Proxy, select Done and press Enter.
Leave the default value, select Done and press Enter.
Set Custom storage layout to create a custom partition scheme. Select Done and press Enter.
In this example, the storage in use has two local disks:
- One disk for the OS
- One disk to store backups
Select the first disk /dev/sda and mark the disk as bootable by selecting Use As Boot Device.
Add a new partition to the first disk. Select the local disk then Add GPT Partition. Note there is a new bios_grub partition type.
Set the Size of the partition and the Format. In the example the file system used is ext4. Select Create then press Enter.
Now select the second local disk /dev/sdb and choose Add GPT Partition.
Specify the Size and use xfs as Format. Create a custom Mount point (in the example veeamrepo) and press Enter to confirm. XFS with reflink works in much the same way as ReFS to optimize performance and disk consumption; Veeam calls this technology Fast Clone.
Once the partition schema has been completed, select Done and press Enter.
Enter the Name, Server name, Username and Password, then select Done.
Select Install OpenSSH Server option to enable SSH. Select Done.
No need to install additional features. Select Done then press Enter to begin OS installation.
The Linux OS is now being installed on the system.
When the installation has completed, select Reboot Now.
Configure the Repository
Log in as the account configured during the OS installation (in the example administrator) and enter the password.
To keep the system up to date, install the latest upgrades with the command:
# sudo apt-get upgrade
Check the file system in use for the partition that Veeam will use to store the backups. In the example, veeamrepo is the dedicated partition formatted as xfs.
# df -Th
Create a local account
You need to create a dedicated local user with the correct permissions so that the Veeam Transport Service has the required rights on the Veeam mount point.
Create the new account used by Veeam and set its password.
# sudo useradd locveeam --create-home -s /bin/bash
# sudo passwd locveeam
We temporarily need to allow the new user to execute commands as root to install the required Veeam services, so the user is added to the sudo group.
# sudo usermod -a -G sudo locveeam
Configure the mount point
Now create a mount point for the partition under /mnt to make it available to all users.
# sudo mkdir -p /mnt/veeamrepo
Edit the /etc/fstab file and modify the mount point from /veeamrepo to /mnt/veeamrepo and save the file.
# sudo vi /etc/fstab
Run the mount command to mount the modified file system without rebooting.
# sudo mount -a
Assign the partition ownership to the created user locveeam.
# sudo chown -R locveeam:locveeam /mnt/veeamrepo/
Check the ownership assigned to the veeamrepo partition.
# cd /mnt/veeamrepo
# ls -ld
Modify the permissions of the veeamrepo folder.
# sudo chmod 700 /mnt/veeamrepo
Check assigned folder permissions.
# ll /mnt
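As an added example (not part of the original post or of Veeam's own tooling), the following POSIX shell helpers apply and verify the repository preparation steps above: the fstab mount-point change from /veeamrepo to /mnt/veeamrepo, the XFS reflink check that Fast Clone depends on, and the ownership and 700-mode check on the repository folder. The function names, the fstab sample and the use of GNU stat/awk are assumptions for this example.

```shell
#!/bin/sh
# Helper checks for the Hardened Repository preparation (added example, not from
# the original post). Assumes GNU coreutils (stat -c) and awk on Ubuntu 20.04.

# Rewrite only the mount-point field (2nd column) of an fstab-style file, so other
# lines and fields stay untouched. Prints the rewritten file to stdout; redirect it
# to a temporary file and review it before replacing /etc/fstab with sudo.
fstab_move_mountpoint() {
    awk -v old="$2" -v new="$3" \
        'BEGIN { OFS = "\t" } $2 == old { $2 = new } { print }' "$1"
}

# Return 0 when xfs_info output (passed as text) reports reflink=1, which Fast
# Clone requires; mkfs.xfs on Ubuntu 20.04 enables it by default.
xfs_has_reflink() {
    printf '%s\n' "$1" | grep -q 'reflink=1'
}

# Return 0 when the file system under the given path is xfs (same information as
# the df -Th check above, but usable from a script).
mount_is_xfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "xfs" ]
}

# Verify the repository folder is owned by the dedicated account and is mode 700,
# so only that account (and root) can traverse it. Returns 1 with a message on mismatch.
check_repo_perms() {
    dir=$1; user=$2
    owner=$(stat -c %U "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    [ "$owner" = "$user" ] || { echo "owner of $dir is $owner, expected $user"; return 1; }
    [ "$mode" = "700" ] || { echo "mode of $dir is $mode, expected 700"; return 1; }
    return 0
}

# Typical use on the repository host once the steps above are done:
#   mount_is_xfs /mnt/veeamrepo && check_repo_perms /mnt/veeamrepo locveeam
#   xfs_has_reflink "$(sudo xfs_info /mnt/veeamrepo)" || echo "reflink is off: no Fast Clone"
```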