Veeam v11: Hardened Repository (Immutability) installation - pt.1

The new Veeam Backup & Replication 11 provides the capability to have immutable backups leveraging Linux with the Hardened Repository.

Already introduced in Veeam v10 to store backups on Object Storage S3 with Object Lock enabled, the Immutability feature protects your backups against overwriting, accidental deletion, ransomware attacks and internal intruders.

A good backup design is the key to a successful data protection strategy and helps avoid data loss that can affect the business. If data are not well protected, a ransomware attack could be a nightmare for administrators.

Blog Series

Veeam v11: Hardened Repository (Immutability) installation - pt.1
Veeam v11: Hardened Repository (Immutability) configuration - pt.2
Veeam v11: Hardened Repository (Immutability) add MFA - pt.3

Requirements

To configure the Immutability for data backups, you need to meet some requirements:

  • Veeam Backup & Replication v11.
  • Although the solution can run as a virtual machine, a physical machine is strongly recommended for security reasons.
  • A 64-bit Linux distribution to host the repository. Ubuntu 20.04 LTS or later is suggested for the highest quality of reflink; RHEL/CentOS 8.2 or later, SLES 15 SP2 and Debian 10 can also be used.
  • The Linux server should support XFS, which enables the use of the Veeam fast cloning technology and is the recommended file system.

Since backups cannot be modified due to Immutability, only forward incremental with periodic synthetic or active full backups are supported. Backup Copy Jobs, NAS backup, log shipping and RMAN/SAP HANA/SAP on Oracle backups won't take advantage of the Immutability option but can be stored on the same repository.

Backup Copy Jobs configured with GFS retention policy will be able to use the Immutability feature.

In a Hardened Repository implementation, Veeam components access the Linux repository only with non-root credentials, and only TCP port 6162 is required for the communication between Proxy and Repository (TCP ports 2500 to 3300 are assigned when needed).

Enforce security for Hardened Repository

To better protect backup data, you should follow some guidelines to enforce the security:

  • Although persistent credentials can be used, the new Single-use credentials for hardened repository are recommended during the deployment to avoid storing the credentials in Veeam Backup & Replication.

  • SSH should be disabled
  • iDRAC, iLO or other remote management solutions to the repository should be disabled or hardened
  • Time should be synced with a reliable NTP server to prevent time changes by a potential attacker. Time changes could alter the Immutability retention.

Install Ubuntu Server

For this procedure the Ubuntu Linux distribution is used to implement the Hardened Repository. Download the .ISO file for Ubuntu Server 20.04 LTS then boot your machine to run the installation wizard.

Select the language to use and press Enter.

Specify the keyboard layout to use, select Done then press Enter.

By default the NIC is set to use DHCP. To assign a static IP address, select the NIC and press Enter. Select Edit IPv4 from the available options.

Select Manual as IPv4 Method and press Enter.

Fill all the requested information then select Save and press Enter.

When the static IP address has been set, select Done and press Enter.

If you don't use a Proxy, select Done and press Enter.

Leave the default value, select Done and press Enter.

Select Custom storage layout to create a custom partition scheme. Select Done and press Enter.

In this example, the storage in use has two local disks:

  • One disk for the OS
  • One disk to store backups

Select the first disk /dev/sda and mark the disk as bootable by selecting Use As Boot Device.

Add a new partition to the first disk. Select the local disk then Add GPT Partition. Note there is a new bios_grub partition type.

Set the Size for the partition and the Format. In the example the file system used is ext4. Select Create then press Enter.

Now select the second local disk /dev/sdb and choose Add GPT Partition.

Specify the Size and use xfs as Format. Create a custom Mount point (in the example veeamrepo) and press Enter to confirm. XFS with Reflink works much the same way as ReFS to optimize performance and disk consumption (synthetic copies are smaller and the process is faster). Veeam calls this technology Fast Clone.

Once the partition schema has been completed, select Done and press Enter.

Select Continue.

Enter the Name, Server name, Username and Password, then select Done.

Select the Install OpenSSH Server option to enable SSH. Select Done.

No need to install additional features. Select Done then press Enter to begin OS installation.

The Linux OS is being installed in the system.

When the installation has completed, select Reboot Now.

Configure the Repository

Log in with the account configured during the OS installation (in the example administrator) and enter the password.

To keep the system up to date, refresh the package index and install the latest upgrades with the command:

# sudo apt-get update && sudo apt-get upgrade

Check the file system in use for the partition that will be used by Veeam to store the backups. In the example, veeamrepo is the dedicated partition formatted as xfs.

# df -Th

Create a local account

You need to create a dedicated local user with the correct permissions so that the Veeam Transport Service has the correct rights to the Veeam mount.

Create the new account used by Veeam and create the password.

# sudo useradd locveeam --create-home -s /bin/bash
# sudo passwd locveeam

We need to temporarily allow the new user to execute commands as root to install the required Veeam services. The user is added to the sudo group.

# sudo usermod -a -G sudo locveeam

Configure the mount point

Now create a mount point for the partition under /mnt to make it available to all users.

# sudo mkdir -p /mnt/veeamrepo

Edit the /etc/fstab file and modify the mount point from /veeamrepo to /mnt/veeamrepo and save the file.

# sudo vi /etc/fstab

Run the mount command to mount the modified file system without rebooting the system.

# sudo mount -a

Assign the partition ownership to the created user locveeam.

# sudo chown -R locveeam:locveeam /mnt/veeamrepo/

Check the ownership assigned to the veeamrepo partition.

# cd /mnt/veeamrepo
# ls -ld

Modify the permissions of the veeamrepo folder.

# sudo chmod 700 /mnt/veeamrepo

Check the assigned folder permissions.

# ll /mnt

Enable XFS with Reflink

By default, Ubuntu doesn't enable Reflink when a partition is formatted as XFS during the installation procedure. Veeam requires the file system to be formatted with Reflink enabled to leverage Fast Clone (which is based on Reflink) and optimize space and performance during Synthetic Full operations.

Access your hardened repository and retrieve the list of disks installed in Ubuntu to identify the disk used as repository.

# sudo fdisk -l

Since the partition has been mounted during the installation procedure, we first need to unmount it.

# sudo umount /mnt/veeamrepo

Once the partition has been unmounted, we need to format it with the parameters required by Veeam to leverage Fast Clone: Reflink enabled and CRC enabled.

# sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdb -f

Since the UUID has changed due to this operation, we need to retrieve the new UUID and amend the /etc/fstab file to mount the partition automatically.

# sudo blkid /dev/sdb

Update the /etc/fstab file with the new UUID.

# sudo vi /etc/fstab

Reload configured partitions.

# sudo mount -a

Assign ownership and permissions to the /mnt/veeamrepo folder once again.

# sudo chown -R locveeam:locveeam /mnt/veeamrepo/
# sudo chmod 700 /mnt/veeamrepo

Check the assigned permissions.

# ll /mnt
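
The checks this section performs by eye (Reflink and CRC enabled, /etc/fstab pointing at the new UUID, ownership and mode of the mount point) can be scripted. The following is an added example, not part of the original article or of Veeam's tooling; the function names are hypothetical, and /mnt/veeamrepo and locveeam are the article's example values.

```bash
#!/usr/bin/env bash
# Added example (not from the article): checks for the repository built above.
# Function names are hypothetical; /mnt/veeamrepo and locveeam are the
# article's example values.

# Succeeds only if `xfs_info` output on stdin shows crc=1, reflink=1 and a
# 4096-byte data block size, i.e. the mkfs.xfs parameters used above.
check_xfs_features() {
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i ~ /^crc=1,?$/) crc = 1
               if ($i ~ /^reflink=1,?$/) reflink = 1
               if ($1 == "data" && $i ~ /^bsize=4096,?$/) bsize = 1 } }
         END { exit !(crc && reflink && bsize) }'
}

# Prints the UUID that fstab file $1 mounts on mount point $2. Accepts both
# the UUID=... and the /dev/disk/by-uuid/... spellings.
fstab_uuid() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
        sub(/^(UUID=|\/dev\/disk\/by-uuid\/)/, "", $1); print $1 }' "$1"
}

# Succeeds only if directory $1 is owned by user $2 and group $3, mode 700.
check_repo_dir() {
    [ "$(stat -c '%U:%G %a' "$1")" = "$2:$3 700" ]
}

# Runs every check against the live system (run as root so blkid can read
# the device). Usage: verify_repo /mnt/veeamrepo locveeam
verify_repo() {
    dev=$(findmnt -no SOURCE "$1") || { echo "$1 is not mounted"; return 1; }
    xfs_info "$1" | check_xfs_features \
        || { echo "reflink/crc/block size not as required"; return 1; }
    [ "$(fstab_uuid /etc/fstab "$1")" = "$(blkid -s UUID -o value "$dev")" ] \
        || { echo "/etc/fstab UUID does not match $dev"; return 1; }
    check_repo_dir "$1" "$2" "$2" \
        || { echo "owner or mode of $1 is wrong"; return 1; }
    echo "OK: $1 on $dev"
}

# Constructed xfs_info output for a file system created without reflink
# (the installer default described above); the check must reject it.
SAMPLE_NO_REFLINK='meta-data=/dev/sdb  isize=512  agcount=4, agsize=655360 blks
         =          crc=1      finobt=1, sparse=1, rmapbt=0
         =          reflink=0
data     =          bsize=4096 blocks=2621440, imaxpct=25'
printf '%s\n' "$SAMPLE_NO_REFLINK" | check_xfs_features \
    || echo "sample: reflink not enabled, reformat before use"
```

A stale UUID in /etc/fstab only shows up at the next reboot, when the repository fails to mount, so `verify_repo` is worth running right after the `mount -a` step.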

The configuration of the physical Hardened Repository is now complete. Part 2 will cover the configuration of Veeam Backup & Replication v11 to take advantage of the Immutability feature.
