Protect your backups: Veeam v11 hardened repository with immutability

veeam hardened repository

Backups are your treasure if the worst comes to the worst.

With Veeam Backup & Replication v11 the new hardened (immutable) repository is available to safeguard your valuable data in an easy but effective way.

So how does that work out?

The repository itself must be based on Linux.

It makes sense to use a distribution that supports Veeam Fast Clone (based on reflink technology). Doing so enables the XFS filesystem to reuse the same data blocks between files, providing “a kind of deduplication” (takes up less space) and makes copy operations much faster.

When you add the new linux repository to your Veeam infrastructure the wizard offers a new configuration setting:

Just configure a number of days to proctect backups from modification or deletion by ransomware or hackers.

As backup files are protected against modification/deletion in the hard way, you have to choose a compatible backup chain. Only forward incremental chains with active or synthetic fulls are possible.
So take care to chose the correct chain when configuring your backup jobs.

By the way, when talking about GFS full backups (eg. monthly, yearly,… backups) – they are made immuatable for the entire duration of their retention policy. Perfect protection even for long time retention!

Now we have a linux based repository with XFS filesystem and immutable backup files. To reach full protection, no connections except for Veeam transport service are allowed to be open/enabled (eg. no SSH,…).
As a consequence, no other Veeam roles can be hosted on this repository server.

From the outside, only port TCP 6162 and some highports (TCP 2500 to 3300 only assigned when needed) as transmission channels are in use:

All Veeam components are accessing the linux repository with non-root user credentials.

Inside the linux repository, a service with higher privileges is taking care of the immutability flag.

With the lsattr command you can list the file attributes in a Linux shell:

So even if your Veeam infrastructure and/or domain is compromised, there is no way to modify the backup files on your hardened repository.

Best practices:

  • use XFS as filesystem
  • disable all SSH connections
  • during setup: use single-use credentials to add the hardened repository at the SSH connection step of the “add new linux server” wizard
  • use a compatible backup chain (forward incremental with active or synthetic fulls)

Important note about time synchronization:

Synchonize time with a reliable NTP server!
Because if you sync time eg. with a domain controller which is compromised, attackers can perform a “time travel” to by-pass the configured immutability time.

You can reach this eg. with a hardware dongle syncing time via GPS.

Remote access to server console via IPMI interfaces:

HPE iLO, Dell IDRAC and other out-of-band management interfaces should be disabled or hardened as they offer remote access.

Are all job types supported?

Hardened repository can store all kind of Veeam backup data. But immutability will not apply to backup files created with NAS backup, Veeam Enterprise plugins (RMAN/SAP HANA/SAP on Oracle) and log shipping (transaction log backups)

You want to learn more about this feature?

Check out the following resources:

vnote42 – New in Veeam v11: Hardened Repository – Immutable backups

Leave a Comment

Your email address will not be published. Required fields are marked *