This site is deprecated

Hardening Backup Repository - Linux


Last updated 5 years ago

Veeam Backup & Replication, even though it is mainly Windows-based software, can also use Linux servers as its backup repositories. The requirements are bash shell, SSH and Perl. Please check the full list of required Perl modules here: https://www.veeam.com/kb2216.

Important: A 64-bit edition of Linux must be able to run 32-bit programs. Pure 64-bit Linux editions are not supported (the Perl installation must support 32-bit variables).

Best practices for hardening Linux-based Veeam backup repositories are:

0. K.I.S.S. design - Keep It Simple and Straightforward.
1. Make sure the servers are physically secured.
2. Create a dedicated repository account for Veeam, that can access the folder where you store backups.
3. Set permissions on the repository directory to only that account.
4. You do not need root to use a Veeam Linux repository. Also do not use sudo.
5. Modify the firewall, with dedicated rules for Veeam to allow access to specific ports.
6. Use Veeam encryption while storing backups on the repository.

Note: In the example below, CentOS is used as the Linux distribution. Please adapt the commands to your own distribution if needed.

Create a Dedicated Repository Account

Veeam only needs a regular user that has sufficient permissions to the folder where you want to store backups. Not even sudo is required. Besides, it is generally not considered best practice to provide sudo access to accounts used for Linux repositories. Far better is to create a restricted user and set the permissions on the repository directory to only that user.

Actually, the only real reason Veeam may need a root account at all is to initially modify sudoers, but if people are willing to add the Veeam user account to sudoers manually (or via some configuration management) then we don’t need a root account as we’ll just use a regular account and sudo when required for things like file restore.

CentOS allows you to create a new regular user directly during the installation process:

CentOS Example

Let’s say we didn’t create any user yet, so we only have the root account in this machine. We first create a new dedicated user for our backups:

useradd -d /home/repouser -m repouser

passwd repouser

Set Permissions on the Repository Directory

In this new Veeam Linux Repository we mounted a new backup volume as /mnt/veeamrepo with 200GB of free space.

Let's set the folder permissions so that only the newly created user is allowed access to the folder /mnt/veeamrepo:

chown repouser:repouser /mnt/veeamrepo

chmod 700 /mnt/veeamrepo

With these commands we changed the ownership of the folder to the user repouser, and we gave full permissions to this user only, over the folder. Only this user has rwx permissions. All other accounts would be denied access.
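
A check for the result of the steps above, as an added example that is not part of the original guide: it verifies that the directory is owned by the repository account with mode 700 and that the account is neither root nor in a sudo-granting group. The function names are hypothetical; `repouser` and `/mnt/veeamrepo` are the values used on this page.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are made up here;
# repouser and /mnt/veeamrepo are the values used on this page.

# Succeeds (0) only if DIR is owned by USER and its mode is exactly 700.
check_repo_dir() {
    local dir=$1 user=$2 owner mode rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    owner=$(stat -c '%U' "$dir")   # owning user name
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 700
    [ "$owner" = "$user" ] || { echo "FAIL: owner is $owner, expected $user"; rc=1; }
    [ "$mode" = "700" ] || { echo "FAIL: mode is $mode, expected 700"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir is owned by $user with mode 700"
    return "$rc"
}

# Succeeds (0) if the space-separated group list contains a group that
# commonly grants sudo (wheel on CentOS/RHEL, sudo on Debian/Ubuntu).
in_sudo_group() {
    local g
    for g in $1; do
        case $g in
            wheel|sudo) return 0 ;;
        esac
    done
    return 1
}

# Full audit: directory ownership and mode, plus the account itself.
audit_repo() {
    local dir=$1 user=$2 rc=0
    check_repo_dir "$dir" "$user" || rc=1
    if [ "$user" = "root" ]; then
        echo "FAIL: the repository account must not be root"; rc=1
    elif in_sudo_group "$(id -nG "$user" 2>/dev/null)"; then
        echo "FAIL: $user is a member of a sudo-granting group"; rc=1
    fi
    return "$rc"
}

# Usage: ./audit-repo.sh /mnt/veeamrepo repouser
if [ "$#" -eq 2 ]; then
    audit_repo "$1" "$2"
fi
```

The group test only covers membership in `wheel` or `sudo`; entries added directly to sudoers are not visible to an unprivileged check and need a separate review as root.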

Configure the Linux Repository in Veeam

Open the Veeam Backup & Replication console and add a Linux Repository. At the credentials step, register the username you created before, with its password:

Note: Before you can populate the list of available folders, remember you need to have the required Perl modules installed.

If the software prerequisites are all satisfied, you will see the volume among the available ones:

Select the volume and complete the wizard; your Linux repository is then ready to be used.

Modify the Firewall

Before starting any backup, there is one more thing you need to configure. Because you were able to connect through SSH, you may think that the Linux firewall is not enabled, but in reality it is. So, if you just try to run a backup, you will get an error at the initializing storage step:

The error says: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.10.51.51:2500". This means that the proxy tried to connect to the repository over port 2500 (one of the dynamic RPC ports Veeam uses) but this port was not reachable, because the firewall is still up and running.

You can test whether the firewall is the cause by disabling it with these two commands:

systemctl disable firewalld

systemctl stop firewalld

Run the backup again. If it does not fail this time, you know that you have to create some dedicated rules for Veeam in the firewall.

Rules that need to be added are:
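
One way to script such rules with firewalld once the test is done, as an added example that is not part of the original guide: it re-enables the firewall and opens the Veeam data ports only to the given source addresses. The port range, the source addresses, the `public` zone and the function names are assumptions; take the range from Veeam's port documentation for your version.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Function names, the zone and
# the sample values in the usage line are assumptions; the port range must
# come from Veeam's port documentation for your version.

# Print one firewalld rich rule per source address (backup server, proxies),
# allowing TCP to the given port or port range from that address only.
veeam_rich_rules() {
    local ports=$1 src
    [ $# -ge 2 ] || { echo "usage: veeam_rich_rules PORTS SRC..." >&2; return 1; }
    shift
    case $ports in
        ''|*[!0-9-]*|-*|*-) echo "invalid port range: $ports" >&2; return 1 ;;
    esac
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "invalid IPv4 source: $src" >&2; return 1 ;;
        esac
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' \
            "$src" "$ports"
    done
}

# Re-enable firewalld after the disable/stop test and load the rules.
apply_veeam_rules() {
    local zone=${VEEAM_ZONE:-public} rules rule
    rules=$(veeam_rich_rules "$@") || return 1
    systemctl enable --now firewalld || return 1
    while IFS= read -r rule; do
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    done <<EOF
$rules
EOF
    firewall-cmd --reload
}

# Usage (as root): ./veeam-fw.sh PORTS SRC...
# Sample values only: ./veeam-fw.sh 2500-3300 10.10.51.10
if [ "$#" -ge 2 ]; then
    apply_veeam_rules "$@"
fi
```

Running the script with one source address per Veeam component that talks to the repository keeps the data ports closed to every other host on the network.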

Use Veeam Encryption

Regarding keeping root out of the backup folder on the Linux repository, there is really no practical way to do this. Some would say you can create an SELinux/AppArmor policy, but the problem is that a user who is root can almost certainly reboot the system with these policies disabled and/or change these policies.

Otherwise, in every other scenario like the one described, root can access the folder as much as the dedicated user. In the Linux world, the normal way to protect your files from root is to use per-user encryption. This is why many Linux distributions ask you to set up home directory encryption during install. The root user can still access the files, but all of the data is encrypted and cannot be read without the passphrase. Veeam recommends using Veeam encryption for this use case to provide the same level of protection.

https://www.veeam.com/kb2216