How To Deploy Hardened Repository
Before you deploy a hardened backup repository, check limitations and considerations.
General recommendations to maximize the repository security:
- Add a Linux server that you want to use as a backup repository under non-root credentials.
- Use a newly-added host, not an old repository.
- Use single-use credentials for a hardened repository. If Veeam Backup & Replication is compromised, the attacker will not be able to connect to the host because single-use credentials are not stored in the Veeam Backup & Replication database.
- Disable SSH connection on a hardened repository or disable specific users so that they do not have access via SSH.
If you want to deploy a hardened repository, perform the following steps:
- Prepare the directory on a Linux server for backups.
- Add the Linux server to the Veeam Backup & Replication infrastructure.
- Add the backup repository role to the Linux server and enable the immutability option.
Create a separate folder where immutable backups will be stored. Allow access to this folder only for the account that you plan to use to connect to the Linux server. Use the following commands:
- To create the folder:
- To assign the folder's owner:
chown -R owner:group <folder_path>
- To allow access to the folder only for its owner and root account:
chmod 700 <folder_path>
where <folder_path> is the path to the folder you are creating.
Both owner and group can be the account that you plan to use to connect to the Linux server.
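The directory preparation above as one script, added here as an illustration and not taken from Veeam: it creates the folder, applies the chown and chmod steps, then audits that the folder is still restricted to its owner. The mkdir -p call, the function names, and the path and account in the usage comment are assumptions; stat -c and find -quit require GNU tools.

```bash
#!/usr/bin/env bash
# Added example, not Veeam code. Assumes GNU coreutils/findutils on the Linux server.

# prepare_repo_dir <folder_path> <owner> <group>
# Create the folder, assign its owner, and restrict access to the owner (and root).
prepare_repo_dir() {
    local dir="$1" owner="$2" group="$3"
    mkdir -p -- "$dir" || return 1          # assumed command for the "create" step
    chown -R -- "$owner:$group" "$dir" || return 1
    chmod 700 -- "$dir" || return 1
}

# audit_repo_dir <folder_path> <owner>
# Returns 0 only if the folder is mode 700, owned by <owner>, and holds nothing
# owned by another account. Prints one line per finding.
audit_repo_dir() {
    local dir="$1" owner="$2" rc=0 mode actual stray
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    mode=$(stat -c '%a' -- "$dir")
    actual=$(stat -c '%U' -- "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: mode is $mode, expected 700"; rc=1
    fi
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: owner is $actual, expected $owner"; rc=1
    fi
    # chown -R should have covered everything below the folder; report the first stray entry.
    stray=$(find "$dir" ! -user "$owner" -print -quit)
    if [ -n "$stray" ]; then
        echo "FAIL: $stray is not owned by $owner"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is restricted to $owner"
    return "$rc"
}

# Usage (as root on the repository server; path and account are placeholders):
#   ./prep-repo.sh /mnt/backups/immutable veeamrepo veeamrepo
if [ "$#" -eq 3 ]; then
    prepare_repo_dir "$1" "$2" "$3" && audit_repo_dir "$1" "$2"
fi
```

Running audit_repo_dir on a schedule catches permission drift, such as a later chmod that reopens the folder to group or other.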
Alternatively, you can use a Linux server that is already added to the backup infrastructure.
- Use temporary credentials to avoid storing the credentials in the Veeam Backup & Replication database. To do that, click Add and select Single-use credentials for hardened repository.
- In the Credentials window, for the user account that you plan to use to connect to the Linux server, select the Elevate account privileges automatically and the Use "su" if "sudo" fails check boxes. After that, you can use the immutability option with an existing repository if you have enough rights to use this repository as a user without root credentials. For more information, see Linux Accounts (User Name and Password).
Use the New Backup Repository wizard to add the backup repository. For more information, see Adding Backup Repositories. Pay attention to Step 4. Configure Backup Repository Settings: select the Make recent backups immutable for check box and specify the immutability period.
After you have added the host (for single-use credentials) or the repository (for persistent credentials), disable SSH connection for the account that you plan to use to connect to the Linux server. If you can work with the server from the console, disable SSH connection for the server itself.