Tips for Enhanced Security of Hardened Repository
We recommend that you follow the tips below to maximize repository security and protect your data from different attacks:
- Change file permissions for authentication certificates on the Linux server so that unwelcome non-root users cannot connect to Veeam Data Mover. Use the following commands:
  - To create the folder:
    mkdir -p /opt/veeam/transport/certs
  - To change the folder's owner:
    chown owner:group /opt/veeam/transport/certs
    Both owner and group can be the account that you plan to use to connect to the Linux server.
  - To allow access to the folder for the root account and the account required for Veeam Data Mover to function:
    chmod 700 /opt/veeam/transport/certs
Keep in mind that a hardened repository requires persistent Veeam Data Movers. For Veeam Data Mover to be persistent, you must specify an account with root-equivalent permissions when adding the Linux server to the backup infrastructure. For security purposes, the rights of Veeam Data Mover are reduced: an SSH connection is necessary only for the deployment of Veeam Data Mover to the Linux server. After Veeam Data Mover is deployed, you can disable SSH, so that backup infrastructure components use server and client certificates for authentication.
You can also use the chmod 770 command to grant the same permissions to the group.
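To confirm that the mkdir, chown and chmod steps above took effect, the following check can be run on the Linux server. It is an added example, not part of the Veeam documentation or tooling; the function name audit_cert_dir is hypothetical, it assumes GNU stat, and the scan for loosely permitted entries inside the folder goes beyond what the page itself prescribes.

```shell
#!/bin/sh
# Added example: audit the certificate folder after the mkdir/chown/chmod steps.
# Usage: audit_cert_dir DIR OWNER GROUP   (returns 0 if compliant, 1 if not)
# OWNER and GROUP are the account you chose for "chown owner:group".
audit_cert_dir() {
    dir=$1; want_owner=$2; want_group=$3; rc=0

    # A symlink here could redirect certificate storage to another location.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, not a directory, or a symlink"
        return 1
    fi

    # GNU coreutils stat: %a octal mode, %U owner name, %G group name.
    mode=$(stat -c %a "$dir")
    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")

    case $mode in
        700|770) ;;   # the two modes the page allows
        *) echo "FAIL: mode $mode, expected 700 or 770"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group $group, expected $want_group"; rc=1; }

    # Extra check (beyond the page): nothing inside should grant "other" access.
    loose=$(find "$dir" ! -path "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "FAIL: entries accessible to other users:"
        echo "$loose"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir is $mode $owner:$group"
    return "$rc"
}

# Run only when called with the three arguments, for example:
#   sh audit.sh /opt/veeam/transport/certs owner group
if [ "$#" -eq 3 ]; then
    audit_cert_dir "$@"
fi
```

Run it as root or as the folder's owner, because a correctly restricted folder cannot be read by any other account.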