
Veeam: Veeam Hardened Repository information and basic installation with Rocky Linux

Even though the ready-to-use “Veeam Hardened Repository Installer ISO” is now available from Veeam, in some cases it still makes sense to install the hardened repository manually.

In this blog post, I would like to explain the basic installation of a hardened repository on Rocky Linux, as well as connecting a hardened repository to several IP networks (multihoming).

What is a hardened repository?

First of all, the question is: What is a hardened repository?
Veeam Hardened Repositories provide secure, efficient and reliable backup storage. A hardened repository is an x86 server running Linux with an XFS file system (immutability relies on the file attribute that chattr sets), with the backup storage attached via Fibre Channel/iSCSI or provided by internal disks.

The Linux system should be hardened to the DISA STIG during or right after installation. Once the repository has been registered in Veeam with single-use credentials, SSH is disabled completely and all further communication runs through the Veeam transport service that VBR deployed on the host. Immutability is implemented with the immutable attribute of the XFS file system (the i flag, set with chattr +i and shown by lsattr), which Veeam manages per backup file from the backup server. While the immutability period is running, the file cannot be deleted, renamed or modified, not even by its owner. The only way around this is to remove the i flag manually with root privileges on the repository itself, which is why local root access is the thing that has to be protected.
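As an added example (not part of the original post), here is what the mechanism looks like from the shell, plus a small audit function that walks a repository tree with lsattr and reports backup files that do not carry the immutable attribute. That is the check you want after the immutability period has been set, and again after any maintenance done with root rights. The path /mnt/veeam and the .vbk/.vib file extensions are assumptions; the lsattr lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the repository is mounted
# under /mnt/veeam and that backup files use Veeam's .vbk/.vib extensions.
#
# Manual demonstration of the mechanism (needs root on the repository):
#   touch /mnt/veeam/demo.vbk && chattr +i /mnt/veeam/demo.vbk
#   lsattr /mnt/veeam/demo.vbk      # ----i----------------- /mnt/veeam/demo.vbk
#   rm /mnt/veeam/demo.vbk          # rm: cannot remove ...: Operation not permitted
#   chattr -i /mnt/veeam/demo.vbk   # only root can do this: the weak spot to guard

# audit_immutable [DIR|-]
#   Reads "lsattr -R DIR" (or lsattr output on stdin when the argument is "-")
#   and prints every .vbk/.vib file without the 'i' flag.
#   Returns 0 when all backup files are immutable, 1 otherwise.
audit_immutable() {
  local dir=${1:-/mnt/veeam} attrs path found=0 total=0
  if [ "$dir" = "-" ]; then
    cat
  else
    lsattr -R "$dir" 2>/dev/null
  fi | {
    while read -r attrs path; do
      # lsattr -R also prints "dir:" header lines and blank lines; skip those
      [ -n "$path" ] || continue
      case "$path" in
        *.vbk|*.vib) ;;        # full and incremental backup files
        *) continue ;;         # .vbm metadata and anything else stays mutable
      esac
      total=$((total + 1))
      case "$attrs" in
        *i*) ;;                # immutable attribute present
        *) printf 'NOT IMMUTABLE: %s\n' "$path"; found=$((found + 1)) ;;
      esac
    done
    printf 'checked %d backup files, %d without immutable flag\n' "$total" "$found" >&2
    [ "$found" -eq 0 ]
  }
}

# Usage on the repository itself (console, since SSH is off):
#   audit_immutable /mnt/veeam || echo "some backup files are not protected"
```

Files inside a running immutability period must show the i flag; a .vbk/.vib without it is either past its immutability period (then Veeam will delete it by retention) or had the flag removed by hand, which is what this check is meant to surface.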

Why immutability?

In the backup context, immutability refers to the unchangeability of backup data over a defined period of time: the backed-up data cannot be changed, deleted or overwritten during that period. This is essential to protect the integrity of backups against malware, accidental deletion or other forms of data manipulation.

VBR – Hardened Repository 1:1 relationship

What you need to keep in mind when planning: a hardened repository can only be connected to one VBR server at a time (a 1:1 relationship). The VBR server deploys its components (installer service, transport service, …) and issues a certificate for the repository, so a second VBR server cannot simply add the same repository and manipulate the data on it.
This has to be taken into account when planning projects with multiple VBR servers.

Why install it manually when there is a ready-to-use installation ISO?

In one of my other posts, I have reported on the “Veeam Hardened Repository ISO”. This naturally raises the question of why you should still install the repo manually. The answer is the restrictions on external disks for the Hardened Repository ISO: as of January 2025, iSCSI or Fibre Channel LUNs provisioned to the server are not supported, and multipathing for storage volumes is not supported either.
The multipath restriction in particular is relevant in my projects, because multipathing is used for path redundancy.
If one of these restrictions applies, a manual installation is required. Otherwise, I would recommend using the ready-to-use ISO.

What OS?

In the past, I always liked to use Ubuntu for my installations. Ubuntu is quite easy to install and is also suitable for beginners. However, security profiles cannot be applied from the installer (except with Ubuntu Pro); the hardening has to be applied afterwards using additional scripts. That is why I now rely on Rocky Linux. The installation is also quite simple, and the DISA STIG profile can be selected and applied directly during the installation.
Rocky Linux is an open source Linux distribution that was developed as a replacement for CentOS. It was created by the community after Red Hat announced the end of CentOS Linux (in favour of CentOS Stream). Rocky Linux focuses on providing a stable and reliable platform for companies and developers, built from the Red Hat Enterprise Linux (RHEL) sources.

The support period for a major version (Rocky Linux 9) is 10 years; a minor version (9.4, 9.5, …) is supported for about 6 months, until the next minor release. More information on support can be found under the following link: Rocky Linux Release and Version Guide – Rocky Linux Wiki

Virtual or physical repo?

Sometimes I get asked whether the Linux hardened repo can also be installed virtually as a VM for production and simply run alongside the VBR. Here a clear NO!
The hardened repo can be installed virtually for test purposes (or for illustration, as in the instructions below), but this is not recommended for production. The immutability of the backup data only holds inside the guest OS: at the hypervisor level the VM can still be deleted, its virtual disks can be manipulated, or the datastore can be encrypted, and none of that is stopped by the i flag. A physical installation ensures that these properties cannot be undermined from the hypervisor layer, keeps the backup data separate from production data, and is not exposed to security vulnerabilities in the hypervisor.

IP-Multihomed Repository

In one of my last projects there was a separate backup network (the VBR server and all backup components are in this network), to which the Hyper-V hosts are connected with an additional IP address. Servers with a Veeam agent installed (physical servers, Exchange cluster, SQL server, …) are located in a different network. The networks are not routed and are both configured on the switch as separate VLANs. After configuring the backups, the agent backups did not work, because the repository is in the other network and the agent transfers its data directly to the repository (a gateway setting for agent backup jobs would help here, but unfortunately does not exist). Routing between the networks is currently not possible, so I configured a second VLAN interface with an IP address from the agent network on the repository.
I know that this configuration is not exactly elegant, especially in terms of security: the repository now has an interface in a second, less controlled network, so the host firewall should only allow what the agents need on that interface. But it makes it possible to back up to the repository from both (non-routed) networks.
If someone has a similar situation, this is one way to back up to the repository from both networks.

Important: the repository is added to the VBR server with its primary IP address (or host name) only. Adding it a second time with the other IP address is not possible (certificate, duplicate DB entries, etc.).
And IP multihoming is only possible with the manual installation!

I will explain the configuration of an additional IP in a following blog post.

Hardware + Software Requirements:

  • x86 server with matching OS support
    • OS support for the hardware
    • OS support by Veeam
  • Same CPU and RAM sizing as for a regular Linux repository
  • RAID1 for the OS (SSD, min. 100 GB)
  • RAID6 or RAID60 for the backup data (min. 1 hot spare)
    • Controller write-back cache: enabled (only with a battery- or flash-backed cache)
    • Internal disk cache: disabled
    • RAID stripe size: 128 KB or 256 KB
  • UEFI Secure Boot
  • Correct time configuration
  • TPM chip
  • Redundant network (ideally LACP)
  • Static IP
  • Connection to a DNS server (all used IPs resolvable forward and reverse)
  • Connection to an NTP server
  • Temporary Internet access for updates

Installation Veeam Rocky Linux Hardened Repository

Download Rocky Linux

Rocky Linux can be downloaded directly from the official website.
Here you need the “normal” DVD ISO (the minimal ISO does not contain all the packages that the DISA STIG profile requires).

Download – Rocky Linux

If you choose the minimal ISO, the installer shows an error message in the security profile step.

Boot

Mount the ISO via virtual media (ILO/iDRAC) or write it to a boot stick, then boot into the installer.

Installation Summary

After startup, you will be asked for the language in which to run the installation wizard.

Then the Installation summary appears.

Localization

  • Keyboard
    • Choose the correct keyboard layout
  • Language Support
    • Select the required language (I recommend selecting English here. This is often easier in the case of support, as English is the most frequently used language)
  • Time&Date
    • Choose region and city
    • Possibly adjust time and date
    • Set time server or time server pool (connection can first be tested when network configuration is set)

Software

  • Installation Source
    Nothing needs to be adjusted here, as we are installing from the local ISO.
  • Software Selection
    Select “Minimal Install” (sufficient for our requirements; the packages the DISA STIG profile requires are added automatically once the profile is selected).

System

  • Installation Destination

Partitioning is probably the most difficult part of the installation.
For partitioning, it makes sense to use LVM (Logical Volume Manager) because of the flexibility it gives later: logical volumes can be extended at any time, so the repository can grow, and all RAID sets of the server can be combined into one repository (instead of a scale-out backup repository with one mount point per RAID set).
To get a DISA STIG compliant installation, the layout of the OS disk must be adjusted: the STIG profile expects /home, /var, /var/log, /var/log/audit, /tmp and /var/tmp on separate mount points, in addition to /boot, /boot/efi and swap.

The layout must look like this according to Veeam best practice (I use the maximum values where possible; the minimum values are based on a 100 GB disk):

All disks must be marked and “Custom” must be set for “Storage Configuration”. After clicking on “Done”, the partitioning wizard appears.

Here we decide on “LVM” as the “partitioning scheme”

In the partitioning wizard, one partition after the other is now created by clicking on “+”.

We start with the “/boot” partition.

After specifying the mount point and the size, the correct disk must be set under “Devices” using “Modify”. The same applies to “/boot/efi”

Then we create the first LVM volume, “/home”.

After specifying the mount point and the size, the “Volume Group” must now be modified to the operating system disk using “Modify”.

All further partitions can be created without further adjustment of the disks according to the table above.

For the swap volume, enter “swap” as the mount point; the file system type must be set to “swap” and confirmed with “Update Settings”.

The last volume to create is the Veeam repository volume. For this we create a new mount point “/mnt/veeam” and do not specify a size (so the remaining free space is simply used).

Select the mountpoint and create a new volume group.

Select the appropriate disks and click on “save”.

Now we have to adjust the size of the mountpoint to the maximum and confirm with “Update Settings”.

The installer creates the XFS file system with the parameters required for fast clone (4 KB block size, crc and reflink enabled). These can be checked afterwards with xfs_info on the mount point:
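As an added example (not from the original post), a small shell check that parses xfs_info output and verifies the three settings fast clone depends on. The mount path /mnt/veeam and the volume name in the mkfs.xfs comment are assumptions; the xfs_info output used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an XFS repository
# volume has the settings Veeam needs for fast clone (reflink=1, crc=1,
# 4 KiB block size). The mount path /mnt/veeam is an assumption.
#
# If the volume has to be created by hand instead of in the installer, these
# are the corresponding mkfs.xfs options (volume name assumed):
#   mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/vg_veeam/lv_veeam

# check_xfs_fastclone [MOUNT|-]
#   Parses "xfs_info MOUNT" (or xfs_info output on stdin when the argument is "-").
#   Prints what is wrong and returns 1 if any setting is missing.
check_xfs_fastclone() {
  local target=${1:-/mnt/veeam} info rc=0
  if [ "$target" = "-" ]; then
    info=$(cat)
  else
    info=$(xfs_info "$target") || return 1
  fi
  # crc and reflink appear as "crc=1" / "reflink=1" on the meta-data lines
  printf '%s\n' "$info" | grep -qE '(^|[[:space:]])crc=1([,[:space:]]|$)' \
    || { echo "crc=1 missing (metadata checksums are required for reflink)"; rc=1; }
  printf '%s\n' "$info" | grep -qE '(^|[[:space:]])reflink=1([,[:space:]]|$)' \
    || { echo "reflink=1 missing (no fast clone without reflink)"; rc=1; }
  # the block size that matters is the one on the "data" line, not the log/naming ones
  printf '%s\n' "$info" | grep -qE '^data .*[[:space:]]bsize=4096([,[:space:]]|$)' \
    || { echo "data block size is not 4096"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: XFS volume is fast-clone capable"
  return "$rc"
}

# Usage on the repository:  check_xfs_fastclone /mnt/veeam
```

Without reflink, Veeam falls back to copying blocks for synthetic fulls, which works but loses the space and time savings of fast clone; without crc, reflink cannot be enabled at all.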

By clicking on “Done” we get an overview of what will be changed. We confirm this with “Accept Changes”

  • Network & Host Name
  • Hostname

It’s best to add the hostname first, otherwise it’s easy to forget 🙂

  • Network

Build a bond from the two (or more) adapters.
Click on “+” and select “Bond”.
(If no LACP/bond is used, simply assign the correct IP/network settings to the appropriate adapter.)

Now add both adapters with the type “Ethernet”.

I prefer LACP here, spanned over two switches (MLAG/stack), which adds path redundancy. Select “802.3ad” as the mode; the switch ports must be configured as an LACP port channel, otherwise no traffic will flow over the bond.

Enter the desired IP address, netmask, gateway, DNS servers and search domains in the IPv4 settings.

Click on “Done” to apply the settings.

  • Security Profile 

Select the “DISA STIG for Red Hat Enterprise Linux 9” profile and click on “Select profile” (this applies it).

The profile automatically sets the security configuration and checks the partition layout against its rules (separate mount points for /home, /var, /var/log, /var/log/audit, /tmp and /var/tmp).
If errors are shown, the partition layout must be corrected before continuing.

The profile also adds the packages it needs to the installation, which is the reason the full DVD ISO is required.

User Settings

The user and ILO/iDRAC/… passwords should be stored securely and, if possible, not in the central password manager: if the central password manager (often AD-integrated) is compromised, the attacker also holds the credentials for the repository, which is exactly the system that is supposed to survive such a compromise.

The password must match the DISA STIG complexity requirements (enforced by pam_pwquality):

  • at least 1 numeric character
  • at least 1 lower case letter
  • at least 1 upper case letter
  • at least 15 characters
  • at least 1 special character
  • maximum 4 characters of the same character class in a row (e.g. 4 lower case letters, 4 digits)
  • 24h minimum password lifetime (a password can only be changed once per day)
  • Root Password
    The root user is not really needed and should not be used routinely. Because I occasionally had problems entering passwords during installation and the other user was then locked (after 3 failed logins/password changes the account is locked), I enable root and set a password. Without root, I would also no longer be able to make changes to the repo later, once the administrative user's sudo rights have been removed. Note that the STIG profile blocks root logins via SSH anyway, so root is only usable on the console (ILO/iDRAC). You have to decide for yourself whether you want a root user or not.
  • User Creation
    This user is needed for administration and for adding the repo to Veeam.
    Fill in the fields and tick “Make this user administrator” (Veeam needs sudo to install its components later).
    The password is used for the installation and the first login; a new password must be set immediately afterwards.

Start installation

Once all the parameters have been entered, the installation can be started by clicking on “Begin installation”. Depending on the system, this will take a few minutes.

First login

After installation, you can log in via ILO/iDRAC or via SSH.

When logging in for the first time, the password set during installation must be entered and immediately replaced with a new one. The new password must not be too similar to the old one (appending numbers or similar is not enough) and must meet the DISA STIG criteria mentioned above. If one of the points does not match, the PuTTY window closes or the login screen appears again (an error message is displayed first).
After a successful change, the window also closes, but without an error message. You can now log in with the new password.

Customize data folder permissions

The permissions of the mount path for the backup data must be adjusted so that only the repository user can access it. Replace veeamrepo with the administrative user you created during installation (the user that Veeam will later connect with):

sudo chown veeamrepo:veeamrepo /mnt/veeam/
sudo chmod 700 /mnt/veeam/
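As an added example (not part of the original post), a small shell function that verifies the result: the directory must belong to the repository user and group and carry mode 700, so no other local account can list or read the backup files. The path /mnt/veeam and the user name veeamrepo are the values from the two commands above and are assumptions for your environment.

```shell
#!/bin/sh
# Added example, not from the original post: check that the backup data
# directory is owned by the repository user and is not accessible to anyone
# else. /mnt/veeam and veeamrepo are assumptions; substitute your own values.

# verify_repo_dir DIR OWNER [GROUP]
#   Returns 0 when DIR is a directory owned by OWNER:GROUP with mode 700,
#   otherwise prints each deviation and returns 1.
verify_repo_dir() {
  local dir=$1 owner=$2 group=${3:-$2} rc=0 o g m
  [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
  # GNU stat: %U user name, %G group name, %a permission bits in octal
  set -- $(stat -c '%U %G %a' "$dir")
  o=$1; g=$2; m=$3
  [ "$o" = "$owner" ] || { echo "$dir: owner is $o, expected $owner"; rc=1; }
  [ "$g" = "$group" ] || { echo "$dir: group is $g, expected $group"; rc=1; }
  [ "$m" = "700" ]    || { echo "$dir: mode is $m, expected 700"; rc=1; }
  return "$rc"
}

# Usage after the two commands above:
#   verify_repo_dir /mnt/veeam veeamrepo && echo "repository directory is locked down"
```

Mode 700 on the mount point is what keeps other local users (and any service that gets compromised later) from even listing the backup files; the immutable flag protects the files themselves, but not their confidentiality.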

Configuration/Adding to Veeam

The repository is added as a “Hardened Repository” within Veeam.

Basic installation completed

The basic installation of the Veeam Hardened Repository is now complete.
I will describe the further configuration (user, firewall, etc.) in a separate blog post. This is essential for protecting the repo in the best possible way.

Veeam: Community Preview of Managed Hardened Repository ISO by Veeam

Yesterday, Veeam released the Community Preview of the Hardened Repository ISO (Build 0.1.15).
The ISO, or rather the project behind it, was presented at VeeamON in Fort Lauderdale this year. I have been eagerly awaiting this installation ISO since the information was published.

What is this Managed Hardened Repository ISO by Veeam?

The Managed Hardened Repository ISO is an installation ISO that installs a Veeam Hardened Repository according to Veeam's best practices, fully hardened.
Inside the installer you have to specify a few settings; everything else is predefined, so that after the guided installation you have a DISA STIG hardened repository without any further adjustments.

Benefits of the ISO

  • The biggest benefit of the ISO is that you don’t have to make any further customizations or run any scripts (the system is already hardened through the customized installer).
  • There is no root user.
  • Due to the use of Rocky Linux as the base, you have 10 years of support.
  • After the official version is released, you will also receive support from Veeam.

Important!
At the moment this is a technical preview and not intended for productive use.

 

Requirements

  • Red Hat supported hardware (the ISO is Rocky Linux based; for production a physical server is recommended, for a lab a VM is also possible)
  • Same CPU & RAM resources as Linux Repositories
  • 2 disks with at least 100GB each
  • Only internal storage or direct attached storage with hardware RAID controller with write-back cache are supported
  • UEFI must be activated
  • Min. Veeam V12.2

 

Installation of the Hardened Repository

Boot from ISO

Select “Install Hardened Repository (deletes all data)” in the GRUB menu. As the name says, this wipes all data on the machine.

During boot, the system and disk requirements are checked (for example: are there 2 disks with at least 100 GB each?).

 GUI Installer

After booting, the GUI installer appears. The displayed options must be set here

 

Keyboard Layout

Set the correct keyboard layout right after booting. This is important for entering the password correctly.

 Time &Date

Region, City and NTP servers must be set

Device

Nothing can be customized in the Device section. The installer always takes all disks and splits them up as follows:

  • The smallest disk becomes the operating system disk
  • All other disks are bundled into one LVM volume group and mounted under /mnt/veeam-repository01

Network

Only one adapter is activated by default; if you want more than one, you must activate them.
A bond should always be configured for reliability where possible (as I am working with a lab VM here, I decided not to use it).
The hostname must also be set (don't forget).

A static IP address, DNS servers and search domains should be set. After confirming, the IP should be reachable/pingable.

Start installation

The installation can be started by clicking on “Begin Installation”

 When the installation is complete, you can reboot.

 

Configuration of the Hardened Repository

Boot

When booting, the Grub bootloader is displayed and the system starts automatically.

First Login

You must log in to the server with the default credentials (user: vhradmin, password: vhradmin). These are the same on every installation, so the password change that follows is mandatory.

The password must be changed immediately. It must match the DISA STIG complexity requirements (enforced by pam_pwquality):

  • at least 1 numeric character
  • at least 1 lower case letter
  • at least 1 upper case letter
  • at least 15 characters
  • at least 1 special character
  • maximum 4 characters of the same character class in a row (e.g. 4 lower case letters, 4 digits)
  • 24h minimum password lifetime (a password can only be changed once per day)
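As an added example (not from the original post), here is a shell check that tests a candidate password against the complexity rules listed above and in the manual installation post, before you type it into a console that locks the account after three failures. It models the pam_pwquality settings the STIG profile configures; the 24-hour minimum lifetime and the similarity check against the old password are not modelled. The sample passwords in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: offline check of a candidate
# password against the DISA STIG rules as pam_pwquality enforces them on the
# repository (minlen=15, dcredit/lcredit/ucredit/ocredit=-1, maxclassrepeat=4).
# The 24h minimum lifetime and the "not too similar to the old password"
# rule are not modelled here.

# max_class_run PASSWORD
#   Prints the longest run of consecutive characters from the same class
#   (digit, lower, upper, other); pwquality's maxclassrepeat limits this value.
max_class_run() {
  printf '%s\n' "$1" | awk '{
    n = length($0); run = 0; max = 0; prev = ""
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (c ~ /[0-9]/)      cls = "d"
      else if (c ~ /[a-z]/) cls = "l"
      else if (c ~ /[A-Z]/) cls = "u"
      else                  cls = "o"
      if (cls == prev) run++; else { run = 1; prev = cls }
      if (run > max) max = run
    }
    print max
  }'
}

# check_stig_password PASSWORD
#   Prints every rule the password violates and returns 1 if there is any.
check_stig_password() {
  local pw=$1 rc=0
  [ "${#pw}" -ge 15 ] || { echo "fewer than 15 characters"; rc=1; }
  case $pw in *[0-9]*) ;; *) echo "no digit"; rc=1 ;; esac
  case $pw in *[a-z]*) ;; *) echo "no lower case letter"; rc=1 ;; esac
  case $pw in *[A-Z]*) ;; *) echo "no upper case letter"; rc=1 ;; esac
  case $pw in *[![:alnum:]]*) ;; *) echo "no special character"; rc=1 ;; esac
  [ "$(max_class_run "$pw")" -le 4 ] \
    || { echo "more than 4 characters of the same class in a row"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: password meets the STIG complexity rules"
  return "$rc"
}

# Constructed examples:
#   check_stig_password 'Veeam-Repo2025!Xy9'     # passes
#   check_stig_password 'Backup2025!!!!!abcde'   # fails: five '!' in a row
#   check_stig_password 'veeamhardened1!'        # fails: no upper case, 13 lower case in a row
```

The "same class in a row" rule is the one that trips people up most, because a perfectly long and mixed password such as one built from a word followed by a year can still contain five letters or five digits back to back.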

License Agreement

The license agreement must be confirmed (jump down with tab)

Main Menu

Certain settings can now be modified. But as you can see, there is not much you can adjust.

  • Proxy must be adjusted if the server cannot access the Internet directly (Internet connection is required for updates to repository.veeam.com for security updates).
  • “Reset time lock” is only used if the machine has been off for a longer period of time and you have a problem with the timeshift (if the time jump is too large)
  • The other points should explain themselves

 

Start SSH

SSH is required to add the machine to Veeam.
To activate SSH, simply navigate to the option and confirm.

The password is generated automatically according to DISA STIG specifications. If the password is not readable, simply stop SSH and restart, then you will receive a new password.
You have to write down the password temporarily. This is required for adding the server to Veeam.
(SSH must be stopped after the repo has been added to Veeam.)

 Click Continue to close the window and start the configuration in Veeam.

Create DNS entry

A DNS entry must be created before adding the repository to Veeam. Otherwise the Veeam server cannot resolve the DNS name of the repo.

  

Configuration inside Veeam

In Veeam, the community hardened repository is added in the same way as any other hardened repository.

When entering the user, make sure that you use the user name shown in the SSH prompt (“veeamsvc”), not “vhradmin”.

 When selecting the path, the LVM is specified with the mount path “/mnt/veeam-repository01”

The desired path and immutability must be set here.

 And that’s it inside Veeam. The hardened repository has now been added.

 

SSH disable

After adding the repository, SSH must be deactivated on the hardened repo server

 

Finished

The hardened repository is now installed and ready to be tested.

 

Tests

I have done some tests such as creating backups, restoring or deleting backups and everything worked correctly.

When trying to delete backups, the expected message appears that the backups can only be deleted after the immutability period has expired.

 

Conclusion

I’m already looking forward to using the ISO in productive environments after the official stable release.

Until that happens, test it diligently in the lab and report any problems via the R&D forum. I will also carry out further tests with hardware systems.

 

Known issues and limitations

Here are the current known issues and limitations of the Community Preview with build number 0.1.15, quoted from the R&D forum post:

The following known issues and limitations apply to the Community Preview build only and will be addressed in the final release.

ISO Installer

  • Current sudo permissions for the veeamsvc user allow installing additional packages that are signed by a trusted key.
  • The installer does not discard systems with UEFI Secure Boot disabled (this is on purpose, not to create barriers for preview testing).
  • The Help button does not function. Please use the included manual.

Hardened Repository Configurator Tool

  • The License Agreement wizard and files are incomplete.
  • Some texts and error messages are not final.

[PREVIEW] Managed Hardened Repository ISO by Veeam – R&D Forums
