I wanted to write about this for a while now since I started testing and using the VBR v11 Beta, but now I finally can 🙂
Starting v11 of Veeam Backup & Recovery there will be a new feature that looks like it can be quite the gamechanger!
VBR v11 introduces Linux Immutability! Combine this with Linux XFS and you got yourself a very nice and efficient repository to store backups knowing it cannot be altered until the defined threshold time passes. If you have a Public Cloud to your disposal (for instance Azure) you can even deploy the Linux XFS repository in the Cloud so it is stored off-site even.
In this blog I want to show you how to set it up and demonstrate it really works. So here goes!
First of all, I deployed an Azure VM running Ubuntu 20.04 and set up XFS on a additional Azure Data Disk (1024GB) Premium SSD.
After deployment open up SSH to the machine and set up the XFS data disk.
Run the following commands (in my example /dev/sda is the Azure Data disk of 1024GB)
sudo fdisk -l /dev/sda
sudo fdisk /dev/sda
answer N
answer P (for primary)
answer 1 (for partition number)
press ENTER (to accept default first sector)
press ENTER (for complete disk size)
answer W (for writing partition table)
Run the following volume format string command to configure a Linux backup repository for work with Fast Clone:
https://helpcenter.veeam.com/docs/backup/vsphere/backup_repository_block_cloning.html?ver=100
sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sda1
Create a directory called “backups” (for example) and make sure to mount the drive during boot to it.
sudo mkdir /backups
sudo blkid /dev/sda1
su
sudo echo ‘UUID=uuid-from-blkid /backups xfs defaults 1 1′ >> /etc/fstab (you can ofcourse also use VI or nano to edit /etc/fstab)
sudo mount -a
df -h | grep /backups
Now XFS has been configured and is almost ready for use. We will create a user first with no rights and make him owner of the directory so we can add the repository to Veeam.
sudo useradd -m veeamrepo
sudo passwd veeamrepo
sudo chown -R veeamrepo:veeamrepo /backups
ls -alh /backups
For adding it to Veeam we need to give it sudo rights temporarily.
sudo vi /etc/sudoers
veeamrepo ALL=(ALL:ALL) ALL
Next step is to add this Linux Repository to VBR v11 to make use of it. Within VBR v11 we will be setting the Immutability option when we configure the repository.
For adding a Backup Repository you go to: “Backup Infrastructure” > “Backup Repositories” > “Right clik and select Add Backup Repository” > “Direct attached storage” > “Linux”. There you give it a name and click “Next”.
Now from this point you select “Add new” and fill in the required information.
Select “Yes” for the fingerprint message to trust the server.
Now VBR will start updating the infrastructure with the new information and do some checks to see if the Veeam Data Mover service is already there or needs to be installed and configured. After all checks have passed we can continue.
At the “New Backup Repository” screen we can now “Populate” it to find all the available Paths. Select the created XFS drive in my case /backups (/dev/sda1).
Select the “fast cloning” option for the repository AND also select the “Immutability” option (I set it for 7 days).
For the “Mount Server” and “Review” I left the defaults in my situation.
If we apply then al settings will be checked and I all goes well all lights turn to Green !
Now we have to remove the sudo rights from teh veeamrepo to make sure it is really hardened!
sudo visudo /etc/sudoers and remove the veeamrepo ALL line !
Now further harden the the Linux Repository by also disable SSH with the following commands:
sudo systemctl disable ssh
sudo systemctl stop ssh
Now we are ready to configure/add a backup job which uses our new “Linux XFS Repository with Immutability option”. Make sure to use Incremental with Synthetic Full option in the Advanced options for the job.
After this, we can take full use of XFS and Immutability on Linux!
Testing the Immutability
First we select the backup that is stored on the new XFS-Immutable repository and select “delete from disk”.
Veeam will try to delete the backup from disk but will give us a message:
As you can see it failed to delete the backup because of Immutability.
If we take a closer look at the Linux XFS Repository itself we can see the following if we try to delete it from there:
So now we have created a Linux XFS repository with the Immutability option from VBR v11 which allows us to secure backups for a certain amount of pre-defined time, this way ransomware has no change to compromise the backups.