With ransomware threats still runnin’ afoot, I’m sure I’m not alone when I say that securing backup data is crucial. :closed_lock_with_key:

Now, the Veeam Hardened Linux Repository is a popular option amongst Veeam enterprise customers for immutable and secure backup storage. We chat about the pros and cons depending on your environment, here, if you’re curious!

What’s your experience been like?

Have you ever implemented Veeam Hardened Repository?

  • Yeah!
  • No…
  • I’m not sure.
We are a 75-user SMB environment (100% Windows) using Veeam software to back up all Windows Server VMs. Currently using a local Synology NAS device to store Veeam backups. From the local Synology, files are copied to AWS S3 storage (offsite).

What are the options available for an SMB environment like ours to use the Hardened Repository?

Unless this feature is only for bigger enterprise customers with big budgets and not for SMBs like us.

Get a server and install Linux on it. Use the XFS filesystem. That’s all you really need to have a hardened immutable backup repository. There’s more to hardening it, but that’s just to get you started.

From there you could add S3 storage with object locks, either onsite, MinIO for example, or offsite, Wasabi is a popular choice. Or use your existing Amazon solution.

I set up a Linux immutable repo for our backups just a couple of months before a pretty bad ransomware incident, and it was the only thing that saved us.

3 Spice ups

In a simple way, all you have to do in your case is not use a domain account to copy the backup data sets from NAS to S3? So if the domain is compromised, the domain account cannot be used to make changes to the backup data sets on S3.

This is just wrong. Just because the backup server is off the domain, it doesn’t mean it’s secure. If you can access backups over the network in any way, it’s not secure. A Linux hardened repo with immutability and all remote access disabled, including SSH and out-of-band, i.e. IPMI, iDRAC and the like, gets you as close as you can get to it. The only way to get in is either physical access or exploiting the Veeam agent. Not impossible but highly unlikely.

3 Spice ups
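
The points raised so far in the thread (XFS filesystem, immutable backup files, no SSH reachable over the network) can be checked with a short audit script. This is an added example, not code from any poster; it assumes backup data files end in `.vbk` or `.vib`, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers read command output on stdin,
# so they work on live output or on saved text.

# fs_type_of MOUNTPOINT < /proc/mounts : print the filesystem type
fs_type_of() {
    awk -v m="$1" '$2 == m { t = $3 } END { if (t != "") print t }'
}

# mutable_backups < lsattr-output : backup files WITHOUT the immutable (i) flag
# Assumption: backup data files end in .vbk or .vib
mutable_backups() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 !~ /i/ && /\.(vbk|vib)$/ {
        print substr($0, length($1) + 2) }'
}

# exposed_ports < "ss -Htln" output : TCP ports bound to non-loopback addresses
exposed_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ {
        p = $4; sub(/.*:/, "", p); print p }' | sort -nu
}

# audit MOUNTS LSATTR SS MOUNTPOINT : print findings, return 1 if any
audit() {
    a_rc=0
    a_fs=$(printf '%s\n' "$1" | fs_type_of "$4")
    [ "$a_fs" = xfs ] || { echo "FAIL: $4 is ${a_fs:-not mounted}, expected xfs"; a_rc=1; }
    a_bad=$(printf '%s\n' "$2" | mutable_backups)
    [ -z "$a_bad" ] || { echo "FAIL: not immutable: $a_bad"; a_rc=1; }
    if printf '%s\n' "$3" | exposed_ports | grep -qx 22; then
        echo "FAIL: SSH (tcp/22) is listening on a network address"; a_rc=1
    fi
    return "$a_rc"
}

# Constructed sample input (not captured from a real host)
SAMPLE_MOUNTS='/dev/sdb1 /backups xfs rw,noatime 0 0'
SAMPLE_LSATTR='----i----------------- /backups/job1/srv01.vbk
---------------------- /backups/job1/srv01_2.vib
---------------------- /backups/job1/job1.vbm'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 4096 *:6162 *:*'

audit "$SAMPLE_MOUNTS" "$SAMPLE_LSATTR" "$SAMPLE_SS" /backups || echo "findings above need attention"
```

On a live host, pass the output of `cat /proc/mounts`, `lsattr -R` on the repository path and `ss -Htln` in place of the sample variables.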

Depends on how much data you’ve got. Not sure what level of protection AWS S3 gives to your data, but you could take an old desktop, put a few HDDs in there and install Linux and make an immutable repository.

For a few hundred dollars, you are safe from ransomware if you don’t mess up the config. Only physical access would let someone mess with the backup.

3 Spice ups

Yes, we have. Stuffing a server with drives and installing Linux is a very easy way to do this.

2 Spice ups

But you need to also consider that it’s only a 75-user environment…

It doesn’t matter if it’s 75 users or 75k users, the threat is the same. In fact, smaller orgs are more likely to get compromised due to lack of talent, funding, cyber security resources, the list is long. That makes them an easy target for cyber criminals. There are ransomware groups that only target small businesses, because it’s just easier.

Yup…but having a Linux machine is not fool-proof…

For the case where the backup data sets are stored on AWS, the next method is to move them to another S3 location?
Try not to over-think … unless building another solution?

Then won’t prevention be better than cure?