secure backup - script

[chanklish]

hello
i am trying to secure my backups against ransomware ( using different non domain passwords on the shares ) , i use the below script with Veeam Backup & replication community version
the script works beautifully if the storage location is part of my domain security per example - i cannot find a place to add credentials for a non domain NAS
is it doable ? i am trying to do the same for some NGO where i work in Congo

Code: Select all

# Author: Vladimir Eremin
# Contributor: Trinh Nguyen (www.dangtrinh.com)
# 

##################################################################
#                   User Defined Variables
##################################################################

# Names of VMs to backup separated by comma (Mandatory). For instance, $VMNames = “VM1”,”VM2”
$VMNames = 

# Name of vCenter or standalone host VMs to backup reside on (Mandatory)
$HostName = 
# Directory that VM backups should go to (Mandatory; for instance, C:\Backup) - IS IT POSSIBLE TO ADD CREDENTIALS HERE ?!!
$Directory = "\\10.1.5.111\VM-Backup"

# Desired compression level (Optional; Possible values: 0 - None, 4 - Dedupe-friendly, 5 - Optimal, 6 - High, 9 - Extreme) 
$CompressionLevel = "5"

# Quiesce VM when taking snapshot (Optional; VMware Tools are required; Possible values: $True/$False)
$EnableQuiescence = $True

# Protect resulting backup with encryption key (Optional; $True/$False)
$EnableEncryption = $False

# Encryption Key (Optional; path to a secure string)
$EncryptionKey = ""

# Retention settings (Optional; By default, VeeamZIP files are not removed and kept in the specified location for an indefinite period of time. 
# Possible values: Never , Tonight, TomorrowNight, In3days, In1Week, In2Weeks, In1Month)
$Retention = "In1Week"

##################################################################
#                   Notification Settings
##################################################################

# Enable notification (Optional)
$EnableNotification = $False

# Email SMTP server
$SMTPServer = "smtp.gmail.com"

# Email SMTP port
$SMTPPort = "587"

# Email SMTP user
$SMTPUser = "myemail@gmail.com"

# Email SMTP password
$SMTPPasswd = "mygmailpasswrod"

# Email FROM
$EmailFrom = "myemail@gmail.com" 

# Email TO
$EmailTo = "myadmin@gmail.com", "another@gmail.com"

# Email subject
$EmailSubject = "VeeamZIP backup - My VMWare backups"



##################################################################
#                   Email formatting 
##################################################################

$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"

##################################################################
#                   End User Defined Variables
##################################################################

#################### DO NOT MODIFY PAST THIS LINE ################
Asnp VeeamPSSnapin

$Server = Get-VBRServer -name $HostName
$MesssagyBody = @()

foreach ($VMName in $VMNames)
{
  $VM = Find-VBRHvEntity -Name $VMName -Server $Server
  
  If ($EnableEncryption)
  {
    $EncryptionKey = Add-VBREncryptionKey -Password (cat $EncryptionKey | ConvertTo-SecureString)
    $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention -EncryptionKey $EncryptionKey
  }
  
  Else 
  {
    $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention
  }
  
  If ($EnableNotification) 
  {
    $TaskSessions = $ZIPSession.GetTaskSessions().logger.getlog().updatedrecords
    $FailedSessions =  $TaskSessions | where {$_.status -eq "EWarning" -or $_.Status -eq "EFailed"}
  
  if ($FailedSessions -ne $Null)
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={$FailedSessions.Title}})
  }
   
  Else
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={($TaskSessions | sort creationtime -Descending | select -first 1).Title}})
  }
  
  }   
}
If ($EnableNotification)
{
# $Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo
# $Message.Subject = $EmailSubject
# $Message.IsBodyHTML = $True
# $message.Body = $MesssagyBody | ConvertTo-Html -head $style | Out-String
# $SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)
# $SMTP.Send($Message)


$secpasswd = ConvertTo-SecureString $SMTPPasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($SMTPUser, $secpasswd)
$MailSplat = @{
    To         = $EmailTo
    From       = $EmailFrom
    Subject    = $EmailSubject
    Body       = ($MesssagyBody | ConvertTo-Html -head $style | Out-String)
    BodyAsHTML = $True
    SMTPServer = $SMTPServer
    port       = $SMTPPort
    Credential = $mycreds
}

Send-MailMessage @MailSplat -UseSsl

}

[chanklish]

Should this be moved to the script section ?!

[veremin]

Have you tried to specify -NetworkCredentials parameter in Start-VBRZip cmdlet? Thanks!

[chanklish]

Hello Veremin ..please give me more details

[jhoughes]

Vlad is speaking about the 'NetworkCredentials' parameter of the Start-VBRZip cmdlet that you are using in your script.

It is used in Example 2 of the documentation for the cmdlet here.

[chanklish]

I will check tomorrow at my office but where should i add it in the script ??
Thank you guys

[chanklish]

i am trying to use the add and get VBR credentials but i am not knowing how to ( https://helpcenter.veeam.com/docs/backu ... ml?ver=100)

where should i add these lines in the above script

Code: Select all

Add-VBRCredentials -Type Windows -User Administrator -Password "Password_1" -Description "Administrator Credentials"

Code: Select all

Get-Credential | Add-VBRCredentials -Description "Administrator Credentials"

and this :

Code: Select all

$vm = Find-VBRViEntity -Name "Tech"

$netcreds = Get-VBRCredentials -Name "Shared"

Start-VBRZip -Folder "D:\Repository\VeeamZIP" -Entity $vm -Compression 4 -DisableQuiesce -NetworkCredentials $netcreds -RunAsync

[veremin]

To make life eaiser you can simply add share credentials to the backup server, using credentials manager.

Then, within the script you should get these credentials:

Code: Select all

$netcreds = Get-VBRCredentials -name "Name of your credentials"

After that, within the script you need to pass these credentials:

Code: Select all

Start-VBRZip -Folder "D:\Repository\VeeamZIP" -Entity $vm -Compression 4 -DisableQuiesce -NetworkCredentials $netcreds -RunAsync

Thanks!

[chanklish]

where should i put this line in the script after adding the credentials ?

$netcreds = Get-VBRCredentials -name "Name of your credentials"

[chanklish]

i added the credentials (picture attached )
and updated the code like this , i see the backup start but cannot backup to the location ( due to permissions )
what am i doing wrong ?!

Code: Select all

# Author: Vladimir Eremin
# Contributor: Trinh Nguyen (www.dangtrinh.com)
# 

##################################################################
#                   User Defined Variables
##################################################################

# Names of VMs to backup separated by comma (Mandatory). For instance, $VMNames = “VM1”,”VM2”
$VMNames = "Mainsocitrans"

# Name of vCenter or standalone host VMs to backup reside on (Mandatory)
$HostName = "hyperv.socitrans.local"

# Directory that VM backups should go to (Mandatory; for instance, C:\Backup)
$Directory = "\\192.168.140.10\offline"

# Desired compression level (Optional; Possible values: 0 - None, 4 - Dedupe-friendly, 5 - Optimal, 6 - High, 9 - Extreme) 
$CompressionLevel = "5"

# Quiesce VM when taking snapshot (Optional; VMware Tools are required; Possible values: $True/$False)
$EnableQuiescence = $False

# Protect resulting backup with encryption key (Optional; $True/$False)
$EnableEncryption = $False

# Encryption Key (Optional; path to a secure string)
$EncryptionKey = ""

$netcreds = Get-VBRCredentials -name ".\Superuser"

# Retention settings (Optional; By default, VeeamZIP files are not removed and kept in the specified location for an indefinite period of time. 
# Possible values: Never , Tonight, TomorrowNight, In3days, In1Week, In2Weeks, In1Month)
$Retention = "In2Weeks"



##################################################################
#                   Notification Settings
##################################################################

# Enable notification (Optional)
$EnableNotification = $False

# Email SMTP server
$SMTPServer = "smtp.gmail.com"

# Email SMTP port
$SMTPPort = "587"

# Email SMTP user
$SMTPUser = "myemail@gmail.com"

# Email SMTP password
$SMTPPasswd = "mygmailpasswrod"

# Email FROM
$EmailFrom = "myemail@gmail.com" 

# Email TO
$EmailTo = "myadmin@gmail.com", "another@gmail.com"

# Email subject
$EmailSubject = "VeeamZIP backup - My VMWare backups"



##################################################################
#                   Email formatting 
##################################################################

$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"

##################################################################
#                   End User Defined Variables
##################################################################

#################### DO NOT MODIFY PAST THIS LINE ################
Asnp VeeamPSSnapin

$Server = Get-VBRServer -name $HostName
$MesssagyBody = @()

foreach ($VMName in $VMNames)
{
  $VM = Find-VBRHvEntity -Name $VMNames -Server $Server

  
  If ($EnableEncryption)

  {
    $EncryptionKey = Add-VBREncryptionKey -Password (cat $EncryptionKey | ConvertTo-SecureString)
    $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention -EncryptionKey $EncryptionKey
  }
  
  Else 
  {
    $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention -NetworkCredentials $netcreds
  }
  
  If ($EnableNotification) 
  {
    $TaskSessions = $ZIPSession.GetTaskSessions().logger.getlog().updatedrecords
    $FailedSessions =  $TaskSessions | where {$_.status -eq "EWarning" -or $_.Status -eq "EFailed"}
  
  if ($FailedSessions -ne $Null)
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={$FailedSessions.Title}})
  }
   
  Else
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={($TaskSessions | sort creationtime -Descending | select -first 1).Title}})
  }
  
  }   
}
If ($EnableNotification)
{
# $Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo
# $Message.Subject = $EmailSubject
# $Message.IsBodyHTML = $True
# $message.Body = $MesssagyBody | ConvertTo-Html -head $style | Out-String
# $SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)
# $SMTP.Send($Message)


$secpasswd = ConvertTo-SecureString $SMTPPasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($SMTPUser, $secpasswd)
$MailSplat = @{
    To         = $EmailTo
    From       = $EmailFrom
    Subject    = $EmailSubject
    Body       = ($MesssagyBody | ConvertTo-Html -head $style | Out-String)
    BodyAsHTML = $True
    SMTPServer = $SMTPServer
    port       = $SMTPPort
    Credential = $mycreds
}

Send-MailMessage @MailSplat -UseSsl

}

[chanklish]

it is working now - i will wait till after work to reboot the server and try everything

[oleg.feoktistov]

Glad you got it working! Please share your results here after all tests.

[chanklish]

this solution works perfectly but i dont know why the 2 VM are saved in one backup ( when i open the backup it shows the 2 vm )

[jhoughes]

The problem is that your foreach loop is using the wrong variable.

You have this in your code:

Code: Select all

foreach ($VMName in $VMNames)
{
  $VM = Find-VBRHvEntity -Name $VMNames -Server $Server

You should be using your singular '$VMName' variable for the Name parameter, not the '$VMNames' variable which contains all VMs you queried earlier.

[chanklish]

can you explain more ?!

[jhoughes]

Replace this:

Code: Select all

$VM = Find-VBRHvEntity -Name $VMNames -Server $Server

With this:

Code: Select all

$VM = Find-VBRHvEntity -Name $VMName -Server $Server