emcclure78
Influencer
Posts: 12
Liked: 1 time
Joined: Dec 10, 2021 11:08 pm

Veeam hardened Linux repository with Dell Compellent

Post by emcclure78 »

Hello,

Apologies if this has already been asked. I tried a search on here and on Google and didn't seem to find what I was looking for. Perhaps I used the wrong terms.

I am converting a Windows repository server to a Linux hardened repository for Veeam. I've found some steps here that I'm going to follow: https://nolabnoparty.com/en/veeam-v11-h ... lity-pt-1/

However, I'm not sure how this works with the Compellent. When I'm formatting and installing Linux, do I need to have the Compellent somehow attached? Will it see the drives at all? Or do I need some sort of Dell software on for it to be seen, which would be tricky if I'm doing a fresh install of Ubuntu 20.04 LTS? Would the Compellent be the /dev/sda or /dev/sdb? Or do I just follow the steps from that page, set up the server and then install some sort of software for Dell to see the Compellent and then continue with the hardened repository setup? Apologies for all the questions, just new to setting this up and want to get this right.

Thanks in advance.
Mildur
Product Manager
Posts: 8735
Liked: 2296 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Veeam hardened Linux repository with Dell Compellent

Post by Mildur » 1 person likes this post

Hi

Looks like this Dell Compellent is a storage appliance.
I don't know this hardware, but a short Google search shows me that it supports iSCSI.

You can create an iSCSI target and a LUN on the storage appliance.

Then install Ubuntu on your other hardware server and use an iSCSI initiator to connect to the Dell Compellent appliance.

Create the partition inside Ubuntu on the connected iSCSI LUN and create the XFS file system with reflink support enabled on the partition.

Please don't use a VM as the Ubuntu server. A hardened repo loses its effectiveness when it's a VM. If the VM is running on a hypervisor which can be accessed from the normal network, then it's possible to use the management console to reboot the VM into rescue mode to reset the root password. And with a known root password, the immutability can be disabled on all backup files.

And the Dell Compellent appliance should be protected by firewalls. An intruder with access to the management interface of the storage appliance can delete the iSCSI LUNs with the immutable backup files on them. The appliance will not check inside the LUN if something is immutable or not. It will delete all data. In my view, a Linux hardened repo only makes sense with a physical Linux server with built-in disks.
Product Management Analyst @ Veeam Software
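A pre-flight check for the layout described in the post above, added here as an example and not part of the thread or of Veeam's tooling: it identifies which disks arrived over iSCSI, confirms the XFS volume has reflink and CRC enabled, and lists files that lack the immutable attribute. The mount point `/mnt/veeam-repo`, the function names and the sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Each filter reads command output on
# stdin, so it can be run against captured text as well as a live system.

# Input: `lsblk -dn -o NAME,TRAN`. Prints disks whose transport is iSCSI,
# i.e. the LUNs presented by the storage appliance rather than local disks.
iscsi_disks() {
    awk '$2 == "iscsi" { print "/dev/" $1 }'
}

# Input: `xfs_info <mountpoint>`. Succeeds only if reflink and CRC are on.
xfs_reflink_ok() {
    info=$(cat)
    case "$info" in *reflink=1*) ;; *) return 1 ;; esac
    case "$info" in *crc=1*) ;; *) return 1 ;; esac
    return 0
}

# Input: `lsattr` lines ("<flags> <path>"). Prints paths without the
# lowercase 'i' (immutable) flag; paths containing spaces are kept whole.
not_immutable() {
    awk '$1 !~ /i/ { sub(/^[^ ]+ /, ""); print }'
}

# Live run on the repository server, e.g.: check_repo /mnt/veeam-repo
check_repo() {
    mnt=$1
    echo "iSCSI-backed disks:"
    lsblk -dn -o NAME,TRAN | iscsi_disks
    if ! xfs_info "$mnt" | xfs_reflink_ok; then
        echo "reflink/crc not enabled on $mnt" >&2
        return 1
    fi
    echo "Files without the immutable flag (review against retention):"
    find "$mnt" -type f -exec lsattr {} + | not_immutable
}

# Constructed sample outputs, abbreviated, for offline use.
SAMPLE_LSBLK='sda  sata
sdb  iscsi'
SAMPLE_XFS='meta-data=/dev/sdb1  isize=512  agcount=4
         =           crc=1  finobt=1, sparse=1, rmapbt=0
         =           reflink=1'
SAMPLE_LSATTR='----i---------e------- /mnt/veeam-repo/job 1/a.vbk
--------------e------- /mnt/veeam-repo/job 1/b.vbk'
```

The device name a LUN receives (`/dev/sdb` in the sample) depends on discovery order, so the transport column is a more reliable identifier than the letter.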
micoolpaul
Veeam Vanguard
Posts: 211
Liked: 107 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Veeam hardened Linux repository with Dell Compellent

Post by micoolpaul » 2 people like this post

Mildur is right; the use of a storage appliance creates a second “out-of-band” management way to access this device. I tend to recommend, if you’re serious about immutability, a hardware internal firewall that you have to VPN into to access your management network (hardware because you can use the firewall as a sole way to access an isolated dedicated management switch). Then put 2FA on the firewall and only allow firewall management either manually plugged into an out of use port, or when you’re within the VPN. There’s always a usability/security trade-off with these things, so it depends how easy it would be to plug in manually when you need access vs a full-time remote access requirement.
-------------
Michael Paul
Veeam Legend | Veeam Certified Architect | Veeam Vanguard

Re: Veeam hardened Linux repository with Dell Compellent

Post by emcclure78 »

I am so sorry. I never saw a notification for this, so I didn't know anybody had replied until I saw this in a Google search.

So I wouldn't dream of using a VM for this. We do have a physical server that's attached to the Compellent that we will use.

I'm new to my company, so I'll talk to them about this. As for accessing the server, I'd only use iDRAC as I'm remote. That's only limited to a couple of people anyway. It does make the most sense to me to have it all on one server and not have any attached storage, but I'm not sure that's something they'll be willing to do, as they have this storage and want to use it. As for 2FA, are there good articles on setting this up with the hardened repo? Is there a good authenticator to use, like Google, Microsoft, etc.? Do any of them require a cost?

Thanks in advance and sorry for the delayed reply.