[VEEAM 12] immutable backup

[AbdelO]

Hi Experts !

I have a question about immutable backup with Veeam 12. I know that from the Veeam console it is impossible to delete the backup before the retention period has passed, but on the Linux server side, can the root account delete backups directly from the repository server?

Knowing that I have created a specific Veeam service account to manage the connection between the Veeam console and Linux repositories and to apply the rights of this account to the backup destination folder.

Regards.

[ronnmartin61]

If you can gain console access to the Linux server hosting the backups as root yes the backups can be deleted

[AbdelO]

Hello ronnmartin61

Thanks for your feedback,

What are the best practices to avoid deleting backups?

[ronnmartin61]

There is a growing body of best practices information online. Here are a few links to get you on your way -

https://www.veeam.com/blog/installing-u ... itory.html

https://www.veeam.com/blog/backup-repos ... guide.html

A number of tools are also discussed in this thread -

veeam-backup-replication-f2/what-are-th ... IzLjAuMA..

[chris.childerhose]

These are the best links to follow, for sure. Have all of them bookmarked and follow them when we set up XFS Immutable repos.

[chris.childerhose]

Not sure if you saw at VeeamON (or attended) that there was a session with Rick and Hannes about using the ISO they are building to deploy Linux Hardened repos. This is an even better option for this.

[SomewhereinSC]

Here's the link to said .ISO and information
https://community.veeam.com/blogs-and-p ... QuNjAuMC4w

[Net Runner]

Of course, if a malicious actor has access to the root user either via ssh or local console, he can remove immutability flags from the files and therefore delete them. In this case, you can just disable root and disable ssh or make it a custom port. On the other hand, there are plenty of options for immutable storage for Veeam. You can check ObjectFirst (https://objectfirst.com/) as S3 storage for Veeam if you are looking for new hardware, or if you already have hardware and want to convert it into immutable storage, something like Starwinds SAN and NAS with Veeam Hardened Repo should do the trick (https://www.starwindsoftware.com/blog/s ... r-veeam-br).