Comprehensive data protection for all workloads
Post Reply
YoMarK
Enthusiast
Posts: 55
Liked: 8 times
Joined: Jul 13, 2009 12:50 pm
Full Name: Mark
Location: The Netherlands
Contact:
Contact YoMarK

Linux hardened repo Veeam user permissions

Post by YoMarK »

Just typed an extensive post with all logging, but lost it all due to "you must be logged in to post..." phpBB error. When using browser back, everything was empty. :(

Anyway, attempt number 2, but now a bit shorter.

So, Ive used roughly this guide to setup my hardened XFS reflink Veeam repo on Ubuntu 20.4 LTS: https://nolabnoparty.com/en/veeam-v11-h ... lity-pt-1/

I'm blown away on how well this works in our tests. We see better performance then on out ReFS repo's in the shorts tests we did(few weeks), but now I notice something strange. It could be user error. It could be that I'm missing some knowledge here.

But like in the guide, Veeam user was in sudo group for a while during the installation, then I removed it.

I've also setup my firewall rules like this:

Code: Select all

ufw default deny incoming
ufw default deny outgoing
ufw allow in 6162/tcp
ufw allow out 6162/tcp
ufw allow in 2500:3300/tcp
ufw allow out 2500:3300/tcp
So only the bare necessities for Veeam.

In VeeamEnvironmentSvc.log I noticed these kind of messages:

Code: Select all

[CFirewallInvoker] Invoke result: 0 Status: active
[24.01.2022 10:48:48.971] <140487124694848> fir      |
[24.01.2022 10:48:48.971] <140487124694848> fir      |          To                         Action      From
[24.01.2022 10:48:48.971] <140487124694848> fir      |          --                         ------      ----
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 1] 2500:3300/tcp              ALLOW IN    Anywhere
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 2] 2500:3300/tcp              ALLOW OUT   Anywhere                   (out)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 3] 22                         ALLOW IN    10.1.3.141
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 4] 6162/tcp                   ALLOW IN    Anywhere
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 5] 6162/tcp                   ALLOW OUT   Anywhere                   (out)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 6] 2500:3300/tcp (v6)         ALLOW IN    Anywhere (v6)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 7] 2500:3300/tcp (v6)         ALLOW OUT   Anywhere (v6)              (out)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 8] 6162/tcp (v6)              ALLOW IN    Anywhere (v6)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [ 9] 6162/tcp (v6)              ALLOW OUT   Anywhere (v6)              (out)
[24.01.2022 10:48:48.971] <140487124694848> fir      |     Filter out firewall rules which is missing 'ALLOW IN' and contain 'v6'
[24.01.2022 10:48:48.971] <140487124694848> fir      |     '2501/tcp' is not found in rules table
[24.01.2022 10:48:48.971] <140487124694848> fir      |     [CFirewallInvoker] Invoke: ufw allow in proto tcp to 0.0.0.0/0 port 2501 comment Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[24.01.2022 10:48:48.971] <140487124694848>          |     Creating child process: ufw with arguments: allow, in, proto, tcp, to, 0.0.0.0/0, port, 2501, comment, Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[24.01.2022 10:48:49.047] <140487124694848> fir      |     [CFirewallInvoker] Invoke result: 0 Rule added
[24.01.2022 10:48:49.047] <140487124694848> fir      |     Filter out firewall rules which is missing 'ALLOW OUT' and contain 'v6'
[24.01.2022 10:48:49.047] <140487124694848> fir      |     '2501/tcp' is not found in rules table
[24.01.2022 10:48:49.047] <140487124694848> fir      |     [CFirewallInvoker] Invoke: ufw allow out proto tcp to 0.0.0.0/0 port 2501 comment Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[24.01.2022 10:48:49.047] <140487124694848>          |     Creating child process: ufw with arguments: allow, out, proto, tcp, to, 0.0.0.0/0, port, 2501, comment, Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[24.01.2022 10:48:49.123] <140487124694848> fir      |     [CFirewallInvoker] Invoke result: 0 Rule added
[24.01.2022 10:48:49.123] <140487124694848> fir      |   [CFirewallController] Open 2501 port ok.
[24.01.2022 10:48:50.324] <140487124694848>          |   Change OOM for pid 251608 to 10 score
[24.01.2022 10:48:50.334] <140487124694848> fir      |   [CFirewallController] Check firewall availability
When I have e backup job running, ufw shows this:

Code: Select all

 ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2500:3300/tcp              ALLOW IN    Anywhere
[ 2] 2500:3300/tcp              ALLOW OUT   Anywhere                   (out)
[ 3] 22                         	ALLOW IN    xxxx		TEMP rule
[ 4] 6162/tcp                   ALLOW IN    Anywhere
[ 5] 6162/tcp                   ALLOW OUT   Anywhere                   (out)
[ 6] 2501/tcp                   ALLOW IN    Anywhere                   # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[ 7] 2501/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[ 8] 2503/tcp                   ALLOW IN    Anywhere                   # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[ 9] 2503/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[10] 2504/tcp                   ALLOW IN    Anywhere                   # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[11] 2504/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[12] 2505/tcp                   ALLOW IN    Anywhere                   # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[13] 2505/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[14] 2506/tcp                   ALLOW IN    Anywhere                   # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[15] 2506/tcp                   ALLOW OUT   Anywhere                   (out) # Veeam rule 2ea3f314-eb60-4eb6-9743-f53796b1411b
[16] 2500:3300/tcp (v6)         ALLOW IN    Anywhere (v6)
[17] 2500:3300/tcp (v6)         ALLOW OUT   Anywhere (v6)              (out)
[18] 6162/tcp (v6)              ALLOW IN    Anywhere (v6)
[19] 6162/tcp (v6)              ALLOW OUT   Anywhere (v6)              (out)
Veeam user is not in sudo group:

Code: Select all

 
 groups veeam
veeam : veeam veeamgroup
So, Veeam doesn't detect that the ports are already open, and tries to add them.

And now the issue: that seems to work and it shouldn't(but like I said, maybe i'm missing something).
If veeam user somehow has root(or a lot) permissions necessary to add firewall rules, it could also for example change the server time and delete all immutable backups, right?
My understanding was that something like this would not be possible.

What am I missing here?
Top
YoMarK
Enthusiast
Posts: 55
Liked: 8 times
Joined: Jul 13, 2009 12:50 pm
Full Name: Mark
Location: The Netherlands
Contact:
Contact YoMarK

Re: Linux hardened repo Veeam user permissions

Post by YoMarK » 1 person likes this post

Some extra info:

Code: Select all

veeam@srvimmutable01:~$ sudo -i
[sudo] password for veeam:
veeam is not in the sudoers file.  This incident will be reported.
veeam@srvimmutable01:~$ ufw status
ERROR: You need to be root to run this script
veeam@srvimmutable01:~$ ufw allow in 6163/tcp
ERROR: You need to be root to run this script
veeam@srvimmutable01:~$
And this shows why Veeam is able to add firewall rules

Code: Select all

root@srvimmutable01:~# ps aux | grep veeam
veeam       1298  0.0  0.0 4894900 102104 ?      Ssl  Jan21   0:57 /opt/veeam/transport/veeamtransport --run-service
root        1364  0.0  0.0  85776  7132 ?        Sl   Jan21   0:02 /opt/veeam/transport/veeamtransport --run-environmentsvc 7:6
root        1388  0.0  0.0 158896  8612 ?        Sl   Jan21   0:08 /opt/veeam/transport/veeamimmureposvc --subprocess --stdio 9:7
veeam       3341  0.1  0.0 1147652 30352 ?       Sl   Jan21   5:25 veeamagent -g2500-3300 -i{20a2f474-e780-41ad-9ed4-6d2e618eb3f2}  -lflush,/var/log/VeeamBackup/BRO__naar__Immutable/Agent.LinuxFileCommander.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
root      253785  0.0  0.0  13928  8808 ?        Ss   12:56   0:00 sshd: veeam [priv]
veeam     253798  0.0  0.0  18512  9812 ?        Ss   12:56   0:00 /lib/systemd/systemd --user
veeam     253802  0.0  0.0 168936  3564 ?        S    12:56   0:00 (sd-pam)
veeam     253926  0.0  0.0  14060  6028 ?        S    12:56   0:00 sshd: veeam@pts/1
veeam     253927  0.0  0.0   8276  5216 pts/1    Ss+  12:56   0:00 -bash
veeam     253962  0.1  0.0 1148680 25092 ?       Sl   13:01   0:00 veeamagent -g2500-3300 -i{045e0a5a-7343-4689-9bf1-2b00dcbe92fc}  -lflush,/var/log/VeeamBackup/Immutable__test/Agent.LinuxFileCommander.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
veeam     254256  0.2  0.0 2824712 40908 ?       Sl   13:02   0:00 veeamagent -g2500-3300 -i{ee3685c8-c2f0-425f-b677-1d9b2a5a98c9}  -lflush,/var/log/VeeamBackup/Immutable__test/Agent.Immutable__test.Target.pfSenseVDItst.vm_B180870.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
veeam     254365  0.3  0.0 2824712 40928 ?       Sl   13:02   0:00 veeamagent -g2500-3300 -i{39430fc5-967d-4cab-9a2f-66fcfdacc052}  -lflush,/var/log/VeeamBackup/Immutable__test/Agent.Immutable__test.Target.srvarrtest.vm_B146172.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
veeam     254444  0.9  0.0 4618780 57836 ?       Sl   13:02   0:00 veeamagent -g2500-3300 -i{fd5cae36-7bdc-41f3-bc49-eecb8d5d3a3d}  -lflush,/var/log/VeeamBackup/Immutable__test/Agent.Immutable__test.Target.srvviewplanner.vm_B172044.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
veeam     254533  3.8  0.0 4619888 124216 ?      Sl   13:02   0:01 veeamagent -g2500-3300 -i{47645dd3-b9de-4e9b-b1eb-dd443c387790}  -lflush,/var/log/VeeamBackup/Immutable__test/Agent.Immutable__test.Target.srvwebserver.vm_B103813.log  --setFileLimit=4096 --maxLogCount=10 --mgmtConnKey <snip>
root      254956  0.0  0.0   6432   668 pts/0    R+   13:03   0:00 grep --color=auto veeam
root@srvimmutable01:~#
A veeamtransport and a veeamimmureposvc proces does not run as the Veeam user, but as root.
The other processes do run as user Veeam.

Is this normal?

Edit:
And to answer my own question: https://community.veeam.com/blogs-and-p ... ackups-275

So, it's normal, but it's something i did not expect. I assumed the immutable flag itself was something you could only "set" once as a XFS file system feature. But it works differently, so root is needed to do some stuff.
Well, at least I learned something today. :)
Top
tom_nl
Enthusiast
Posts: 43
Liked: 7 times
Joined: Nov 02, 2018 9:13 am
Contact:
Contact tom_nl

Re: Linux hardened repo Veeam user permissions

Post by tom_nl »

Interesting thread.

Does this mean I only have to allow port 6162 for the transport agent in ufw, and Veeam will open the rest of the needed ports on the fly?
Top
Post Reply

Return to “Veeam Backup & Replication”



Who is online

Users browsing this forum: No registered users and 96 guests