How do I backup a physical Hardened Repository server

[ratkinsonuk]

I have a physical Dell server with Ubuntu 20.x installed that's going to be used as a Hardened Repository (with NetApp iSCSI attached disks). The server is currently being backed up using the Veeam Linux agent. I've also stored the admin credentials in Veeam B&R (for now).

When I try to add the server to Veeam as a hardened repository, it complains about the stored credentials.

What I can't get my head around is how to both backup the server and use it as a VHR at the same time. What privileges are required for Veeam to be able to continue the agent backups? Can I simply remove the credentials from B&R and use One-time credentials instead? What happens when I need to upgrade the agent or other Veeam components?

I've spent literally weeks reading all the articles I can find on installing a VHR, but some aspects of it still seem to be a black art or perhaps it's expected we have a firm grip on Linux and can fill in the gaps. Unfortunately, I'm primarily a Windows admin, so struggling with a lot of this.

[Mildur]

Hello Robert

The backup server cannot know about login credentials with administrative permissions. Or an attacker can export and leverage them to delete your backups.
Please also note, that you need to protect your NetApp admin interface. An attacker can delete the iSCSI LUNs on your NetApp and all backups are gone. NetApp and any other SAN storage will not care about immutable files on an iSCSI volume. Such appliances will happily delete iSCSI LUNs.

What I can't get my head around is how to both backup the server and use it as a VHR at the same time.

Do you really require to backup the operating system? It introduces additional security considerations if you deploy additional application to a hardened repository server.
In case you loose a Linux server, you can just deploy Ubuntu again and connect to your iSCSI volume.

If you want to backup your hardened repositories operating system, then use standalone agent not managed by your backup server. Or try <preinstalled agent>-protection group. Both options do not require storing credentials on the backup server.

Best,
Fabian

[ratkinsonuk]

Thanks Fabian.

Unfortunately, we need to take regular backups of the operating system for a number of reasons

- The original VHR server installation is currently 8 pages of notes, so can't be easily replicated from scratch if we needed to rebuild
- The server needs to be patched on a regular basis, so it's naturally changing quite frequently
- Prior to any major configuration changes, e.g. Veeam upgrades, I need a recoverable copy of the server
- The O/S drive is a local internal disk, and not on the SAN. It's also remote, so pulling a raid drive isn't an option either.

The standalone agent may be an alternative, although it's not a great solution given that we rely on a centralised backup application. Can you tell me a little more about the '<preinstalled agent>-protection group' option please. Would that be managed by B&R centrally, or is it still managed directly from the server?

Cheers, Rob.

[ratkinsonuk]

You're probably already aware, but I can't add a 'Managed by Agent' backup to B&R as that requires permanent SSH credentials as well. I'll take a look at the pre-installed option.

[ratkinsonuk]

Umm, looks like something broke in my v12 upgrade as I get "Selected data centre region does not support Sts endpoints" as soon as I click on the Create Protection Group link. So, I'm unable to test that option to see if it's viable.

(BTW, the case number for this is #07143514)

Rob.