Hardened Repository best practice deployment

[Backup.Operator]

I wonder if there is a best practice guidelines on how to plan, architect and deploy the Hardened Backup repository.
Shall I configure it as Backup Job from the VMware or the Backup Copy job from the XFS repo?

[FrenchBlue]

Hello,

It's quite simple, just follow this guide https://bp.veeam.com/vbr/Security/harde ... linux.html
I don't understand the second question?

[Mildur]

Hi Backup Operator

Hannes has created some blog post with guidelines:

• Selecting Hardware and Setting Up Environment for Veeam Hardened Repository
• Installing Ubuntu Linux for Veeam Hardened Repository
• Securing Veeam Hardened Repository Against Remote Time Attacks
• Ubuntu Linux Essentials: Booting Into Single User Mode and Protecting Against Unauthorized Access
• Securing Veeam Hardened Repository

You can also check out or new hardening script, which applies additional Linux OS hardening settings.
https://www.veeam.com/sys507

Best,
Fabian

[FrankCl2]

I dont want to hijack this topic, but I've been playing around with these blogpost myself for a couple of days and I was wondering how this auditing works.
I'm not a real Linux guy and pretty green when it comes to security as well. And the hardening script does a lot of changes when it comes to generating audit logs. But how or where do I find those audit logs? Is this something which is generated autmatically after running that script? Or do I need to configure this myself?

Any info would greatly appreciated!

[HannesK]

Hello,
audit logs are in /var/log/audit/

auditd uses the path automatically, yes.

Best regards,
Hannes

[johannesk]

Hi Fabian,

If one has setup Rocky linux according to the Veeam documentation (as documented in the blog by Hannes), thus with root disabled, ssh disabled and the DISA STIG profile, minimal install, is the VHR script doing anything more?
https://www.veeam.com/sys507

Or is it just to apply to Linux repository setup that was not initially setup according to the Veeam documentation on VHR?

Regards,
Jóhannes

[FrenchBlue]

Hello,

Generic question: how do you connect to the repo once SSH is disabled? Especially if it's not a VM. Using the server KVM over ip console and then enabling ssh temporarily? Then sudo if root login is disabled?

[pybfr]

ideally you don't
But when it's required, yes you can use a KVM or better a physical console, so you do not need to enable SSH at all.

[FrenchBlue]

Thanks. Yeah in theory you don't, but of course irl you sometimes have to log in there

[IanBolton]

Hello,

Generic question: how do you connect to the repo once SSH is disabled? Especially if it's not a VM. Using the server KVM over ip console and then enabling ssh temporarily? Then sudo if root login is disabled?

For my linux repos, SSH is generally disabled, the firewall doesn't have the ssh rule enabled, the iLO card uses unique credentials per host, each is connected to a disabled LAN port.

So although it isnt impossible, an attacker must compromise multiple layers to gain access.

The flipside of that is that there's a lot to unpick on the rare occasions that I need to jump on!