Veeamagent open ports during backup

[Hejah]

Hallo,
during the backup run the veeamagent listens on all IP addresses of the system for incomming TCP connections on port 2500 and 2501.

Code: Select all

# ss -tulpen | grep veeam
tcp    LISTEN   0        128                0.0.0.0:2501          0.0.0.0:*      users:(("veeamagent",pid=19110,fd=21)) ino:1070444 sk:32a <->                  
tcp    LISTEN   0        128                0.0.0.0:2502          0.0.0.0:*      users:(("veeamagent",pid=19125,fd=22)) ino:1071625 sk:32b <-> 

From my understanding of the documentation there is no need for incoming connections from other systems.
https://helpcenter.veeam.com/docs/agent ... tml?ver=30

For what kind of communication is the agent listening?

How is the communication to those ports authenticate?
(Could someone send data or maybe exploit a hypothetical bug via internet if the port is not protected by a firewall?)

If this is only for connections on the system why it uses 0.0.0.0 and not 127.0.0.1?

Is there a way to prevent the agent from listening on public or all IP addresses but 127.0.0.1?


Veeam Agent for Linux 3.0.2.1185 (free)
Ubuntu Bionic Beaver 18.04
Backup target smb share

kind regards

[PTide]

Hi,

For what kind of communication is the agent listening?

It is listening for connections from VBR server.

How is the communication to those ports authenticate? (Could someone send data or maybe exploit a hypothetical bug via internet if the port is not protected by a firewall?)

When the agent works with VBR, it requires authentication via our internal mechanisms. So, no, sending data from outside to that port won't do anything unless it was sent by a VBR that is already known to the agent. Just don't block those ports on a loopback : )

Is there a way to prevent the agent from listening on public or all IP addresses but 127.0.0.1?

No, not really. We need to patch it and we will do that soon.

Thanks!

[Hejah]

Thanks!