Agentless, cloud-native backup for Microsoft Azure
Post Reply
sumeet
Service Provider
Posts: 143
Liked: 25 times
Joined: Apr 23, 2021 6:40 am
Full Name: Sumeet P
Contact:

Risks highlighted for VBAz appliance/worker

Post by sumeet »

Hello,

We are protecting Azure SQL and files for our client.
Security team at our client has raised the below incidents, which appear to highlight a handful of risks found on the resources/workers used for the backup.

Identified Risks:
INC1121231 Wiz Issue: Weak SSH authentication configuration on a VM instance
INC1121507 Wiz Issue: Weak SSH authentication configuration on a VM instance
INC1121508 Wiz Issue: Weak SSH authentication configuration on a VM instance
INC1121512 Wiz Issue: Azure Virtual Machine with no endpoint protection
INC1121513 Wiz Issue: Azure Virtual Machine with no endpoint protection

On requesting further information from our client, this is what I have received.

For weak SSH configuration --
Edit to ssh configuration file
example path - /etc/ssh/sshd_config
Under this file ensure that:
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password

Wiz obviously is detecting them as Linux machines and has suggested the below -

Microsoft Defender for Endpoint on Linux | Microsoft Learn -- https://learn.microsoft.com/en-us/micro ... -worldwide


Since Veeam backup for Azure is Linux-based Azure VM where Veeam backup for Azure is installed, and this is a appliance provided by Veeam, I opened the following case 05921086.

==========

Veeam support got back with this information -- The SSH configuration can be applied since its basic SSH level access security that can be enabled. Also you can confirm network security group level access rules in place if the VB appliance is in a private subnet. For workers you may configure this SSH setting and enable min/max. workers per link https://helpcenter.veeam.com/docs/vbazu ... tml?ver=40 so that they dont get removed and use the SSH setting you have configured. Every new worker deployed will not have this setting and you will need to manually configure them.

For an endpoint protection its not recommended to install an AV since it may impact any ports/functioning of the appliance/workers if it blocks required Veeam processes. Hence you may want to test with a dummy appliance installing MS Defender or any other AV but Veeam has no guidelines for this and you can run any endpoint protection as long it does not block required Veeam tasks/ports

==========

I was not happy with applying these settings each time a new worker is deployed. So I questioned about how the workers are deployed. But looks like it is not possible to make changes in the VBAz appliance so that new workers have this set automatically when deployed.

I will request PMs to please re-check on this and if not possible, have this request taken for future enhancements. There should be options to be able to edit configuration within worker as part of deployment.
The same applies to the end-point option.

I personally feel that being in public cloud (even within VPN), the security aspects have to be of high priority.

Let me know if you need additional details.

Thanks,
-Sumeet.
nielsengelen
Product Manager
Posts: 5750
Liked: 1210 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Risks highlighted for VBAz appliance/worker

Post by nielsengelen »

Hi,

Are you running in private deployment mode by any chance? As this would lower the risk significantly. We'll look into this for a future release to make this a static change. In te mean time, I'll bring this up internally as well and report back if anything can be done now to ease this.

For the installation of AV, as long as it doesn't interfere with our used ports, it should not be an issue.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
sumeet
Service Provider
Posts: 143
Liked: 25 times
Joined: Apr 23, 2021 6:40 am
Full Name: Sumeet P
Contact:

Re: Risks highlighted for VBAz appliance/worker

Post by sumeet »

Hi Niels,
Can you please provide more details of what you mean by private deployment mode?

Thanks,
-Sumeet.
nielsengelen
Product Manager
Posts: 5750
Liked: 1210 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Risks highlighted for VBAz appliance/worker

Post by nielsengelen »

Within the worker section, you can enable private deployment which allows you to run workers via private endpoints. You can find more details in our user guide.

While it won't change the SSH configuration on our workers (which is the OS default), it will remove the public connection. We do not require port 22 for our workers. As an extra security step, I would suggest creating a dedicated Network Security Group in each region according to our user guide and deny all other communication. Then in the “Network Worker Configuration” wizard associate the workers with the Network Security Group. This combined with full private deployment should probably help in this "Wiz Issue".
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests