Connecting iSCSI only for Backup

[final]

Hi,

One of the things everyone recommends these days is to keep offline backups in case of a ransomware attack. The question is: How do you do it without having to change tapes every day (or plug / unplug a wire)?

We've implemented a secondary backup target that is only connected to the server when a backup copy job actually needs it. Since we run forever forward jobs, this is only about 40 minutes a day! The secondary NAS has a completely separate login password and is not domain joined, so it should be save during a attack on your network if the storage is not connected.

Our setup is:
- Veeam Backup Server + primary iSCSI Backup target at the data center (always connected)
- Proxy Server + secondary iSCSI Backup target at our main office.

If you connect the secondary iSCSI target to the veeam server direcly, you can put the code of connectToNAS.ps1 into preCopy.ps1 and the code of disconnectFromNAS.ps1 into postCopy.ps1

I've spent some time to get this to work (Powershell iSCSI commands are buggy and incomplete), so I thought I'd share the scripts involved. Basically, you need a pre- and post-script of your Copy job. We've been running this for two weeks now with perfect results. After the disconnect, there is no trace of an iSCSI target on the Server, so even if an attacker checked manually, he wouldn't find the target unless he finds the scripts. Note that this only works if $DestServer has a single iSCSI target. If you have multiple, you need to adjust the code respectively. The script will disconnect all iSCSI targets on the server! The scripts involved are:

preCopy.ps1

Code: Select all

$PSCred = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\DestServerAdminAccount", (convertto-securestring -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
invoke-command -Session $session -ScriptBlock {c:\scriptpath\ConnectToNAS.ps1 }
Remove-PSSession $session

postCopy.ps1

Code: Select all

$PSCred = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\DestServerAdminAccount", (convertto-securestring -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
invoke-command -Session $session -ScriptBlock {c:\scriptpath\DisconnectFromNAS.ps1 }
Remove-PSSession $session

On $DestServer, we have the following files.
ConnectToNAS.ps1

Code: Select all

New-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -IsHeaderDigest $true -IsDataDigest $true
Get-IscsiTarget | Connect-IscsiTarget -IsDataDigest $true -IsHeaderDigest $true -IsPersistent $false -AuthenticationType ONEWAYCHAP -ChapUsername <ChapUsername> -ChapSecret <ChapSecret>
start-sleep -Seconds 3 #Wait for get-disk to actually list the disks
get-disk | ? { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Offline" } | Set-Disk -IsOffline $false
start-sleep -seconds 3 #wait for the disk to actually become available

DisconnectFromNAS.ps1

Code: Select all

get-disk | ? { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Online" } | Set-Disk -IsOffline $true
Start-Sleep -Seconds 5 #Wait for disk to go offline, we can't disconnect iSCSI if it isn't
Remove-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -Confirm:$false
Get-IscsiTarget | Disconnect-IscsiTarget -Confirm:$false
$session = Get-IscsiSession
foreach ($s in $session) {
    iscsicli logouttarget $s.SessionIdentifier
}

Maybe you'll find this helpful or you have any feedback for it. Unfortunately, the script needs a Admin account on the DestServer and the password for that account is cleartext in the file, but Veeam launches its pre / post-script as localsystem on the backup server, and that account is not allowed to execute remote powershell on the dest server.

[final]

I've extended our script a little - turns out it would also be nice to still have the veeam config after an attack. Just add those 4 lines on top of postCopy.ps1

head of postCopy.ps1

Code: Select all

Add-PSSnapin VeeamPSSnapIn
Set-VBRConfigurationBackupJob -Repository "Name of secondary Repository"
Start-VBRConfigurationBackupJob
Set-VBRConfigurationBackupJob -Repository "Name of primary Repository"

In my case, a config backup takes about 45 seconds, but I guess there are systems with very large configs. Keep in mind that pre- and post-script are limited to 15 minutes runtime.

[nvolle]

Hello,

Thank you very much for the hard work you have done here.
I am now using your scripts and they work like a charm.

For not putting a password into a script files I have used this little trick.

Precopy.bat file is looking like this :

Code: Select all

PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""ConnectToNas.ps1""' -Verb RunAs}";

And Postcopy.bay file is looking like this :

Code: Select all

PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""DisconnectFromNas.ps1""' -Verb RunAs}";

Doing like this allow me to run my powershell scripts as Admin but without the need of settings a password.
I just needed to disable UAC on my server but I prefere this rather than an admin password into a script.

[oleg.feoktistov]

Hi,

Or else you can add a credential to Windows Credential Manager beforehand, install CredentialManager Powershell module
and import stored credential directly into your script. Password will be already stored as a secure string:

Code: Select all

Install-Module CredentialManager
$adminCreds = Get-StoredCredential | Where-Object {$_.UserName -eq 'username'}

Best regards,
Oleg