Connecting iSCSI only for Backup


by final » Wed Jul 05, 2017 11:21 am

Hi,

One of the things everyone recommends these days is to keep offline backups in case of a ransomware attack. The question is: How do you do it without having to change tapes every day (or plug / unplug a wire)?

We've implemented a secondary backup target that is only connected to the server when a backup copy job actually needs it. Since we run forever forward jobs, this is only about 40 minutes a day! The secondary NAS has a completely separate login password and is not domain joined, so it should be safe during an attack on your network if the storage is not connected.

Our setup is:
- Veeam Backup Server + primary iSCSI Backup target at the data center (always connected)
- Proxy Server + secondary iSCSI Backup target at our main office.

If you connect the secondary iSCSI target to the Veeam server directly, you can put the code of ConnectToNAS.ps1 into preCopy.ps1 and the code of DisconnectFromNAS.ps1 into postCopy.ps1.

I've spent some time getting this to work (PowerShell iSCSI commands are buggy and incomplete), so I thought I'd share the scripts involved. Basically, you need a pre- and a post-script for your copy job. We've been running this for two weeks now with perfect results. After the disconnect, there is no trace of an iSCSI target on the server, so even if an attacker checked manually, he wouldn't find the target unless he finds the scripts. Note that this only works if $DestServer has a single iSCSI target. If you have multiple, you need to adjust the code accordingly. The script will disconnect all iSCSI targets on the server! The scripts involved are:

preCopy.ps1
# Placeholder: the proxy server that holds the iSCSI initiator for the secondary NAS
$DestServer = "<DestServerHostname>"
# Admin account on $DestServer; the password sits here in cleartext (see the note at the end of the post)
$PSCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\DestServerAdminAccount", (ConvertTo-SecureString -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
# Run the connect script on $DestServer itself, then drop the remoting session
Invoke-Command -Session $session -ScriptBlock { C:\scriptpath\ConnectToNAS.ps1 }
Remove-PSSession $session

postCopy.ps1
# Same placeholder and account as in preCopy.ps1
$DestServer = "<DestServerHostname>"
$PSCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\DestServerAdminAccount", (ConvertTo-SecureString -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
# Run the disconnect script on $DestServer so the NAS is detached as soon as the copy job is done
Invoke-Command -Session $session -ScriptBlock { C:\scriptpath\DisconnectFromNAS.ps1 }
Remove-PSSession $session


On $DestServer, we have the following files.
ConnectToNAS.ps1
# Register the NAS as a discovery portal; this populates the target list on this host
New-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -IsHeaderDigest $true -IsDataDigest $true
# Log in to every discovered target with one-way CHAP. Non-persistent: the target must not
# reconnect on its own after a reboot. <ChapUsername> and <ChapSecret> are placeholders.
Get-IscsiTarget | Connect-IscsiTarget -IsDataDigest $true -IsHeaderDigest $true -IsPersistent $false -AuthenticationType ONEWAYCHAP -ChapUsername "<ChapUsername>" -ChapSecret "<ChapSecret>"
Start-Sleep -Seconds 3 # Wait for Get-Disk to actually list the disks
# iSCSI disks arrive offline under the default SAN policy, so bring them online
Get-Disk | Where-Object { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Offline" } | Set-Disk -IsOffline $false
Start-Sleep -Seconds 3 # Wait for the disk to actually become available


DisconnectFromNAS.ps1
# Take the iSCSI disks offline first; a target whose disks are in use cannot be logged out
Get-Disk | Where-Object { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Online" } | Set-Disk -IsOffline $true
Start-Sleep -Seconds 5 # Wait for the disk to go offline, we can't disconnect iSCSI if it isn't
# Remove the discovery portal so no target record is left on the host
Remove-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -Confirm:$false
# Log out of every target this host knows about (all of them, see the caveat above)
Get-IscsiTarget | Disconnect-IscsiTarget -Confirm:$false
# Belt and braces: log out any session that Disconnect-IscsiTarget left behind
$session = Get-IscsiSession
foreach ($s in $session) {
    iscsicli logouttarget $s.SessionIdentifier
}


Maybe you'll find this helpful, or you have some feedback on it. Unfortunately, the script needs an admin account on the DestServer and the password for that account is in cleartext in the file, but Veeam launches its pre-/post-script as LocalSystem on the backup server, and that account is not allowed to execute remote PowerShell on the dest server.
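
As an added example (my code, not the poster's scripts), here is one way to handle the caveat in the post above: a single script on $DestServer that connects or disconnects only the NAS's own target, selected by its IQN, and verifies the result instead of sleeping for a fixed time, so any other iSCSI targets on that host are left alone. The portal name, the IQN, the CHAP values and the script name are placeholders, not values from the post; the cmdlets are the stock iSCSI and Storage module ones.

```powershell
<#
Added example, not from the original post. Connect or disconnect ONE iSCSI target,
selected by its IQN, and verify the result. Placeholders (assumptions, replace them):
the portal name, the target IQN and the CHAP credentials.
Usage on $DestServer:  .\Set-NasTarget.ps1 -Action Connect   (or -Action Disconnect)
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Connect', 'Disconnect')]
    [string]$Action,
    [string]$PortalAddress = 'nas.domain.tld',
    [string]$TargetIqn     = 'iqn.2000-01.com.example:backup-secondary',  # placeholder IQN
    [string]$ChapUser      = '<ChapUsername>',                            # placeholder
    [string]$ChapSecret    = '<ChapSecret>'                               # placeholder
)
$ErrorActionPreference = 'Stop'
Import-Module iSCSI, Storage

function Get-NasSession {
    # Only the sessions that belong to our target; other iSCSI targets on this host are untouched.
    Get-IscsiSession -ErrorAction SilentlyContinue | Where-Object { $_.TargetNodeAddress -eq $TargetIqn }
}

function Get-NasDisk {
    # Disks reached through our sessions only (no BusType-wide filter, so nothing else is touched).
    Get-NasSession | Get-Disk -ErrorAction SilentlyContinue
}

function Wait-Until {
    param([scriptblock]$Condition, [string]$What, [int]$TimeoutSec = 30)
    # Poll instead of a fixed Start-Sleep: the iSCSI and disk stacks settle at different speeds.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (& $Condition)) {
        if ((Get-Date) -gt $deadline) { throw "Timed out after ${TimeoutSec}s waiting for: $What" }
        Start-Sleep -Seconds 1
    }
}

switch ($Action) {
    'Connect' {
        # Register the discovery portal only if it is not there already (safe to re-run).
        $portal = Get-IscsiTargetPortal -ErrorAction SilentlyContinue |
                  Where-Object { $_.TargetPortalAddress -eq $PortalAddress }
        if (-not $portal) {
            New-IscsiTargetPortal -TargetPortalAddress $PortalAddress -IsHeaderDigest $true -IsDataDigest $true | Out-Null
        }
        Update-IscsiTarget   # refresh the discovered-target list from the portal
        $target = Get-IscsiTarget -NodeAddress $TargetIqn -ErrorAction SilentlyContinue
        if (-not $target) { throw "Portal $PortalAddress does not offer target $TargetIqn" }
        if (-not $target.IsConnected) {
            # Non-persistent: the target must NOT reappear on its own after a reboot.
            Connect-IscsiTarget -NodeAddress $TargetIqn -TargetPortalAddress $PortalAddress `
                -AuthenticationType ONEWAYCHAP -ChapUsername $ChapUser -ChapSecret $ChapSecret `
                -IsHeaderDigest $true -IsDataDigest $true -IsPersistent $false | Out-Null
        }
        Wait-Until { Get-NasSession } -What 'iSCSI session login'
        Update-HostStorageCache
        Wait-Until { Get-NasDisk } -What 'disk enumeration'
        # iSCSI disks arrive offline under the default SAN policy; bring only ours online.
        Get-NasDisk | Where-Object { $_.IsOffline } | Set-Disk -IsOffline $false
        $vols = Get-NasDisk | Get-Partition -ErrorAction SilentlyContinue |
                Get-Volume -ErrorAction SilentlyContinue | Where-Object { $_.DriveLetter }
        if (-not $vols) { throw "Target $TargetIqn is connected but no lettered volume came online" }
        "Connected $TargetIqn; volumes online: $(($vols.DriveLetter | ForEach-Object { "$($_):" }) -join ', ')"
    }
    'Disconnect' {
        # Offline the disks first; a target with in-use disks cannot be logged out cleanly.
        Get-NasDisk | Where-Object { -not $_.IsOffline } | Set-Disk -IsOffline $true
        Wait-Until { -not (Get-NasDisk | Where-Object { -not $_.IsOffline }) } -What 'disks offline'
        Get-IscsiTarget -NodeAddress $TargetIqn -ErrorAction SilentlyContinue |
            Where-Object { $_.IsConnected } | Disconnect-IscsiTarget -Confirm:$false
        # Fallback for sessions the cmdlet leaves behind: the post's iscsicli workaround, scoped to our target.
        foreach ($s in Get-NasSession) { iscsicli LogoutTarget $s.SessionIdentifier | Out-Null }
        Wait-Until { -not (Get-NasSession) } -What 'session logout'
        # Remove the portal so no target record survives for an attacker to find.
        Remove-IscsiTargetPortal -TargetPortalAddress $PortalAddress -Confirm:$false
        $leftover = @(Get-IscsiTarget -NodeAddress $TargetIqn -ErrorAction SilentlyContinue) +
                    @(Get-IscsiTargetPortal -ErrorAction SilentlyContinue |
                      Where-Object { $_.TargetPortalAddress -eq $PortalAddress })
        if ($leftover.Count -gt 0) { throw "iSCSI target or portal for $PortalAddress still present after disconnect" }
        "Disconnected $TargetIqn; no session, target record or portal remains"
    }
}
```

From the pre-script, run it over the existing remoting session with `Invoke-Command -Session $session -FilePath C:\scriptpath\Set-NasTarget.ps1 -ArgumentList Connect`, and from the post-script with `Disconnect`. Two deliberate differences from the post's scripts: the target is logged out before the portal is removed, and every step that used to be a Start-Sleep is a polled check with a timeout, so an incomplete disconnect throws rather than returning quietly with the NAS still attached.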

Re: Connecting iSCSI only for Backup

by final » Thu Sep 14, 2017 9:10 am

I've extended our script a little. It turns out it would also be nice to still have the Veeam config after an attack. Just add these 4 lines at the top of postCopy.ps1:

head of postCopy.ps1
Add-PSSnapin VeeamPSSnapIn
# Point the configuration backup job at the secondary repository while the NAS is still connected.
# -Repository takes a repository object, so look it up by name.
Set-VBRConfigurationBackupJob -Repository (Get-VBRBackupRepository -Name "Name of secondary Repository")
Start-VBRConfigurationBackupJob
# Switch back so the scheduled configuration backups keep going to the primary repository
Set-VBRConfigurationBackupJob -Repository (Get-VBRBackupRepository -Name "Name of primary Repository")


In my case, a config backup takes about 45 seconds, but I guess there are systems with very large configs. Keep in mind that pre- and post-scripts are limited to 15 minutes of runtime.

