joergr (Joerg Riether), Veteran

future improvements for the new immutable linux repo

Post by joergr »

Hi guys,

First of all, I really like the idea, the work and all the efforts Veeam has put into the immutable Linux repo system in the V11 product.

I had a few thoughts about the topic and made up my mind. So here are some ideas for future improvements for the new immutable Linux repo.

a) It would be good if the Linux system could not be reachable at all: so besides closing OpenSSH, also closing veeamtransport on, for instance, port 6162. One could solve it in such a way that the connection is established from the inside (on the Linux side) to the Veeam server statefully, and thus no port on the Linux side would need to be reachable from the outside at all.

b) At the same time, there are ways for inexperienced Linux users to make mistakes (for example, not having cleaned up the sudoers file after they used it, or not having disabled NTP or SSH, and so on). Here it might be a good idea if Veeam could ship its own small hardened Linux, as a VM or ISO file, in the future.

Thoughts?

Thanks,

Joerg
Gostev, Chief Product Officer, Baar, Switzerland

Re: future improvements for the new immutable linux repo

Post by Gostev »

Hi, Joerg

Thanks for your kind words!

a) Since the Linux system does not know WHEN to establish the connection, it would have to keep a persistent connection to the backup server. This would require a major redesign of the core architecture and a long period of stabilization, which is quite hard to justify, and it does not help security all that much, as the hacker will still be able to connect to the data mover from the taken-over backup server (which is how every attack starts).

b) Actually, we blocked the ability to accidentally populate the sudoers file right in the user interface in the V11 GA build. And there is a community tool already that helps inexperienced users with securing their hardened repository. As for a custom Linux distro, see my answer here.

Thanks!
Anton
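The three mistakes Joerg lists (a leftover sudoers grant, SSH left enabled, NTP left enabled) and the community hardening tool Anton mentions suggest what a post-hardening audit of such a repository looks like. The script below is an added example, not code from this thread, from Veeam, or from that community tool. It assumes the single-use transport account is named `veeam`, that 6162 (the veeamtransport port named above) is the only TCP port expected to listen, and that the systemd unit names in the flag list match your distribution; the sudoers, `ss` and `systemctl` inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example: post-hardening audit for a Linux backup repository.
# Not Veeam's code and not the community tool mentioned in the thread.
# Assumptions: transport account is "veeam"; only port 6162 should listen;
# unit names below match the distribution. Also check /etc/sudoers.d/* on
# real hosts; only the main file is shown here.

# sudoers_clean SUDOERS_TEXT USER
# Returns 0 when no non-comment line grants sudo rights to USER, 1 otherwise.
sudoers_clean() {
  ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
    | grep -Eq "^[[:space:]]*$2[[:space:]]+"
}

# unexpected_listeners SS_OUTPUT ALLOWED_PORTS
# SS_OUTPUT is the header-less output of `ss -H -ltn`; prints, sorted and
# space-separated, the listening TCP ports not in the ALLOWED_PORTS list.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 { sub(/.*:/, "", $4); if (!($4 in ok)) print $4 }' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# flagged_services UNIT_FILES FLAG_LIST
# UNIT_FILES is the output of `systemctl list-unit-files --type=service`;
# prints every unit from the space-separated FLAG_LIST whose state is enabled.
flagged_services() {
  printf '%s\n' "$1" | awk -v flag="$2" '
    BEGIN { n = split(flag, f, " "); for (i = 1; i <= n; i++) bad[f[i]] = 1 }
    ($1 in bad) && $2 == "enabled" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# run_audit SUDOERS_TEXT SS_OUTPUT UNIT_FILES
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
run_audit() {
  status=0
  if ! sudoers_clean "$1" veeam; then
    echo "FINDING: sudoers still grants rights to the veeam account"; status=1
  fi
  ports=$(unexpected_listeners "$2" "6162")
  if [ -n "$ports" ]; then
    echo "FINDING: unexpected listening TCP ports: $ports"; status=1
  fi
  units=$(flagged_services "$3" \
    "ssh.service sshd.service chrony.service chronyd.service ntp.service ntpd.service systemd-timesyncd.service")
  if [ -n "$units" ]; then
    echo "FINDING: services still enabled: $units"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: no findings"
  return "$status"
}

# Constructed sample inputs standing in for the real file and command output.
SAMPLE_SUDOERS='# /etc/sudoers (constructed sample)
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
veeam   ALL=(ALL) NOPASSWD: ALL'

SAMPLE_SS='LISTEN 0 128  0.0.0.0:22   0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6162 0.0.0.0:*
LISTEN 0 128  [::]:22      [::]:*
LISTEN 0 128  0.0.0.0:111  0.0.0.0:*'

SAMPLE_UNITS='UNIT FILE STATE VENDOR PRESET
ssh.service enabled enabled
chrony.service enabled enabled
cron.service enabled enabled'

# On a real host pass "$(cat /etc/sudoers)", "$(ss -H -ltn)" and
# "$(systemctl list-unit-files --type=service --no-pager)" instead.
run_audit "$SAMPLE_SUDOERS" "$SAMPLE_SS" "$SAMPLE_UNITS" \
  || echo "Fix the findings above before relying on immutability."
```

Against the constructed samples the audit reports all three findings (the `veeam` sudoers line, ports 22 and 111 listening, `ssh.service` and `chrony.service` enabled); on a correctly cleaned-up host it prints `OK: no findings` and exits 0, which makes it easy to run from a scheduled job and alert on a nonzero status.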

Re: future improvements for the new immutable linux repo

Post by joergr »

Hi Anton,

Thanks so much for the professional and useful insight; as always, highly appreciated.

My thought regarding a) was that you cannot actively discover it on the network if you scan for it, nor can you try to open a connection to it. But then again, you are very right regarding the situation where the Veeam server was hacked and thus access is given even if the Linux repo statefully connected from itself. One little advantage would be that you could prevent external discovery without the Veeam server if, for some reason, the Veeam service on the Linux repo were vulnerable to an RCE. But then again, that is perhaps already thinking too far ahead and maybe too pessimistic.

Regarding b), yeah, I hear you: maintaining a complete Linux, even a mini Linux, can be quite a challenge and would certainly tie up many resources that are more urgently needed elsewhere in dev.

Thanks!
Joerg