How to protect my backups?

[Thomas_VDB]

Hi,

We are using Veeam B&R to make a nightly backups and backup Copies.
All VM's of our 2 ESXi hosts are backed up each night to the HD of our Veeam Server, which is a physical server close to the 2 hosts.
Immediatly after the backups, the Backup copies are made to a NAS (Raid10) which is located on the other side of the building, and connected via iSCSI to the Veeam Server.

We have been hit before with ransomware, but Veeam saved the day with simple restores.

Because we are using 'always connected' hard drives as backup medium (for both backups and backup copies), it is not impossible that our backups should get encrypted as well.
I am a big fan of using HD as backup medium, because I like my backups as automated as possible. Manually rotating USB drives or
tapes just requires too much discipline .

Anybody got some advice to protect against backup encryption on 'always on' HD media?
Don't want to be hit by ransomware and discover that the backups are useless...
- We are using surebackup to test are backups nightly.
- Now our Veeam Backup server is joined to the domain. Which means that if the ransomware knows the domain admin pw, it can start encrypting our Server VM's AND the backups. Would it be usefull to throw the Veeam Backup Server off the domain and use a local account only (with different credentials)?

[Mike Resseler]

Thomas,

There are many additional defenses you can do. You already named one, making it a server outside of the domain and work with a dedicated account only known by limited people (not too mention to separate the writing account for the storage and so on and so forth.

But in your entire design, I seem to be missing the 1 in the 3-2-1 rule. Now you stated that you don't want to work with rotated drives / tapes and I assuming you don't have a remote datacenter so have you already looked at cloud connect? That could be your safety net here

Just a thought
Mike

[tpayton]

In support we've had some customers report that they are making the move to using Linux repositories. They seem to like the idea of having a system that is outside the domain, and a different OS than most ransomware is meant to affect. And since Veeam doesn't need that Linux server to have NFS or CIFS turned on there isn't much access into the Linux server other than through SSH.

[Thomas_VDB]

Hi,
Thanks for the replies. Both of them are very usefull.
Yes we are not using the 3 2 1 rule (only 2 copies of our data), and have no datacenter as we are an SMB (only 20 people).
To get closer to the 3 2 1 rule, we should add another Backup copy. This could then be to the cloud,
but also the linux repository is a very good idea.
I'll evaluate with my collegues and get to it.
Thanks!
Thomas.

[Mike Resseler]

Hi Ben,

While I agree with Tyler that the ransomware change on Linux is lower, it does exists. There is already ransomware for Linux. Not that many in the wild compared to Windows but they do exist which means you still can get infected so keep that also in mind when making a decision and if you go for Linux, don't forget to still use dedicated accounts