aj_potc
Expert
Posts: 149
Liked: 35 times
Joined: Mar 17, 2018 12:43 pm

Ports 6160 and 6162 always opened by default?

Post by aj_potc »

When setting up Veeam Agent for Linux, or when using a Linux-based system as a repository, Veeam seems to always open ports 6160 (installer) and 6162 (data mover).

This is documented here:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

That makes sense, as the Veeam components have to communicate with the VBR server. However, what if we want to open those ports only for a specific firewalld zone or a specific network interface? According to the documentation, we can tell Veeam to use a specific firewalld zone:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

But this doesn't seem to work as written. Even if you designate a firewalld zone for Veeam traffic, the software still opens ports 6160 and 6162 in all active zones, which includes the public one. You can see this in action here (see the first two screenshots, which show 6160/6162 open in the public and veeamonly zones):
https://community.veeam.com/yara-and-sc ... zones-5064

The author of that article doesn't seem to see any problem; he's happy that ports 2500+ are now properly firewalled.

In my particular case, I have a virtual network interface assigned to a particular zone which should handle all Veeam communication. However, on all of my Veeam agents and repositories, ports 6160 and 6162 are being opened on my public interface. Is there any way to prevent this? Or should I not worry about it as long as ports 2500+ are not publicly accessible?

Thanks very much for any insight!
Mildur
Product Manager
Posts: 9385
Liked: 2500 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Ports 6160 and 6162 always opened by default?

Post by Mildur »

Hi AJ_Potc

The help center article you have shared talks about "automatically opens ports used by the Veeam Data Mover".
Veeam Data Mover ports are Port 2500 to 3300. When we start a job session, for each task we start a VeeamAgent process. The first VeeamAgent process will start with Port 2500, the second will use Port 2501, ...
Those ports are automatically opened in your Linux firewall in the specified zone. But Port 6160 + 6162 are not part of that automatic configuration.

> But this doesn't seem to work as written.

To conclude my comment, it works as expected.
Data Mover ports are automatically opened in the specified zone. Other ports do not use the /etc/VeeamNetConfig configuration.

Best,
Fabian
Product Management Analyst @ Veeam Software
aj_potc
Expert
Posts: 149
Liked: 35 times
Joined: Mar 17, 2018 12:43 pm

Re: Ports 6160 and 6162 always opened by default?

Post by aj_potc »

Hi Fabian,

Thanks for your reply, and I appreciate the correction.

The article I cited indeed doesn't mention port 6160, but it does say:

> Port 6162 is opened by default. It is a port used by Veeam Data Mover.

For this reason, and because I see 6160 being opened as well, I assumed the article was referring to these two ports in addition to the data mover port range from 2500-3300.

However, this still leaves the important questions open:

- Is there any security risk of having ports 6160 and 6162 open on my public, Internet-accessible interfaces on all Linux agents and repositories?
- If there is some risk, then how can I limit Veeam to using only a specific interface and prevent it from opening those ports?

As I mentioned in my post, regardless of my firewalld settings, I can't find a way to stop Veeam from opening these ports on all active interfaces. Even if I manually remove the rules that open ports 6160 and 6162, Veeam will immediately open them again when I do a Rescan of the agent/repository. I assume this is by design.

Thanks for any help.
Mildur
Product Manager
Posts: 9385
Liked: 2500 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Ports 6160 and 6162 always opened by default?

Post by Mildur »

> Is there any security risk of having ports 6160 and 6162 open on my public, Internet-accessible interfaces on all Linux agents and repositories?

There is always the possibility of a security risk with open ports. But it always depends on the service behind the port.
A hacker can only leverage this open port if the service behind the port has design flaws that make it attackable.

Please allow me to ask a question.
Why are the agents and repositories published directly to the internet, with Port 6160 and 6162 available from everywhere? That either requires port forwarding on your firewall or assigning those machines public IP addresses.
Normally there is a firewall at the entry point to your network, which blocks every request from the internet.

> If there is some risk, then how can I limit Veeam to using only a specific interface and prevent it from opening those ports?

Instead of removing the entries, can you adjust the firewall rules to only allow connections from the backup server to the installer service?

Best,
Fabian
Product Management Analyst @ Veeam Software
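The two practical tasks raised in this thread are (a) confirming which firewalld zones actually expose 6160/6162, since the first post reports them appearing in every active zone rather than only the designated one, and (b) following the suggestion above to restrict those ports to the backup server instead of leaving them open to any source. The script below is an added example, not code from Veeam or from either poster: it parses the plain-text output of `firewall-cmd --list-all-zones` (a constructed sample here, shaped like the situation described in the thread, with a `public` zone on `eth0` and a `veeamonly` zone on `wg0`), flags zones other than the Veeam zone that open the installer or data-mover port, and drafts the `firewall-cmd` rich-rule commands that would replace the blanket openings with source-restricted ones. The zone name `veeamonly` comes from the linked community post; the backup server address `10.8.0.1` and the interface names are assumptions.

```python
"""Audit firewalld zones for Veeam ports and draft source-restricted rich rules.

Added example (not Veeam's or the forum posters' code). It parses the text
listing produced by `firewall-cmd --list-all-zones`; the listing below is
constructed to mirror the thread: 6160/6162 open in both 'public' and
'veeamonly', which is exactly the exposure the first post complains about.
"""

VEEAM_PORTS = {6160, 6162}   # installer service and data mover, per the thread
VEEAM_ZONE = "veeamonly"     # zone dedicated to Veeam traffic (name from the linked post)
BACKUP_SERVER = "10.8.0.1"   # assumed address of the VBR server on the private mesh

# Constructed sample of `firewall-cmd --list-all-zones` output: a zone header
# line (with "(active)" when an interface or source is bound), then indented
# "key: value" lines.
SAMPLE_LISTING = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh http https
  ports: 6160/tcp 6162/tcp
  protocols:
  forward: yes
  masquerade: no
  rich rules:

veeamonly (active)
  target: default
  icmp-block-inversion: no
  interfaces: wg0
  sources:
  services:
  ports: 6160/tcp 6162/tcp 2500-3300/tcp
  protocols:
  forward: yes
  masquerade: no
  rich rules:

trusted
  target: ACCEPT
  interfaces:
  sources:
  services:
  ports:
  rich rules:
"""


def expand_port_spec(spec: str) -> set:
    """'6160/tcp' -> {6160}; '2500-3300/tcp' -> {2500..3300}; non-TCP specs are ignored."""
    port_part, _, proto = spec.partition("/")
    if proto and proto != "tcp":
        return set()
    if "-" in port_part:
        lo, hi = (int(p) for p in port_part.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(port_part)}


def parse_zones(listing: str) -> dict:
    """Return {zone_name: {"active": bool, "interfaces": [...], "ports": set()}}."""
    zones = {}
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # zone header, e.g. "public (active)"
            name, _, marker = line.partition(" ")
            current = zones.setdefault(
                name, {"active": "(active)" in marker, "interfaces": [], "ports": set()}
            )
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "interfaces":
            current["interfaces"] = value.split()
        elif key == "ports":
            for spec in value.split():
                current["ports"].update(expand_port_spec(spec))
    return zones


def exposed_zones(zones: dict, allowed_zone: str = VEEAM_ZONE) -> list:
    """Active zones, other than the Veeam zone, that open 6160 or 6162 to any source."""
    return sorted(
        name for name, z in zones.items()
        if z["active"] and name != allowed_zone and z["ports"] & VEEAM_PORTS
    )


def remediation_commands(zone: str, backup_server: str = BACKUP_SERVER) -> list:
    """Draft firewall-cmd commands that drop the blanket port openings in `zone`
    and add rich rules accepting those ports only from the backup server.
    Returned as strings for review; nothing is executed here."""
    cmds = []
    for port in sorted(VEEAM_PORTS):
        cmds.append(f"firewall-cmd --permanent --zone={zone} --remove-port={port}/tcp")
        cmds.append(
            f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
            f"'rule family=\"ipv4\" source address=\"{backup_server}\" "
            f"port port=\"{port}\" protocol=\"tcp\" accept'"
        )
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_LISTING)
    for name in exposed_zones(zones):
        ifaces = ", ".join(zones[name]["interfaces"]) or "(none)"
        hit = sorted(zones[name]["ports"] & VEEAM_PORTS)
        print(f"zone {name!r} on {ifaces} exposes Veeam ports {hit}")
        for cmd in remediation_commands(name):
            print("  " + cmd)
```

Run against the constructed listing it reports only `public` (on `eth0`), because `veeamonly` is the intended zone and `trusted` is not active. The drafted commands are the concrete form of the suggestion above: the ports stay reachable from the backup server's address, and nothing else. One caveat the thread itself raises: the original poster reports that a rescan re-adds Veeam's own port entries, so after any rescan the audit should be run again to confirm the blanket openings have not returned.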
aj_potc
Expert
Posts: 149
Liked: 35 times
Joined: Mar 17, 2018 12:43 pm

Re: Ports 6160 and 6162 always opened by default?

Post by aj_potc »

Hi Fabian,

Thanks for the reply.

It's my understanding that best practice is to run Veeam services only on private/firewalled networks. Each of my systems has a private, virtual network interface that allows Veeam to communicate over a mesh VPN via non-Internet routable IP addresses.

> Why are the agents and repositories published directly to the internet, with Port 6160 and 6162 available from everywhere?

It's certainly not by my choice. :-) Veeam is opening these ports in all active firewalld zones when I install Veeam Agent for Linux or set up a Linux system as a repository. You can see it happening in the example I linked in my first post (https://community.veeam.com/yara-and-sc ... zones-5064).

> That either requires a Port forwarding on your firewall or assigning those machines public IP addresses.

I'm using firewalld as my only firewall for certain remote systems, most of which are virtual servers rented from various providers. And these systems must have publicly routable IP addresses, as they are providing Web services.

> Instead of removing the entries, can you adjust the firewall rules to only allow connection from backup server to the installer service?

I haven't tested this, and I'm not sure if it would conflict with Veeam's rules or be overridden by them. But I really don't want any extra ports opened on my public network interface, as Veeam already has a private network interface that it should be using.

Is there any way to tell Veeam that it shouldn't be touching my firewalld settings? I wish the solution were as easy as removing the rules, but Veeam recreates them.

Thanks for your insight.