I've been playing around with v11 and a 24TB iSCSI NAS (which is my repository). I built a couple of Windows 2019 VMs, and a 2019 VBR server (v11, the build for partners that was available last week before going GA today), and a Ubuntu 18.04 VM. All these VMs are on a single ESXi host. The iSCSI is cross connected to a 10GbE port on the ESXi host and the Ubuntu 18.04 VM has two vmxnet3 NICs: one on the data vSwitch and one on the iSCSI vSwitch (which uses the vmnic that the NAS is plugged into). I've mounted the iSCSI NAS in the Ubuntu VM and formatted it with XFS and reflinks. I added this as my repo in VBR and enabled immutability. All things considered, the performance is decent given the bonus of immutability at the price point of the NAS.
In my testing, I wanted to see what happens if an attacker is able to delete the Ubuntu VM. I shut it off, built another new Ubuntu VM (this time with 20.04), and was able to re-add the iSCSI target, rescan in VBR, and perform a restore of one of the Windows VMs - again all at an acceptable performance level and in a reasonable amount of time.
After this I wanted to take it to the next step and see what damage the attacker is able to do via SSH to the Ubuntu VM and sudo... So I logged into the 20.04 VM with the Veeam repo user credentials, went to the folder where my repo is mounted and ran "rm -rf *". I was kinda shocked to see it deleted all the vib files and vbm files present, but it was unable to remove the vbk files (I'm only shocked because in my previous testing under 18.04, I don't recall seeing this occur). Ok - so we still got "some" immutability going on here, and a full backup that is 6 or 7 days old is way better than no backups at all!
When I went back to VBR and rescanned the repo, it did not detect any backups, and all my disk based backups are now gone on the Home tab. I edited the repo and told it to import any existing backups in the repo. Again no backups were found.
So my question is - I know there are still .vbk files there - how would I restore them from the Linux XFS repo at this point should an attack like this actually occur? I'm pretty sure if it was a Windows repo, I could just browse to it in Explorer, double click the .vbk and open it. But since it's a Linux XFS repo, I'm not sure what steps I'd take here.
**Edit... I guess I could maybe configure CIFS/SMB on the Ubuntu VM and then browse the repo with Explorer and double-click the .vbk to open it. But is there a more elegant / easier way than this?
dcc (Dean Colpitts, Veeam ProPartner, Atlantic coast of Canada)
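The outcome described in the opening post (the .vbk files survived "rm -rf *" while the .vib and .vbm files did not) is exactly what an audit of the repository's file attributes would show ahead of time. Veeam's hardened Linux repository protects files with the Linux immutable attribute, which lsattr displays as the letter "i". The following script is an added example and is not code from the thread or from Veeam: it reads lsattr-style output (the sample lines below are constructed; the job and VM names are placeholders) and reports which backup files lack the immutable bit and are therefore deletable by anyone with write access or sudo. The function names audit_immutable and count_mutable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Veeam): audit which backup files
# in a Linux repository carry the immutable attribute. lsattr prints one line
# per file, attribute string first, path second, e.g.
#   ----i---------e------- /mnt/repo/Job1/srv01.vbk
# A lowercase "i" in the attribute string means the file is immutable and
# cannot be removed until the bit is cleared (which itself needs root).
# Only Veeam backup and metadata extensions are considered.

# Reads lsattr output on stdin; prints "IMMUTABLE <path>" or "MUTABLE <path>".
audit_immutable() {
  while read -r attrs path; do
    # skip blank lines and the "dir:" headers that lsattr -R emits
    [ -n "$path" ] || continue
    case "$path" in
      *.vbk|*.vib|*.vrb|*.vbm) ;;   # Veeam full, incremental, reverse, metadata
      *) continue ;;
    esac
    case "$attrs" in
      *i*) printf 'IMMUTABLE %s\n' "$path" ;;
      *)   printf 'MUTABLE %s\n' "$path" ;;
    esac
  done
}

# Reads lsattr output on stdin; prints how many backup files are unprotected.
count_mutable() {
  audit_immutable | awk '/^MUTABLE /{n++} END{print n+0}'
}

# Constructed sample: two immutable fulls, an incremental and the metadata
# file without the bit. Paths and names are placeholders, not real data.
SAMPLE_LSATTR='----i---------e------- /mnt/repo/Job1/srv01.vbk
--------------e------- /mnt/repo/Job1/srv01D2021-02-20.vib
--------------e------- /mnt/repo/Job1/Job1.vbm
----i---------e------- /mnt/repo/Job1/srv02.vbk'

# Usage: ./audit.sh /mnt/repo   (runs lsattr on a real repository)
#        ./audit.sh             (runs against the constructed sample)
if [ "$#" -gt 0 ]; then
  lsattr -R "$1" 2>/dev/null | audit_immutable
else
  printf '%s\n' "$SAMPLE_LSATTR" | audit_immutable
fi
```

Because lsattr is read-only, the audit can be run as the unprivileged repository user; a non-zero count from count_mutable on a repository that is supposed to be immutable is the condition worth alerting on, since those are the files a compromised account can delete. It assumes the repository filesystem supports file attributes (XFS and ext4 do).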
Hannes Kasparick (Product Manager, Austria)
Re: Restoring from .vbk on Linux repo when .vbm is deleted?
Hello,
I just updated the FAQ that covers your question: post402811.html#p402811
> what damage the attacker is able do via to SSH in Ubuntu VM and sudo
The VBM is by far your smallest issue then...
Best regards,
Hannes
Tom Sightler (VP, Product Management)
Re: Restoring from .vbk on Linux repo when .vbm is deleted?
In the UI you should see "Import" button. Simply click this, select the Linux system from the dropdown, browse for files, import VBK/VIB. Manual import this way should not require the VBM file.
But, as Hannes correctly points out, a person that has sudo access to run any command can do whatever they want. For the repo to be secure you must secure sudo access.
dcc (Dean Colpitts, Veeam ProPartner, Atlantic coast of Canada)
Re: Restoring from .vbk on Linux repo when .vbm is deleted?
tsightler - that works. In the 8 or 9 years I've been selling and supporting Veeam, I've never had to do that before - I didn't realize that worked with the Linux repos too. Thanks.
Hannes - I don't disagree with you that the missing VBM would be the smallest issue at that point. However - for a vast majority of smaller customers or more frugal customers, there is only so much we can do with the limited resources they allow us. Case in point - the eventual owner of the equipment I'm testing with is going to be a small customer (but definitely not a frugal customer), and they are replacing a 5-year-old Windows server with a new single ESXi host and will be adding Citrix Virtual Apps and MFA to the mix. Until now they have relied on a daily RDX cartridge and BackupExec. Going to ESXi, Veeam ESS+, and an external iSCSI NAS repo (plus the daily RDX cartridge via VBR now) is a huge step forward for them. But creating a separate management network (for the ILO for example) is a bit much for an organization such as this. At the end of the day we have to balance cost vs usability vs risk, and draw the line where both we (the reseller / MSP and the customer) are comfortable with our due diligence.
Your list of security recommendations is pretty much spot on - however, there is always someone out there smarter / luckier / more determined than you or I who will find a hole or a way - history has repeated this lesson over and over and over (this entire Solarwinds ClusterF for example). My entire objective in testing is to plan for the worst, document the steps to recover the customer's data in the event of that worst case event for the rest of my support team (in case I'm not around), and generally be prepared for anything.
Thanks guys and have a great day!
dcc