Rocky Linux / RHEL installation

[VMG]

Moderator split as the topic changed from Hardened Repository ISO to general Rocky / Red Hat Linux installation: the original topic is here

My understanding of the purpose of the ISO, is two fold. To make the setup / installation easier, and to secure the Linux OS. Since we have to wait until an ISO is provided. Can the Veeam forum group provide instructions / suggestions for the securing the Linux OS? I am not a Linux user, however, I am capable of following instructions in regards to the installation. Thank you

[HannesK]

Hello,
and welcome to the forums. Yes, I wrote two blog posts for Ubuntu (outdated) and Red Hat (Rocky Linux is the same as Red Hat except for the license part, but not published yet).

https://www.veeam.com/blog/install-disa ... itory.html - I would go with this one if you start today

In general: if you go with minimum installation, automatic updates and disable SSH after installation of the Hardened Repository Role, then you are pretty fine already. All additional hardening options are adding relatively little security because by disabling SSH, you removed the main attack vector.

Best regard,
Hannes

[stryker54141]

@HannesK

As usual, terrific write-up for the non-Linux users, myself included. I'll go the RHEL route.

Thanks again!!!

[VMG]

I tried to install Rocky 9 according to your instructions. As I mentioned I don't know Linux.

I have 3 questions.

1. I have a partition 900 GB for the Linux Rocky9 version, and 49 TB for the Backup Data. The numbers that you gave for the various mount points, what values would you suggest for a 900 GB partition?

2. The Rocky 9 doesn't allow to make extra directories. (I am not sure of the correct terminology to use). That would be for Var/log, var/temp. Only Var. I also can't make a mount or directory for Temp.

3. I messed up the partition when first installing. Used Automatic instead of Custom. How do I delete the partition of the 900 GB and start over again.

Thank you

[HannesK]

Hello,

1. In the exiting blog post it says "make /home /var/log and /tmp larger, but agree, that might not be clear enough. Also the 12.2 feature "direct to archive tier" requires some more space in /tmp that were not considered at the time of writing the article. I will ask to update the blog with this table if you confirm it's better understandable



2. For sure it does, but hard to say where in the wizard the problem is. The wizard is a bit hard, agree. Can you try to follow this video and let me know whether this works? https://veeam.wistia.com/medias/ezcyrqn8pj

3. I think reboot and start from scratch is the easiest way.

Best regards,
Hannes

[VMG]

Thank you for the reply.

Can you please clarify the space amount for /home /temp and /.... which I presume is the folder for the rest of Linux. You wrote HALF Of WHAT IS LEFT-OVER.

If I have a 960 GB Hard Drive. After the creating the various folders. According to what you said; the /home would be 390 GB. /temp would be 390. And the last one / would be 20GB.

So, far the video is excellent. We are at this point.

[VMG]

As for the video. It is excellent. Did you do this recently?

1) I presume if one is using a USB, the Installation Source Selection will show the USB?
2) The link that you supplied, for adding the Hardened Repository role. Is this part supported by Veeam Tech Support? (Installing Linux is not)
3) At the end of your video, I would attach an article directing them to your link https://www.veeam.com/blog/install-disa ... itory.html.
4) You wrote a warning that if the password is mistyped; after 3 times the account is locked out forever. If it happens, what does one do?
5) If possible; I suggest you add in the video, the other commands / steps that applies to the Linux installation. i.e. sudo chown etc, and sudo chmod 700. And any other commands before setting up the Veeam software.
6) Rick Hanover recommends to block the Linux server from accessing the Internet, once everything is completed. And extra step of protection. However, that means the Linux will not be able to update itself automatically. One would have to Disable the firewall policy, to allow the Linux to download any updates. Afterwards, enable the firewall policy. What is your view?

Thank you very much.

[HannesK]

Hello,
looks like there is nothing to clarify as you figured out correctly

Yes, the video is new and not published yet on the blog. There is a pending blog post and I need to re-record the second video because I made a mistake in that one.

1) maybe. I never tried. The Rocky update servers need to be in there to get updates anyway (doing updates with USB stick does not sound feasible to me)
2) everything in the user guide is supported by Veeam support, yes
3) yes, that would be in the blog article
4) single user mode would be a way to unlock. There are plans to create a KB article for Hardened Repository ISO how to unlock the account and this would then also be possible for self-installed Rocky / RHEL
5) yes, that's the second video (the one I need to re-record)
6) The only practical approach for me is to allow access to the update servers (HTTP proxy or firewall controlled). I don't see USB updates or setting up local mirrors (like Windows WSUS server) as realistic option.

Best regards,
Hannes

[VMG]

Thank you for the reply.

1) In regards to your TABLE, HALF of LEFT-OVER for /home and /tmp. I didn't see an answer that the correct size for /home and /tmp should be 390 GB and 20 GB for the / (root). Based on the size of a 960 GB Hard Drive. I want to confirm that I understood your TABLE correctly.

2) I did a query on Google. Many people are suggesting 50 GB - 60 GB for the /root.
I don't know what programs install itself in the root, nor do I know what the root is used for. Since this machine will only have Linux and Veeam installed, perhaps there will be no future growth. Remember I don't know Linux, therefore I can easily misunderstand what I am reading. Do you still recommend only 20 GB for the / (root) ?

3) I saw a comment that Red Hat is recommending 4 GB for the Swap file. Depending on the Ram. Not much Ram is required in order to use the the 4 GB recommendation.

4) From your reply (1) about the Installation Source Selection. I totally misunderstood what the purpose for it. I only saw what you did on the video. No explanation what it is. I assumed you were installing Rocky 9 from the network and not from a USB. That is the basis for my question. So what is the purpose of the Installation Source Selection?

Thank you

[HannesK]

Hello,
it took a while, but now all videos are online https://www.veeam.com/blog/rocky-linux-veeam.html

On the partition sizes: that is not an "exact science". It's totally okay to change the values if you like to follow other recommendations (e.g. making swap or root (/) larger). On a Hardened Repository, there should be no other software. That means the only relevant paths are the following:
- /var/log
- /tmp (if "direct to archive tier" is used)
- /home (if capacity tier is used)

The table is optimized for the Veeam use case and it's fine to change it as long as there is enough "minimum space".

the installation source: yes, the latest package versions come from the network. That is also where the updates come from. Configuring it here is the easiest way for me, that's the main purpose.

Best regards,
Hannes

[VMG]

I successfully installed the Harden Repository a month ago. I used the videos provided by HannesK. My version of Veeam is 12.1.2.172.

I didn't use the ISO because it wasn't ready at that time.

I used Rufus to create a bootable ISO, and Linux Rocky 9.4.

If you need to redo the Harden Repository Server again. At the point you are creating folders / partitions; boot, var, home, root,etc. The + command at the bottom is to create the folders / partitions. The - command is to delete the folders / partitions. Just in case Tech Support wants you to recreate the Linux server. Read the notes for the proper size for the root (about 50 GB) and the other the sizes for the other folders / partitions.

I have very little knowledge about Linux. HannesK video and his emails were what allowed me to install and setup everything successfully.