Hi,
we are using Veeam B&R 12.1 with an Ubuntu-based Hardened Repository. This is working fine and I am pretty sure I used some good howto guides to set this up in a proper secure way.
Now I just noticed that the server hosting the Hardened Repository is listed as a Linux server in the Files section of the B&R Console. I am able to browse the whole hard drive server and even directly edit files there. For example I am able to edit files in the home folder of the repository user like the SSH authorized_keys file.
I am no security expert but for my understanding this is somewhat too much access that the Veeam Console has there. Shouldn't the access to a Hardened Repository be locked down as much as possible?
I would like to hear your thoughts on this. Thanks.
Best regards,
Stephan
Re: Security issue? Hardened repository accessible through Console Files section
Hi Stephan
Starting in v12.1, only users with the backup administrator role will have full access to most operations in the files tab.
Make sure the users who are doing the restores only have the "restore operator role".
We are planning to reduce that functionality even more in future releases.
> For example I am able to edit files in the home folder of the repository user like the SSH authorized_keys file.
SSH should be disabled entirely. Editing the authorization keys won't be much of use for an attacker.
Best,
Fabian
Product Management Analyst @ Veeam Software
Re: Security issue? Hardened repository accessible through Console Files section
Hi Fabian,
thanks for the fast feedback. Good to know that you are aware of this topic and working on improvements.
> SSH should be disabled entirely.
You are right. This was just an example for an editable file.
Nevertheless less access possibilities are better in this case anyway.
Best regards,
Stephan