StephanF
Enthusiast
Posts: 64
Liked: 19 times
Joined: Mar 26, 2015 1:15 pm

Security issue? Hardened repository accessible through Console Files section

Post by StephanF »

Hi,

We are using Veeam B&R 12.1 with an Ubuntu-based Hardened Repository. This is working fine, and I am pretty sure I used some good how-to guides to set this up in a properly secure way.

Now I just noticed that the server hosting the Hardened Repository is listed as a Linux server in the Files section of the B&R Console. I am able to browse the whole hard drive of the server and even directly edit files there. For example, I am able to edit files in the home folder of the repository user, like the SSH authorized_keys file.

I am no security expert, but to my understanding this is somewhat too much access for the Veeam Console to have there. Shouldn't the access to a Hardened Repository be locked down as much as possible?
I would like to hear your thoughts on this. Thanks.

Best regards,
Stephan
Mildur
Product Manager
Posts: 9353
Liked: 2486 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Security issue? Hardened repository accessible through Console Files section

Post by Mildur »

Hi Stephan

Starting in v12.1, only users with the backup administrator role will have full access to most operations in the files tab.
Make sure the users who are doing the restores only have the "restore operator role".
We are planning to reduce that functionality even more in future releases.

> For example I am able to edit files in the home folder of the repository user like the SSH authorized_keys file.

SSH should be disabled entirely. Editing the authorized keys won't be of much use to an attacker.

Best,
Fabian
Product Management Analyst @ Veeam Software
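The two hardening points raised in this reply (SSH switched off on the repository host, and no usable authorized_keys left behind for the repository account) can be checked from the host itself. The script below is an added example for this thread, not Veeam's code or a Veeam-documented procedure; the repository account name (`veeamrepo`) and the systemd unit names `ssh`/`sshd` are assumptions, and the checks are split into small functions so the decision logic can be exercised without a running systemd.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux hardened repository host
# for the two points above: SSH service off, no authorized_keys for the repo user.
# Usage (as root on the repository host): sh repo_audit.sh veeamrepo
# Assumption: the first argument is the Veeam repository account name.

REPO_USER="${1:-veeamrepo}"   # assumed account name; not taken from the thread

# Returns 0 when HOME has no authorized_keys file, or the file is empty.
check_no_ssh_keys() {
    keyfile="$1/.ssh/authorized_keys"
    if [ -s "$keyfile" ]; then
        echo "FAIL: $keyfile exists and is not empty"
        return 1
    fi
    echo "OK: no SSH authorized keys under $1"
    return 0
}

# Pure decision on the two strings systemctl prints (enabled state, active
# state). "disabled"/"masked"/"not-found" count as off only if the unit is
# also not currently active, so a stopped-but-enabled or running-but-disabled
# daemon still fails.
ssh_service_is_off() {
    enabled="$1"
    active="$2"
    [ "$enabled" != "enabled" ] && [ "$active" != "active" ]
}

# Queries systemd for the first ssh/sshd unit found and judges it.
check_ssh_service() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "SKIP: systemctl not available on this host"
        return 0
    fi
    enabled="not-found"
    active="inactive"
    for unit in ssh sshd; do
        state=$(systemctl is-enabled "$unit.service" 2>/dev/null) || true
        if [ -n "$state" ]; then
            enabled="$state"
            active=$(systemctl is-active "$unit.service" 2>/dev/null) || true
            break
        fi
    done
    if ssh_service_is_off "$enabled" "$active"; then
        echo "OK: SSH service state is $enabled/$active"
        return 0
    fi
    echo "FAIL: SSH service state is $enabled/$active (disable with: systemctl disable --now $unit)"
    return 1
}

# Runs both checks for the repository account; non-zero if anything failed.
run_audit() {
    home=$(getent passwd "$REPO_USER" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "FAIL: user $REPO_USER not found"
        return 1
    fi
    rc=0
    check_no_ssh_keys "$home" || rc=1
    check_ssh_service || rc=1
    return $rc
}

# Only run the live audit when an account name was given on the command line.
if [ "$#" -gt 0 ]; then
    run_audit
fi
```

Running it periodically (for example from cron on the repository host, writing to a log the backup team reviews) gives an early signal if SSH is re-enabled or a key is dropped into the repository account after the initial hardening, whichever path was used to place it.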
StephanF
Enthusiast
Posts: 64
Liked: 19 times
Joined: Mar 26, 2015 1:15 pm

Re: Security issue? Hardened repository accessible through Console Files section

Post by StephanF »

Hi Fabian,

Thanks for the fast feedback. Good to know that you are aware of this topic and working on improvements.

> SSH should be disabled entirely.

You are right. This was just an example of an editable file.
Nevertheless, fewer access possibilities are better in this case anyway.

Best regards,
Stephan