BackItUp2020
Enthusiast
Posts: 56
Liked: 3 times
Joined: Mar 24, 2020 6:36 pm
Full Name: M.S.
Contact:

v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by BackItUp2020 »

Hey folks! I originally created my repo following fairly closely to the instructions laid out here: https://nolabnoparty.com/en/veeam-v11-h ... lity-pt-1/

I'm wondering why he may have chosen to create an "administrator" account during setup, and then manually create a "veeamloc" account after the fact. The hardening that follows removes "veeamloc" from sudoers, etc., but just leaves the "administrator" account sitting there, which means it's vulnerable to attacks (assuming SSH is left on) or if the console is accessed somehow.

I realize once the bad guys have console access, things are pretty bad, but... any pros to leaving this administrator account alone? My inclination is to delete it, so that any work that needs to be done as an administrator will require single-user mode.

Any thoughts?
d.artzen
Enthusiast
Posts: 62
Liked: 28 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by d.artzen » 2 people like this post

The "administrator" account is only used to do maintenance on the system (i.e. updates of the Linux OS or preparations for updates from Veeam, since the "veeamloc" account will need SSH and sudo rights to be able to update any Veeam components on the system). The "veeamloc" account is the one being used by Veeam itself with the one-time credentials.
The recommendation for the Hardened Repos is to disable SSH on the system and only work on the local console in case of updates to the OS. SSH is only necessary during registration of the server in Veeam (since it uses SSH to install its components) and during updates of those Veeam components when you update the B&R Server. That is also one of the reasons why the use of a physical server is strongly recommended. An attacker would need to be able to enter your server room/datacenter and would be unable to do any harm remotely. You could even go so far as to disconnect this server from the internet and only connect it when you want to update the OS.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by Mildur »

Hi M. S.

Daniel is correct here.
The root account is used for physical console logon only.

The credentials for the repository (veeamloc) will be used one time to deploy all components over SSH. For all further communications, SSL certificates will be used. The credentials will not be stored in the configuration database.

"and during updates of those Veeam components when you update the B&R Server."

After you have updated to V12, SSH won't be required anymore for future updates. With v12, we deploy an installer service. Future updates (patches, major releases) will be deployed by the installer service. Credentials are not required anymore. Everything runs over the certificate-based authentication between the backup server and installer service. For each update, signed binaries are checked on the hardened repository side. Installation is only allowed if it's signed by Veeam.

Best,
Fabian
Product Management Analyst @ Veeam Software
d.artzen
Enthusiast
Posts: 62
Liked: 28 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by d.artzen »

d.artzen wrote: Sep 19, 2023 6:20 am
"After you have updated to V12, SSH won't be required anymore for future updates. With v12, we deploy an installer service. Future updates (patches, major releases) will be deployed by the installer service. Credentials are not required anymore. Everything runs over the certificate-based authentication between the backup server and installer service. For each update, signed binaries are checked on the hardened repository side. Installation is only allowed if it's signed by Veeam."

Oh, I didn't know that. Does that mean that the "veeamloc" account also would not need to be in the sudo group to update the components? For the last patch in V12 I still re-enabled SSH and temporarily added the user to the sudo group. After it was installed I removed the account again from the sudo group and disabled SSH.
If sudo is also not necessary anymore for updates, there would be no preparations needed on the hardened repo for a Veeam update. Did I understand that correctly?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by Mildur »

Yes. You understood it correctly. :)
No preparations needed when you are on V12 and you need to install a patch or our next minor/major version. The installer service (called veeamdeployer service) runs with root privileges and takes care of the update.

Please see this screenshot from my colleague HannesK:

Source: post488842.html#p488842

Best,
Fabian
Product Management Analyst @ Veeam Software
BackItUp2020
Enthusiast
Posts: 56
Liked: 3 times
Joined: Mar 24, 2020 6:36 pm
Full Name: M.S.
Contact:

Re: v11 Hardened Linux Build re: "nolabnoparty" documentation

Post by BackItUp2020 »

Thanks for the replies.

I understand how no SSH or sudo permissions are needed once the Veeam component is installed. The part that varies from any of the Veeam documentation I've seen, including their "Hardened Repository ISO" eazy-button installer, is that they reduce the "veeamloc" account permission so that it can only shut down and restart, and that there is no secondary administrator account. All admin work must be done in single user mode from the physical machine. https://www.veeam.com/blog/backup-repos ... guide.html

I'm just wondering if there is any real difference between the two methods in practice. I like the idea of not having to reboot into single user mode, but that is the recommended best practice put forth by Veeam. However, I'm wondering if they do NOT have an administrator account on the system in the off-chance of a misconfiguration or SSH is enabled accidentally, or some other vulnerability allows access to a remote login.
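
The following is an added example, not part of any post in this thread and not Veeam's own tooling: a small audit for the state the thread worries about, where SSH is left enabled or "veeamloc" stays in the sudo group after an update. The function names, the sample passwd/group contents and the `FAIL`/`INFO` labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudo membership and SSH state.
SERVICE_USER="veeamloc"   # repository account name used in the thread

# Members of the sudo or wheel group, one per line.
sudo_members() {
  awk -F: '$1 == "sudo" || $1 == "wheel" {
    n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1" | sort -u
}

# Regular accounts (UID >= 1000) that have a real login shell.
interactive_accounts() {
  awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# audit_repo PASSWD_FILE GROUP_FILE SSH_STATE: prints one finding per line.
# On a live host SSH_STATE comes from: systemctl is-enabled ssh  (sshd on RHEL-like)
audit_repo() {
  admins=$(sudo_members "$2")
  if printf '%s\n' "$admins" | grep -qx "$SERVICE_USER"; then
    echo "FAIL: $SERVICE_USER is still in the sudo group"
  fi
  if [ "$3" = "enabled" ]; then echo "FAIL: SSH service is enabled"; fi
  for user in $(interactive_accounts "$1"); do
    if [ "$user" = "$SERVICE_USER" ]; then continue; fi
    if printf '%s\n' "$admins" | grep -qx "$user"; then
      if [ "$3" = "enabled" ]; then
        echo "FAIL: sudo-capable account '$user' is exposed while SSH is enabled"
      else
        echo "INFO: sudo-capable account '$user' is console-only"
      fi
    fi
  done
}

# Constructed sample: a host left in its "update" state (SSH on, veeamloc in sudo).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
administrator:x:1000:1000:admin:/home/administrator:/bin/bash
veeamloc:x:1001:1001::/home/veeamloc:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:administrator,veeamloc
veeamloc:x:1001:
EOF
audit_repo "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" enabled
```

On a real repository host, point the function at `/etc/passwd` and `/etc/group`; `systemctl is-enabled` reports the boot-time setting, so check `systemctl is-active` as well if SSH may have been started by hand.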