WORM Storage with Veeam Hardened Repository
Veeam Hardened Repository is a WORM storage solution that protects backup files against unwanted changes. It has been available since version 11. Veeam Hardened Repository passed an external audit for WORM storage and meets the highest compliance standards.
For general information on the Hardened Repository on Linux, please refer to the user guide.
As a reminder or complement to the user guide, consider the following actions when creating a hardened repository:
Deploy Veeam repository using single use credentials
Veeam will not store the repository root account credentials, which keeps the backup files safe if the Veeam Backup server is compromised.
Do not forget to remove the user from the sudoers group after installation.
Disable SSH after deployment
An SSH connection is necessary only for deployment or upgrade of the Veeam data mover. After Veeam has been deployed, SSH can be disabled for better security.
If you keep SSH enabled, MFA on SSH should be considered.
IPMI
Any out-of-band management tool, such as iLO or DRAC, can be used to access the repository, and even to wipe the hard drives. It is strongly recommended to disconnect these interfaces from the network when not in use.
NTP
Time management is crucial when speaking about immutability.
Using public NTP servers is not advised, since it would mean exposing the repository server to the internet.
Using your own NTP server is an option, but it remains a security risk if an attacker takes control of it.
Using the CMOS clock is an advised option, but the drawback is that the system time must be checked and set manually on a regular basis. Also, a time difference between the repository and the backup server would make forensic log analysis more complex.
A second advised and interesting option is to use a DCF77 (or locally equivalent) receiver dongle with the XNTP package to synchronize the repository from the long-wave time signal.
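The following post-deployment audit script is an added example, not Veeam's own tooling: it checks three of the actions above (deployment user removed from the sudoers/wheel group, SSH disabled, no public NTP server configured). It assumes a systemd host, a chrony- or ntpd-style configuration file, and a deployment user named veeamdeploy; each check is a pure function of its input so the logic can be exercised offline.

```sh
#!/bin/sh
# Added example: audit a Veeam Hardened Repository host after deployment.
# The check functions take their input as arguments; audit_host feeds
# them live data from getent, systemctl and the NTP config (assumptions:
# systemd, chrony/ntpd config syntax, admin group named sudo or wheel).

# 0 if USER is listed in a getent-style group line "name:x:gid:m1,m2".
user_in_group_line() { # $1 = group line, $2 = user
  printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$2"
}

# 0 only if sshd is neither running nor enabled at boot, given the
# outputs of "systemctl is-active sshd" and "systemctl is-enabled sshd".
ssh_disabled() { # $1 = is-active output, $2 = is-enabled output
  [ "$1" != "active" ] && [ "$2" != "enabled" ]
}

# 0 if any server/pool directive points outside the RFC 1918 ranges.
# Hostnames are flagged too: they cannot be proven internal offline.
uses_public_ntp() { # $1 = config file text
  printf '%s\n' "$1" \
    | awk 'tolower($1) ~ /^(server|pool)$/ { print $2 }' \
    | grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | grep -q .
}

# Live run: one PASS/FAIL line per check; returns the number of failures.
audit_host() { # $1 = deployment user, $2 = NTP config path
  fails=0
  grp=$(getent group sudo 2>/dev/null || getent group wheel 2>/dev/null || true)
  if user_in_group_line "$grp" "$1"; then
    echo "FAIL: $1 is still in the admin group"; fails=$((fails + 1))
  else
    echo "PASS: $1 holds no sudo rights"
  fi
  if ssh_disabled "$(systemctl is-active sshd 2>/dev/null)" \
                  "$(systemctl is-enabled sshd 2>/dev/null)"; then
    echo "PASS: sshd is stopped and disabled"
  else
    echo "FAIL: sshd is active or enabled"; fails=$((fails + 1))
  fi
  if uses_public_ntp "$(cat "$2" 2>/dev/null)"; then
    echo "FAIL: $2 references a non-RFC1918 time source"; fails=$((fails + 1))
  else
    echo "PASS: no public NTP source in $2"
  fi
  return "$fails"
}

# Usage on the repository host: sh audit.sh --audit veeamdeploy /etc/chrony.conf
if [ "${1:-}" = "--audit" ]; then
  audit_host "${2:-veeamdeploy}" "${3:-/etc/chrony.conf}"
fi
```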