Immutable Backup Repository Veeam

An immutable backup is a type of backup that cannot be altered, deleted, or overwritten for a defined period of time, even by administrators or ransomware.

This ensures that backup data remains tamper-proof and protected against threats like:

  • Accidental deletion

  • Malicious insider activity

  • Ransomware attacks

Immutable backups are a key component of data protection strategies and are often implemented using WORM (Write Once, Read Many) storage, object lock features (e.g., in S3-compatible storage), or backup software settings that enforce retention policies.

In short:

An immutable backup guarantees that once data is written, it stays unchanged and protected for the duration of its retention policy.

In this section we will learn how to build an immutable backup repository using Veeam Backup & Replication and an Ubuntu server hardened to the DISA STIG (Defense Information Systems Agency Security Technical Implementation Guides) requirements.


Introduction & Pre-requisites

We will be using Ubuntu 22.04 LTS as our base operating system, configured to follow DISA STIG (Defense Information Systems Agency Security Technical Implementation Guides) requirements for enhanced security and compliance.

Pre-requisites:

  1. Ubuntu 22.04 LTS Live Server image (with the backup storage attached to the server)

  2. Veeam Backup & Replication console installed on a Windows Server OS

  3. Machines with an SSH server and Internet access


Getting Ubuntu Server ready

We will be using the Ubuntu Server 22.04 LTS live server image and flashing it onto the server by following the steps given below.

Once downloaded we will load it onto the server and proceed with the installation steps:

Firstly we will select the installation language and the keyboard layout. In this case we will proceed with English (US).

Now we will configure the network interfaces. We will configure a static IP addressing scheme and proceed further.

In the storage section we will have to select a custom layout to configure the OS partitions and the backup partition manually using the setup's partition manager.

Disks structure used in this section :

/dev/sda : OS Installation disk (100GB)

/dev/sdb : Backup repository (350 GB)

We will have to create the partitions given below on the two disks for a smoother installation of the OS and the backup partition.

Disk Layout: sda (Total: 100 GB)

Mount Point       Size     Filesystem
/home             25 GB    EXT4
/tmp              5 GB     EXT4
/var              20 GB    EXT4
/var/log          20 GB    EXT4
/var/log/audit    5 GB     EXT4
/var/tmp          5 GB     EXT4
/ (root)          20 GB    EXT4

Disk Layout: sdb (Total: 350 GB)

Mount Point       Size     Filesystem
/mnt/backup       350 GB   XFS

Now that we have configured all the partitions, we will move further by acknowledging the data deletion warning and proceed with the installation.

Now we will create the OS user and configure the hostname and password.

On the upcoming page we will install the OpenSSH server and the other necessary packages, then proceed to the final installation steps.

The OpenSSH server will be used to configure the backup repository at a later stage and will then be disabled once the Veeam transport channel has been created for secure communication.

Now the installer will install Ubuntu Server, which takes about 10 minutes to complete; after that we will harden the server.
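Once the server is up, the layout from the partition tables above can be verified against the kernel's mount table. This is an added example, not part of the original guide: it parses /proc/mounts-style text (a constructed excerpt is embedded so it runs offline) and reports every mount point from the tables that is missing or carries the wrong filesystem type.

```python
import re

# Expected layout transcribed from the partition tables above
# (mount point -> filesystem type); sizes are not verified here.
EXPECTED_LAYOUT = {
    "/": "ext4", "/home": "ext4", "/tmp": "ext4", "/var": "ext4",
    "/var/log": "ext4", "/var/log/audit": "ext4", "/var/tmp": "ext4",
    "/mnt/backup": "xfs",
}

# Constructed /proc/mounts excerpt for a host partitioned as described above.
SAMPLE_PROC_MOUNTS = """\
/dev/sda7 / ext4 rw,relatime 0 0
/dev/sda1 /home ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /var/log ext4 rw,relatime 0 0
/dev/sda5 /var/log/audit ext4 rw,relatime 0 0
/dev/sda6 /var/tmp ext4 rw,relatime 0 0
/dev/sdb1 /mnt/backup xfs rw,relatime 0 0
"""


def parse_proc_mounts(text):
    """Map mount point -> fstype. Columns: device mountpoint fstype options
    dump pass; the kernel octal-escapes spaces etc. in paths (\\040)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            path = re.sub(r"\\([0-7]{3})",
                          lambda m: chr(int(m.group(1), 8)), fields[1])
            mounts[path] = fields[2]  # later entries override earlier ones
    return mounts


def check_layout(mounts, expected=EXPECTED_LAYOUT):
    """Return a list of deviations; an empty list means the layout matches."""
    problems = []
    for path, fstype in expected.items():
        actual = mounts.get(path)
        if actual is None:
            problems.append(f"{path}: not a separate mount (expected {fstype})")
        elif actual != fstype:
            problems.append(f"{path}: mounted as {actual}, expected {fstype}")
    return problems


if __name__ == "__main__":  # on the server: open("/proc/mounts").read()
    issues = check_layout(parse_proc_mounts(SAMPLE_PROC_MOUNTS))
    print("layout matches the tables" if not issues else "\n".join(issues))
```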


In the previous section we installed Ubuntu Server from a fresh image. Now we need to harden this installation according to the DISA STIG (Defense Information Systems Agency Security Technical Implementation Guides) requirements.

We are eventually going to remove the user we created (veeamrepo) from the sudo group, but we still want the user to be able to reboot and shut down the server. Therefore we need to define this explicitly in the sudoers configuration using:

sudo visudo

We will add the entries given below to the sudoers file to allow the user to shut down or reboot the server while maintaining the immutable backups over time:

<user> ALL = (root) NOEXEC: /usr/sbin/reboot 
<user> ALL = (root) NOEXEC: /usr/sbin/shutdown 

These sudoers entries mean:

  • The specified <user> is allowed to run /usr/sbin/reboot and /usr/sbin/shutdown as root,

  • But with NOEXEC, which prevents execution of any other binaries from within these commands (for security).

In short: <user> can run reboot and shutdown as root, ⛔ but cannot spawn subshells or execute other programs from within them.
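An added check, not part of the original guide, that audits the sudoers entries for the repository user against exactly the two commands above: anything broader than reboot and shutdown, or either command granted without NOEXEC, is reported. It parses only the simple entry form shown above; the sudoers excerpt and the user name veeamrepo are constructed sample input.

```python
import re

# Constructed sudoers excerpt: the two entries described above for the
# repository user (veeamrepo) plus a leftover broad entry the audit must flag.
SAMPLE_SUDOERS = """\
root      ALL=(ALL:ALL) ALL
veeamrepo ALL = (root) NOEXEC: /usr/sbin/reboot
veeamrepo ALL = (root) NOEXEC: /usr/sbin/shutdown
veeamrepo ALL = (root) NOPASSWD: /usr/bin/apt   # left over, should be flagged
"""

ALLOWED = {"/usr/sbin/reboot", "/usr/sbin/shutdown"}

# Simplified grammar "user host = (runas) TAG: cmd, TAG: cmd". Aliases, %group
# entries and @includedir files are not resolved (group rights are out of scope).
ENTRY = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                   r"(?:\([^)]*\)\s*)?(?P<rest>.+)$")


def parse_user_rules(text, user):
    """Return (command, tags) pairs granted directly to `user`."""
    rules = []
    for line in text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if not m or m.group("user") != user:
            continue
        tags = set()  # a tag stays in force for later commands on the line
        for spec in m.group("rest").split(","):
            spec = spec.strip()
            while (t := re.match(r"([A-Z_]+):\s*", spec)):  # e.g. NOEXEC:
                tags.add(t.group(1))
                spec = spec[t.end():]
            rules.append((spec.split(maxsplit=1)[0] if spec else "", set(tags)))
    return rules


def audit_repo_user(text, user, allowed=ALLOWED):
    """Findings for `user`; an empty list means exactly the intended rights."""
    findings = []
    rules = parse_user_rules(text, user)
    for cmd, tags in rules:
        if cmd not in allowed:
            findings.append(f"{cmd!r} is outside the allowed set")
        elif "NOEXEC" not in tags:
            findings.append(f"{cmd} is granted without NOEXEC")
    for cmd in sorted(allowed - {cmd for cmd, _ in rules}):
        findings.append(f"{cmd} is not granted")
    return findings


if __name__ == "__main__":  # on the server: open("/etc/sudoers").read()
    print(*audit_repo_user(SAMPLE_SUDOERS, "veeamrepo"), sep="\n")
```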


Hardening the Ubuntu server using a script

We will harden the OS with the Veeam-provided hardening script, which can be downloaded from the URL given below:

We will fetch the script using `wget` and run it on the server to automatically harden the OS according to the industry standards for immutable backup systems.

wget https://vee.am/harddisa

Once the file is fetched we will run it using:

sudo bash harddisa

Script overview

Purpose

Automates hardening of a Linux system (here, the Veeam repository server) to comply with DISA STIG standards.

🔧 Key Components

  • Logging & Setup: Sets up a log file, colors for output (print_job), and helper functions (run_cmd, update_file, replace_file).

  • System Update: Performs apt update and upgrade.

  • Service Management:

    • Installs: auditd, aide, rsyslog, ufw, apparmor, chrony, libpam-pwquality, etc.

    • Removes: telnetd, rsh-server

    • Enables: Audit, logging, firewall, NTP, AppArmor

  • Security Hardening:

    • SSH: Session timeout, no root login, FIPS-compliant configs

    • Passwords: Policy enforcement, complexity, reuse, min length

    • User sessions: Auto-lock, re-auth on sudo, max login sessions

    • Banners: Legal warning via /etc/issue, /etc/issue.net

  • Auditd Config: Extensive audit rules for file access, syscalls, commands like passwd, sudo, etc.

  • Firewall (UFW):

    • Default deny incoming, allow outgoing

    • Only SSH is allowed

    • Rate limiting (optional)

  • File & Directory Permissions: Ensures permissions & ownership (755, root) on:

    • System binaries (/bin, /usr/bin)

    • Libraries (/lib, /usr/lib)

    • Logs (/var/log, /var/log/syslog)

  • System Hardening:

    • Disables USB storage

    • Enforces UTC time

    • Disables Ctrl+Alt+Del

    • Enables ASLR, disables core dumps

  • AIDE: Enables daily file integrity check cron job

  • APT Security: Prevents unsigned package installation

🔄 Final Steps

  • Restarts services: sshd, auditd, cron, ufw

  • Loads audit rules

  • Prints completion message

Once the hardening script completes, we will change the owner and permissions of the backup partition so that the repository user has full rights to manage it without root permissions or privilege elevation, using the following commands:

sudo chmod 700 /mnt/backup/
sudo chown -R <user>:<user> /mnt/backup/

We have completed the configuration on the Ubuntu server side; in the next section we will add the backup repository in the Veeam console.


Adding the immutable backup repository

We will now launch the Veeam console installed on the Windows server and perform the steps given below to add the backup repository.

Launch the Veeam console and, in the bottom-left pane, select the Backup Infrastructure section.

We will select the local storage section to choose the locally created immutable backup disk on the Ubuntu server inside the network.

Select the option Linux (Hardened Repository) to ensure the credentials provided for the connection are one-time passwords: Veeam does not save them to any local disk or process, and they reside in memory only until the configuration completes and the Veeam transport agent is installed.

In the images above we connected the Ubuntu server to the Veeam backup console using the SSH credentials (one-time password) to initiate the connection; now we will select the backup partition.

From the storage configuration above we will select the /mnt/backup partition.

Now we have successfully added the immutable repository in the Veeam backup console. If asked whether to change the backup configuration location to the newly created repository, select NO.

Now that the setup is complete, we will make some final changes on the Ubuntu server to disable the SSH server and reboot to ensure the visudo changes are applied.

sudo systemctl disable ssh
sudo systemctl stop ssh
sudo reboot

Backup Job Configuration & testing immutable backup

In the Veeam backup console we will select the Backup Job option to create a new backup job and select the source server whose backup is to be tested.

Here we have scheduled the backup job; once the backup completes it is stored on the Ubuntu server under the /mnt/backup directory. Here I cannot perform deletion of the backup as it is a production environment, so I am attaching the screenshot from the Veeam official labs section to show the error when deleting the backup.

Once the tests are successful we can further check the Security & Compliance section to audit the Veeam security posture and ensure that the check "Hardened repositories should not have SSH enabled" is passed.


Credits & References

Credits :

Veeam Learning Portal & Veeam Labs

References & Reading Material :


In the upcoming sections we will install the Veeam tape server role on the Ubuntu server and harden the server with sudo restrictions.
