Getting Hardened

immutability Mar 11, 2021

Protecting your backups from ransomware using Veeam 11

The much-awaited Veeam 11 Suite has dropped with an impressive array of some 200 new features and enhancements.  Nice.  One of the key features which I’m sure we’ll be taking a very close look at, is the ransomware protection features, namely immutable backups.

Backups are your last line of defense, and cyber criminals, leaving no stone unturned, are targeting these also, which is just wonderful.  So, its immutability to the rescue! So... what is immutability and how have Veeam implemented this in Veeam 11?

In simple terms, immutability prevents data deletion or modification of your backups where they are stored.  As a backup administrator, you can sleep at night knowing that your backups can’t be tampered with.  You can also have confidence in your ability to recover from a DR scenario, such as data corruption/deletion/malicious activity, be it external, or coming from within your organisation.

Moving onto Veeam... with their previous release, Veeam 10, they introduced object storage with immutability, allowing you to store your backups in an S3 compliant repository such as AWS.  Veeam 11 takes it a step further, allowing your actual initial backups to be immutable also.  They are doing this using hardened Linux repositories.  So, Windows users like me are probably going to have to harden up (see what I did there?) and get comfortable with joys of the Linux command line interface.  As they say, resistance is futile.

Your requirements for immutable backups?  Obviously, Veeam 11, you’ll need a physical Linux server with direct attached or SAN attached storage.  The Linux distro you use is recommended to support the XFS file system and Veeam Fast Cloning.  As for the backup method, your backup chains must be compatible with immutable files. Because your backup files must NOT be changed, the backup chain only can only create NEW backup files without changing any of the existing files.  With Veeam, only a forward incremental with periodic synthetic or active full backups will meet this requirement.

The hardened repository gets added to your Veeam Backup & Replication management server in the same way you add all other repository types.  You can see two new relevant fields below, tick the fast cloning, and make your backups immutable, set some retention, create a job, add some servers and away you go!

Your backup job has completed then, lets go and check the results...

Now that I have become an expert in using the Linux shell while writing this blog and by copying someone else’s screen shot, if you list the file attributes, you can see your backup files flagged with the i (immutable) attribute.  This is good.  No one is going to delete or modify these suckers.  Even you can’t do it because Veeam is using non-root credentials.  Even if your Veeam infrastructure is compromised there is no way these files can change until the duration of the immutability is over and the i flag has been removed.

Just to clarify, as one may ask, how is this flag set in Linux?  Because... when the specified Linux user gets privileged access to add or remove the flag, could this not be obtained by a miscreant to get access and modify or delete these files?  Well, as Veeam have focused on access control, they have reduced the possible attack surface by not allowing Veeam or the backup administrator to have unfettered access to an elevated user account that was used initially to deploy Veeam services. These one-time use for deployment credentials are not stored by Veeam.

In summary, we'll be upgrading to V11 shortly, and hopefully we'll get a chance to play with this, it looks like a really good feature, and I think it'll get some traction.


Deano is part of vBridge's amazing infrastructure team, who are responsible for keeping the lights on, and making sure your IaaS experience is a happy and productive one.