- Hardened Repository overview
- Hardened Repository operations
- Creating the filesystem
- Creating the dedicated backup account
- Creating the Hardened Repository
- Checking and verifying the configuration
- Hardening the Hardened Repository
- Expanding backup space
Veeam Hardened Repository is a WORM storage solution that prevents (unwanted) changes to backup files. It has been available since version 11. Veeam Hardened Repository has passed external audits for WORM storage and meets the highest compliance standards.
The Veeam v11 Hardened Repository feature successfully passed the most stringent data tamper-protection certifications in the global financial industry: SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) (the compliance assessment was performed by the third-party firm Cohasset Associates).
Hardened Linux backup repositories currently support the following OS versions:
CentOS 8.2 and 8.3, Debian 10.x, RHEL 8.2 or later, SLES 15 SP2, Ubuntu 18.04 LTS and 20.04 LTS
https://helpcenter.veeam.com/docs/backup/vsphere/overview.html?ver=110
Hardened Linux backup repositories currently support the following backup job types:
- VMware, Hyper-V VM backup jobs and backup copy jobs created by Veeam Backup & Replication
- Backup copy jobs created by Veeam Backup for Azure, Veeam Backup for AWS and Veeam Backup for Google Cloud Platform
- Physical machines backup jobs created by Veeam Agents (Windows, Linux, MAC, AIX, Solaris)
- vCD VM backup jobs
- VeeamZIP backup jobs
- Nutanix AHV VM backup jobs created by Veeam Backup for Nutanix AHV
https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110#jobs
Hardened Repository operations
Creating the filesystem
The following steps use CentOS as the example; adjust them for other environments.
# Check the disks
lsblk
---
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 15G 0 part
├─rl_veeamrepository01-root 253:0 0 13.4G 0 lvm /
└─rl_veeamrepository01-swap 253:1 0 1.6G 0 lvm [SWAP]
sdb 8:16 0 50G 0 disk
sdc 8:32 0 50G 0 disk
sr0 11:0 1 1024M 0 rom
---
# Label the disk as GPT
parted /dev/sdb mklabel gpt
---
Information: You may need to update /etc/fstab.
---
# Create primary partition 1 using all available space
parted /dev/sdb mkpart primary 1 100%
---
Information: You may need to update /etc/fstab.
---
# Create the physical volume
pvcreate /dev/sdb1
---
Physical volume "/dev/sdb1" successfully created.
---
# Create the volume group
vgcreate vg_veeam /dev/sdb1
---
Volume group "vg_veeam" successfully created
---
# Create the logical volume
lvcreate -l +100%free -n lv_repo01 /dev/vg_veeam
---
Logical volume "lv_repo01" created.
---
# Format the volume as XFS (reflink is required for Veeam fast cloning)
mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/mapper/vg_veeam-lv_repo01
---
meta-data=/dev/mapper/vg_veeam-lv_repo01 isize=512 agcount=4, agsize=3276544 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1
data = bsize=4096 blocks=13106176, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=6399, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
Discarding blocks...Done.
---
# Create the mount point
mkdir /mnt/veeamrepo01
# Get the UUID
blkid | grep /dev/mapper/vg_veeam-lv_repo01
---
/dev/mapper/vg_veeam-lv_repo01: UUID="9fb80510-5881-4791-a221-1bb723667ae8" BLOCK_SIZE="512" TYPE="xfs"
---
# Persist the mount in fstab
echo 'UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0' | sudo tee -a /etc/fstab
---
UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0
---
# Check fstab
cat /etc/fstab
---
#
# /etc/fstab
# Created by anaconda on Thu Apr 21 06:55:35 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl_veeamrepository01-root / xfs defaults 0 0
UUID=07f424dd-1613-4213-8f5c-6504a9d49296 /boot xfs defaults 0 0
/dev/mapper/rl_veeamrepository01-swap none swap defaults 0 0
UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0
---
# Mount everything listed in fstab
mount -a
# Check the mount and free space
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 50G 390M 50G 1% /mnt/veeamrepo01
---
Creating the dedicated backup account
# Create the user (the password shown is only an example; use a strong, unique one)
useradd -m veeamrepo && echo "veeamrepo" | passwd --stdin veeamrepo
---
Changing password for user veeamrepo.
passwd: all authentication tokens updated successfully.
---
# Grant sudo privileges (this edits /etc/sudoers directly; visudo is the safer way to edit it)
sed -i '$a veeamrepo ALL=(ALL:ALL) ALL' /etc/sudoers
# Grant ownership and permissions on the backup directory
chown -R veeamrepo:veeamrepo /mnt/veeamrepo01
chmod 700 /mnt/veeamrepo01
Creating the Hardened Repository
- Select [Backup Infrastructure] - [Backup Repositories]
- Create a [Backup Repository] and choose [Direct Attached Storage] - [Linux]
- New repository wizard configuration
– Set the repository name
– Repository server settings: click [Add New]
– Configure the Linux server address
– Add [Single-use credentials for hardened repository] authentication
– Credential configuration
– Configuration check
– Apply the configuration
– Summary check
– Click [Populate] and select the [/mnt/veeamrepo01] mount point
– Basic repository parameters
[Use fast cloning on XFS volumes] => enable Fast Cloning to optimise disk performance
[Make recent backups immutable for 7 days] => immutability period for the backup chain; the minimum is 7 days (key setting)
– Advanced repository parameters
– Mount server configuration
– Configuration check
– Apply the configuration
– Summary check
– Repository confirmation
Checking and verifying the configuration
- Check whether the backup files have been given the immutable (i) attribute
lsattr "/mnt/veeamrepo01/backups/Backup Job 1/"
- Test that manually deleting the test job's backup files is blocked
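The lsattr check above can be turned into a repeatable test. The following is an added example (not from the original guide): it parses lsattr output and reports every backup file that lacks the immutable flag, assuming that the .vbk and .vib files are the ones Veeam makes immutable and that the .vbm metadata file is expected to stay writable. The sample lsattr lines are constructed, not captured from a real repository.

```shell
#!/bin/sh
# Added example (not from the original guide): scan lsattr output for Veeam backup
# files that are missing the immutable flag. Assumption: .vbk (full) and .vib
# (incremental) files inside the immutability window must carry 'i'; the .vbm
# metadata file is updated by Veeam and is expected to stay mutable, so it is ignored.

# Constructed lsattr lines for illustration (not captured from a real repository).
SAMPLE_LSATTR='----i---------e------- /mnt/veeamrepo01/backups/Backup Job 1/Backup Job 1D2022-04-21T120000.vbk
----i---------e------- /mnt/veeamrepo01/backups/Backup Job 1/Backup Job 1D2022-04-22T120000.vib
--------------e------- /mnt/veeamrepo01/backups/Backup Job 1/Backup Job 1D2022-04-23T120000.vib
--------------e------- /mnt/veeamrepo01/backups/Backup Job 1/Backup Job 1.vbm'

# Reads lsattr lines on stdin, prints the path of each .vbk/.vib whose attribute
# field has no 'i', and returns 1 if any were found (0 when all backup files are immutable).
find_mutable_backups() {
    awk '
        {
            attrs = $1
            # Everything after the first space is the path; this keeps the spaces in
            # Veeam job folder names such as "Backup Job 1" intact.
            path = substr($0, length(attrs) + 2)
            if (path ~ /\.(vbk|vib)$/ && attrs !~ /i/) { print path; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Demo on the constructed sample. On a repository host run instead:
#   lsattr "/mnt/veeamrepo01/backups/Backup Job 1/" | find_mutable_backups
printf '%s\n' "$SAMPLE_LSATTR" | find_mutable_backups || echo "WARNING: backup files above are not immutable"
```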
Hardening the Hardened Repository
- Revoke sudoer privileges
sed -i 's/veeamrepo ALL=(ALL:ALL) ALL/#veeamrepo ALL=(ALL:ALL) ALL/' /etc/sudoers
- Lock the dedicated backup account
# Lock the account
passwd -l veeamrepo
# Unlock the account
passwd -u veeamrepo
Locking the account does not affect normal backups.
- Do not respond to ICMP ping requests
# Stop responding (a /proc write does not survive a reboot; add the setting under /etc/sysctl.d to persist it)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Restore responses
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This effectively reduces the risk of ransomware finding the host during lateral scanning.
- Change the SSH port
# Change the SSH port (this appends both ports; remove the Port 22 line once 60022 is verified to work)
sed -i '$a Port 22\nPort 60022' /etc/ssh/sshd_config
# On SELinux-enforcing hosts run the semanage step below before this restart, or sshd is denied the bind to 60022
systemctl restart sshd
# SELinux hardening
semanage port -a -t ssh_port_t -p tcp 60022
semanage port -l | grep ssh
# Firewall hardening
firewall-cmd --zone=public --add-port=60022/tcp --permanent
firewall-cmd --reload
systemctl restart firewalld.service
firewall-cmd --list-ports
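After the four hardening steps above, the state they leave behind should be verified rather than assumed. The following is an added example (not from the original guide): a POSIX shell audit that takes the sudoers file, the icmp_echo_ignore_all value, the sshd_config and a `passwd -S veeamrepo` status line as arguments, so it can be run against the live files or against copies. It also flags an active `Port 22` line, which the sed above leaves in place until it is removed. The LK/PS status codes and the file paths are assumptions about an RHEL-family host.

```shell
#!/bin/sh
# Post-hardening audit (added example, not from the original guide). Each control is
# read from a path passed as an argument so the check can run against the live files
# (/etc/sudoers, /proc/sys/net/ipv4/icmp_echo_ignore_all, /etc/ssh/sshd_config) or
# against copies. The account state is the output line of 'passwd -S veeamrepo', whose
# second field is LK for a locked password on RHEL-family systems (assumption).
# Prints PASS/FAIL per control; the return value is the number of failed controls.
audit_hardening() {
    sudoers=$1; icmp=$2; sshd=$3; pwstatus=$4
    fails=0
    # 1. The sudo rule for veeamrepo must be commented out or gone.
    if grep -Eq '^[[:space:]]*veeamrepo[[:space:]]+ALL' "$sudoers"; then
        echo "FAIL sudoers: veeamrepo still has an active sudo rule"; fails=$((fails + 1))
    else
        echo "PASS sudoers"
    fi
    # 2. ICMP echo requests are ignored (value 1).
    if [ "$(tr -d '[:space:]' < "$icmp")" = "1" ]; then
        echo "PASS icmp"
    else
        echo "FAIL icmp: icmp_echo_ignore_all is not 1"; fails=$((fails + 1))
    fi
    # 3. sshd must listen on 60022 and no longer on the default port 22. The sed in the
    #    guide appends both lines, so 'Port 22' is reported until it is removed.
    if grep -Eq '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$sshd"; then
        echo "FAIL sshd: default Port 22 is still enabled"; fails=$((fails + 1))
    elif ! grep -Eq '^[[:space:]]*Port[[:space:]]+60022[[:space:]]*$' "$sshd"; then
        echo "FAIL sshd: Port 60022 is not configured"; fails=$((fails + 1))
    else
        echo "PASS sshd"
    fi
    # 4. The dedicated account's password is locked.
    case $(printf '%s\n' "$pwstatus" | awk '{print $2}') in
        LK) echo "PASS account" ;;
        *)  echo "FAIL account: veeamrepo password is not locked"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Live usage on the repository host (requires root):
#   audit_hardening /etc/sudoers /proc/sys/net/ipv4/icmp_echo_ignore_all \
#       /etc/ssh/sshd_config "$(passwd -S veeamrepo)"
```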
When possible, disabling SSH entirely is also a very good protective measure: manage the server only through the console.
Expanding backup space
# Check the disks
lsblk
---
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 15G 0 part
├─rl_veeamrepository01-root 253:0 0 13.4G 0 lvm /
└─rl_veeamrepository01-swap 253:1 0 1.6G 0 lvm [SWAP]
sdb 8:16 0 50G 0 disk
sdc 8:32 0 50G 0 disk
sr0 11:0 1 1024M 0 rom
---
# Disk space before expansion
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 50G 390M 50G 1% /mnt/veeamrepo01
---
# Label the new disk as GPT
parted /dev/sdc mklabel gpt
---
Information: You may need to update /etc/fstab.
---
# Create primary partition 1 using all available space
parted /dev/sdc mkpart primary 1 100%
---
Information: You may need to update /etc/fstab.
---
# Create the physical volume
pvcreate /dev/sdc1
---
Physical volume "/dev/sdc1" successfully created.
---
# Extend the volume group
vgextend vg_veeam /dev/sdc1
---
Volume group "vg_veeam" successfully extended
---
# Extend the logical volume
lvextend -l +100%free /dev/mapper/vg_veeam-lv_repo01
---
Size of logical volume vg_veeam/lv_repo01 changed from <50.00 GiB (12799 extents) to 99.99 GiB (25598 extents).
Logical volume vg_veeam/lv_repo01 successfully resized.
---
# Grow the XFS filesystem (online; the volume stays mounted)
xfs_growfs /dev/mapper/vg_veeam-lv_repo01
---
meta-data=/dev/mapper/vg_veeam-lv_repo01 isize=512 agcount=4, agsize=3276544 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1
data = bsize=4096 blocks=13106176, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=6399, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
data blocks changed from 13106176 to 26212352
---
# Disk space after expansion
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 100G 747M 100G 1% /mnt/veeamrepo01
---



