Immutable Veeam Backups with Rocky Linux Hardened Repository
Introduction
The Growing Threat of Ransomware: Protecting Your Data with Veeam and Rocky Linux. Rocky Linux is an open enterprise Operating System designed to be 100% bug-for-bug compatible with Enterprise Linux.
In today’s digital age, data is invaluable, and its loss, particularly through ransomware, poses a significant threat to businesses of all sizes. Ransomware attacks not only disrupt operations but also compromise sensitive information, leading to financial and reputational damage. This article explores how integrating Veeam backup solutions with Rocky Linux’s hardened repositories can fortify your defense against such cyber threats.
Understanding Ransomware and Its Impacts on Businesses
- Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money is paid. Despite increasing awareness, many businesses fall victim to these attacks due to inadequate protective measures.
Key impacts of ransomware on businesses include:
- Financial losses from ransom payments and operational downtime.
- Data breaches leading to loss of customer trust.
- Legal repercussions from failing to protect sensitive data.
The Crucial Role of Backup Solutions in Ransomware Protection
Regular, secure backups are your first line of defense against data loss from ransomware. Veeam offers cutting-edge backup and recovery solutions that can restore your data quickly and efficiently, minimizing downtime and mitigating the impact of these attacks.
Why Choose Rocky Linux for Enhanced Security
Rocky Linux stands out for its security-focused design, making it an ideal choice for businesses looking to safeguard their data. Its hardened repositories are specifically tailored to reduce vulnerabilities, offering an additional layer of protection against cyber threats.
Strengthening Your Defense with Veeam and Rocky Linux
Create Rocky Linux Repository
- Requirements
  - Rocky Linux 9 installer
  - Preferably a physical server with RAID 60 and disk I/O sized for the workload
- Download Rocky Linux 9 from the Rocky Linux website
- Create a bootable USB using your preferred tool. I prefer Etcher for this.
- Install Rocky Linux on the server
  - Select Language
  - Set Time Zone
  - Select Software: Server with GUI or Minimal
  - Select the destination disk where you want to install Rocky Linux
  - Disable the root account
  - Create a user to manage the system and add it to the administrators group
  - Configure Network: assign the IP address and host name
  - After everything is configured, click Begin Installation
- Reboot the system
After the reboot, log in to Rocky Linux over SSH with the user created above.
Create an elliptic-curve key for the user that will be used for SSH; ECC is based on the discrete logarithm problem, which is much harder to solve.
On Linux or macOS:
user@linux1:~ $ ssh-keygen -f id_ecdsa_backup -t ecdsa -b 521 -C ''
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ecdsa_backup
Your public key has been saved in id_ecdsa_backup.pub
Copy the public key to the newly installed Rocky Linux server; enter the admin user's password when prompted.
user@linux1:~ $ ssh-copy-id -i id_ecdsa_backup.pub [email protected]
Log in to the server with the private key generated above using the following command.
user@linux1:~ $ ssh -i id_ecdsa_backup [email protected]
The next step sets up the backup drive for the repository. In my case it is sdb with 1.8 TB of space available; we will mount the physical disk / volume at a mount point for backups.
[backup@rock-repo ~]$ df -H
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.2M 0 4.2M 0% /dev
tmpfs 4.1G 0 4.1G 0% /dev/shm
tmpfs 1.7G 9.2M 1.7G 1% /run
/dev/mapper/rl_rock--repo-root 14G 1.9G 12G 14% /
/dev/sda2 1.1G 264M 744M 27% /boot
/dev/sda1 628M 7.4M 621M 2% /boot/efi
tmpfs 805M 0 805M 0% /run/user/1000
[backup@rock-repo ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 600M 0 part /boot/efi
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 14.4G 0 part
├─rl_rock--repo-root 253:0 0 12.8G 0 lvm /
└─rl_rock--repo-swap 253:1 0 1.6G 0 lvm [SWAP]
sdb 8:16 0 1.8T 0 disk
└─sdb1 8:17 0 1.8T 0 part
sr0 11:0 1 1024M 0 rom
[backup@rock-repo ~]$ cd /mnt
[backup@rock-repo mnt]$ sudo mkdir backup
[sudo] password for backup:
[backup@rock-repo mnt]$
[backup@rock-repo mnt]$ ls -lt
total 0
drwxr-xr-x. 2 root root 6 Mar 24 13:36 backup
Next we will create a dedicated user and security group that will manage the backups on this repository remotely.
[backup@rock-repo mnt]$ sudo groupadd backupadmins
[backup@rock-repo mnt]$ sudo useradd backupadmin
[backup@rock-repo mnt]$ id backupadmin
uid=1001(backupadmin) gid=1002(backupadmin) groups=1002(backupadmin)
[backup@rock-repo mnt]$ sudo usermod -aG backupadmins backupadmin
[backup@rock-repo mnt]$ id backupadmin
uid=1001(backupadmin) gid=1002(backupadmin) groups=1002(backupadmin),1001(backupadmins)
Format and Mount Disk
[backup@rock-repo mnt]$ sudo fdisk /dev/sdb
Welcome to fdisk (util-linux 2.37.4).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help):
Command (m for help): p
Disk /dev/sdb: 1.82 TiB, 2000365289472 bytes, 3906963456 sectors
Disk model: My Passport 25E1
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C4C404F3-F316-443E-A2F6-A0F64C5B9704
Device Start End Sectors Size Type
/dev/sdb1 2048 3906961407 3906959360 1.8T Linux filesystem
Command (m for help): n
Partition number (2-128, default 2):
First sector (34-3906963422, default 3906961408):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (3906961408-3906963422, default 3906963422):
Created a new partition 2 of type 'Linux filesystem' and of size 1007.5 KiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
Verify that the partition is visible with lsblk, then create the file system (we will be using XFS) and mount it at /mnt/backup.
[backup@rock-repo mnt]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 16G 0 disk
├─sda1 8:1 0 600M 0 part /boot/efi
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 14.4G 0 part
├─rl_rock--repo-root 253:0 0 12.8G 0 lvm /
└─rl_rock--repo-swap 253:1 0 1.6G 0 lvm [SWAP]
sdb 8:16 0 1.8T 0 disk
├─sdb1 8:17 0 1.8T 0 part
└─sdb2 8:18 0 1007.5K 0 part
sr0 11:0 1 1024M 0 rom
[backup@rock-repo mnt]$ sudo mkfs.xfs /dev/sdb1
[backup@rock-repo mnt]$ sudo mount /dev/sdb1 /mnt/backup
[backup@rock-repo mnt]$ lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1 vfat FAT32 4253-1979 591.8M 1% /boot/efi
├─sda2 xfs 072ad0f0-2a5d-4804-a16a-bf9dd1dabc25 708.8M 26% /boot
└─sda3 LVM2_member LVM2 001 A2TaM8-P7jU-3nxj-3CT3-154Z-4Q00-O90boc
├─rl_rock--repo-root xfs 1e4eaccf-283a-4c2a-83b6-6ebab408aad7 11G 13% /
└─rl_rock--repo-swap swap 1 a9d4d42d-d6a4-4c3b-bf49-87527eb527eb [SWAP]
sdb
├─sdb1 xfs 7f300a64-79ef-40ef-a7b0-8c67ab316c4c 1.8T 1% /mnt/backup
└─sdb2
sr0
Copy and note the UUID of the device.
Edit fstab and add the mount entry so the device is mounted automatically when Rocky Linux reboots.
[backup@rock-repo mnt]$ sudo vi /etc/fstab
# /etc/fstab
# Created by anaconda on Sun Mar 24 09:36:40 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl_rock--repo-root / xfs defaults 0 0
UUID=072ad0f0-2a5d-4804-a16a-bf9dd1dabc25 /boot xfs defaults 0 0
UUID=4253-1979 /boot/efi vfat umask=0077,shortname=winnt 0 2
/dev/mapper/rl_rock--repo-swap none swap defaults 0 0
UUID=7f300a64-79ef-40ef-a7b0-8c67ab316c4c /mnt/backup xfs defaults 0 0
Set ownership and permissions on the backup directory; the setgid bit (2775) keeps new files in the backupadmins group.
[backup@rock-repo mnt]$ sudo chown backupadmin:backupadmins /mnt/backup
[backup@rock-repo mnt]$ sudo chmod 2775 backup
[backup@rock-repo mnt]$ ls -al
total 4
drwxr-xr-x. 3 root root 45 Mar 24 13:56 .
dr-xr-xr-x. 18 root root 235 Mar 24 12:37 ..
drwxrwsr-x. 2 backupadmin backupadmins 6 Mar 24 13:54 backup
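Before rebooting it is worth checking that the fstab entry and the directory permissions really are what the steps above intend. A common mistake is to write the device as /dev/<uuid> instead of UUID=<uuid>; the path does not exist, so systemd drops the host into emergency mode at the next boot. The script below is an added example, not part of the original article or of Veeam's tooling. It assumes the values used above (mount point /mnt/backup, owner backupadmin, group backupadmins, mode 2775, XFS); the functions take their input as text so they can be checked offline, and the live checks against /etc/fstab and the mounted directory run only when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the article or from Veeam): sanity checks for the
# hardened-repository mount. Assumed values from the steps above: mount point
# /mnt/backup, owner backupadmin, group backupadmins, mode 2775, filesystem xfs.

MOUNT_POINT="/mnt/backup"

# Print field $2 of the (non-comment) fstab line whose mount point is $1.
# The fstab text is read from stdin.
fstab_field() {
    awk -v mp="$1" -v f="$2" '$1 !~ /^#/ && $2 == mp { print $f; exit }'
}

# $1 = fstab text, $2 = mount point. A correct entry references the filesystem
# as UUID=<uuid> (a /dev/<uuid> path does not exist; systemd would then drop the
# host into emergency mode at boot) and uses xfs, which is what we formatted.
validate_fstab() {
    dev=$(printf '%s\n' "$1" | fstab_field "$2" 1)
    fstype=$(printf '%s\n' "$1" | fstab_field "$2" 3)
    case "$dev" in
        UUID=????????-????-????-????-????????????) ;;
        *) echo "bad device spec for $2: '${dev:-missing}'"; return 1 ;;
    esac
    [ "$fstype" = "xfs" ] || { echo "unexpected fstype '$fstype' for $2"; return 1; }
    echo "fstab entry for $2 OK ($dev $fstype)"
}

# $1 = output of `stat -c '%a %U %G' <dir>`, e.g. "2775 backupadmin backupadmins".
# The setgid bit (the leading 2) keeps new files in the backupadmins group.
validate_perms() {
    set -- $1
    [ "$1" = "2775" ] && [ "$2" = "backupadmin" ] && [ "$3" = "backupadmins" ]
}

# Live checks against the running system; only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    validate_fstab "$(cat /etc/fstab)" "$MOUNT_POINT" || exit 1
    findmnt -n -o FSTYPE "$MOUNT_POINT" | grep -qx xfs \
        || { echo "$MOUNT_POINT is not mounted as xfs"; exit 1; }
    validate_perms "$(stat -c '%a %U %G' "$MOUNT_POINT")" \
        || { echo "wrong owner/group/mode on $MOUNT_POINT"; exit 1; }
    echo "all live checks passed"
fi
```

Run it as `sh check.sh --live` after editing fstab and before rebooting; a non-zero exit means the entry or the directory needs fixing first.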
Configure Repository in Veeam
- Select Backup Infrastructure
- Click Add Repository
- Select Linux Hardened Repository
- Add a Name; this can be any common name you give to this repository
- Enter the DNS FQDN or IP address of the Rocky Linux server
- Enter the credentials for user backupadmin
- Trust the SSH key: click Yes
- Click Apply
- Click Next
- Click Populate and note the disk (the disk we created and mounted at /mnt/backup)
- Select the mount point, then click Next
- Select the mount server
- Review and Apply, then click Next and Finish
If everything goes well, the new repository will appear in Backup Infrastructure similar to this.
Testing The Immutability
Create a backup job pointing to the new repository. After the backup completes, try deleting the backup. By default it will not let anyone delete it, because this backup has a 7-day retention policy.
The Veeam interface did not let us delete the file; let's see what happens if someone tries to delete it from the Rocky Linux back end.
SSH to the repository server and try to delete the files from disk as a superuser. The snippet below shows the backups in the directory.
[backup@rock-repo mnt]$ sudo usermod -aG wheel backupadmin
[backupadmin@rock-repo backup]$ ls -al backups/Backup\ Job\ 1/
total 9567060
drwxr-xr-x. 2 backupadmin backupadmin 106 Mar 24 15:21 .
drwx------. 3 backupadmin backupadmins 26 Mar 24 15:08 ..
-rw-r--r--. 1 root root 137 Mar 24 15:11 .veeam.1.lock
-rw-r--r--. 1 backupadmin backupadmin 10462 Mar 24 15:21 Windows10_5A14E.vbm
-rw-r--r--. 1 backupadmin backupadmin 9796653056 Mar 24 15:11 Windows10.vm-3021D2024-03-24T150818_3B6B.vbk
Let's try the rm command.
Even with the highest user privileges, the files cannot be deleted.
[backupadmin@rock-repo backup]$ rm -R backups
rm: cannot remove 'backups/Backup Job 1/Windows10.vm-3021D2024-03-24T150818_3B6B.vbk': Operation not permitted
rm: cannot remove 'backups/Backup Job 1/.veeam.1.lock': Operation not permitted
rm: cannot remove 'backups/Backup Job 1': Directory not empty
[backupadmin@rock-repo backup]$
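The "Operation not permitted" errors come from the Linux immutable attribute (the i flag shown by lsattr) that Veeam sets on the restore-point files; root cannot unlink an immutable file either. A defender wants to verify periodically that every restore point actually carries that flag rather than trusting the wizard. The script below is an added example, not part of the original article or of Veeam's own tooling. It assumes, beyond what the page states, that backups live under /mnt/backup/backups, that restore points are the .vbk/.vib files and should be immutable, and that the .vbm metadata file is expected to stay writable; the parsing works on lsattr text so it can be exercised offline, and the live audit runs only with --live.

```shell
#!/bin/sh
# Added example (not from the article or from Veeam): audit which files under the
# repository actually carry the Linux immutable attribute, the 'i' flag reported by
# lsattr, which is what makes rm fail even with root privileges. Assumed, not from
# the page: backups live under /mnt/backup/backups; restore points are .vbk/.vib
# files and should be immutable, while the .vbm metadata file stays writable.

BACKUP_ROOT="/mnt/backup/backups"

# Read lsattr output on stdin (`lsattr -R <dir>` prints "<flags> <path>" per entry,
# plus "<dir>:" headers and blank lines) and emit "immutable|mutable <path>".
classify_lsattr() {
    awk '
        /^[-a-zA-Z]+ / {
            flags = $1
            path = $0
            sub(/^[^ ]+ /, "", path)
            print (index(flags, "i") ? "immutable" : "mutable") " " path
        }'
}

# List restore-point files (.vbk/.vib) that are NOT immutable; exit 1 if any exist.
find_unprotected() {
    classify_lsattr | awk '
        /^mutable / && /\.(vbk|vib)$/ { print; bad++ }
        END { exit (bad > 0) }'
}

# Live run against the repository: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    if lsattr -R "$BACKUP_ROOT" 2>/dev/null | find_unprotected; then
        echo "all restore points under $BACKUP_ROOT are immutable"
    else
        echo "WARNING: the restore points listed above are deletable" >&2
        exit 1
    fi
fi
```

Schedule it from cron or a systemd timer and alert on a non-zero exit; a restore point that is writable before its immutability period has expired is exactly the condition a ransomware operator with repository access would try to create.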
Conclusion
Secure Your Data Today
In the fight against ransomware, being proactive about your data security is crucial. By leveraging Veeam's robust backup solutions and Rocky Linux's hardened repositories, you can significantly enhance your defense mechanisms. Veeam Community Edition supports backing up up to 10 VMs and can be useful for backing up small environments or home labs. Consider this powerful combination to protect your business from the devastating impacts of ransomware.
Rocky Linux security can be enhanced further by following the CIS hardening benchmark; we will discuss some of its points in a future article.