
Veeam BR 22: Hardened Repository

Time: 2019-07-20 18:47:04


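Contents

– Hardened Repository Overview
– Hardened Repository Operations
– Create the File System
– Create a Dedicated Backup Account
– Create the Hardened Repository
– Verify the Configuration
– Hardening the Hardened Repository
– Expanding Backup Storage

Hardened Repository Overview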

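Veeam Hardened Repository is a WORM storage solution that prevents (unwanted) changes to backup files. It has been available since version 11. Veeam Hardened Repository has passed an external audit for WORM storage and meets the highest compliance standards.

The Veeam v11 Hardened Repository feature has passed the most stringent data tamper-proofing certifications in the global financial industry: SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) (the compliance assessment was carried out by the third-party firm Cohasset Associates).

The hardened Linux backup repository currently supports the following OS versions: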

CentOS 8.2 and 8.3, Debian 10.x, RHEL 8.2 or later, SLES 15 SP2, Ubuntu 18.04 LTS and 20.04 LTS

/docs/backup/vsphere/overview.html?ver=110

The hardened Linux backup repository currently supports the following backup job types:

– VMware, Hyper-V VM backup jobs and backup copy jobs created by Veeam Backup & Replication
– Backup copy jobs created by Veeam Backup for Azure, Veeam Backup for AWS and Veeam Backup for Google Cloud Platform
– Physical machines backup jobs created by Veeam Agents (Windows, Linux, MAC, AIX, Solaris)
– vCD VM backup jobs
– VeeamZIP backup jobs
– Nutanix AHV VM backup jobs created by Veeam Backup for Nutanix AHV

/docs/backup/vsphere/hardened_repository.html?ver=110#jobs

Hardened Repository Operations

The steps below use CentOS as the example; adapt them for other environments.

Create the File System

# Check the disks
lsblk
---
NAME                          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                             8:0    0   16G  0 disk
├─sda1                          8:1    0    1G  0 part /boot
└─sda2                          8:2    0   15G  0 part
  ├─rl_veeamrepository01-root 253:0    0 13.4G  0 lvm  /
  └─rl_veeamrepository01-swap 253:1    0  1.6G  0 lvm  [SWAP]
sdb                             8:16   0   50G  0 disk
sdc                             8:32   0   50G  0 disk
sr0                            11:0    1 1024M  0 rom
---
# Create a GPT partition table on the disk
parted /dev/sdb mklabel gpt
---
Information: You may need to update /etc/fstab.
---
# Create primary partition 1 using all of the space
parted /dev/sdb mkpart primary 1 100%
---
Information: You may need to update /etc/fstab.
---
# Create the physical volume
pvcreate /dev/sdb1
---
Physical volume "/dev/sdb1" successfully created.
---
# Create the volume group
vgcreate vg_veeam /dev/sdb1
---
Volume group "vg_veeam" successfully created
---
# Create the logical volume
lvcreate -l +100%free -n lv_repo01 /dev/vg_veeam
---
Logical volume "lv_repo01" created.
---
# Format the volume as XFS (reflink=1 is what Fast Clone relies on)
mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/mapper/vg_veeam-lv_repo01
---
meta-data=/dev/mapper/vg_veeam-lv_repo01 isize=512    agcount=4, agsize=3276544 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=13106176, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=6399, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
Discarding blocks...Done.
---
# Create the mount directory
mkdir /mnt/veeamrepo01
# Get the UUID
blkid | grep /dev/mapper/vg_veeam-lv_repo01
---
/dev/mapper/vg_veeam-lv_repo01: UUID="9fb80510-5881-4791-a221-1bb723667ae8" BLOCK_SIZE="512" TYPE="xfs"
---
# Make the mount persistent
echo 'UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0' | sudo tee -a /etc/fstab
---
UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0
---
# Check fstab
cat /etc/fstab
---
#
# /etc/fstab
# Created by anaconda on Thu Apr 21 06:55:35 
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl_veeamrepository01-root / xfs defaults 0 0
UUID=07f424dd-1613-4213-8f5c-6504a9d49296 /boot xfs defaults 0 0
/dev/mapper/rl_veeamrepository01-swap none swap defaults 0 0
UUID=9fb80510-5881-4791-a221-1bb723667ae8 /mnt/veeamrepo01 xfs defaults 0 0
---
# Mount everything listed in fstab
mount -a
# Check the mount and the available space
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 50G 390M 50G 1% /mnt/veeamrepo01
---

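Create a Dedicated Backup Account

# Create the user (the password shown is the example value; set a strong, unique one instead)
useradd -m veeamrepo && echo "veeamrepo" | passwd --stdin veeamrepo
---
Changing password for user veeamrepo.
passwd: all authentication tokens updated successfully.
---
# Grant sudo privileges (needed only while the repository is deployed; revoked again in the hardening section)
sed -i '$a veeamrepo ALL=(ALL:ALL) ALL' /etc/sudoers
# Give the account ownership of the backup directory
chown -R veeamrepo:veeamrepo /mnt/veeamrepo01
chmod 700 /mnt/veeamrepo01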

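Create the Hardened Repository

Select [Backup Infrastructure] - [Backup Repositories]

Create a [Backup Repository] and choose [Direct Attached Storage] - [Linux]

New repository wizard configuration

– Set the repository name

– Configure the repository server; click [Add New]

– Configure the Linux server address

– Add [Single-use credentials for hardened repository] credentials

– Configure the credentials

– Review the configuration

– Apply the configuration

– Review the summary

– Click [Populate] and select the [/mnt/veeamrepo01] mount point

– Set the basic repository parameters

[Use fast cloning on XFS volumes] => enables Fast Cloning to optimize disk performance

[Make recent backups immutable for 7 days] => the period for which the backup chain is kept hardened; the minimum value is 7 days (key setting)

– Configure the advanced repository parameters

– Configure the mount server

– Review the configuration

– Apply the configuration

– Review the summary

– Confirm the repository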

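Verify the Configuration

Check whether the backup files have been given the i (immutable) attribute

lsattr /mnt/veeamrepo01/backups/Backup\ Job\ 1/

Test whether manually deleting the test job is blocked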
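
The i-attribute check above can be automated across the whole repository. The script below is an added example, not part of the original article or of Veeam's tooling: it parses lsattr -R output and lists backup data files that are missing the immutable flag. The function names and the sample listing are constructed, and limiting the check to .vbk and .vib files is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the article): report backup files without the "i" flag.

# Reads `lsattr -R` output on stdin and prints every .vbk/.vib path whose
# attribute field lacks "i". Exit status 1 means at least one was found.
# Assumption: only full (.vbk) and incremental (.vib) files are checked.
find_mutable() {
    awk '
        NF < 2 || /:$/ { next }              # blank lines and "dir:" headers
        {
            attrs = $1
            path = substr($0, length(attrs) + 2)   # keeps spaces in names
            if (path !~ /\.(vbk|vib)$/) next
            if (index(attrs, "i") == 0) { print path; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `lsattr -R /mnt/veeamrepo01/backups` output.
sample_lsattr() {
    cat <<'EOF'

/mnt/veeamrepo01/backups/Backup Job 1:
----i----------------- /mnt/veeamrepo01/backups/Backup Job 1/vm01-full.vbk
---------------------- /mnt/veeamrepo01/backups/Backup Job 1/vm01-incr.vib
---------------------- /mnt/veeamrepo01/backups/Backup Job 1/Backup Job 1.vbm
EOF
}

# Demo on the sample; on the repository server use:
#   lsattr -R /mnt/veeamrepo01/backups | find_mutable
sample_lsattr | find_mutable || echo "^ files above are NOT immutable"
```

A non-zero exit status makes the function usable from cron or a monitoring agent to alert when a backup file inside the immutability window has lost its flag.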

Hardening the Hardened Repository

Revoke sudo privileges

sed -i 's/veeamrepo ALL=(ALL:ALL) ALL/#veeamrepo ALL=(ALL:ALL) ALL/' /etc/sudoers

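Lock the dedicated backup account

# Lock the account
passwd -l veeamrepo
# Unlock the account
passwd -u veeamrepo

Locking the account does not affect normal backups.

Do not respond to ping (ICMP) requests

# Stop responding (runtime setting; it does not persist across a reboot)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Resume responding
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This can effectively guard against the risk of ransomware scanning laterally across the network.

Change the SSH port

# SSH port change
sed -i '$a Port 22\nPort 60022' /etc/ssh/sshd_config
# SELinux hardening (label the new port before restarting sshd, otherwise sshd cannot bind to it)
semanage port -a -t ssh_port_t -p tcp 60022
semanage port -l | grep ssh
systemctl restart sshd
# Firewall hardening
firewall-cmd --zone=public --add-port=60022/tcp --permanent
firewall-cmd --reload
systemctl restart firewalld.service
firewall-cmd --list-ports

Where necessary, disabling SSH altogether is also a very good protective measure, with the server managed only through the console.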
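
The hardening steps in this section can be checked after the fact with a short audit script. This is an added example, not part of the original article or of Veeam's tooling; the function names are hypothetical, and the sudoers check assumes the entry lives in the main sudoers file as in the steps above (drop-in files under /etc/sudoers.d are not inspected).

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit the hardening steps above.
# Every check takes the file to inspect as an argument, defaulting to the
# live system file, so it can also be run against copies.

# OK when no active (uncommented) sudoers line starts with the account name.
check_sudo_revoked() {   # $1=user $2=sudoers file
    ! grep -Eq "^[[:space:]]*$1[[:space:]]" "${2:-/etc/sudoers}"
}

# OK when the shadow password field starts with "!", which passwd -l sets.
check_locked() {         # $1=user $2=shadow file
    awk -F: -v u="$1" '
        $1 == u { found = 1; if ($2 !~ /^!/) bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }
    ' "${2:-/etc/shadow}"
}

# OK when the kernel ignores ICMP echo requests.
check_icmp_ignored() {   # $1=icmp_echo_ignore_all file
    [ "$(cat "${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}" 2>/dev/null)" = "1" ]
}

# Prints the ports sshd is configured to listen on, one per line.
sshd_ports() {           # $1=sshd_config file
    awk 'tolower($1) == "port" { print $2 }' "${1:-/etc/ssh/sshd_config}"
}

# Runs all checks; returns 1 if any hardening step is missing.
audit() {                # $1=user $2..$5=optional file overrides
    rc=0
    check_sudo_revoked "$1" "$2" || { echo "FAIL: $1 has an active sudoers entry"; rc=1; }
    check_locked "$1" "$3"       || { echo "FAIL: $1 is not locked"; rc=1; }
    check_icmp_ignored "$4"      || { echo "FAIL: ICMP echo requests are answered"; rc=1; }
    echo "INFO: sshd ports: $(sshd_ports "$5" | tr '\n' ' ')"
    return "$rc"
}

# On the repository server, as root:  ./audit.sh run
if [ "${1:-}" = "run" ]; then audit veeamrepo; fi
```

Run it as root so that /etc/sudoers and /etc/shadow are readable; the ICMP check also catches the setting being lost after a reboot.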

Expanding Backup Storage

# Check the disks
lsblk
---
NAME                          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                             8:0    0   16G  0 disk
├─sda1                          8:1    0    1G  0 part /boot
└─sda2                          8:2    0   15G  0 part
  ├─rl_veeamrepository01-root 253:0    0 13.4G  0 lvm  /
  └─rl_veeamrepository01-swap 253:1    0  1.6G  0 lvm  [SWAP]
sdb                             8:16   0   50G  0 disk
sdc                             8:32   0   50G  0 disk
sr0                            11:0    1 1024M  0 rom
---
# Disk space
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 50G 390M 50G 1% /mnt/veeamrepo01
---
# Create a GPT partition table on the disk
parted /dev/sdc mklabel gpt
---
Information: You may need to update /etc/fstab.
---
# Create primary partition 1 using all of the space
parted /dev/sdc mkpart primary 1 100%
---
Information: You may need to update /etc/fstab.
---
# Create the physical volume
pvcreate /dev/sdc1
---
Physical volume "/dev/sdc1" successfully created.
---
# Extend the volume group
vgextend vg_veeam /dev/sdc1
---
Volume group "vg_veeam" successfully extended
---
# Extend the logical volume
lvextend -l +100%free /dev/mapper/vg_veeam-lv_repo01
---
Size of logical volume vg_veeam/lv_repo01 changed from <50.00 GiB (12799 extents) to 99.99 GiB (25598 extents).
Logical volume vg_veeam/lv_repo01 successfully resized.
---
# Grow the XFS file system
xfs_growfs /dev/mapper/vg_veeam-lv_repo01
---
meta-data=/dev/mapper/vg_veeam-lv_repo01 isize=512    agcount=4, agsize=3276544 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=13106176, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=6399, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 13106176 to 26212352
---
# Disk space
df -Th | grep /mnt/veeamrepo01
---
/dev/mapper/vg_veeam-lv_repo01 xfs 100G 747M 100G 1% /mnt/veeamrepo01
---
