
Installing Ubuntu Linux for the Veeam Hardened Repository

In this second part (the first part is available here) of setting up and hardening a Veeam “hardened repository,” I will cover how to install Ubuntu 20.04 in a secure way. While it’s “only a minimal installation,” I’ve seen many questions on this topic, so let’s clear up some basic points.

Before we start, let’s recap the requirements:

 <ul>          <li>     A RAID 1 for the operating system on SSDs with at least 100 GB disk space     </li>     
 <li>     A RAID 6/60 for the backup data     </li>     
 <li>     Static IP address, gateway and DNS settings     </li>     
 <li>     Recommended: redundant network connection     </li>     
 <li>     Switch port: untagged     </li>     
 <li>     UEFI Secure Boot is enabled     </li>     
 </ul>     

With all environmental preparations done, we can now download Ubuntu 20.04.

 <h2>          <span id="Download">     Download     </span>          </h2>     

Download the latest Ubuntu 20.04 ISO from the Ubuntu website. At the time of writing, that was ubuntu-20.04.5-live-server-amd64.iso. The latest ISO means that the Linux kernel is as new as possible to support newer hardware.

Technically you can also use Ubuntu 22.04, but there are currently no DISA STIGs (Security Technical Implementation Guides) available for it, which we will apply in a later post. Additionally, Ubuntu 22.04 is supported starting with Veeam Backup & Replication v12.

 <h2>          <span id="Installation">     Installation     </span>          </h2>     

The first step of the installation is to select the “HWE” kernel, that is the “Hardware Enablement” kernel. If you don’t see the HWE kernel option, you are booting in legacy BIOS mode. UEFI with UEFI Secure Boot enabled is recommended.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-01-HWE-kernel.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-01-HWE-kernel.png" alt class="wp-image-156557 lazyload" width="510" height="356" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-01-HWE-kernel.png" alt class="wp-image-156557" width="510" height="356" data-eio="l" />          </a>          </figure>          </div>     

In the next step, confirm that you want to install Ubuntu Server.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-02-install-ubuntu-server.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-02-install-ubuntu-server.png" alt class="wp-image-156571 lazyload" width="515" height="359" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-02-install-ubuntu-server.png" alt class="wp-image-156571" width="515" height="359" data-eio="l" />          </a>          </figure>          </div>     

After a while, you will see the language selection. This blog post will continue in English, but you can use a different language if you prefer. For troubleshooting purposes, I generally recommend always using English operating systems.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-03-language-selection.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-03-language-selection.png" alt class="wp-image-156585 lazyload" width="512" height="379" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-03-language-selection.png" alt class="wp-image-156585" width="512" height="379" data-eio="l" />          </a>          </figure>          </div>     

We can continue with the existing installer without updating it.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-04-installer-update.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-04-installer-update.png" alt class="wp-image-156599 lazyload" width="512" height="378" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-04-installer-update.png" alt class="wp-image-156599" width="512" height="378" data-eio="l" />          </a>          </figure>          </div>     

The keyboard layout selection should be self-explanatory, but it matters for the passwords we create later. The recommendation is to stick to the standard you defined in your environment. If you use the English US layout everywhere, it also makes sense for the hardened repository. If you use a different layout everywhere, then it makes sense to use that other layout for the hardened repository too. I chose German for simplicity in my specific case.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-05-keyboard.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-05-keyboard.png" alt class="wp-image-156613 lazyload" width="513" height="376" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-05-keyboard.png" alt class="wp-image-156613" width="513" height="376" data-eio="l" />          </a>          </figure>          </div>     

The next step is a big one: network configuration. For redundancy reasons, it’s recommended to have at least two network cards that can fail over between each other. Multiple network cards form a “bond” interface in Linux.

 <div class="notice-block">       NOTE  If you only have one network interface, then please skip the bond part and assign the IP address directly to the network interface (the names of the network interfaces can be different, but that’s fine).      </div>     

First, create a bond. For the bond mode, there are different options depending on the capabilities and needs of the switch. The default choice “balance-rr” requires an EtherChannel (or a similar term depending on the switch vendor) without LACP. If your network team prefers LACP, then choose 802.3ad. For situations where the switch can’t be configured for EtherChannel with or without LACP, the “active-backup” policy can be used. That guarantees higher availability on the network side without load balancing between the network links.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-06-bond0.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="596" height="355" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-06-bond0.png" alt class="wp-image-156627 lazyload" loading="lazy" />          <img width="596" height="355" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-06-bond0.png" alt class="wp-image-156627" data-eio="l" />          </a>          </figure>          </div>     

Once created, the network cards go offline and show “enslaved to bond0.”

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-07-bond-1.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-07-bond-1.png" alt class="wp-image-156641 lazyload" width="650" height="239" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-07-bond-1.png" alt class="wp-image-156641" width="650" height="239" data-eio="l" />          </a>          </figure>          </div>     

Enable the bond interface for IPv4. Starting with Veeam Backup & Replication v12, you will be able to use IPv6 as well.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-08-ip-address.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-08-ip-address.png" alt class="wp-image-156655 lazyload" width="629" height="236" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-08-ip-address.png" alt class="wp-image-156655" width="629" height="236" data-eio="l" />          </a>          </figure>          </div>     

In our case, I want to use static IP addresses because that avoids any “chicken-and-egg” issues in the event of a disaster. Imagine the DHCP server is down and you’re trying to restore…

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-09-manual-ip.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="608" height="172" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-09-manual-ip.png" alt class="wp-image-156669 lazyload" loading="lazy" />          <img width="608" height="172" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-09-manual-ip.png" alt class="wp-image-156669" data-eio="l" />          </a>          </figure>          </div>     

Configure the IP address.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-10-enter-IP.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="601" height="384" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-10-enter-IP.png" alt class="wp-image-156683 lazyload" loading="lazy" />          <img width="601" height="384" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-10-enter-IP.png" alt class="wp-image-156683" data-eio="l" />          </a>          </figure>          </div>     

This is how it should look:

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-11-IP-result.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-11-IP-result.png" alt class="wp-image-156697 lazyload" width="502" height="378" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-11-IP-result.png" alt class="wp-image-156697" width="502" height="378" data-eio="l" />          </a>          </figure>          </div>     

Before continuing, do a quick ping test.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-12-ping.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-12-ping.png" alt class="wp-image-156711 lazyload" width="490" height="256" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-12-ping.png" alt class="wp-image-156711" width="490" height="256" data-eio="l" />          </a>          </figure>          </div>     

If the hardened repository server is allowed outgoing HTTP access to the internet, the proxy settings can be left empty. From a security point of view, it’s recommended to restrict outgoing HTTP traffic to the Ubuntu servers only (cz.archive.ubuntu.com in my case) or to use an internal Ubuntu mirror. If a proxy server has to be used, fill in the required data.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-13-proxy.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-13-proxy.png" alt class="wp-image-156725 lazyload" width="511" height="376" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-13-proxy.png" alt class="wp-image-156725" width="511" height="376" data-eio="l" />          </a>          </figure>          </div>     

The next step is about which Ubuntu mirror server to use to get software. The concept differs from Windows. Windows administrators usually download software from a website and then install it. For Linux, the most common way is to use a package manager to install software (similar to the Microsoft Store or the Windows Package Manager). The installer automatically picks an Ubuntu mirror server from the country where you are installing. That’s fine and we can continue.

 <div class="wp-block-image">          <figure class="aligncenter size-large">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-14-mirror.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="700" height="517" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-14-mirror-700x517-1.png" alt class="wp-image-156739 lazyload" loading="lazy" />          <img width="700" height="517" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-14-mirror-700x517-1.png" alt class="wp-image-156739" data-eio="l" />          </a>          </figure>          </div>     

Partitioning is probably the most complicated step of the whole setup. While Windows is simply installed on one partition plus an EFI system partition, there are more options in Linux. If you want to go “Windows style,” then you can select “Use an entire disk” and simply choose the RAID for the operating system.

To align with security guidelines (e.g. CIS Benchmarks), partitioning is a little more complex.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-15-storage.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-15-storage.png" alt class="wp-image-156753 lazyload" width="512" height="377" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-15-storage.png" alt class="wp-image-156753" width="512" height="377" data-eio="l" />          </a>          </figure>          </div>     

My server has 2 volumes (disk devices), where the small one is used for the operating system and the large one for the backup data. In Linux, there are only file system paths. Everything is “mounted” to “mountpoints” in the “root” (“/”) file system. There are no drive letters as in Windows (C:, D: etc.). That means one cannot run “out of drive letters” after 26 drives, but it also means the partitioning scheme looks a bit different than on Windows.

The goal is the following partitioning/mountpoint setup in line with CIS recommendations:

 <figure class="wp-block-table is-style-stripes">     

 <table>
 <thead>
 <tr><th>Mountpoint</th><th>Size</th><th>Comment</th><th>Special mount options</th></tr>
 </thead>
 <tbody>
 <tr><td>/home</td><td>1 GB</td><td>user data (none)</td><td>nodev</td></tr>
 <tr><td>/tmp</td><td>5 GB</td><td>for temporary files</td><td>nodev, nosuid, noexec</td></tr>
 <tr><td>/var</td><td>20 GB</td><td></td><td></td></tr>
 <tr><td>/var/log</td><td>20 GB</td><td>log files</td><td></td></tr>
 <tr><td>/var/log/audit</td><td>5 GB</td><td>audit log files</td><td></td></tr>
 <tr><td>/var/tmp</td><td>5 GB</td><td>same as /tmp</td><td>nodev, nosuid, noexec</td></tr>
 </tbody>
 </table>     

 </figure>     

 <div class="notice-block">       NOTE  The “special mount options” will be set later, not during installation.      </div>     
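Because the special mount options from the table are applied after installation, it helps to have a check that tells you which mountpoints still lack them. The following shell script is an added example, not code from the original post: it audits an fstab against the table above (nodev for /home; nodev, nosuid, noexec for /tmp and /var/tmp). The fstab content it uses is a constructed sample in which /tmp and /home are deliberately incomplete.

```sh
#!/bin/sh
# Added example (not from the original post): audit an fstab against the
# mount options listed in the partitioning table.

# Constructed sample fstab: /tmp is missing noexec, /home is missing nodev,
# /var/tmp has everything the table asks for.
SAMPLE_FSTAB="$(cat <<'EOF'
# <file system>              <mount point> <type> <options>                      <dump> <pass>
/dev/disk/by-uuid/aaaa-root  /            ext4   defaults                        0 1
/dev/disk/by-uuid/aaaa-home  /home        ext4   defaults                        0 2
/dev/disk/by-uuid/aaaa-tmp   /tmp         ext4   defaults,nodev,nosuid           0 2
/dev/disk/by-uuid/aaaa-vtmp  /var/tmp     ext4   defaults,nodev,nosuid,noexec    0 2
/dev/disk/by-uuid/aaaa-var   /var         ext4   defaults                        0 2
/dev/disk/by-uuid/bbbb-bkp   /mnt/backup  xfs    defaults                        0 2
EOF
)"

# required_opts MOUNTPOINT -> the options the table requires for it
required_opts() {
  case "$1" in
    /home)         echo "nodev" ;;
    /tmp|/var/tmp) echo "nodev nosuid noexec" ;;
    *)             echo "" ;;
  esac
}

# fstab_options FSTAB_TEXT MOUNTPOINT -> the options column of that entry
fstab_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# missing_opts FSTAB_TEXT MOUNTPOINT -> required options that are not set
missing_opts() {
  opts=",$(fstab_options "$1" "$2"),"
  missing=""
  for o in $(required_opts "$2"); do
    case "$opts" in
      *",$o,"*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  printf '%s' "${missing# }"
}

# audit_fstab FSTAB_TEXT -> one line per hardened mountpoint; returns 0 only
# when every mountpoint carries all of its required options
audit_fstab() {
  rc=0
  for mp in /home /tmp /var/tmp; do
    m="$(missing_opts "$1" "$mp")"
    if [ -n "$m" ]; then
      echo "FAIL $mp missing: $m"
      rc=1
    else
      echo "OK   $mp"
    fi
  done
  return $rc
}

# On a real host: audit_fstab "$(cat /etc/fstab)"
if audit_fstab "$SAMPLE_FSTAB"; then
  echo "all hardened mountpoints have their options"
else
  echo "add the missing options in /etc/fstab, then remount each mountpoint (mount -o remount <mountpoint>)"
fi
```

The check only reads the file, so it can run before and after the hardening step; the table's options for /var, /var/log and /var/log/audit are empty, which is why those mountpoints are not audited.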

Select the free space and add a GPT partition.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-16-add-GPT.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-16-add-GPT.png" alt class="wp-image-156769 lazyload" width="512" height="376" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-16-add-GPT.png" alt class="wp-image-156769" width="512" height="376" data-eio="l" />          </a>          </figure>          </div>     

The /home partition is the first one. We will not have data on it, so 1 GB is plenty. The mountpoint can be selected directly from the drop-down menu. The file system is left unchanged at ext4. We don’t need the XFS block cloning features for the operating system partitions.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-17-home.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="594" height="237" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-17-home.png" alt class="wp-image-156783 lazyload" loading="lazy" />          <img width="594" height="237" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-17-home.png" alt class="wp-image-156783" data-eio="l" />          </a>          </figure>          </div>     

For the /tmp partition, the path must be specified manually.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-18-tmp.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="602" height="270" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-18-tmp.png" alt class="wp-image-156797 lazyload" loading="lazy" />          <img width="602" height="270" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-18-tmp.png" alt class="wp-image-156797" data-eio="l" />          </a>          </figure>          </div>     

Same for /var, /var/log, /var/tmp and /var/log/audit.

Finally, add the root (“/”) file system without specifying the size. It takes all remaining free space.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-19-root.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="600" height="249" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-19-root.png" alt class="wp-image-156825 lazyload" loading="lazy" />          <img width="600" height="249" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-19-root.png" alt class="wp-image-156825" data-eio="l" />          </a>          </figure>          </div>     

The result looks like this:

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-20-result-1.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-20-result-1.png" alt class="wp-image-156839 lazyload" width="512" height="379" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-20-result-1.png" alt class="wp-image-156839" width="512" height="379" data-eio="l" />          </a>          </figure>          </div>     

The list of “available devices” is now reduced to the backup data volume. That one must be mounted to /mnt/backup and use the XFS file system.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-21-mnt-backup.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="596" height="253" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-21-mnt-backup.png" alt class="wp-image-156867 lazyload" loading="lazy" />          <img width="596" height="253" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-21-mnt-backup.png" alt class="wp-image-156867" data-eio="l" />          </a>          </figure>          </div>     

Before writing the partition table to disk, a final confirmation is needed. All data that existed on the server before will be deleted by continuing.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-22-format.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="608" height="231" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-22-format.png" alt class="wp-image-156881 lazyload" loading="lazy" />          <img width="608" height="231" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-22-format.png" alt class="wp-image-156881" data-eio="l" />          </a>          </figure>          </div>     

Hostname and user configuration is the next step. Ubuntu Linux requires creating at least one normal user for the operating system. After installation, there is the almighty “root” user (comparable to Administrator or Local SYSTEM in Windows) plus that new user that must be created.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-23-profile.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-23-profile.png" alt class="wp-image-156895 lazyload" width="513" height="377" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-23-profile.png" alt class="wp-image-156895" width="513" height="377" data-eio="l" />          </a>          </figure>          </div>     

The root user doesn’t have a password by default in Ubuntu (other distributions may require a root password). That means root cannot log in at all on an Ubuntu machine. The OpenSSH server is required to add the server to Veeam Backup & Replication as a hardened repository. Enable that option and continue.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-24-ssh.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-24-ssh.png" alt class="wp-image-156909 lazyload" width="512" height="376" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-24-ssh.png" alt class="wp-image-156909" width="512" height="376" data-eio="l" />          </a>          </figure>          </div>     

As we want a minimal Ubuntu Linux, we keep everything unchecked in the software selection (default).

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-25-packages.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-25-packages.png" alt class="wp-image-156923 lazyload" width="511" height="382" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-25-packages.png" alt class="wp-image-156923" width="511" height="382" data-eio="l" />          </a>          </figure>          </div>     

Now it will take a while until everything is downloaded and installed. Remove the installation media and finish the installation by selecting “Reboot now.”

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-26-reboot.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-26-reboot.png" alt class="wp-image-156937 lazyload" width="515" height="378" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-26-reboot.png" alt class="wp-image-156937" width="515" height="378" data-eio="l" />          </a>          </figure>          </div>     

After the server has rebooted, we can switch to remote administration via SSH. If the SSH connection is refused, log in to the console directly again and do a simple “ping” check (you can quit “ping” by pressing CTRL+C). The result should be without DUP packets. If you see something like that, it’s most likely that the network cards’ bonding policy has an issue.

 <div class="wp-block-image">          <figure class="aligncenter size-full">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-27-ping.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img width="646" height="188" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-27-ping.png" alt class="wp-image-156951 lazyload" loading="lazy" />          <img width="646" height="188" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-27-ping.png" alt class="wp-image-156951" data-eio="l" />          </a>          </figure>          </div>     
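The two places where the bond can bite are the mode chosen in the network step (each mode needs a matching switch configuration, as described above) and the post-reboot ping test, where duplicate replies point at a bonding policy mismatch. The following shell script is an added example, not code from the original post: it reads the kernel's bonding status in the format of /proc/net/bonding/bond0, maps the mode back to the switch requirement from the text, lists slave interfaces whose link is down, and counts “(DUP!)” replies in a ping transcript. Both inputs are constructed samples (192.0.2.1 is a documentation address).

```sh
#!/bin/sh
# Added example (not from the original post): check bond health after the reboot.

# Constructed sample in the format of /proc/net/bonding/bond0 (second slave down).
SAMPLE_BOND="$(cat <<'EOF'
Ethernet Channel Bonding Driver: v5.15.0-58-generic

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eno1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eno1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0

Slave Interface: eno2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
EOF
)"

# Constructed sample of ping output with duplicate replies.
SAMPLE_PING="$(cat <<'EOF'
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.312 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.340 ms (DUP!)
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.301 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.355 ms (DUP!)
EOF
)"

# bond_policy BOND_TEXT -> balance-rr | 802.3ad | active-backup | other
bond_policy() {
  case "$(printf '%s\n' "$1" | sed -n 's/^Bonding Mode: //p')" in
    *round-robin*)   echo balance-rr ;;
    *802.3ad*)       echo 802.3ad ;;
    *active-backup*) echo active-backup ;;
    *)               echo other ;;
  esac
}

# switch_requirement POLICY -> what the switch side must provide (as in the post)
switch_requirement() {
  case "$1" in
    balance-rr)    echo "EtherChannel without LACP" ;;
    802.3ad)       echo "LACP" ;;
    active-backup) echo "none" ;;
    *)             echo "unknown" ;;
  esac
}

# down_slaves BOND_TEXT -> space-separated slave interfaces with MII status down
down_slaves() {
  printf '%s\n' "$1" | awk '
    /^Slave Interface:/ { slave = $3 }
    /^MII Status:/ && slave != "" && $3 == "down" { printf "%s%s", sep, slave; sep = " " }
  '
}

# ping_dup_count PING_TEXT -> number of duplicate replies
ping_dup_count() {
  printf '%s\n' "$1" | grep -c '(DUP!)' || true
}

# bond_report BOND_TEXT PING_TEXT -> summary; returns 1 when something needs attention
bond_report() {
  policy="$(bond_policy "$1")"
  down="$(down_slaves "$1")"
  dups="$(ping_dup_count "$2")"
  rc=0
  echo "bond policy: $policy (switch needs: $(switch_requirement "$policy"))"
  if [ -n "$down" ]; then echo "WARN slaves down: $down"; rc=1; fi
  if [ "$dups" -gt 0 ]; then echo "WARN $dups duplicate ping replies: check the bonding policy against the switch"; rc=1; fi
  [ "$rc" -eq 0 ] && echo "OK bond looks healthy"
  return $rc
}

# On a real host: bond_report "$(cat /proc/net/bonding/bond0)" "$(ping -c 4 <gateway>)"
bond_report "$SAMPLE_BOND" "$SAMPLE_PING" || true
```

With an LACP bond the status file reports the mode as “IEEE 802.3ad Dynamic link aggregation”, which the policy check also recognizes, so the same report works for all three modes discussed above.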

Congratulations, you have finished installing the Ubuntu Linux operating system for the Veeam hardened repository.

 <h2>          <span id="Configuring_automatic_security_updates">     Configuring automatic security updates     </span>          </h2>     

Good news: Ubuntu installs security bug fixes automatically by default. Ubuntu has the “unattended-upgrades” package pre-installed for this use case. You can check the current settings with:

 <div class="notice-block">       cat /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Unattended-Upgrade "1";

 </div>     

These two lines say that the package list is updated automatically and that updates are installed automatically.

Bad news: depending on your organization’s needs, you might not want to install security updates immediately. Some organizations want to test the updates on a staging system first. Only after tests with the security update prove successful are the updates rolled out to production. That kind of deployment requires an additional test system and is out of scope for this blog post.
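For the staging scenario, the usual setting is to keep refreshing package lists (so the pending security updates are visible) while not installing them automatically. The following shell script is an added example, not code from the original post: it reads and rewrites the APT::Periodic keys in a 20auto-upgrades-style file idempotently. The file content is a constructed sample, and using APT::Periodic::Download-Upgradeable-Packages to pre-download packages is my choice, not something the post prescribes.

```sh
#!/bin/sh
# Added example (not from the original post): read and switch the
# APT::Periodic settings that control unattended-upgrades.

# make_sample_file -> path of a constructed copy of the default 20auto-upgrades
make_sample_file() {
  f="$(mktemp)"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$f"
  printf '%s\n' "$f"
}

# apt_periodic FILE KEY -> value of APT::Periodic::KEY, or "unset"
apt_periodic() {
  v="$(sed -n "s/^APT::Periodic::$2 *\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1)"
  if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

# set_apt_periodic FILE KEY VALUE -> replace the existing line or append one;
# running it twice still leaves exactly one line for KEY
set_apt_periodic() {
  if grep -q "^APT::Periodic::$2 " "$1"; then
    sed "s/^APT::Periodic::$2 .*/APT::Periodic::$2 \"$3\";/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf 'APT::Periodic::%s "%s";\n' "$2" "$3" >> "$1"
  fi
}

# update_mode FILE -> automatic | lists-only | disabled
update_mode() {
  case "$(apt_periodic "$1" Update-Package-Lists)/$(apt_periodic "$1" Unattended-Upgrade)" in
    */1) echo automatic ;;
    1/*) echo lists-only ;;
    *)   echo disabled ;;
  esac
}

# staging_mode FILE -> keep lists current and packages downloaded, but do not
# install anything unattended (the staging scenario from the post)
staging_mode() {
  set_apt_periodic "$1" Update-Package-Lists 1
  set_apt_periodic "$1" Download-Upgradeable-Packages 1
  set_apt_periodic "$1" Unattended-Upgrade 0
}

# On a real host (as root): staging_mode /etc/apt/apt.conf.d/20auto-upgrades
demo="$(make_sample_file)"
echo "before: $(update_mode "$demo")"
staging_mode "$demo"
echo "after:  $(update_mode "$demo")"
cat "$demo"
rm -f "$demo"
```

Keeping the package lists current means the repository still gets the “security updates available” notice at login, and the administrator decides when to install them.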

 <h2>          <span id="Configuring_user_accounts">     Configuring user accounts     </span>          </h2>     

The “veeamrepo” user account, which was created during the installation process, has full root (administrative) permissions because it’s a member of the “sudo” group. “sudo” is the command that allows one to run a command as root (the administrator on Linux). Every member of the “sudo” group can run every command with “sudo” in Ubuntu.

While installing the hardened repository, “sudo” or “su” permissions are needed. After installation, “sudo” or “su” is not needed anymore, starting with V12. “su” (substitute user) in this context means that a user can enter the root password to become root. As mentioned earlier, root currently has no password. That means one cannot use “su” to switch to the root user.

Here come the quirks. When removing the “veeamrepo” user from the “sudo” group later, there is no usable administrative/root user available anymore. Not even a simple “shutdown” or “reboot” command would be possible. There are different options to deal with that:

 <ol>          <li>     Set a password for the root user. With the default settings, root cannot log in with a password via SSH. This option adds some risk for the local system if an attacker knows that root has a password. The attacker still has to know (or brute force) the root password. Protecting the root password is required regardless.     </li>     
 <li>     After installing the hardened repository, there is no need for sudo for the “veeamrepo” user anymore in V12. One can remove the “veeamrepo” user from the “sudo” group and go without any root permissions. If root login is needed for troubleshooting, one can boot into “single user mode” (local console login required) and do the troubleshooting. With just a minimal installation, this kind of troubleshooting should never be required. Bigger issues could be solved by re-installing the whole Ubuntu system. As the backup data is located on a separate RAID set/volume, the backup data stays where it is and only the operating system RAID set/volume gets re-formatted.     </li>     
 <li>     Option 2 can be enhanced and some sudo commands can be allowed (e.g. reboot or shutdown).     </li>     
 <li>     An additional administrative user could be created. In the end, that user would have the same permissions as root. The only advantage would be that an attacker must guess the username and the password here (compared to scenario 1). Compared to option 1, it is a bit of “     <a href="https://en.wikipedia.org/wiki/Security_through_obscurity" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">     security through obscurity     </a>     ,” which is considered a bad practice.     </li>     
 <li>     One can configure multi-factor authentication for scenario 1 or 4. That adds complexity and cannot be covered in this blog post.     </li>     
 </ol>     

For a good balance of security and complexity, Veeam recommends choosing option 3. Add a few “convenience commands” to the /etc/sudoers file and remove the “veeamrepo” user from the sudo group after installing the “hardened repository” role.

 <div class="notice-block">       “visudo” is the command to edit the /etc/sudoers file. “visudo” ensures that the syntax is correct. With broken syntax, the sudo command immediately stops working. So be careful and only edit the /etc/sudoers file with “visudo”. Log in as the “veeamrepo” user and execute the sudo visudo command. After entering your password, the nano editor opens.      </div>     

Go to the last line and add the following lines to allow reboot and shutdown.

The result should look like this.

 <div class="wp-block-image">          <figure class="aligncenter size-full is-resized">          <a href="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-28-sudoers.png" data-wpel-link="internal" target="_blank" rel="follow noopener">          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-28-sudoers.png" alt class="wp-image-156966 lazyload" width="483" height="281" loading="lazy" />          <img src="https://www.infracom.com.sg/wp-content/uploads/2023/01/figure-28-sudoers.png" alt class="wp-image-156966" width="483" height="281" data-eio="l" />          </a>          </figure>          </div>     

Exit the editor with CTRL+X, confirm with “Y” and “ENTER.”

Alternatively, you can also edit the file directly by copying and pasting the commands below. The username “veeamrepo” must be adjusted if you chose another username.

 <div class="notice-block">       sudo bash -c "echo 'veeamrepo ALL = (root) NOEXEC: /usr/sbin/reboot' >> /etc/sudoers"

sudo bash -c "echo 'veeamrepo ALL = (root) NOEXEC: /usr/sbin/shutdown' >> /etc/sudoers"

 </div>     
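Appending to /etc/sudoers with echo skips the syntax check the note above warns about, and a typo in the command path (or a wildcard) either breaks sudo or grants more than intended. The following shell script is an added example, not code from the original post: it builds rules of the same form as the two commands above for a user and a list of commands, rejects any command that is not a plain absolute path, and validates the result with “visudo -c -f” before moving it into place. The user name and the two binaries are the post's; writing to a drop-in file under /etc/sudoers.d (which Ubuntu's default /etc/sudoers includes) instead of appending to /etc/sudoers is my choice.

```sh
#!/bin/sh
# Added example (not from the original post): generate, check and install a
# small set of sudo rules for the repository user.

# check_command_path CMD -> 0 for an absolute path without wildcards; a
# relative name, "ALL", or a "*"/"?" glob is rejected because it lets the
# user run more than the one binary intended
check_command_path() {
  case "$1" in
    /*[*?]*) return 1 ;;
    /*)      return 0 ;;
    *)       return 1 ;;
  esac
}

# sudoers_rules USER CMD... -> one NOEXEC rule per command, same form as in the post
sudoers_rules() {
  rules_user="$1"; shift
  for rules_cmd in "$@"; do
    check_command_path "$rules_cmd" || return 1
    printf '%s ALL = (root) NOEXEC: %s\n' "$rules_user" "$rules_cmd"
  done
}

# write_sudoers_file FILE USER CMD... -> writes the rules to FILE with mode 0440,
# checking them with "visudo -c -f" when visudo is installed; returns 1 and
# leaves FILE untouched when a command is rejected or visudo finds an error
write_sudoers_file() {
  out_file="$1"; shift
  tmp_file="$(mktemp)" || return 1
  if ! sudoers_rules "$@" > "$tmp_file"; then
    rm -f "$tmp_file"
    echo "refused: every command must be an absolute path without wildcards" >&2
    return 1
  fi
  chmod 0440 "$tmp_file"
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp_file" >/dev/null; then
    rm -f "$tmp_file"
    echo "refused: visudo rejected the generated rules" >&2
    return 1
  fi
  mv "$tmp_file" "$out_file"
}

# On the repository host, as root (drop-in location is an assumption):
#   write_sudoers_file /etc/sudoers.d/veeamrepo veeamrepo /usr/sbin/reboot /usr/sbin/shutdown
demo_file="$(mktemp)"
if write_sudoers_file "$demo_file" veeamrepo /usr/sbin/reboot /usr/sbin/shutdown; then
  cat "$demo_file"
fi
rm -f "$demo_file"
```

Because the rules are written to a temporary file first, a rejected rule never reaches sudoers, which is the property the note above asks for when it says to edit the file only with visudo.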

After the hardened repository role is installed (another blog post will go through that), you can lock down the machine by removing the “veeamrepo” user from the “sudo” group. Even if somebody finds out the password of the “veeamrepo” user and gets access to the local system (or SSH, if allowed), they still cannot do any harm. They cannot elevate to root with an “su” or “sudo” command.

 <h2>          <span id="Conclusion">     Conclusion     </span>          </h2>     

An Ubuntu installation is simple, but it has a few more and different steps compared to a Windows installation. Technically, you can almost use this system directly as a hardened repository for Veeam Backup & Replication. “Almost” means there are additional hardening steps possible to become aligned with security standards such as DISA STIG or CIS benchmarks. Further hardening steps will be covered in another blog post.