HD Doctor Logo

Veeam Hardened Repository: Complete Setup

By the HD Doctor Technical Team

Direct answer

Veeam Hardened Repository (introduced in v11) is the cheapest and most robust on-premise way to implement immutable backup. Dedicated Linux server with chattr +i flag on backup files prevents deletion even by root. Full setup in ~2 hours with this guide.

How the Hardened Repository works

Hardened Repository is a Linux server (Ubuntu, RHEL, SLES) where Veeam B&R writes backups via SSH with a non-root user. Veeam applies chattr +i (immutable attribute) on each backup file for X days. Even if an attacker steals root credentials and runs rm -rf, the OS returns 'Operation not permitted'. Immutability is removed only automatically after the configured retention period. Practical solution for 80% of SMBs without budget for S3 Object Lock.

Common implementation mistakes

  1. 1.
    Hardened Repository in the same AD domain. If AD falls, attacker uses domain credential for SSH/sudo on Hardened. Use local auth ALWAYS.
  2. 2.
    Veeam user with generic sudo NOPASSWD. Allow ONLY chattr in sudoers, nothing else. Exact line: 'veeamrepo ALL=(ALL) NOPASSWD: /usr/bin/chattr +i /backup/*, /usr/bin/chattr -i /backup/*'.
  3. 3.
    Skipping the immutability test. Wrong config is silent: looks like it works. Test with real rm attempt as root on day one.
  4. 4.
    Hardened on VM in the same encrypted ESXi cluster. Catastrophic defect: if cluster falls, Hardened falls together. Use physical server OR VM on separate cluster/cloud.

Setup in 6 steps (~2 hours)

  1. 1

    Provision dedicated Linux server

    Ubuntu 22.04 LTS minimal install or RHEL 9. Physical server or VM with 8GB RAM, 4 vCPU and dedicated storage (ext4 or XFS). Do not place other workloads.

  2. 2

    Do NOT join Active Directory

    Linux with local authentication only. If AD falls, the Hardened Repository must survive.

  3. 3

    Create non-root local user for Veeam

    adduser veeamrepo. Set strong password (20+ chars). Configure SSH with public key (not password) and disable SSH root login.

  4. 4

    Grant chattr permission to user

    Add to sudoers allowing only /usr/bin/chattr +i and -i. Document exactly in /etc/sudoers.d/veeam.

  5. 5

    Add in Veeam Console

    Backup Infrastructure → Backup Repositories → Add Repository → Linux. Point to server + created user. Check 'This repository is hardened'. Set minimum retention (30-90 days recommended).

  6. 6

    Test immutability

    After first backup, SSH as root and try rm on a backup file: must return 'Operation not permitted'. Try chattr -i: must fail by sudoers. Document the test.

FAQ

Does it work with Veeam Community Edition?

Yes — Veeam Backup & Replication v11+ Community Edition (free up to 10 instances) supports Hardened Repository.

What server size is needed?

Rule of thumb: 1.2× backup volume + 30% for growth. For 10TB of backups, size ~15TB useful disk.

Can I use SAN storage?

Yes, with care. SAN shared with production is risky. Ideally JBOD or dedicated DAS. ZFS dataset works well with additional snapshots.

Does it work with Linux distro X?

Officially: Ubuntu 20.04/22.04, RHEL 8/9, SLES 15. Others work technically but without Veeam support.

How to recover when the Hardened server falls?

Backup of the Hardened itself (configuration) must be exported regularly. On failure, Veeam Console adds the existing Hardened disk as new repository, keeping immutable files intact.

Want help implementing Hardened Repository?

Consulting + setup + validation. Typical implementation in 1 business day.

Next reads