Ransomware defense – part 1: Advanced product features are a mandatory requirement

People who work in IT departments have faced a lot of new challenges over the last few months.

The number of ransomware attacks has been growing day by day and their attack strategies are becoming more and more evil and dangerous.

The common questions the Managers ask the IT guys are:

a) Is the company protected against these risks?

A good answer is that the approach is successful when the percentage of certainty is higher than the percentage of risk.

b) Which are the best practices to be safer?

The key is defining the right process of protection.

The scope of these articles is to show the correct behavior to keep your architecture as safe as possible or, in case of attack, to gain as much time as possible to fend off the assault.

The articles cover the storage point of view and do not deal with perimeter defenses, antimalware, antivirus, networking strategies, and so on.

Which are the main strategies to adopt?

  1. Having more copies of your data
  2. Hardening the infrastructure
  3. Monitoring behaviors

Are you ready? Let’s start with the first topic!

1. Having more copies of your data:

Backup software is the right tool to score the goals of this first part.

It has to be able to:

a) Create application-consistent backups.

b) Copy backup data to different locations.

Almost all backup software can do that, but some additional features address the biggest challenges better:

Flexible: Backup software should write backup data to different types of repositories and be able to restore it without any required dependency. To be clearer, the backup data has to be self-consistent. The advantage is being able to fit different architecture scenarios (let’s call it “Data mobility”).

Data-Offline: Backup data should be put into a “quarantine” area where it can be neither re-written nor read. The classic deployment is a tape device architecture or any script that automatically detaches the repository devices.

Immutability: The backup data cannot be changed until the immutability period is over. This has a double advantage in comparison to the data-offline strategy: the repository stays online and writable, but only for new backup files, while it behaves as offline (like tape technologies) for any re-write of backup data already present. The restore speed has to remain unchanged.

Immutability can be reached in two ways:

By WORM (Write Once, Read Many) devices, where the backup files can only be used for restore once they have been added to the repositories. One example is the optical disk, a technology I have worked on in the past.

At Veeam Software this common customer and partner request has been addressed using the immutability property of Object Storage. The good news is that VBR v. 11 implements this great feature directly in Linux Repositories.

Is this enough? I’m still thinking that the backup solution should at least be able to:

  • Check the backup file and the backup content. The only way to check whether a backup file is really reusable is to restore it in a separate area where communication with the production environment is forbidden. At Veeam it is called Sure-Backup.
  • Check with your anti-virus/anti-malware that the backup files have not already been attacked somewhere at some time. At Veeam the technology used is the Data integration API.
  • Before restoring files or VMs in production, check with your anti-virus/anti-malware whether your data has already been attacked. At Veeam it is called Secure Restore.
  • Perform Replica Jobs. They help to create a Disaster Recovery Site, useful for a quick restart of the service. At Veeam this feature has been included from the beginning and Sure-Backup can be applied to replicas too (it is called Sure-Replica). V.11 has a very powerful feature: CDP.
  • Restore backup data to the public cloud when the primary and replication sites are totally out of order. I call it Cold Disaster Recovery and it needs at least one restore point available.

The topic of the next article is how to harden your backup architecture.

See you soon and take care!

VBR – Proxy linux server UUID

When a Linux VM is added to the Veeam console as a Proxy Server, you may run into the error shown in picture 1.

Picture 1

The reason for this behavior is that the default VM config does not allow other software to see the UUID of the VM.

What is UUID?

It’s the unique identifier used to uniquely identify partitions in Linux operating systems.

Why is it important to use it?

A backup where the proxy is a Linux VM only works with the virtual appliance transport mode, which uses the VMware hot add capability.

In simpler terms: when a job starts, the Linux proxy mounts the disks of the VM that has to be processed and then sends a copy of the data to the Veeam Repository.

If the backup server knows which disks belong to the proxy, it can process the others easily and without errors.

The result is that it’s mandatory to set it up correctly, as shown in the user guide and in the Veeam forum.

Note 1: the Linux command to show the UUID is blkid

To address the issue just switch off the VM and, from the vCenter console, follow the procedure shown in the next 4 pictures, highlighted in yellow.

Picture 2

Picture 3

Picture 4

Picture 5

That’s all folks

Veeam NAS Backup – Scripts for Demo live

VBR v.10 introduced a great new feature.

NAS Backup allows managing the protection of environments where files and folders are a focus point for a company.

This article does not cover how a NAS Backup job works or how to set it up. Please refer to the official documentation for all the details.

What is the scope of the next lines?

They show how easy it is to write a script that creates dummy files before launching an incremental backup.
Why? Because the scope of this article is to show how fast a backup job can be.

1. The script is composed of four parts (in every part, line 1 describes the actions that are performed after it).

# working path
$mypath = "C:\Users\VBR\Documents\NAS-Folder"
Set-Location -Path $mypath

# creating folder to copy to share (24-hour timestamp keeps names unique)
$folders_new = New-Item "$((Get-Date).ToString('yyyyMMddHHmmss'))" -ItemType Directory
Set-Location -Path $folders_new.FullName

# Creating 100 files (base.txt plus 99 copies)
$baseFile = Join-Path $folders_new.FullName "base.txt"
$desiredFileSize = 2*10KB
$fileCount = 100
"start" | Out-File -FilePath $baseFile
# grow base.txt by appending its own length until it reaches the desired size
while ($(Get-ChildItem -Path $baseFile).Length -lt $desiredFileSize)
{
    $(Get-ChildItem -Path $baseFile).Length | Out-File $baseFile -Append
}
for ($i = 1; $i -lt $fileCount; $i++)
{
    Copy-Item $baseFile "File-NAS$i.txt"
}

# copy to network share (replace ip-address and cifs-destination with your own)
Set-Location -Path $mypath
$pathtocopy = $folders_new.Name
Copy-Item -Path $pathtocopy -Destination \\ip-address\cifs-destination -Recurse

2. Let’s see how to integrate the script in VBR.

The next pictures show the NAS Backup job wizard, pointing out the main steps (pictures 3, 4 and 5).

Pictures 1 and 2 show one of my favorite advanced options: the possibility to select the file types to save, for example protecting the pdf files only. It supports wildcard characters, so it’s very flexible and useful.

Picture 1

Picture 2

Pictures 3 to 5 show, highlighted in yellow, the steps to set up the script:

Picture 3

Picture 4

Picture 5

Pictures 6 and 7 show the result of the job modified in this way.
Please pay attention to the last yellow line, where 195 MB of source data is processed in 20 seconds. (In my small lab it’s a great result !!!)

Picture 6

Picture 7

Note: If you need to change the script execution timeout from the default 15 mins (900 secs), just add a REG-DWORD named “PreJobScriptTimeoutSec” under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication. The value has to be in seconds (Picture 8).

Picture 8

That’s all folks 

Veeam Backup & Replication – Agent Licensing

Today I’m covering how to enable VBR to use VUL licensing to back up physical machines (they can be servers or workstations).

If you need more details to better understand the implementation scenarios, please refer to the three articles I already wrote:

Veeam Agent Part 1, Veeam Agent Part 2, Veeam Agent Part 3

As many of you already know it is possible to work with the free Veeam Agent version and a paid VBR version.

The only thing that this architecture allows is using the VBR repositories as a global backup container.

What customers forget is that you can’t have a mixed infrastructure composed of free and paid agents.

Let’s see an example:

An end-user who already has a 10-socket VBR license has a new project to protect 30 workstations and wants to use the free Veeam Agent.

The end-user just has to install and set up the free agent on every single workstation so that it writes backup data to the VBR repository.

From VBR version 9.5.u4, Veeam is gifting 1 VUL license for every socket the customer bought (up to 6 sockets). In our example it means the end-user can protect up to 6 physical servers or 18 workstations (1 VUL x 3 workstations) for free, or a mixed architecture.

What happens if you enable VBR to assign the gifted licenses from your VBR server?

First of all, how do you enable it? The next three pictures (Picture 1, 2 and 3) explain how to do it.

Picture 1

Picture 2

Picture 3

From now on VBR will use the agent licenses until they are all consumed.

In our example, the end-user will protect 18 workstations but the last 12 will be left out of the backup procedure.

Which is the solution?

An easy one: just buy a new license pack.

Why should you buy new licenses?

There are at least three good reasons:

a) It is possible to manage your workstation architecture directly from VBR console.
b) There are more restore options.
c) Veeam support.

Gems:

1) One piece of good news about the licensing of VBR v.10 is that from now on the licenses bought are added to the gifted ones. It means that you buy just one VUL pack (10 VUL) and have a total of 16 licenses.

2) If you have two license files (the first for VBR, the second for Veeam Agent) you have to merge them into just one license file.

The license rule and the procedure are available at the following links: https://www.veeam.com/kb3085 (rule) and https://www.veeam.com/kb3116 (procedure)

3) Is there a turnback procedure?

Yes, please refer to the following KB https://www.veeam.com/kb2235 and contact Veeam’s support.

To Remember:

4) It’s not possible to protect VMs with both socket and VUL licenses. It means that the socket license has priority over VUL for protecting VMs.

https://www.veeam.com/it/availability-suite-faq.html

5) Product comparison edition

https://www.veeam.com/it/products-edition-comparison.html

Take care

How to add an XFS Repository to Veeam

This is the second article talking about how to set up a Linux Veeam Repository for using the XFS technology.

In my last article, I wrote about how to create an XFS disk and now we are going to cover how to integrate it.

There are just two steps: 

1. Adding the new Linux Server to the managed VBR server.

2. Creating the Repository Server enabling the XFS add-on.

1. Before working with the VBR console it’s necessary to check the firewall status and more precisely if the ports needed are open to allow the system to work properly.

In this lab the firewall is managed with the ufw command:

sudo ufw status (to check the status) 

If the firewall is disabled, please change its status with the command:

sudo ufw enable  (corrected on 8th May 2021)

Open the ports with the following command:

sudo ufw allow #port/protocol

In my example I launched the following two commands:

sudo ufw allow 22/tcp

sudo ufw allow 2500:3300/tcp

as shown in the Veeam user guide (picture 1).

Picture 1

The last command checks that port 22 is listening:

sudo lsof -i:22

the output is:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 915 root 3u IPv4 27288 0t0 TCP *:ssh (LISTEN)
sshd 915 root 4u IPv6 27290 0t0 TCP *:ssh (LISTEN)
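
One way to confirm that the firewall ends up with exactly the two rules opened above, and nothing more. This is an added example, not part of the original article: the function names and the sample `ufw status` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status` text against the two rules opened above.
REQUIRED="22/tcp 2500:3300/tcp"   # the rules from this article

# Constructed sample of `ufw status` output (445/tcp is a made-up stray rule).
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
2500:3300/tcp              ALLOW       Anywhere
445/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# audit_ufw: reads `ufw status` on stdin and prints one finding per line:
#   INACTIVE        the firewall is not enabled
#   MISSING <rule>  a required rule is absent
#   EXTRA <rule>    an ALLOW rule outside the required set
# Prints nothing when the rule set matches exactly.
audit_ufw() {
    awk -v required="$REQUIRED" '
        BEGIN { n = split(required, req, " "); for (i = 1; i <= n; i++) want[req[i]] = 1 }
        /^Status:/ { active = ($2 == "active"); next }
        {
            # Rule lines read "<port/proto> [(v6)] ALLOW <source>".
            action = ($2 == "(v6)") ? $3 : $2
            if (action != "ALLOW") next
            if ($1 in want) { seen[$1] = 1 }
            else if (!($1 in extra)) { extra[$1] = 1; order[++m] = $1 }
        }
        END {
            if (!active) print "INACTIVE"
            for (i = 1; i <= n; i++) if (!(req[i] in seen)) print "MISSING " req[i]
            for (i = 1; i <= m; i++) print "EXTRA " order[i]
        }'
}

sample_status | audit_ufw   # prints: EXTRA 445/tcp
```

On a live host, pipe `sudo ufw status` into `audit_ufw`; an EXTRA finding is a port the repository server exposes without this setup needing it.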

2. Now we are ready to create the new XFS repository:

  • From the VBR console add a new Linux Server (Picture 2)

Picture 2

  • Click on the Advanced button and check the right match between the ports  (Picture 3 and 4)

Picture 3

Picture 4

  • Add a new Repository, choosing the server just added (in my case its name is cento01).

In the repository options, browse the server folders and select the XFS one, then select the option Use fast Cloning (Picture 5 and 6)

Picture 5

Picture 6

Complete the task with some more clicks.

Note1: If you need more details about how to set up the firewall please have a look at the following site:

Linux Firewall

The next article will talk about performances,  see you soon and take care.

XFS & Veeam Repository

Today I’m going to talk about how to create a new Veeam repository using the XFS file system.

As many of you already know, v. 10 of Backup & Replication loves Linux. There are 3 top features that attest to it:

  • XFS integration
  • Proxy Linux
  • Direct NFS Repository

This first article talks about the XFS integration and which steps you should follow to use this smart technology with Veeam Repositories.

There are 3 major steps:

  1. Adding New Disk and formatting it as XFS
  2. Adding a Backup Repository
  3. Working and testing with XFS integration

So, let’s start with Point 1, remembering how to add a new disk to a Linux Server (we consider you have already added a disk to your physical or virtual Server)

First command is lsblk  that shows which disks have been recognized by the Operating System (in my case the new disk has been seen as sdc)

 sda           8:0    0   16G  0 disk
 ├─sda1        8:1    0  600M  0 part /boot/efi
 ├─sda2        8:2    0    1G  0 part /boot
 └─sda3        8:3    0 14.4G  0 part
   ├─cl-root 253:0    0 12.8G  0 lvm  /
   └─cl-swap 253:1    0  1.6G  0 lvm  [SWAP]
 sdb           8:16   0  200G  0 disk
 └─sdb1        8:17   0  200G  0 part /media/RepoXFS1
 sdc           8:32   0   16G  0 disk
 sr0          11:0    1    7G  0 rom

Running the command fdisk -l /dev/sdc it’s possible to see the exact size of the disk.

 Disk /dev/sdc: 16 GiB, 17179869184 bytes, 33554432 sectors
 Units: sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes


Now it’s time to create a new partition (this procedure deletes all previous file systems present) with the command fdisk /dev/sdc.

Just follow the steps below to create the new partition:

 n (to create a new partition)
 p (to create a primary partition)
 1 (default)
 First sector (default)
 Last sector (default) (if you want to use all the disk capacity)
 w (to write the changes)

Relaunching the lsblk command it’s possible to see whether the sdc1 partition appeared.

lsblk /dev/sdc

 NAME MAJ:MIN RM SIZE RO TYPE MOUNT POINT
 sdc 8:32 0 16G 0 disk
 └─sdc1 8:33 0 16G 0 part /media/RepoXFS2

Three more steps to complete the first phase: 

1. Creating an XFS file system with Data-Block Sharing enabled (reflink=1)

mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sdc1

2. Creating the mount point on your server with the command:

mkdir -p /backup/xfs-01

3. Mounting the file system by adding the following line to the /etc/fstab file

 /dev/sdc1           /backup/xfs-01             xfs          defaults     0   0

If you know the UUID of the disk (blkid /dev/sdc1) you can also use the following line instead of the previous one, replacing <UUID> with the value blkid reports.

 UUID=<UUID>  /backup/xfs-01   xfs defaults 0 0

Reboot the server and everything should work.
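
One way to check the result of the three steps above before adding the mount point as a repository. This is an added example, not part of the original article: the function names and the sample `xfs_info` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the result of steps 1-3 above. Function names are illustrative.

# Constructed sample of `xfs_info /backup/xfs-01` output for the 16 GiB disk.
sample_xfs_info() {
cat <<'EOF'
meta-data=/dev/sdc1              isize=512    agcount=4, agsize=1048512 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=4194048, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
realtime =none                   extsz=4096   blocks=0, rtextents=0
EOF
}

# check_xfs_repo: reads xfs_info text on stdin, prints one line per mismatch with
# the mkfs.xfs options used above, and returns non-zero if any were found.
check_xfs_repo() {
    awk '
        BEGIN { bad = 0 }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i; sub(/,$/, "", tok)
                if (tok ~ /^reflink=/) reflink = substr(tok, 9)
                if (tok ~ /^crc=/) crc = substr(tok, 5)
                if ($1 == "data" && tok ~ /^bsize=/) bsize = substr(tok, 7)
            }
        }
        END {
            if (reflink != "1") { print "reflink is not 1"; bad = 1 }
            if (crc != "1") { print "crc is not 1"; bad = 1 }
            if (bsize != "4096") { print "data block size is not 4096"; bad = 1 }
            exit bad
        }'
}

# check_fstab_entry MOUNTPOINT: reads fstab text on stdin and succeeds only if
# exactly one non-comment entry mounts an xfs filesystem at MOUNTPOINT.
check_fstab_entry() {
    awk -v mp="$1" '
        /^[ \t]*#/ || NF < 3 { next }
        $2 == mp && $3 == "xfs" { hits++ }
        END { exit !(hits == 1) }'
}

sample_xfs_info | check_xfs_repo && echo "filesystem options match"
```

On the repository server, feed it real data with `xfs_info /backup/xfs-01 | check_xfs_repo` and `check_fstab_entry /backup/xfs-01 < /etc/fstab`; the second check catches a mount point in /etc/fstab that differs from the directory created in step 2.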

See you soon with the second phase.

See you soon and take care.