2022-05-21
This script provisions a hardened Veeam repository with minimal privileges and a deliberately unpredictable layout. The approach combines a dedicated user account, a resilient RAID-backed filesystem and randomised identifiers to reduce discoverability. The goal is not perfect immutability, but a simple, automated workflow that limits exposure and raises the cost of tampering. Allowing the operator to choose the username avoids hardcoded conventions, while a strong random password preserves unpredictability.
A user-defined account is created with no elevated privileges beyond initial setup. The script assembles a RAID-10 array via mdadm, formats it as XFS with reflink and integrity checks, and mounts it at a randomly generated directory. The filesystem is bound into /etc/fstab using its UUID. A cryptographically strong password is produced using /dev/urandom, and ownership of the mount point is restricted to the new user. After the repository is added to Veeam, sudo access is removed.
The resulting repository has:
a user-chosen username with a random password,
a random mount point and array name that reduce predictable patterns,
RAID-10 redundancy and XFS metadata protections,
minimal privileges after provisioning.
The configuration cleanly supports Veeam while narrowing the attack surface.
This workflow illustrates a pragmatic combination of randomness, restricted permissions and filesystem resilience. Although not a substitute for strict immutability mechanisms, the reduced predictability and minimal access model create a practical defensive posture. Random identifiers function partly as security by obscurity, but they also prevent accidental reuse of known paths or accounts. The result is a lightweight hardening layer that is easy to automate and replicate.
#!/usr/bin/env bash
set -e

echo "=== Immutable Repository Generator ==="

read -p "Enter username to create: " random_username
if [[ -z "$random_username" ]]; then
    echo "No username entered. Aborting."
    exit 1
fi

echo "Creating user: $random_username"
useradd "$random_username" --create-home -s /bin/bash
# Temporary sudo membership for the Veeam setup step; removed again at the end
usermod -a -G sudo "$random_username"

# Generate secure random password (32 chars).
# The dash is listed last: inside a tr set, "+-=" is a range, not three literals.
user_password=$(tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c 32)
echo "$random_username:$user_password" | chpasswd

# Random mdadm array name component.
# Named arrays live under /dev/md/<name>; mdadm rejects /dev/md<non-numeric> as an array name.
random_extension=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4)
md_device="/dev/md/veeam${random_extension}"

echo "Creating RAID10 array on ${md_device}..."
mdadm --create --verbose "$md_device" \
    --level=10 --raid-devices=4 /dev/sd[bcde]1 \
    --spare-devices=1 /dev/sdf1
mdadm --detail "$md_device"

echo "Formatting ${md_device} as XFS..."
mkfs.xfs -f -b size=4096 -m reflink=1,crc=1 "$md_device"

# Randomized mount directory
random_mount=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4)
mount_path="/mnt/veeam${random_mount}"
mkdir "$mount_path"

# Bind the filesystem by UUID so device renumbering after a reboot does not break the mount
uuid=$(blkid -s UUID -o value "$md_device")
echo "/dev/disk/by-uuid/${uuid} ${mount_path} xfs defaults 0 0" >> /etc/fstab
mount -a

# Only the repository user may enter the mount point
chown -R "$random_username:$random_username" "$mount_path"
chmod 700 "$mount_path"

cat <<EOF
==========================================
Repository credentials
User:     $random_username
Password: $user_password
Mount:    $mount_path
Array:    $md_device
==========================================
EOF

read -p "Add repository to Veeam now? (y/n): " resp
if [[ "$resp" == "y" ]]; then
    echo "Running Veeam configuration... (placeholder)"
fi

echo "Removing sudo privilege from $random_username..."
deluser "$random_username" sudo
echo "Done."