In this article we go over the steps to install Ubuntu with a bonded NIC, create the LVM on the boot drive, and then initialise an XFS formatted volume on the bulk storage provided by the server.
Then we add this to Veeam as a Hardened Linux Repository with immutable backups, and lock the Ubuntu server down so it can't easily be accessed remotely, to protect your backups.
Important – By continuing you are agreeing to the disclaimer here
Ubuntu Install
To start, you'll need an Ubuntu Server ISO; the latest LTS version is ideal
Boot into the ISO on the server you want to have as your repository
Navigate through the installer selecting your keyboard language
When the installer loads for networking we need to create a bond for the NICs we want to use
For this server there are only 2 connected NICs
Click create bond with the mode balance-alb; this is a simple load-balanced setting that doesn't need any particular switch config
If your systems use LACP you can select 802.3ad
Once that's created we need to edit the bond and set a static IP on it; this works similarly to a VIP in VMware systems
How you set the static IP on the bond will depend on your networking, but this is the same as setting a static IP on any NIC on Ubuntu
Then fill in the proxy server if you have one, if not skip over it, then continue with the mirror check
Then set up the main disk for use. This wants to be the main boot drive, like a BOSS card for Dell servers, and will be 512GB max. Do not use the main large disk pool, as this is needed for the repository and can't have the OS installed to it
Then confirm and continue
And configure the LVM to use the full disk, as this is just the boot volume, making sure the 80TB disk is not in a Logical Volume; if it is, delete it
Now we need to set up the default account; this has sudo privileges
Skip over Ubuntu Pro
Install SSH – this will be disabled later
We need nothing from here, so skip over it and wait for the OS to install
Initialising Disks
This will wipe the disks you are initialising
Now the OS is installed, let's get the disks initialised. Run the following to check you have the right disks
sudo fdisk -l
This will then show everything
This shows the root partition and the system files are on sdb, perfect
We want to initialize the 80TB disk for use in the Veeam backup repository
sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/sda3
You may need to add -f to force this, but the system will tell you
You then get this
Now let's create a mount point
sudo mkdir /mnt/veeam-repo
Now we need an fstab entry to mount this on boot. Note the UUID of the drive, sda3 in our example, with
sudo blkid
Then run
echo 'UUID="Disk UUID" /mnt/veeam-repo xfs nosuid,nodev,nofail,x-gvfs-show 0 0' | sudo tee -a /etc/fstab
And run the following to check it's in there
sudo cat /etc/fstab
Then run the following to mount drives under fstab
sudo mount -a
And we can confirm it's mounted with
sudo mount
At the bottom we have
Device Or Resource Busy Error
Check if there was an old Logical Volume
sudo lsblk
You may see something like this
If you have something like this showing an LV on sda, our 80TB drive, then we need to blank it with
sudo parted /dev/sda -s -a opt mklabel gpt
You may see this
Then reboot the system
Add Veeamsvc Account
Now we need to add the veeamsvc service account
sudo useradd -d /home/veeamsvc -m veeamsvc -s /bin/bash
Then set the password with
sudo passwd veeamsvc
Then add the veeamsvc account to the sudo group
sudo usermod -a -G sudo veeamsvc
Take ownership of the repository with this account
sudo chown -R veeamsvc:veeamsvc /mnt/veeam-repo
And run
sudo chmod 700 /mnt/veeam-repo
Further hardening tasks can be done post Veeam install
Adding The Hardened Repository
Add a new server from the Infrastructure tab
Add a Linux server
Add the host name and description
Add a new single use credential for the veeamsvc account
Click apply
Now let's add a repository
Add direct storage
Then a Linux Hardened storage
Then add a name and description
Click populate to find the paths on the server we added
Select our mount point on /mnt/veeam-repo
You can then see the capacity. Don't forget to set immutability for however long you want it
Once set, immutable backups cannot be removed until they have expired
Keep these as defaults
Then apply
Post Deployment Hardening Tasks
Enable the UFW on Ubuntu
sudo ufw enable
Run the following commands to add the Veeam BR rules
sudo ufw allow openssh
sudo ufw allow proto tcp from <veeammgmt> to any port 6162,2500:3300
sudo ufw allow proto tcp from <proxy> to any port 2500:3300
Disable root logon by editing
sudo nano /etc/passwd
Then change the line
root:x:0:0:root:/root:/bin/bash
To
root:x:0:0:root:/root:/usr/sbin/nologin
Then, once that's all done, disable SSH
Ubuntu 22.04 And Earlier
sudo systemctl stop ssh
sudo systemctl disable ssh
Ubuntu 24.04 And Newer
Disable the SSH socket
sudo systemctl disable --now ssh.socket
sudo systemctl stop ssh
sudo systemctl disable ssh
Since the repo is now in Veeam, remove the veeamsvc account from the sudo group
sudo deluser veeamsvc sudo
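The hardening steps up to this point (repository mount options in fstab, root's shell, the SSH units and the veeamsvc group membership) can be verified with a small audit script. This is an added example, not part of the original article; the function names are hypothetical, and the paths and account name are the ones used above.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the hardening steps in this article.
# Each helper takes a file path so it can also be run against sample copies.

# True when root's shell in a passwd-format file is nologin or false.
root_login_disabled() {
  awk -F: '$1 == "root" { found = 1; ok = ($7 ~ /\/(nologin|false)$/) }
           END { exit !(found && ok) }' "$1"
}

# True when USER is a supplementary member of GROUP in a group-format file.
user_in_group() {
  awk -F: -v u="$1" -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
    END { exit !hit }' "$3"
}

# True when the fstab entry for MOUNTPOINT is xfs with nosuid and nodev set.
repo_mount_hardened() {
  awk -v mp="$2" '
    $1 !~ /^#/ && $2 == mp {
      seen = 1
      ok = ($3 == "xfs" && ("," $4 ",") ~ /,nosuid,/ && ("," $4 ",") ~ /,nodev,/)
    }
    END { exit !(seen && ok) }' "$1"
}

# Live audit of this host; only runs when the script is called with --live.
if [ "${1:-}" = "--live" ]; then
  rc=0
  root_login_disabled /etc/passwd || { echo "FAIL: root still has a login shell"; rc=1; }
  user_in_group veeamsvc sudo /etc/group && { echo "FAIL: veeamsvc is still in sudo"; rc=1; }
  repo_mount_hardened /etc/fstab /mnt/veeam-repo \
    || { echo "FAIL: repo mount is not xfs with nosuid,nodev"; rc=1; }
  for unit in ssh.service ssh.socket; do
    systemctl is-enabled --quiet "$unit" 2>/dev/null && { echo "FAIL: $unit is enabled"; rc=1; }
  done
  [ "$(stat -c '%U:%G %a' /mnt/veeam-repo 2>/dev/null)" = "veeamsvc:veeamsvc 700" ] \
    || { echo "FAIL: repo owner/mode is not veeamsvc:veeamsvc 700"; rc=1; }
  [ "$rc" -eq 0 ] && echo "PASS: hardening checks passed"
  exit "$rc"
fi
```

Run it from the server console with --live after SSH has been disabled; any FAIL line names the step to revisit.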
Lastly, disable ping in the UFW by editing the before rules with
sudo nano /etc/ufw/before.rules
And then commenting out the following lines