Skip to content

Build a Linux Hardened Backup Repository

## Why a Hardened Backup Repository Matters

Ransomware response plans often fail for a simple reason: the backups were reachable from the same administrative plane as production. If an attacker obtains domain administrator credentials, compromises a backup console, or finds a flat management network, backup deletion may be easier than encryption. A hardened Linux backup repository is designed to survive that scenario.

The goal is not merely to store backup files on Linux. The goal is to create a repository that is difficult to modify, difficult to log into, isolated from routine administration, and predictable during recovery. For small and midsize businesses, nonprofits, and distributed enterprises, this can provide a practical middle ground between consumer-grade NAS storage and a full secondary data center.

A good repository supports the 3-2-1-1-0 model: at least three copies of data, on two different media types, one offsite, one offline or immutable, and zero verified restore errors. The hardened Linux repository usually fills the immutable copy role. It should not be the only backup destination, but it can be the copy that prevents a bad Tuesday from becoming a business-ending event.

This guide focuses on engineering principles and a practical Linux build pattern. The examples assume Ubuntu Server or a RHEL-compatible distribution, but the same concepts apply broadly. You should adapt commands for your backup product, compliance requirements, and storage platform.

## Design Goals Before You Install Linux

Before touching the keyboard, decide what the repository must protect against. Most organizations need protection from three realistic threats:

1. A compromised Windows domain account attempting to delete backups.
2. A compromised backup server attempting to alter repository contents.
3. A remote attacker attempting to log in directly to the storage host.

A hardened repository reduces these risks through segmentation, least privilege, immutability, logging, and operational discipline. It is not a magic appliance. If the attacker has physical access, firmware access, storage controller credentials, or unlimited root access for long enough, all bets are off. The design should make those paths difficult, monitored, and slow.

### Recommended Architecture

A practical SMB design looks like this:

– A dedicated physical server or storage appliance running Linux.
– Local disks or direct-attached storage configured with RAID appropriate to the workload.
– XFS or another supported file system for large backup files.
– A dedicated backup repository network or VLAN.
– Firewall rules allowing only the backup server to connect.
– No Active Directory domain join.
– No routine interactive administration.
– A local repository account with narrowly scoped permissions.
– Immutable retention controlled by the backup platform or storage layer.
– Monitoring forwarded to a separate system.

The most important architectural decision is separation. Do not join the repository to the production Windows domain just because it is convenient. Do not reuse a general administrator password. Do not expose SSH to the whole LAN. Convenience is exactly what ransomware operators exploit.

## Hardware and Storage Planning

Backup repositories are write-heavy during backup windows and read-heavy during restores, synthetic fulls, health checks, and instant recovery operations. Under-sizing storage leads to long backup windows and failed maintenance jobs.

Plan for these variables:

– Daily change rate.
– Retention period.
– Full backup frequency.
– Compression and deduplication ratios.
– Synthetic full or forever-incremental behavior.
– Required restore speed.
– Growth over the next three years.

For many organizations, capacity is the first bottleneck, but restore performance is the one that hurts most during an incident. A repository that can ingest backups overnight but cannot restore a critical VM quickly is only half successful.

Use enterprise disks, redundant power, ECC memory where practical, and a storage controller with monitoring. RAID is not backup, but your backup repository still needs disk fault tolerance. RAID 6 or RAIDZ2-style parity is often appropriate for large capacity tiers, while RAID 10 may be preferred for high-performance workloads. Avoid single large consumer disks for business recovery points.

## Install a Minimal Linux Server

Start with a minimal OS installation. Do not install a desktop environment, file sharing packages, web panels, or unnecessary agents. Every package is another patching obligation and another potential attack surface.

After installation, update the system:

“`bash
sudo apt update
sudo apt -y full-upgrade
sudo reboot
“`

For RHEL-compatible systems:

“`bash
sudo dnf -y update
sudo reboot
“`

Install only the tools required for storage, monitoring, and security:

“`bash
sudo apt install -y xfsprogs smartmontools auditd ufw chrony unattended-upgrades
“`

On RHEL-compatible systems:

“`bash
sudo dnf install -y xfsprogs smartmontools audit audit-libs chrony firewalld
“`

Accurate time matters. Backup logs, immutable retention timestamps, SIEM correlation, and incident timelines all depend on reliable time synchronization.

“`bash
sudo systemctl enable –now chrony
chronyc tracking
“`

## Create the Backup File System

For large backup repositories, XFS is a common choice because it handles large files well and is supported by several enterprise backup platforms. Some platforms can also use XFS reflink capabilities to reduce the storage and time required for synthetic full backups.

Assume the repository volume is presented as `/dev/sdb`. Verify the device before formatting. The following command destroys data.

“`bash
lsblk
sudo mkfs.xfs -m reflink=1,crc=1 /dev/sdb
“`

Create a mount point:

“`bash
sudo mkdir -p /backup/repository
sudo blkid /dev/sdb
“`

Add an `/etc/fstab` entry using the UUID returned by `blkid`:

“`text
UUID=your-volume-uuid /backup/repository xfs defaults,noatime,nodiratime 0 0
“`

Mount and verify:

“`bash
sudo mount -a
df -hT /backup/repository
xfs_info /backup/repository
“`

The `noatime` and `nodiratime` options reduce unnecessary metadata writes. Do not use exotic mount options unless your backup vendor supports them. A hardened repository should be boring, predictable, and supportable.

## Create a Dedicated Repository Account

Create a local Linux account used only by the backup software. This account should not be a general administrator.

“`bash
sudo adduser –disabled-password –gecos ” backuprepo
sudo mkdir -p /backup/repository/jobs
sudo chown -R backuprepo:backuprepo /backup/repository/jobs
sudo chmod 700 /backup/repository/jobs
“`

If your backup application requires temporary elevated permissions during initial repository registration, grant them only for setup and then remove them. Some backup platforms use single-use credentials and deploy a transport component. Follow vendor guidance, but do not leave broad sudo access in place by habit.

Check sudo permissions:

“`bash
sudo -l -U backuprepo
“`

If the account does not require sudo, the command should not show broad administrative rights. The repository user should be able to write backup data, not administer the server.

## Configure SSH for Controlled Access

SSH is often necessary for initial configuration and some backup integrations, but it should not remain broadly accessible.

Create an administrator account separate from the repository service account:

“`bash
sudo adduser cbadmin
sudo usermod -aG sudo cbadmin
“`

Install SSH keys for the admin account and disable password-based SSH logins. Edit `/etc/ssh/sshd_config`:

“`text
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers cbadmin backuprepo
MaxAuthTries 3
“`

Restart SSH carefully, keeping an existing session open while testing a new one:

“`bash
sudo systemctl restart ssh
“`

If your backup platform does not require ongoing SSH access for the repository user after setup, remove `backuprepo` from `AllowUsers` or block SSH for that account using an account shell such as `/usr/sbin/nologin`, only if supported by your backup software.

“`bash
sudo usermod -s /usr/sbin/nologin backuprepo
“`

Do not apply this blindly. Some products need a valid shell for transport operations. The principle is simple: if a login path is not required, close it.

## Restrict Network Access with a Host Firewall

Network segmentation should happen at the switch, firewall, or hypervisor layer, but the Linux host firewall provides a useful second layer. Allow only the backup server and management jump host to reach SSH or backup transport ports.

With UFW on Ubuntu:

“`bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 10.20.30.10 to any port 22 proto tcp
sudo ufw allow from 10.20.30.20 to any port 22 proto tcp
sudo ufw enable
sudo ufw status verbose
“`

In this example, `10.20.30.10` is the backup server and `10.20.30.20` is the management jump host. Replace them with your real addresses. If your backup product uses additional ports, permit only those ports from the backup server. Do not allow an entire user VLAN to connect.

For firewalld:

“`bash
sudo firewall-cmd –permanent –new-zone=backup
sudo firewall-cmd –permanent –zone=backup –add-source=10.20.30.10/32
sudo firewall-cmd –permanent –zone=backup –add-source=10.20.30.20/32
sudo firewall-cmd –permanent –zone=backup –add-service=ssh
sudo firewall-cmd –reload
sudo firewall-cmd –list-all –zone=backup
“`

A repository should not browse the internet except for updates and monitoring endpoints. In stricter environments, use an internal package mirror or controlled proxy.

## Add Immutability the Right Way

Immutability means backup data cannot be modified or deleted until a defined retention period expires. This is the core control that helps when an attacker reaches the backup application or repository credentials.

There are several ways to provide immutability:

– Backup software-managed Linux immutability.
– Object storage with S3 Object Lock in compliance or governance mode.
– Storage array snapshots with locked retention.
– Append-only backup protocols.
– Offline or rotated media.

For a Linux hardened repository, the best approach is usually to use a backup platform that explicitly supports immutable Linux repositories. The software sets retention and applies file-level controls in a supported way. Avoid building unsupported scripts that randomly run `chattr +i` on backup files unless your backup vendor approves it. Manual immutability can break merges, pruning, synthetic fulls, health checks, and restores.

If you are validating file immutability on a lab system, Linux extended attributes can be inspected like this:

“`bash
lsattr /backup/repository/jobs
“`

But production retention should be managed by the backup application or a storage platform designed for immutability. Your operational question should be: can an administrator with backup console access delete restore points before the immutable date? If yes, the repository is not providing the control you think it is.

### Choosing an Immutable Retention Period

The retention period should exceed the likely detection window. If ransomware often goes unnoticed for days, a two-day immutable period is too short. Many organizations start with 14 to 30 days of immutable operational restore points, plus longer offsite or archive retention.

Balance security and capacity. If you set 60 days of immutability but only bought 21 days of storage, failed backup jobs will create a different risk. Model capacity before enabling retention.

## Keep the Repository Out of Active Directory

One of the most common mistakes is joining the backup repository to Active Directory for convenience. This creates a dependency on the very identity system that may be compromised during an attack.

Use local Linux accounts with unique credentials. Store emergency credentials in a secure password vault with access logging and break-glass procedures. Require phishing-resistant MFA for the vault. Do not store the repository root password in a shared spreadsheet, ticket note, or browser password manager.

If central authentication is mandatory for compliance reasons, use a dedicated administrative tier with strict conditional access and no shared trust with normal workstation administrators. For most SMB environments, local accounts plus strong vaulting are simpler and safer.

## Patch Without Turning the Server Into a Pet Project

A hardened repository must be patched, but patching should not introduce uncontrolled change. Enable security updates and schedule maintenance windows that do not collide with backup jobs.

On Ubuntu, unattended security updates can be enabled with:

“`bash
sudo dpkg-reconfigure unattended-upgrades
“`

Check the configuration in:

“`text
/etc/apt/apt.conf.d/50unattended-upgrades
“`

For RHEL-compatible systems, use `dnf-automatic` if appropriate:

“`bash
sudo dnf install -y dnf-automatic
sudo systemctl enable –now dnf-automatic.timer
“`

Firmware, RAID controller, disk shelf, and BIOS updates should be planned separately. Many repository failures are not caused by Linux; they are caused by ignored disk alerts, outdated controller firmware, or undocumented storage changes.

## Monitor for Tampering and Capacity Problems

A repository that silently fills up or loses disks is not hardened; it is neglected. At minimum, monitor:

– Free capacity and inode usage.
– Disk health and SMART status.
– RAID or storage pool state.
– SSH login attempts.
– Sudo usage.
– Backup job success and warning rates.
– Immutability status.
– Time synchronization.
– Package update failures.

Enable auditd and watch sensitive files:

“`bash
sudo systemctl enable –now auditd
sudo auditctl -w /etc/passwd -p wa -k identity_changes
sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes
sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config_changes
“`

For persistent audit rules, add equivalent entries under `/etc/audit/rules.d/hardened-repo.rules`:

“`text
-w /etc/passwd -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_changes
-w /backup/repository -p wa -k repository_changes
“`

Then reload:

“`bash
sudo augenrules –load
sudo systemctl restart auditd
“`

Forward logs to a SIEM, syslog server, or managed detection platform. Local logs are helpful for troubleshooting, but they may not survive a serious compromise.

## Validate Recovery, Not Just Backup Success

Backup dashboards can be dangerously comforting. A green checkmark means a job completed; it does not prove the application can be restored within business requirements.

Create a restore validation schedule:

– Weekly file-level restore test.
– Monthly full VM restore or instant recovery test.
– Quarterly application restore test for systems such as SQL Server, Microsoft 365 exports, or line-of-business databases.
– Annual disaster recovery exercise with leadership participation.

Record the recovery time, data loss point, issues found, and corrective actions. This turns backup from an IT task into a measurable business continuity control.

A simple Linux read test can confirm repository throughput, although it is not a substitute for application recovery testing:

“`bash
sudo dd if=/backup/repository/testfile.bin of=/dev/null bs=1M status=progress
“`

For write testing, avoid running arbitrary benchmarks during backup windows. Use maintenance windows and test paths that do not interfere with production backup chains.

## Common Mistakes to Avoid

### Using a NAS Share as the Only Backup Target

NAS appliances are useful, but a standard SMB share with domain permissions is often easy to delete once an attacker controls Windows credentials. If you use NAS storage, enable snapshots, replication, MFA-protected administration, and immutable or locked snapshot features where available.

### Giving the Backup Server Too Much Power

The backup server needs to write backups, coordinate jobs, and restore data. It should not have unrestricted administrative access to every infrastructure component forever. Use dedicated service accounts, limit vCenter or Hyper-V permissions where practical, and protect the backup console with MFA.

### Ignoring the Management Network

If the repository management interface, hypervisor host, backup server, and domain controllers all live on the same flat VLAN, compromise spreads quickly. Even basic segmentation can dramatically reduce risk.

### Forgetting Offsite Copies

A hardened local repository does not protect against building loss, theft, flood, fire, or a storage firmware disaster. Pair it with offsite immutable object storage, a secondary site, or another protected copy.

## Example Build Checklist

Use this checklist as a starting point for implementation:

– Dedicated Linux server or appliance selected.
– Storage sized for retention, growth, and restore performance.
– Minimal Linux installed and patched.
– XFS file system created with appropriate options.
– Repository account created with least privilege.
– Root SSH disabled.
– Password SSH disabled.
– Host firewall restricted to backup and management hosts.
– Server excluded from Active Directory domain membership.
– Immutable retention configured in backup software or storage platform.
– Logs forwarded off-box.
– Disk, RAID, capacity, and backup job monitoring enabled.
– Restore tests scheduled and documented.
– Emergency credentials stored in a secure vault.
– Offsite or secondary immutable copy configured.

## Practical Summary and Key Takeaways

A Linux hardened backup repository is one of the most valuable ransomware resilience projects an organization can complete. It is not expensive compared with the cost of downtime, and it directly addresses a common attacker objective: destroying recovery options.

The engineering details matter. Use a minimal Linux installation, dedicated local accounts, tight firewall rules, storage designed for recovery performance, monitored disk health, and immutability managed by a supported backup or storage platform. Keep the repository out of routine domain administration and prove recovery through scheduled restore testing.

Key takeaways:

– Backups must be protected from the same credentials that manage production.
– Immutability is most effective when implemented through supported backup or storage features.
– Network isolation and SSH hardening are just as important as disk capacity.
– Monitoring should include storage health, login attempts, configuration changes, and backup job status.
– Restore testing is the only reliable way to know whether backups meet business requirements.

For organizations without dedicated infrastructure staff, this is an ideal project for an outsourced IT partner. Computer Butler can help design, implement, monitor, and test backup architectures that match real recovery objectives instead of relying on hope and green checkmarks.

Posted in

author

Leave a Comment





Scroll To Top