Skip to content

Build a Linux Immutable Backup Repository

## Why Immutable Backup Repositories Matter

Ransomware operators no longer stop at encrypting production file shares. Modern attacks commonly target backups first: deleting restore points, disabling backup jobs, stealing cloud console credentials, or encrypting repository volumes before detonating malware across the environment. For many small and midsize businesses, nonprofits, and distributed organizations, the backup repository has become the most important security boundary they did not know they had.

An immutable backup repository is designed so that backup data cannot be modified or deleted for a defined retention period, even if an administrator account or backup application account is compromised. It is not a replacement for endpoint protection, identity security, or network segmentation. It is the last line of defense when those controls fail.

This guide walks through a practical Linux-based immutable backup repository design for organizations that need stronger ransomware resilience without buying an entirely new storage platform. The examples are written with common backup products in mind, especially platforms that support Linux hardened repositories, but the engineering principles apply broadly: isolate the repository, minimize credentials, restrict SSH, separate administration from backup operations, monitor changes, and regularly prove that restores work.

## The Real Problem: Backup Admin Rights Are Often Too Powerful

In many environments, the backup server has broad privileges by design. It can read virtual machine data, access file servers, enumerate cloud resources, and write to a central repository. That is useful for operations but dangerous during an intrusion.

Common weaknesses include:

– Backup repositories joined to Active Directory with domain admin access used for maintenance.
– SMB shares used as backup targets with reusable service account credentials.
– Repository servers reachable from every VLAN.
– Backup administrators able to delete old restore points at any time.
– SSH open to broad management networks with password authentication enabled.
– No independent alerting when backup retention changes or large deletion events occur.

The goal is not merely to store backups on Linux. The goal is to make the repository boring, isolated, and difficult to tamper with.

## Recommended Architecture

A hardened Linux backup repository should be treated as a security appliance, not as a general-purpose file server.

At a minimum, design around these principles:

1. **Dedicated server or VM**: Do not mix backup repository storage with unrelated application workloads.
2. **No domain membership**: Avoid joining the repository to Active Directory or Entra Domain Services unless there is a compelling reason.
3. **Single-purpose local accounts**: Use one account for backup software transport operations and a separate administrative account for human maintenance.
4. **Key-based SSH only**: Disable password login and restrict which users can connect.
5. **Limited network exposure**: Permit repository access only from backup infrastructure and trusted management hosts.
6. **Immutable retention**: Configure the backup platform and Linux repository so restore points cannot be deleted until the retention lock expires.
7. **Separate monitoring**: Send logs to a SIEM, syslog server, or monitoring platform outside the repository.
8. **Tested recovery workflow**: Document how to restore if the backup server itself is compromised.

A simple logical layout might look like this:

“`text
Production VLANs —> Backup Server —> Hardened Linux Repository
| |
| +– Syslog/Monitoring
|
+– Optional offsite/object storage copy
“`

The repository should not initiate connections to production systems. Production workstations should not be able to reach it. If an attacker compromises a workstation, the repository should not appear as an easy next hop.

## Choosing the Linux Platform and Storage Layout

Use a stable, supported distribution that your team can patch and operate confidently. Ubuntu LTS, Debian stable, Rocky Linux, AlmaLinux, and Red Hat Enterprise Linux are all reasonable options. The specific distribution matters less than consistent maintenance and a minimal attack surface.

For storage, many backup platforms recommend XFS with reflink support because it can improve synthetic full backup performance and space efficiency. If your backup software has a documented preferred filesystem, follow that guidance. Avoid exotic configurations your team cannot troubleshoot at 2:00 AM.

Example disk layout:

“`text
/dev/sda OS disk, 100 GB
/dev/sdb Backup repository data disk or RAID/LUN
/backup Mounted repository path
“`

For production, use redundant storage underneath the filesystem. That may be hardware RAID, a storage array LUN, direct-attached disks with a supported RAID controller, or resilient cloud block storage. Immutability protects against deletion; it does not protect against disk failure.

## Base Linux Installation and Patch Preparation

Start with a minimal server installation. Do not install desktop environments, file sharing services, print services, web panels, or unnecessary agents.

After installation, update the system:

“`bash
sudo apt update
sudo apt -y upgrade
sudo apt -y install openssh-server fail2ban auditd chrony ufw
“`

For RHEL-family systems, the equivalent is:

“`bash
sudo dnf -y update
sudo dnf -y install openssh-server fail2ban audit audit-libs chrony firewalld
“`

Enable time synchronization. Accurate time is essential for logs, certificate validation, retention timing, and incident response.

“`bash
sudo systemctl enable –now chrony
chronyc tracking
“`

## Create Dedicated Accounts

Use at least two local accounts:

– `repoadmin`: for interactive administration by IT staff.
– `backupsvc`: for the backup application to connect and write backup data.

Create the accounts:

“`bash
sudo adduser repoadmin
sudo adduser backupsvc
“`

Grant administrative access only to the admin account:

“`bash
sudo usermod -aG sudo repoadmin
“`

Do not add the backup service account to `sudo`. The backup account should be able to write to the repository path only as required by the backup platform.

Create the repository directory:

“`bash
sudo mkdir -p /backup/repository01
sudo chown backupsvc:backupsvc /backup/repository01
sudo chmod 700 /backup/repository01
“`

This prevents casual browsing by other local users. If your backup product requires specific permissions or ownership, use its documented settings.

## Format and Mount the Repository Volume

The following example assumes `/dev/sdb` is the repository disk. Verify device names carefully before formatting.

“`bash
lsblk
sudo mkfs.xfs -m reflink=1,crc=1 /dev/sdb
sudo mkdir -p /backup
“`

Find the UUID:

“`bash
sudo blkid /dev/sdb
“`

Add it to `/etc/fstab` using the UUID:

“`text
UUID=YOUR-DISK-UUID-HERE /backup xfs defaults,noatime,nodiratime 0 0
“`

Mount and verify:

“`bash
sudo mount -a
df -h /backup
xfs_info /backup | grep reflink
“`

The `noatime` and `nodiratime` options reduce unnecessary metadata writes. They are not security controls, but they are commonly useful for backup workloads.

## Harden SSH Access

SSH is usually required for backup software integration and administrative maintenance. It is also a high-value attack path. Harden it early.

Create SSH key pairs from a secure admin workstation or password manager-backed key management process. Then install public keys for each account.

For example:

“`bash
sudo mkdir -p /home/repoadmin/.ssh /home/backupsvc/.ssh
sudo nano /home/repoadmin/.ssh/authorized_keys
sudo nano /home/backupsvc/.ssh/authorized_keys
sudo chown -R repoadmin:repoadmin /home/repoadmin/.ssh
sudo chown -R backupsvc:backupsvc /home/backupsvc/.ssh
sudo chmod 700 /home/repoadmin/.ssh /home/backupsvc/.ssh
sudo chmod 600 /home/repoadmin/.ssh/authorized_keys /home/backupsvc/.ssh/authorized_keys
“`

Edit `/etc/ssh/sshd_config`:

“`text
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers repoadmin backupsvc
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
“`

Restart SSH after opening a second session so you do not lock yourself out:

“`bash
sudo sshd -t
sudo systemctl restart ssh
“`

For backup software that requires SSH, check whether it needs shell access, temporary privilege elevation, or a specific transport service. Follow the vendor’s hardened repository guidance carefully. Do not grant broad sudo rights unless the product explicitly requires them, and even then restrict the allowed commands where supported.

## Restrict the Firewall

Only the backup server and approved management hosts should reach SSH or repository-related services. Example using UFW on Ubuntu:

“`bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 10.20.30.10 to any port 22 proto tcp comment ‘Backup server SSH’
sudo ufw allow from 10.20.40.0/24 to any port 22 proto tcp comment ‘IT management subnet’
sudo ufw enable
sudo ufw status verbose
“`

If using firewalld:

“`bash
sudo firewall-cmd –permanent –set-default-zone=drop
sudo firewall-cmd –permanent –new-zone=backup
sudo firewall-cmd –permanent –zone=backup –add-source=10.20.30.10/32
sudo firewall-cmd –permanent –zone=backup –add-port=22/tcp
sudo firewall-cmd –reload
sudo firewall-cmd –list-all –zone=backup
“`

Network firewalls should enforce the same restriction. Host firewalls are important, but they should not be the only control.

## Configure Immutability in the Backup Platform

Linux alone does not magically make every backup immutable. Some backup products use Linux filesystem capabilities and controlled repository services to prevent deletion during a defined period. Others support object lock in S3-compatible storage. Some use snapshots or WORM storage appliances.

When configuring the repository in your backup platform, look for settings such as:

– Make recent backups immutable.
– Prevent deletion for X days.
– Single-use credentials for repository deployment.
– Hardened Linux repository mode.
– Object Lock governance or compliance mode for object storage.

Choose an immutability window based on your threat model and recovery requirements. Many organizations start with 14 to 30 days. High-risk environments may use longer periods, but remember that immutability consumes storage. If malware encrypts production data and those encrypted files are backed up, you need enough clean restore points to go back before the compromise.

A practical SMB policy might be:

“`text
Daily backups: immutable for 21 days
Weekly backups: copied offsite and retained for 8-12 weeks
Monthly backups: retained for 12 months, preferably in separate storage
Critical systems: application-aware restore tests quarterly
“`

Avoid setting immutability so short that weekend compromises erase your recovery options before anyone notices.

## Separate Backup Console Security from Repository Security

A common mistake is assuming repository immutability solves backup console compromise. It helps, but the backup console still needs strong protection.

Recommended controls include:

– Multi-factor authentication for backup console access where supported.
– Separate backup admin accounts, not daily-use domain admin accounts.
– Role-based access control so help desk users cannot delete restore points.
– No interactive browsing from the backup server to the Internet.
– Backup configuration exports stored securely outside the backup server.
– Alerts for disabled jobs, failed jobs, repository changes, and retention policy changes.

If an attacker compromises the backup server, immutable restore points may survive, but you still need a way to rebuild the backup server and reconnect to the repository. Document that process before an incident.

## Monitor for Tampering and Early Warning Signals

The repository should send logs to a system the attacker is less likely to control. At minimum, forward authentication and sudo activity to a central syslog or SIEM platform.

On Ubuntu with rsyslog, create a forwarding configuration:

“`bash
sudo nano /etc/rsyslog.d/60-forward.conf
“`

Example:

“`text
*.* @@10.50.10.25:514
“`

Restart rsyslog:

“`bash
sudo systemctl restart rsyslog
“`

Enable audit rules for key files:

“`bash
sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config_change
sudo auditctl -w /etc/sudoers -p wa -k sudoers_change
sudo auditctl -w /etc/fstab -p wa -k fstab_change
sudo auditctl -w /backup -p wa -k backup_path_change
“`

To make audit rules persistent, place them in a file such as `/etc/audit/rules.d/hardened-repo.rules`:

“`text
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/fstab -p wa -k fstab_change
-w /backup -p wa -k backup_path_change
“`

Then load them:

“`bash
sudo augenrules –load
sudo systemctl restart auditd
“`

Alert on events such as:

– SSH login failures against `backupsvc` or `repoadmin`.
– Successful login from an unexpected IP address.
– Changes to `/etc/ssh/sshd_config`.
– Firewall rule changes.
– Repository volume unmounts.
– Sudden increase in repository free space.
– Backup job disablement or retention reduction.

The point is not to collect logs for compliance alone. It is to detect backup tampering before the recovery window closes.

## Add Network Segmentation

Place the repository in a dedicated backup or infrastructure VLAN. Then write explicit firewall rules:

“`text
Allow backup server -> repository TCP/22
Allow management jump host -> repository TCP/22
Allow repository -> syslog/SIEM TCP/514 or agent port
Allow repository -> OS update repositories via controlled egress
Deny workstations -> repository any
Deny production servers -> repository any, unless specifically required
Deny repository -> production networks by default
“`

For higher-security environments, require administrators to connect through a privileged access workstation or jump host. This reduces the risk of stolen workstation credentials being used directly against the repository.

## Plan for Offsite and Cloud Copies

A local immutable repository is valuable because restores are fast. It is not sufficient by itself. Fire, flood, theft, storage controller failure, and site-wide compromise can still take it out.

Follow a modern version of the 3-2-1-1-0 rule:

– **3** copies of important data.
– **2** different media or storage types.
– **1** offsite copy.
– **1** immutable or offline copy.
– **0** backup errors verified by testing.

For the offsite copy, options include:

– S3-compatible object storage with Object Lock.
– A second hardened Linux repository at another site.
– Backup provider cloud storage with immutability support.
– Periodic offline removable media for smaller environments.

If using object storage, understand the difference between governance mode and compliance mode. Governance mode can often be bypassed by highly privileged users. Compliance mode is stricter but can also lock you into retention costs if misconfigured. Test with non-production data first.

## Recovery Testing: The Control Everyone Skips

An immutable repository is only useful if you can restore from it. Recovery testing should include more than opening the backup console and seeing green check marks.

A practical quarterly test might include:

1. Restore a domain controller into an isolated network.
2. Restore a business-critical application server.
3. Restore a sample file share with permissions.
4. Verify application login and data consistency.
5. Record actual recovery time.
6. Confirm the restore point used was inside the immutable window.
7. Document any missing credentials, drivers, network settings, or application dependencies.

For Microsoft 365 or Google Workspace backups, test mailbox, OneDrive or Drive, and shared data restores. SaaS data is still business data, and many organizations underestimate how disruptive a tenant-level incident can be.

Create a simple recovery test record:

“`text
System tested: Accounting VM
Restore point: 2026-07-10 22:00
Repository: linux-repo-01
Immutable at test time: Yes
Restore target: isolated VMware port group
RTO observed: 47 minutes
RPO observed: 14 hours
Application owner validation: Passed
Issues found: DNS dependency not documented
Remediation owner: Infrastructure team
“`

This kind of evidence is useful for executives, cyber insurance renewals, auditors, and, most importantly, your future incident response team.

## Operational Maintenance Without Weakening Security

Hardening often fails over time because maintenance becomes inconvenient. Build a process that keeps the server patched without turning it into a general-purpose admin box.

Recommended maintenance tasks:

– Patch monthly or according to risk.
– Reboot after kernel updates during a scheduled window.
– Review SSH authorized keys quarterly.
– Validate firewall rules after network changes.
– Check repository capacity weekly.
– Review immutability settings after backup policy changes.
– Rotate backup console administrative credentials.
– Export backup configuration after major changes.

Example capacity check:

“`bash
df -h /backup
sudo xfs_quota -x -c ‘report -h’ /backup 2>/dev/null || true
“`

Example list of recent SSH logins:

“`bash
last -a | head -20
sudo journalctl -u ssh –since ‘7 days ago’
“`

Example check for failed logins:

“`bash
sudo grep ‘Failed password\|Invalid user’ /var/log/auth.log | tail -50
“`

Do not allow emergency shortcuts to become permanent. If you temporarily open SSH to a wider network or enable password authentication for troubleshooting, document it and reverse it immediately.

## Common Design Mistakes to Avoid

### Using SMB Shares as the Primary Ransomware Defense

SMB repositories are simple, but they often rely on credentials that can be reused or stolen. They can be appropriate in some designs, but they are usually not the strongest choice for ransomware-resistant backups unless paired with storage-level immutability and strict access control.

### Joining the Repository to the Domain

Domain membership may simplify login management, but it also increases blast radius. If Active Directory is compromised, a domain-joined repository becomes easier to attack. For a hardened repository, local accounts and key-based SSH are usually safer.

### Making Immutability Too Short

A seven-day immutable window may not be enough if attackers dwell in the network for weeks or if the organization discovers encryption after a long weekend. Balance cost and risk, but do not choose a window that only protects against the easiest incidents.

### Forgetting the Backup Server

The repository is only part of the system. Protect the backup server with MFA, patching, restricted admin access, endpoint protection, and configuration backups. Practice rebuilding it.

### Never Testing Full Application Recovery

A file-level restore proves very little about whether payroll, case management, ERP, or electronic health record systems can actually return to service. Test the applications that matter to the business.

## Practical Summary and Key Takeaways

A Linux immutable backup repository can materially improve ransomware resilience, but only when it is engineered as a hardened recovery component rather than treated like ordinary storage.

Key takeaways:

– Keep the repository dedicated, minimal, and off the domain.
– Use separate local accounts for administration and backup operations.
– Require key-based SSH and restrict access by user and source network.
– Enable immutable retention in the backup platform and size storage accordingly.
– Forward logs to monitoring systems outside the repository.
– Segment the repository so workstations and production servers cannot casually reach it.
– Maintain an offsite or cloud copy with its own immutability controls.
– Test real restores on a schedule and record the results.

For SMBs and nonprofits, the difference between a painful outage and a business-ending incident often comes down to backup recoverability. A hardened immutable repository is not glamorous infrastructure, but it is one of the most valuable investments an IT team can make before an attack happens.

Posted in

author

Leave a Comment





Scroll To Top