Tag Archives: Veeam Software Appliance

How to open a root shell on the Veeam Software or Infrastructure Appliance

Posted on by
Reply

Introduction

Veeam’s Software Appliance (VSA) and Infrastructure Appliance are hardened by design out of the box. They’re secured, protected, consistent, and predictable, but they’re also unapologetically locked down. There is no SSH, no shell, no root, no sudo. Everything is protected via requests and explicit approvals.

That’s good for security. But it also means you need to understand the actual workflow for getting shell access, especially root access, when you might need it.

This post walks through the real‑world process, the UI flow, the approval logic, and the operational pitfalls. We’ll even cover the “I disabled the web console and need to fix that” scenario.

There are two ways to get SSH access. First, there is the Veeam Host Management console locally on the machine, the one that is available at first boot. After configuration, you will also have access via the web host management console over port 10443.

How to get root access?

Root access can be obtained through 3 pathways that are essentially the same. The first two are again the Veeam Host Management console, locally on the machine, and the web host management console on port 10443. Once you have SSH access, you can request root access via the Veeam Host management console over SSH as well. You can also restrict access via these interfaces.

Note

I also enable the security officer option in the lab. That can indeed be annoying during testing, but I like to train with the tools I will use when it’s for real. You learn and operate under the same restrictions as in production and, yes, suffer the same frustrations at times. That is the price of security.

The local Veeam Host Management console

At your appliance console, select Sign In.

Enter your username and password and hit ENTER.

When prompted, enter your OTP to login.

From that point on, everything you need lives under the Remote Access configuration.

To request shell access, you choose Enter shell.

As mentioned, we have a security officer, so approval must be granted by that person.

The security officer can now approve or decline your request.

FYI: the security officer sign-in is only available via the web console!

Note that the entry for the approved request does not disappear. The security officer can decline it at any moment. For example, when you notify the security officer that you have completed your work. If not, it will expire after 8 hours.

Anyway, the console message changed to “Press <Enter> to access shell” and “Press <F1> to disable shell access.”

Hit ENTER, and you have shell access with root privileges.

Note that this root shell access is:

  • Time‑limited / non‑persistent
  • Audited
  • The only supported escalation path

Enabling root shell access via the web host management UI

Navigate to the IP address or the FQDN of your appliance over port 10443 and log in.

Under Overview, you can request root access. Again, this triggers the security officer approval workflow.

Once approved, a warning is displayed indicating that access privileges have been elevated to root. Note that you can revoke these yourself at any time.

Once approved, the TUI will allow you to open a temporary, audited root shell.

Once shell access is approved, you can:

  • Choose Enter shell in the TUI on the physical or virtual console
  • or enable SSH and log in remotely

Note that you always authenticate as the Host Administrator, not root. Dropping into the shell is always as root. When logged in via SSH, you do not use sudo or su to become root. You have to launch the TUI manually. Just run:

/opt/veeam/hostmanager/veeamhostmanagertui

That is useful when you want to activate an already-approved root shell without returning to the physical or virtual console.

As you can see, you have the same interface and have to sign in again. You can then enter the shell only if approval has already been granted; otherwise, you’ll have to wait for your security officer to approve your request. For people without access to the physical or virtual console, requesting SSH access in combination with root shell access is the only option. SSH alone will never get you to root. Remember that. Because:

  • root login is disabled
  • SSH root login is disabled
  • sudo is restricted
  • No direct escalation paths exist outside the TUI, making it the only supported privilege‑escalation mechanism.

Turning off the host management web UI

The appliance also lets you turn off the host management web UI. Sure, it might sound great for even further hardening, but it comes with an ⚠️ Important catch: turning off the host management web UI can Lock You Out (unless you have physical or virtual console access).

If you disable the web console and you do not have shell access or SSH enabled, the only way back in is through the hypervisor VM console. The physical or virtual console is your last‑resort access path. If you lose that, you have basically lost the appliance if all other options are disabled.

Some operational tips

Use root access with care and only when needed

I hope this is self-explanatory.

Use the web host management console & enable SSH on demand

We handle normal operations via the web consoles and the full console. When SSH is needed, request it.

Never turn off the web console unless you have guaranteed VM console access

If your hypervisor is managed by someone else, for example, think twice. Silos and multiple layers of communication and responsibilities are productivity, efficiency, and support-killing factors in way too many “enterprise”- grade environments. For real people, “enterprise IT” is not the badge of quality and efficiency many think it is; quite the contrary.

The Security Officer must be on call

When you tie actions to a security officer, ensure they are on call and kept informed. Make sure these are people with a clue, not just someone who approves anything without knowing what or why. Also, make sure they are very well aware of what normal backup and recovery operations require and what constitutes an exceptional but valid request. Otherwise, you can’t approve shell or root requests when you need them, or everything gets approved. The technology is only as good as the people and the processes.

Conclusion

While root shell access may be needed in a real-world environment, it should be used only when necessary and with great care. That is why I advise you to enable the security officer in production. And if you are like me, use the security officer feature in labs to make sure you learn and know the processes where this approval is required. How to Open a Root Shell on the Veeam Software or Infrastructure Appliance is also documented on Veeam Backup Enterprise Manager Guide

Configure custom settings on the Veeam Software Appliance like you used to do in the Windows Registry

Posted on by
Reply

Introduction

In previous versions of the Veeam Backup & Replication server (before version 13), we did not have a Rocky Linux-based Veeam Software appliance. We can configure a multitude of settings in the Windows Registry to fine-tune and perfect the VBR server to our needs and environment. But as we all know, there is no such thing as a registry on Linux. However, as the saying goes, everything on Linux is a file, and that applies to the Veeam Appliance as well.

In this article, I will demonstrate with a simple example how to edit these configuration files to achieve the same functionality. As some settings are Windows-specific and are not needed on the appliance, nor would they do anything useful.

How to apply custom settings to Veeam Software Appliance

On the Veeam Software Appliance, you will find configuration files that allow you to configure custom settings, just as you can in the registry of a Windows host running in Veeam Backup & Replication.

You manage these configuration files via the Veeam Host Management Console. Also see https://helpcenter.veeam.com/docs/vbr/userguide/hmc_perform_maintenance_tasks.html?ver=13#managing-configuration-files for more inf0

  1. Access the Veeam Host Management Console Web UI (username/password + MFA)
  2. Select Logs and Services in the left-side Navigation panel.
  3. Select Host Configuration within the Logs and Services view.
  4. From here, you can search for a specific configuration file.

The config files can be exported and imported via the Web GUI. Import required Veeam security officer approval if that is configured.

Below, you will find a selection of registry paths and their corresponding configuration files on the Veeam Software Appliance.

Registry KeyVSA Config File
HKLM\SOFTWARE\Veeam\Veeam Mount Service/etc/veeam/veeam_mount_service.conf
HKLM\SOFTWARE\Veeam\Veeam Backup Catalog/etc/veeam/veeam_backup_catalog.conf
HKLM\SOFTWARE\Veeam\Veeam Backup and Replication/etc/veeam/veeam_backup_and_replication.conf
HKLM\SOFTWARE\Veeam\Veeam Threat Hunter/etc/veeam/veeam_threat_hunter.conf

The names of the settings remain the same as before, making it easy for those already familiar with the customization settings from previous deployments. If anything, it is a bit more forgiving, as you cannot select an incorrect value type for the value, unlike in the registry.

Configuration File Sections

The configuration files consist of different sections in square brackets (e.g., [root]). Where [root] is the equivalent of the root of the listed key. Below, I list some examples that you will find in the /etc/veeam/veeam_backup_and_replication.conf file.

  • [root] = HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
  • [API] = HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\API\
  • [API\DbProvider] = HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\API\DbProvider\
  • [DatabaseConfigurations\PostgreSql] = HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\DatabaseConfigurations\PostgreSql\

As you can see, these represent the registry key paths that can be found on a Windows-based Veeam Backup & Replication installation.

Step-by-step walkthrough

Export and import the files via the Web GUI. There is no need to start SSH and access the appliance. The web GUI has everything you need.

Existing files can be exported for editing and then saved and uploaded to the Veeam Software Appliance.

You can also create new files if needed and upload those. For these to be functional, they must adhere to the conventions of the config files in terms of headers and values.

Be careful editing or creating a configuration file on Windows. Some text editors can mess up the file’s line endings and other settings. Windows has typically CRLF line endings, while Unix/Linux/macOS uses LF. Just make sure whatever text editor you use doesn’t change the line ending type, or things will break. Notepad++ will serve you well.

When the Security Officer role is enabled, importing an updated or new configuration file requires approval from a Security Officer.

I will demonstrate this with a handy but benign setting (in case you make a mistake). We will display a banner in the console GUI. Veeam introduced this years ago, but it makes for a nice, GUI-visible lab demonstration.

In the Windows registry, you configure this as follows:

Registry PathHKLM\SOFTWARE\Veeam\Veeam Backup and Replication
UIClassifiedModeDWORD = 1 to enable the banner
UIClassifiedStripeTextREG_SZ = Your custom message
UIClassifiedStripeColor (optional)REG_SZ = Hex color code (e.g., #FF0000 for red)

We will configure the same on the Veeam Software Appliance.

Select the correct file and click “Export”

Open the downloaded file in Notepad++ and add these three lines under [root, which is the correct path/location for these settings.

UIClassifiedMode=1

UIClassifiedStripeText=This is WorkingHardInIT’s VBR 13 Lab Server

UIClassifiedStripeColor=FF0000

Save your changes. Now, import the edited file into the Veeam Software Appliance.

As I have set up the Veeam security officer, I will need approval for this. For lab setups, you can choose not to leverage the security officer capability, but I prefer my labs to mimic real-life scenarios. It helps to evaluate the product more honestly.

Now the Veeam security officer has to log on to the appliance web console and approve my request

Some settings will require a restart of the Veeam services; others do not. However, if needed, you can perform this action from the web GUI.

When the Veeam Backup & Replication services have restarted and you log on to the console again, you will see the banner displayed just like on Windows.

Armed with this knowledge, you can now fine-tune your configuration settings to perfection for your Veeam Backup fabric environment when leveraging the Veeam Software Appliance.

References

See https://www.veeam.com/kb4779

Conclusion

There you have it. I have shown you how to configure custom settings on the Veeam Software Appliance, just as you would in the Windows Registry. I was wondering about this myself, as I knew Veeam would not leave us with a lesser product or, at the very least, fewer configuration options than on a self-hosted server installation.

The one thing that hits home is that zero trust impacts the comfort and speed of the honest, hardworking IT professional, who, apart from dealing with all the external threats, also has to guard against insider threats, i.e., himself. If you think about it, the level of security small and medium-sized businesses now have to deal with is mind-blowing compared to what it was in the past.

Happy testing, and may your production deployments and operations go smoothly!

Configuring an Interface Bond for Veeam Software Appliance and Veeam JeOS Installations on Hyper-V

Posted on by
Reply

Introduction

If you are anything like me, you want your labs and testing to mimic production as much as possible. Hence, when testing the Veeam Software Appliance and Veeam JeOS ISO installations in my Hyper-V lab, I want to use bonding for my LAN NICs and, potentially, for my dedicated backup network NICs. I say potentially, as that depends on the backup source and the available backup target networks, as well as the required configuration and the workloads they serve. Such design discussions have numerous permutations, which would lead us astray from the goal of this blog post.

Once we have decided we want bonding, the question at hand quickly becomes How does one get a bond to work in Linux VMs on Hyper-V? I will demonstrate how to do it for this specific use case. My primary concern was that the hardening of the ISO image might have blocked this from working, but it does not! Which is excellent news.

Yes, I know that bonding inside VMs is not the best approach, but we are doing this to emulate physical production configurations. In real-life production workloads, you should NOT even use virtual machines for hardened (immutable) repositories!

We need multiple NICs

First of all, we need a VM with multiple NICs. Two NICs for the LAN bond and then two or four NICs, depending on your network setup and goals. As stated above, we will not discuss this here.

I will direct you to a PowerShell script that allows you to easily deploy one or more scaffolding virtual machines on Hyper-V for testing the Veeam JeOS (Hardened Repository) ISO. Adapt the variables to your needs and run the script with elevated permissions. Locally, remotely, whatever suits you best.

You can set up the Hyper-V part of the NIC configuration for teaming via a script or in the GUI. I will use the GUI to showcase this, but will also provide the PowerShell commands in the script.

Note

You might remember my earlier guide on NIC bonding for Ubuntu guests in Hyper-V. There, I relied on full access to tooling on my Ubuntu servers. When working with the Veeam Hardened Repository ISO, things are more locked down. Thankfully, the installer provides a basic yet effective GUI. You can use it to configure NIC bonding during the installation process. Not only that, but we also have a basic menu-driven GUI after installation to configure and change the essentials. There should not be a need to SSH into the repository servers.

Bonding

This post guides you through setting up interface bonding during the initial installation phase using the built-in GUI, and I will show you where to configure or change it post-installation.

Installing the Veeam appliance & configuring bonding

They designed VeeamJeOS and other appliances with security in mind. That’s great for production, but it means you don’t get the same level of access to system internals as you do with a full-blown Ubuntu install. Specifically:

  • You can’t easily view or manipulate MAC addresses.
  • The repository is a stripped-down OS, so tools like ip, ifconfig, or even netplan might not be available.
  • You’re working with a locked-down shell and a minimal set of packages.
  • SSH access is available with one-time use passwords, and you need to enable it explicitly.

So how do we configure NIC bonding under these constraints? Let me walk you through this.

Step-by-Step: Bonding Interfaces in the Hardened ISO

1. Prepare Your Hyper-V Environment

Before booting the ISO, ensure your Hyper-V setup is ready. We will create a VM with an OS disk of at least 100 GB and add one or more larger data disks to emulate volumes backed by one or more RAID controllers. Don’t worry too much about the size, the disks are dynamically expanding ones and thin-provisioned. Naturally, you’ll need some vCPUs and vMemory. Additionally, create a Generation 2 VM and ensure that you set the secure boot template to “Microsoft EUFI Certificate Authority”. Last but not least, set the boot order to boot from the DVD drive first.

Next is the most important for this blog post: creating the vNICs.

  • Create two LAN vNICs for your VM and two or more BACKUP vNICs.
  • Enable MAC spoofing on the vNICs that you will bond inside the guest OS. It is crucial, as without it, the bond does not work correctly.
  • You must check “Enable this network adapter to be part of a team in the guest OS.”

Lucky you, I have a scaffolding script to create such VMs for you, and you can find it here: https://github.com/WorkingHardInIT/CreateVeeamHardenedRepoScafoldingVMs

Change the variables to values that make sense in your lab and run it in an elevated PowerShell session.

Enjoy. The only thing you need to do after running that script is mount the ISO in the DVD drive. You can play along with the VeeamHardenedRepository_2.0.0.8_20250117.iso or the VeeamJEOS_13.0.0.12109.BETA2.iso. In this article, I am using the VeeamHardenedRepository_2.0.0.8_20250117, as it is the current version suitable for production use. But if you follow the instructions below, you will be able to complete the process on both. For the V13 Beta 2, you need to contact Veeam as it requires an access code to download. You can watch a video of me installing VeeamSoftwareAppliance_13.0.0.12109.BETA2.iso with bonding here: https://vimeo.com/1108152527; the process is the same for the VeeamJEOS.

2. Boot the ISO and Access the Shell

Start the virtual machine.

Once the virtual machine is running, you should see the installer splash screen. Select “Install Hardened Repository (deletes all data).” Hit ENTER to continue

Next, you will see the Installation Summary Screen. It is more limited than you might be used to with a standard Rocky Linux deployment.

  • Make sure the Keyboard is correct.
  • Select your time zone (region and city)
  • The installation (storage layout) is not configurable.
  • The Network and hostname section is where we will do the most work!

3. Identify Your Network Interfaces

You should see all your NICs listed, and when you select one, you can also see the MAC address. That helps verify which Hyper-V vNIC this corresponds to. Usually, they are listed on both Hyper-V and in the OS (e.g., eth0, eth1, …) in the order in which the script created them.

As you can see, one NIC got an IP address via DHCP, which is a good sign.

4. Create the Bond

Now, let’s set up bonding. Click the “+” button located to the left of the NIC listing.

Ensure the type is “Bond” and click “Add”. Now configure the bond:

Please give it a distinguishable name, such as LANBOND

Give the interface a name: lanbond0

Add the interfaces. These are of type “Ethernet”

Click Create and add the devices. In this example, we will add both LAN NICs. Round-Robin is best here. LACP is not suitable for Hyper-V guest deployments. However, you can certainly use it in a physical production setup.

Save this and take a peek at the bond interface now. It has received a DHCP address. Good, now let’s configure our static IP settings. All this is pretty straightforward. Enter the correct data, including the NIC IP, subnet mask (in CIDR or Dotted Decimal Notation), gateway IP, and DNS servers.

5. Check your bond status and turn your bond off and on

Now pay attention to the bond. It will display the original IP address until you disconnect and reconnect. Use the toggle button for this. But there is more. Look at the MAC address. Yes, it has a spoofed MAC address of one of the member interfaces.

That is why you need MAC spoofing enabled on those bond member NICs in the Hyper-V setting of your virtual machine.

Finally, enter the host name and click Apply.

Click Done! You can already ping test the address; it should work.

Click “Begin Installation” in the lower-right corner of the splash screen. You will get a warning that this will wipe all disks. That is not a concern here. Click Yes. Let the installation process run. You can follow the progress.

Reboot the system when asked.

Log in using the following credentials:

  • User: vhradmin
    • Password: vhradmin

You must change the password to one that meets the minimal complexity requirements.

Accept the license terms.

You will have a menu to work with.

One of the things to do is configure the proxy setting, manage the network configuration, update your system, and start SSH with a single-use password.

SSH gives you (controlled/protected) SSH access to take a peek under the hood or see if you can customize anything (lab only).

However, mainly, you need to temporarily enable SSH to add this repository to the Veeam fabric.

7. Troubleshooting tips

Look at your ping -t 192.168.2.101 replies. They should be returning an answer reliably! If not, here are some tips:

  • First, ensure that you ping from only one test machine, as you can only send five pings per second. If you test from multiple machines and consoles, you will easily exceed this limit and experience drops.
  • MAC Spoofing is non-negotiable. Without it, it won’t work
  • Make sure “Enable the network adapter to be a part of a team in the guest operating system” is enabled.
  • If you’re unsure which NIC is which, Hyper-V’s VM settings display the order in which you added them. But you can also use the MAC address to identify them via SSH if needed.

8. Bond failover testing

Once you have a reliable ping reply, do some further failover testing:

  • Unplug one vNIC in Hyper-V and verify connectivity.
  • Deactivate the members of the bond in Rocky Linux.

Note that you should not lose connectivity.

Conclusion

You are now ready to add that Veeam hardened repository to your Veeam Backup & Replication environment. Congrats.

Configuring bonding during installation with the GUI is surprisingly efficient. Suppose you forgot or want to change the configuration that is possible in the GUI provided by Veeam when you log on to the console. If you enable SSH, you can also use it to access the system; however, it is not necessary to configure bonding in this manner.

The Veeam Hardened Repository ISO is pretty slick! I like it a lot. I would like to see some flexibility in the backup storage configuration to allow for customization. I would also like to have MFA for console, SSH, and sudo actions, similar to what I have with Duo, which I use for my hardened repository builds. And guess what? Veeam is adding MFA to the JeOS ISO image with Veeam Backup & Replication 13. That, and mandatory Security Officer approval for privileged actions, under the ‘two pairs of eyes’ principle. Below is a sneak peek of that!

In lab environments running on Hyper-V, this blog post and my PowerShell script can help you get up and running quickly with redundant connectivity to reproduce production configurations. Please share your questions, experiences, or tweaks in the comments below.