Let’s have a quick conversation about a few things you can do — but probably shouldn’t.
- Eat gas station sushi
- Leave important tasks for the last minute
- Believe everything on the internet
- Date a coworker
- Get a tattoo of the name of a significant other – at least early in the relationship – especially if it’s that coworker
- Run security-focused VMs like a Veeam Hardened Repository on a NAS
Wait, what? Okay, so I’ve always toyed around with the idea of deploying a Veeam Hardened Repository on a Synology NAS as a VM. It started out as the thought of running Minio as local object storage with immutability. Eventually it evolved into a Veeam Hardened Repository, but the old-fashioned (though still current) method of deploying a Linux VM and hardening it. At some point in time, I forgot all about such crazy thoughts as Object First introduced the Ootbi, a purpose-built, security-focused S3 object storage appliance intended for on-premise immutability. But if you don’t have the budget? What about utilizing Veeam’s long-awaited Veeam Hardened Repository ISO…can’t that do it? Perhaps the better question is, should we do it? I say we forget about the second question and focus on the first!
Least Worst Practices
I’m a bit infamous around the Veeam 100 Community for my use of Synology NASes – and while some of that infamy is due to inherited tech debt, some of it is and should be well-deserved. So with that in mind, I just wanted to state that yes indeed, it is possible. So let’s do it.
Of course, there are risks of running your VHR (or any repository) as a VM. By running as a VM, you’re increasing your attack exposure and relying on the security of the hypervisor, and in this case, the physical NAS that is hosting the VM. If the security of the hypervisor is breached and console access to the VM is granted, attackers can absolutely use external tools to reboot the VM, reset the root credentials, and delete your once immutable data. It would be fairly easy to exfiltrate the data from the repository server, but if all they wanted to do was delete your data to hold you ransom, they don’t even have to reset root credentials and can simply delete the VM. Also, you are relying on the software running the VM to ensure that there’s no corruption of data. This is one of the reasons that Veeam’s best practices state that your backup repository should not reside within a VM.
“Least Worst Practices” are a culmination of “Best Practices” and just plain bad practices. Not exactly the worst, but not good either. So, in the spirit of least worst practices, let’s get this VHR on the road.
The Hardware
To start, what are we using for hardware here? Well, Synology was nice enough to supply me with a NAS and a few upgrades to play around with. I’ll write a series of posts on the basics of assembling and configuring the NAS for regular use, as well as setting up the Synology VMM functionality to host VMs, but let’s get the specs of our new VHR host out of the way, and I’ll say it up front, this one is a little bit light-weight. But it works, and that’s really all we’re after here, right?
Model: Synology DiskStation DS723+
Storage – Hard Drives: (2) Plus Series 4TB HAT3300-4T 3.5″ SATA HDDs
Storage – Solid State Disks: (2) SNV3410-400G M.2 NVMe SSDs
Additional Memory: D4ES02-4G DDR4 4GB SODIMM
Additional Connectivity: E10G22-T1-Mini 10GbE Network Module
The Deployment
As previously noted, I’m going to go directly into the deployment of the VHR ISO, so I’m assuming you already have the NAS assembled, configured and deployed, with the Synology VMM application installed and configured. First things first, just like in my previous posts, go out and download the VHR ISO from Veeam. It can be found by going to my.veeam.com and, after logging in, browsing to Additional Downloads > Extensions and Other > Veeam Hardened Repository ISO. Once downloaded, open the Synology Virtual Machine Manager > Image, ensure that you’re on the ISO File tab and “Add” the ISO to upload the image into your NAS.
Once uploaded, head over to the Virtual Machine menu on the left and then select “Create”. In the “Create Virtual Machine” wizard, select “Linux” and click Next.
On the “Select Storage” window, verify that your storage is displayed and select Next.
Next you’ll be prompted to name your VM and specify some basics. We’re going lightweight with 4 CPUs and only 2GB of RAM. If your system has the capability, the VHR appliance would love to have more. Note that you will need to change the Video Card from “vmvga” to “vga” – failing to do so will prevent the VM from booting at power-on. If we were deploying an Ubuntu 22.04 Linux VM as a VHR rather than using the VHR ISO, this would be a necessary step there as well.
Next we’ll specify our disk space. As usual, we’ll want a 100GB disk for the OS, and a larger disk for the repository. In this case, we’ll create a 3TB volume. Note that volumes larger than 2TB will result in a warning that VMs larger than 2TB cannot be exported from VMM, and if that’s the case, you can simply click the red Yes to accept this restriction when prompted.
Select your Network and click Next.
Next you’re prompted for some “Other Settings”. Here we’ll select our VHR ISO in the “ISO file for bootup” menu, change Autostart to “Yes” so that the VM is started any time the NAS is started, and change the Firmware from Legacy BIOS to UEFI. Note that failing to change the Firmware to UEFI will result in an error when booting the OS as the VHR ISO checks to ensure that UEFI is enabled to securely harden the server. But don’t worry if you miss this as you can edit the VM and change this setting like I had to.
Select your Users that have permission to assign power management of the VM and select Next.
Review the VM summary for accuracy, and click Done.
Now you’ll see your VMM build your VM container. Simply select the VM, click Power On and then Connect to the console.
Now just follow the remaining deployment steps outlined in my previous VHR ISO deployment post to complete the VM configuration and then add the Hardened ISO Repository to your Veeam configuration. Do remember that this is by far not a best practice for deploying a VHR. However, I strongly feel that it’s going to be a much better configuration than using a NAS as an SMB repository or, even worse, mounting an iSCSI volume to your ESXi hosts as an RDM, because you’re taking advantage of the native immutability and block cloning savings of the XFS filesystem. Let’s at least try to keep this craziness a little bit under control!
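The deployment above depends on UEFI firmware and on XFS block cloning and immutability, so here is a shell script that verifies those three properties from inside a Linux repository VM where you have shell access (for example the manually hardened Ubuntu variant mentioned earlier). It is an added example, not part of the original post or of Veeam's tooling; the helper names, the mount point and the sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: post-deployment checks for a Linux repository VM.
# Helper names, mount point and sample data are constructed for illustration.

# Succeeds if the guest booted via UEFI (the kernel then exposes firmware/efi).
booted_uefi() {
    local sysroot="${1:-/sys}"
    [ -d "$sysroot/firmware/efi" ]
}

# Reads `xfs_info <mount>` output on stdin; succeeds if block cloning is on.
reflink_enabled() {
    grep -Eq '(^|[ ,])reflink=1([ ,]|$)'
}

# Reads `lsattr` output on stdin; prints files WITHOUT the immutable (i) flag.
not_immutable() {
    awk '$1 ~ /^[-A-Za-z]+$/ && NF >= 2 {
        flags = $1
        sub(/^[^ ]+ +/, "")          # drop the flag column, keep the full path
        if (flags !~ /i/) print
    }'
}

# Runs all three checks against a live repository mount.
check_repo() {
    local mount="$1" rc=0
    booted_uefi || { echo "FAIL: VM firmware is not UEFI"; rc=1; }
    xfs_info "$mount" 2>/dev/null | reflink_enabled \
        || { echo "FAIL: $mount is not XFS with reflink=1"; rc=1; }
    echo "Files currently lacking the immutable flag (review each one):"
    find "$mount" -type f -exec lsattr {} + 2>/dev/null | not_immutable
    return "$rc"
}

# Constructed sample data so the parsers can be exercised offline.
SAMPLE_XFS_INFO='meta-data=/dev/sdb1 isize=512 agcount=4, agsize=196608000 blks
         =                   crc=1        finobt=1, sparse=1, rmapbt=0
         =                   reflink=1    bigtime=0'
SAMPLE_LSATTR='----i---------e------- /mnt/repo/Job A/full.vbk
--------------e------- /mnt/repo/Job A/job.vbm'

# Usage on the repository VM (hypothetical mount point):
#   check_repo /mnt/veeam-repo
```

Any file printed by the last check is not currently protected by the immutable attribute, so confirm whether that is expected for it.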
Credit and Disclaimer
This post is part of a series sponsored by Synology. Nick Kozup at Synology was gracious enough to supply me with all of the Synology hardware and I have been tasked with finding ways to creatively use it. And since I’m nearly 10 months behind creating this series due to my hectic life, I’d like to again thank Nick and Synology for all of their patience in waiting for this series. If you want to learn more about this NAS, make sure to head on over to the DS723+ product information page!