
The immutable Linux repository: the backup ransomware can't encrypt nor delete — not even with the right credentials.
Modern ransomware hunts the backups BEFORE encrypting production. The Hardened Repository is the answer: a Linux server with filesystem-level immutability (XFS) — for the set period, the backups can't be touched: not by the attacker, not by a compromised administrator, not by Veeam itself. From v13, also a ready appliance.


DISA STIG, minimal services, MFA on the console: the repository hardened for real, not halfway.
Immutability tuned on risk and capacity: long enough to cover the sleeping attack.
A dedicated segment and minimal flows: the safe doesn't chat with the rest of the network.
We try to delete (without succeeding): the verification that the immutability is real.
The Hardened Repository is a Linux server (also the preconfigured Veeam ISO) with XFS and the immutable flag: the backups can't be deleted nor encrypted for the set period, the credentials are single-use (not saved), SSH switches off after the deploy, the single-use-credentials compliance prevents a compromised domain from reaching the copies; with XFS block cloning the synthetic fulls stay instant; it's the '1 offline/immutable' piece of the 3-2-1-1-0.
The last line that holds when everything falls.
The immutable copy required, with evidence.
Not even the unfaithful admin deletes the history.