Deploying Amazon Machine Image in Amazon EC2

You can deploy NAKIVO Backup & Replication as a pre-configured Amazon Machine Image (AMI) in Amazon EC2. After you complete the download form, you get a link to the AWS marketplace page where you can download the AMI.

Configuring AMI Parameters

Configure the following AMI parameters:

  1. Instance Type: More powerful instances can process tasks faster and run more tasks simultaneously. The minimum requirement for NAKIVO Backup & Replication is the t2.micro instance type; the t2.medium instance type is recommended.

  2. Instance Details: Assign a public IP to the instance if you wish to access the instance over the internet.

  3. Security Group: Use the "All Traffic" rule or create the set of rules listed below:

     Type         Port Range    Source       Description
     SSH          2221          0.0.0.0/0    Enables remote SSH access to the instance
     Custom TCP   80            0.0.0.0/0    Enables access to the web interface
     Custom TCP   443           0.0.0.0/0    Required for local Transporter import
     Custom TCP   902           0.0.0.0/0    Required for local Transporter import
     Custom TCP   4443          0.0.0.0/0    Enables access to the web interface
     Custom TCP   9446          0.0.0.0/0    Enables access to a remote Transporter
     Custom TCP   9448-10000    0.0.0.0/0    Enables access to a remote Transporter
     All ICMP     0-65535       0.0.0.0/0    Enables access to a remote Transporter


    Note
    Older AMIs may still use SSH Port 22 instead of 2221.

  4. Key pair: Select an existing key pair or create a new key pair for your instance. If you select an existing key pair, make sure you have access to the private key file.

     Refer to Getting Started to better understand how to continue working with NAKIVO Backup & Replication.

Security

The security of your backups can be significantly improved with Backup Immutability. For this feature to be available, the backups must be stored in an Amazon S3 or Local folder type of Backup Repository deployed via AWS AMI on your EC2 instance.

Note
The AMI deliverable uses Ubuntu 20.04 OS and a standalone EC2 transporter.

To enable Backup Immutability for a Local folder type of Backup Repository deployed via an AMI, NAKIVO Backup & Replication does the following:

  • Creates a new user for all administrative needs and adds it to the sudo group

  • Disables root user

  • Changes default SSH port to 2221

  • Configures the following kernel parameters via sysctl.conf:

    • Limits network-transmitted configuration for IPv4/IPv6

    • Protects against the common SYN flood attack

    • Turns on source IP address verification

    • Prevents an attacker from spoofing the IP address of the server

    • Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

    • Configures swap: sets vm.swappiness to 15

    • Sets kernel.unprivileged_bpf_disabled to 1

    • Sets kernel.core_pattern to /tmp/%e.%p.core

    • Sets kernel.core_uses_pid to 1

    • Sets kernel.dmesg_restrict to 1

    • Sets kernel.kptr_restrict to 2

    • Sets kernel.sysrq to 0

  • Secures /tmp and /var/tmp

  • Secures Shared Memory

  • Installs and configures fail2ban

  • Uninstalls multipath

  • Disables snapd

  • Installs the following packages:

    • nfs-common

    • ecryptfs-utils

    • cryptsetup
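The kernel parameters in the list above can be verified on a running instance. The following is an added example (not part of the NAKIVO product or its documentation) that audits a sysctl.conf file against the values stated explicitly in that list and reports any drift. It assumes the /etc/sysctl.conf file layout and checks only the keys whose values the list gives; the IPv4/IPv6 network settings are not enumerated on this page, so they are left out.

```shell
# Added example, not NAKIVO's own tooling: audit a sysctl.conf against the
# kernel parameters the hardened AMI is documented to set. Only the keys whose
# values the list above states explicitly are checked; the IPv4/IPv6 network
# settings are not enumerated on the page, so they are not included here.
EXPECTED='vm.swappiness=15
kernel.unprivileged_bpf_disabled=1
kernel.core_pattern=/tmp/%e.%p.core
kernel.core_uses_pid=1
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.sysrq=0'

# check_sysctl_conf FILE
# Prints one line per parameter that is missing or differs from the baseline and
# returns the number of such parameters (0 means the file matches the baseline).
check_sysctl_conf() {
  file=$1
  mismatches=0
  for entry in $EXPECTED; do
    key=${entry%%=*}
    want=${entry#*=}
    # Take the last assignment of the key, as sysctl does when a key repeats;
    # tolerate spaces around '=' and ignore trailing whitespace.
    actual=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
      | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ "$actual" != "$want" ]; then
      printf '%s expected=%s actual=%s\n' "$key" "$want" "${actual:-<unset>}"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# write_sample_conf FILE: constructed sample input (not taken from a real instance)
# with one drifted value (kernel.sysrq) and one missing key (kernel.kptr_restrict).
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sysctl.conf sample
vm.swappiness = 15
kernel.unprivileged_bpf_disabled=1
kernel.core_pattern = /tmp/%e.%p.core
kernel.core_uses_pid=1
kernel.dmesg_restrict = 0
kernel.dmesg_restrict = 1
kernel.sysrq = 1
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_sysctl_conf "$sample" || echo "$? parameter(s) drift from the hardened baseline"
rm -f "$sample"
```

On a hardened instance, run check_sysctl_conf against /etc/sysctl.conf (and any drop-in under /etc/sysctl.d/ you use) and treat a non-zero return as a finding to investigate.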


Notes

  • After fail2ban is installed on the hardened AMI, the client IP address may be banned for 10 minutes after failed login attempts.

  • Any additional packages installed manually on the system may compromise the security of the hardened system.

  • It is possible to ping a hardened AMI.