Deploying Amazon Machine Image in Amazon EC2

You can deploy NAKIVO Backup & Replication as a pre-configured Amazon Machine Image (AMI) in Amazon EC2. After you complete the download form, you get a link to the AWS marketplace page where you can download the AMI.

Configuring AMI Parameters

Configure the following AMI parameters:

  1. Instance Type: More powerful instances can process tasks faster and run more tasks simultaneously. The minimum requirement for NAKIVO Backup & Replication is the t2.micro instance type; the t2.medium instance type is recommended.

  2. Instance Details: Assign a public IP to the instance if you wish to access the instance over the Internet.

    • Security Group: Use the "All Traffic" rule or create the set of rules listed below. A Source of 0.0.0.0/0 accepts connections from any address; narrow it to the address ranges that actually need access.

      Type         Port Range   Source      Description
      SSH          2221         0.0.0.0/0   Enables remote SSH access to the instance
      Custom TCP   80           0.0.0.0/0   Enables access to the web interface
      Custom TCP   443          0.0.0.0/0   Required for local Transporter import
      Custom TCP   902          0.0.0.0/0   Required for local Transporter import
      Custom TCP   4443         0.0.0.0/0   Enables access to the web interface
      Custom TCP   9446         0.0.0.0/0   Enables access to a remote Transporter
      Custom TCP   9448-10000   0.0.0.0/0   Enables access to a remote Transporter
      All ICMP     0-65535      0.0.0.0/0   Enables access to a remote Transporter

      Note
      Older AMIs may still use SSH port 22 instead of 2221.

  3. Key pair: Select an existing key pair or create a new key pair for your instance. If you select an existing key pair, make sure you have access to the private key file.

Note
The AMI deliverable uses Ubuntu 22.04 OS and a standalone EC2 instance with a Director and Transporter. Instead of the default system user ubuntu, the AMI uses the username nkvuser.

Refer to Getting Started to better understand how to continue working with NAKIVO Backup & Replication.

Security

The security of your backups can be significantly improved with Backup Immutability. For this feature to be available, the backups must be stored in the Amazon S3, Wasabi, Azure Blob Storage, Backblaze B2 Cloud Storage, or Local Folder types of Backup Repository deployed via AWS AMI on your EC2 instance.

To enable Backup Immutability for a Local folder type of Backup Repository deployed via an AMI, NAKIVO Backup & Replication does the following:

  • Creates a new user for all administrative needs and adds it to the sudo group

  • Disables root user

  • Changes default SSH port to 2221

  • Configures the following kernel parameters via sysctl.conf:

    • Limits network-transmitted configuration for IPv4/IPv6

    • Prevents the common 'syn flood attack'

    • Turns on source IP address verification

    • Prevents an attacker from spoofing the IP address of the server

    • Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

    • Configures swap. Sets vm.swappiness to 15

    • Sets kernel.unprivileged_bpf_disabled to 1

    • Sets kernel.core_pattern to /tmp/%e.%p.core

    • Sets kernel.core_uses_pid to 1

    • Sets kernel.dmesg_restrict to 1

    • Sets kernel.kptr_restrict to 2

    • Sets kernel.sysrq to 0

  • Secures /tmp and /var/tmp

  • Secures Shared Memory

  • Installs and configures fail2ban

  • Uninstalls multipath

  • Disables snapd

  • Installs the following packages:

    • nfs-common

    • ecryptfs-utils

    • cryptsetup
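The kernel parameters listed above can be verified on a running instance. The following script is an added example, not NAKIVO's own tooling: it compares a `sysctl -a` dump against the values the page states explicitly (the descriptive items such as source verification and SYN-flood protection are not mapped to keys here, because the page does not name them). The sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the NAKIVO AMI): check a sysctl dump against the
# hardened values the page lists. EXPECTED doubles as the sysctl.conf fragment
# those settings correspond to (key=value, one per line).
EXPECTED='kernel.unprivileged_bpf_disabled=1
kernel.core_pattern=/tmp/%e.%p.core
kernel.core_uses_pid=1
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.sysrq=0
vm.swappiness=15'

# check_sysctl: reads "key = value" lines (the format of `sysctl -a`) on stdin,
# prints one MISMATCH line for every expected key that is missing or differs,
# and returns 0 only when all expected keys match.
check_sysctl() {
    dump=$(sed 's/[[:space:]]*=[[:space:]]*/=/')   # normalise "k = v" to "k=v"
    rc=0
    old_ifs=$IFS
    IFS='
'
    for pair in $EXPECTED; do
        IFS=$old_ifs
        key=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$dump" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: expected %s, found %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: stock-looking values on an unhardened host (only
# kernel.dmesg_restrict already matches; kernel.core_uses_pid is absent).
STOCK_DUMP='kernel.unprivileged_bpf_disabled = 0
kernel.core_pattern = core
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.sysrq = 176
vm.swappiness = 60
net.ipv4.ip_forward = 0'
```

On a live instance, run `sysctl -a 2>/dev/null | check_sysctl`; a non-zero exit means at least one listed parameter is not at its hardened value.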

Notes

  • After fail2ban is installed on the hardened AMI, repeated failed login attempts cause the user's IP to be banned for 10 minutes.

  • Any additional packages installed manually on the system may cause a security breach.

  • It is possible to ping a hardened AMI.