Configuring a Newly Created Amazon Lightsail Instance That Runs Amazon Linux
Last updated: October 5, 2019
Amazon Lightsail offers a simple way to host Virtual Private Servers (VPS) for a low, predictable price. In a few mouse clicks, you can create a Lightsail instance with pre-installed software, for example the WordPress Content Management System (CMS), the Nginx web server or the Microsoft SQL Server Express database.
If you do not want to run images (blueprints) with pre-installed software, you can create instances with the OS only (Linux/Unix or Windows).
This blog post describes the OS-level configuration tasks that you may want to perform on a newly created Lightsail instance that runs the Amazon Machine Image (AMI) Amazon Linux 2018.03.0. Each configuration task is presented as a separate procedure (how-to). The procedures are also applicable to Amazon EC2 instances that run the Amazon Linux AMI. All commands below assume a root shell (for example, sudo -i after logging in as ec2-user).
How to Update RPM Packages
When you create a Lightsail instance running the Amazon Linux 2018.03.0 AMI, cloud-init initializes the instance and installs security updates of severity important and critical (excluding the kernel).
After the initialization of the instance has completed, you may want to update all packages, or install only the security updates including the kernel. To do so, follow these steps:
- Update RPM packages. To update all packages, execute the following command:
yum update -y
- To install only security updates (including the kernel), execute this command instead:
yum update -y --security
- Check if a system reboot is required. The needs-restarting command (from the yum-utils package) exits with status 1 when a reboot is required, and with status 0 otherwise, so it can also drive a script.
needs-restarting -r
- If a system reboot is required, reboot the instance.
reboot
How to Disable IPv6
Internet Protocol version 6 (IPv6) is enabled by default on the OS level on newly initialized Lightsail instances running the Amazon Linux 2018.03.0 AMI. At the time of the last update of this post, the Amazon Lightsail service itself had no IPv6 support. Thus, you may want to disable IPv6 support on the OS level as well by following the steps in this procedure. The changes that you make in this procedure are persistent across system reboots.
- Add the kernel parameters to /etc/sysctl.conf, so that they are applied again at every boot. Setting them only with sysctl -w would change the running kernel and be lost at the next reboot.
cp -p /etc/sysctl.conf /etc/sysctl.conf_bak
echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf
- Make the new kernel parameters active at runtime. sysctl -p reads /etc/sysctl.conf, which is why the parameters were written there first. Afterwards, ip -6 addr should list no IPv6 addresses on any interface.
sysctl -p
- Stop and disable the IPv6 packet filter.
service ip6tables stop
chkconfig ip6tables off
How to Enable SELinux
Security Enhanced Linux (SELinux) is disabled by default on Amazon Lightsail instances running the Amazon Linux 2018.03.0 AMI (you can check it using the sestatus command).
SELinux provides an additional layer of system security, so you may want to enable it by following these steps:
- Install the required RPM packages.
yum install -y policycoreutils selinux-policy-targeted policycoreutils-python
- In the GRUB configuration, activate SELinux in the kernel boot parameters. On Amazon Linux, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf, which is why --follow-symlinks is needed; --in-place=_bak keeps a copy of the original file. If you prefer to see what SELinux would block before it blocks anything, boot with enforcing=0 (permissive mode) instead, review the AVC denials in /var/log/audit/audit.log, and change the parameter to enforcing=1 once they are resolved. Also check that /etc/selinux/config, installed by selinux-policy-targeted, does not say SELINUX=disabled, because init consults that file when it loads the policy at boot.
sed --in-place=_bak --follow-symlinks 's/selinux=0/security=selinux selinux=1 enforcing=1/g' /etc/grub.conf
- Force the system to label the entire filesystem with SELinux contexts at the next boot.
touch /.autorelabel
- Reboot the instance.
reboot
- SELinux relabeling can take a long time, but in most cases the instance should be up again in no more than 5 minutes. After the reboot, sestatus should report that SELinux is enabled and in enforcing mode.
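Before switching to enforcing mode it pays to know what SELinux would block. The following shell snippet is an added example and not part of the original post: it summarizes AVC denials from audit log lines by source type, target type, object class and permission, which is the information you need to decide between toggling a boolean, relabeling a path or writing a local policy module. It assumes auditd is writing to /var/log/audit/audit.log; the embedded sample records are constructed for the demonstration and are not real log data.

```bash
#!/bin/bash
# Added example (not from the original post): summarize SELinux AVC denials.
# Reads audit log lines on stdin and prints "count source_type -> target_type
# tclass { permissions }", most frequent first. Denials are logged in
# permissive mode too, so this works for a dry run booted with enforcing=0.

summarize_avc_denials() {
    awk '
    /^type=AVC / && /denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # The permission set sits between braces: avc:  denied  { read } for ...
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") c = kv[2]
        }
        # Keep only the type component (user:role:type:level) of each context.
        split(s, sp, ":"); split(t, tp, ":")
        n[sp[3] " -> " tp[3] " " c " { " perm " }"]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Constructed sample audit records (not real log data): two httpd_t denials on
# files in a home directory and one sshd_t denial on a file under /var/log.
AVC_SAMPLE='type=AVC msg=audit(1570000000.101:201): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=xvda1 ino=40011 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1570000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1570000000.102:202): avc:  denied  { read } for  pid=2001 comm="httpd" name="style.css" dev=xvda1 ino=40012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1570000000.103:203): avc:  denied  { write } for  pid=1500 comm="sshd" name="secure" dev=xvda1 ino=50001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# On a real instance (as root): summarize_avc_denials < /var/log/audit/audit.log
# Run with the argument "demo" to summarize the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$AVC_SAMPLE" | summarize_avc_denials
fi
```

On the sample, the demo prints two lines: the httpd_t denial on user_home_t files counted twice, then the single sshd_t denial on var_log_t. A repeated httpd_t -> user_home_t line like this one usually means web content lives under a home directory and wants the httpd_enable_homedirs boolean or a relabel to httpd_sys_content_t, whereas a denial from sshd_t on its own log file points at a context that the relabel did not fix.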
How to Configure the IP Packet Filter
A Lightsail instance running the Amazon Linux 2018.03.0 AMI has by default the network ports TCP 22 (SSH) and TCP 80 (HTTP) open to the public. You can change these settings in the Amazon Lightsail console, in the Networking tab of your instance.
You may want to implement an additional layer of security by configuring Internet Protocol version 4 (IPv4) packet filter rules at the OS level, so that the instance enforces its own restrictions even if the Lightsail firewall is loosened later. At the time of the last update of this post, the Amazon Lightsail service had no Internet Protocol version 6 (IPv6) support, so you would not need to configure IPv6 packet filter rules.
For example, to allow SSH access to your Lightsail instance only from the peered Virtual Private Cloud (VPC) and your home IP, perform the following steps. Keep your current SSH session open while you do so, and verify from a second connection that you can still log in before you save the rules: each iptables command takes effect as soon as it returns, and a typo in HOME_IP locks you out of the instance.
- Add the IPv4 packet filter rules for SSH access (replace 1.2.3.4 with your actual address).
DEFAULT_VPC_CIDR='172.31.0.0/16'
HOME_IP='1.2.3.4'
iptables -A INPUT -i eth0 -p tcp -s $DEFAULT_VPC_CIDR,$HOME_IP/32 --dport 22 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -d $DEFAULT_VPC_CIDR,$HOME_IP/32 --sport 22 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j DROP
- On newly created Lightsail instances that run Amazon Linux the default policy for the built-in chains is ACCEPT. So, with these rules you only drop SSH traffic that does not originate from the peered VPC or your home IP, while all other traffic is still accepted. Rule order matters: the ACCEPT rule must precede the DROP rule in each chain, which the -A (append) commands above guarantee when they are run in this sequence.
- Save the configuration to /etc/sysconfig/iptables, from which the iptables service loads it at boot; make sure the service is enabled at boot (chkconfig --list iptables).
service iptables save
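Appending rules one at a time leaves a window in which the chain is half built, and a mistyped address is only noticed once the session is gone. The following shell snippet is an added example, not code from the original post: it renders the same SSH policy as an iptables-restore file, so that the whole filter table is parsed first and swapped in as one operation, and persists it where the iptables init script on Amazon Linux expects it. The interface name eth0, the default VPC CIDR and the home address are the placeholders used in the post; the function and file names are my own.

```bash
#!/bin/bash
# Added example (not from the original post): build the SSH allow-list policy
# as an iptables-restore ruleset instead of appending rules one by one.

# Accept a dotted-quad IPv4 address, optionally with a /0-/32 prefix length.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    local ip octet
    ip=${1%%/*}
    for octet in $(printf '%s' "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_ssh_ruleset SOURCE... : print a filter table that accepts TCP/22 only
# from the given sources (and replies only to them) and drops it otherwise.
# Built-in chain policies stay ACCEPT, as on a fresh Amazon Linux instance.
render_ssh_ruleset() {
    local src
    [ "$#" -ge 1 ] || { echo 'at least one trusted source is required' >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid IPv4 source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # ACCEPT rules come first; the DROP rule only sees what they did not match.
    for src in "$@"; do
        echo "-A INPUT -i eth0 -p tcp -s $src --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    echo '-A INPUT -i eth0 -p tcp --dport 22 -j DROP'
    for src in "$@"; do
        echo "-A OUTPUT -o eth0 -p tcp -d $src --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    echo '-A OUTPUT -o eth0 -p tcp --sport 22 -j DROP'
    echo 'COMMIT'
}

# apply_ssh_ruleset SOURCE... : load the ruleset atomically (root required).
# iptables-restore replaces the whole filter table at COMMIT; if the file does
# not parse, the running rules are left untouched and nothing is persisted.
apply_ssh_ruleset() {
    local tmp status
    tmp=$(mktemp) || return 1
    if ! render_ssh_ruleset "$@" > "$tmp" || ! iptables-restore < "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp "$tmp" /etc/sysconfig/iptables && chkconfig iptables on
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage (as root): sh ssh-allowlist.sh apply 172.31.0.0/16 1.2.3.4/32
if [ "${1:-}" = "apply" ]; then
    shift
    apply_ssh_ruleset "$@"
fi
```

Every source is validated before a single rule is emitted, and the rendered file is the same text that service iptables save would write, so you can diff it against /etc/sysconfig/iptables on a running instance. Keep the same precaution as with the manual steps: test from a second connection before you close the session you applied the rules from.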
How to Add Swap Space
Lightsail instances use SSD-based block storage. Many sources still advise against placing swap partitions or swap files on SSD drives, because the extra write traffic would shorten the lifespan of these drives.
If your Lightsail instance does not have enough system memory, you should upgrade your instance plan. You still may want to enable swap space on your Lightsail instance as a safety measure to prevent data loss in cases when your applications unpredictably consume all available memory: without swap, the kernel's OOM killer terminates a process outright. This procedure describes how to do it on a Linux-based Lightsail instance.
- Create a new swap file of 2048 MiB. The file will hold pages of process memory, possibly including secrets, so it must be readable by root only; restrict its permissions before it is ever used (swapon also warns about a swap file with insecure permissions).
dd if=/dev/zero of=/swapfile bs=1M count=2048
chmod 600 /swapfile
- Set up and enable swap space on the system.
mkswap /swapfile
swapon /swapfile
- Verify swap availability and usage.
swapon -s
- Make the swap space persistent across system reboots.
cp -p /etc/fstab /etc/fstab_bak
echo '/swapfile none swap defaults 0 0' >> /etc/fstab
How to Disable Unused System Services
You may want to stop and disable system services that you do not plan to use on your Lightsail instance running the Amazon Linux 2018.03.0 AMI. Every daemon you remove from the boot sequence is one listening socket and one privileged process less to patch; chkconfig --list shows which services start at boot.
- You may want to stop and disable the sendmail daemon. Note that without a local mail transfer agent, mail that cron sends to local users is not delivered.
service sendmail stop
chkconfig sendmail off
- You may want to stop and disable the system services related to the Network File System (NFS) and Remote Procedure Call (RPC). rpcbind listens on port 111 on all addresses, so it is a prime candidate if you do not use NFS.
service nfslock stop
chkconfig nfslock off
service rpcbind stop
chkconfig rpcbind off
How to Configure SSM Agent
AWS Systems Manager Agent (SSM Agent) is pre-installed, by default, on Amazon Linux AMIs dated 2017.09 and later. If you want to manage your Lightsail instance remotely using the Systems Manager service, you have to perform additional configuration steps. For further details, see Configuring SSM Agent on an Amazon Lightsail Instance.
How to Limit the Network Bandwidth
To avoid unpredictable charges that can happen if you exceed the monthly data transfer allowance, you may want to limit the outbound network bandwidth of your Linux-based Lightsail instance. For further details, see Limiting the Network Bandwidth of a Linux-Based Amazon Lightsail or EC2 Instance.