First, follow the instructions in this post to build a firewall and reverse-proxy host for symfony.

In AWS EC2, launch the Ubuntu 16.04 LTS percona instance.

Attach one interface, eth0, to the percona instance (it lives in the DMZ subnet only; it gets no public address).

Subnet Interface Address
DMZ eth0 10.20.1.12

The percona instance will use 10.20.1.1 for its default gateway.

From the firewall instance, you should be able to log in to the percona instance with your SSH key. Since 10.20.1.12 is a private DMZ address, the firewall host is the only path to it; administration goes through that hop.

# From the firewall host: key-based login as the stock "ubuntu" user on the
# percona host's DMZ address (10.20.1.12).
ssh -i key.pem -l ubuntu 10.20.1.12

Modify the following files

vi /etc/dhcp/dhclient.conf   (isc-dhcp-client on Ubuntu 16.04 reads /etc/dhcp/dhclient.conf; a file created at /etc/dhclient.conf is not read)
------------------------------ cut here ------------------------------
# "supersede" makes dhclient use these values instead of whatever the EC2
# DHCP lease offers, so the host keeps the name and domain chosen here and
# the default route stays on the gateway given above (10.20.1.1).
supersede host-name "percona-host.domain";
supersede domain-name "domain";
supersede routers 10.20.1.1;
------------------------------ cut here ------------------------------

vi /etc/hostname
------------------------------ cut here ------------------------------
percona-host
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
# Static names for the three DMZ hosts so they resolve without DNS.
# NOTE(review): these are added alongside, not in place of, the stock
# 127.0.0.1 localhost / ::1 entries -- confirm those are still present.
10.20.1.10   firewall-host.domain firewall-host
10.20.1.11   symfony-host.domain symfony-host
10.20.1.12   percona-host.domain percona-host
------------------------------ cut here ------------------------------

vi /etc/sysctl.conf
------------------------------ cut here ------------------------------
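# Never write core dumps of setuid binaries (they can expose memory of a
# privileged process). Also applied at run time further down.
fs.suid_dumpable = 0
# Full ASLR: stack, mmap base and heap are all randomised.
kernel.randomize_va_space = 2

# This host has a single interface and routes nothing: do not forward, and
# do not let ICMP redirects or source-routed packets steer its traffic.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Prefer keeping mysqld's pages in RAM over swapping them out, and hold on
# to dentry/inode caches a little longer than the default.
vm.swappiness = 10
vm.vfs_cache_pressure = 50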
------------------------------ cut here ------------------------------

Add a 1 GB swap file. Pages swapped out of mysqld can contain table data and credentials and land on disk unencrypted; vm.swappiness=10 above makes that rarer but does not prevent it, and the file must stay root-only (mode 600).

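# 1 GB swap file. chmod 600 before mkswap/swapon so no other user can read
# memory that gets paged out. The steps are chained: if fallocate or mkswap
# fails, swapon must not be attempted on whatever is (or is not) there.
fallocate -l 1G /swapfile \
  && chmod 600 /swapfile \
  && mkswap /swapfile \
  && swapon /swapfile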

vi /etc/fstab
------------------------------ cut here ------------------------------
# Swap file created above (mode 600, so paged-out memory stays root-only).
/swapfile none swap sw 0 0
------------------------------ cut here ------------------------------

Install some utilities

# rpl performs the in-place string edits used throughout this page;
# xtail follows every log file in a directory at once.
apt-get install rpl xtail

Update Ubuntu

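# Refresh the index first; otherwise dist-upgrade runs against whatever
# package lists the image shipped with.
apt-get update && apt-get dist-upgrade

# Let unattended-upgrades also purge dependencies that upgrades orphan.
# This only has an effect if unattended-upgrades itself is switched on:
# check that /etc/apt/apt.conf.d/20auto-upgrades carries
# APT::Periodic::Unattended-Upgrade "1";
rpl '//Unattended-Upgrade::Remove-Unused-Dependencies "false";' 'Unattended-Upgrade::Remove-Unused-Dependencies "true";' /etc/apt/apt.conf.d/50unattended-upgrades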

Enable NTP

# ntpd, used as a client only: the restrict lines in ntp.conf below refuse
# queries and modifications from anyone but the configured pool servers.
apt-get install ntp

vi /etc/ntp.conf
------------------------------ cut here ------------------------------
# ntpd client configuration. The host only consumes time; it must never be
# usable as a reflector for NTP amplification, hence the restrict lines.
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Upstream sources. "pool" lets ntpd resolve and rotate through the pool
# members; iburst speeds up the initial sync.
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
pool ntp.ubuntu.com
# Default for everyone else: answer with a kiss-of-death packet only, refuse
# ntpq/ntpdc queries (noquery -- this is what closes the monlist/amplification
# vector), configuration changes (nomodify), trap messages (notrap) and
# peering (nopeer); "limited" rate-limits what is left.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local tools (ntpq -p) are unrestricted on loopback.
restrict 127.0.0.1
restrict ::1
# The pool servers we sync from: accept their time, nothing else.
restrict source notrap nomodify noquery
------------------------------ cut here ------------------------------

# Pick up the new ntp.conf (the service wrapper hands this to systemd anyway).
systemctl restart ntp

Install Percona Server 5.7 (client and server) from Percona's apt repository.

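# percona-release installs Percona's apt repository and its signing key --
# i.e. this .deb is the trust root for every Percona package that follows.
# HTTPS protects the download in transit but dpkg -i installs whatever
# arrived: verify the file against the checksum/signature Percona publishes
# before running it on a production host.
codename=$(lsb_release -sc)
deb="percona-release_0.1-4.${codename}_all.deb"
wget "https://repo.percona.com/apt/${deb}" && dpkg -i "${deb}"

apt-get update

# Client and server in one transaction.
apt-get install percona-server-client-5.7 percona-server-server-5.7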

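# Make mysqld listen on the DMZ address (10.20.1.12) instead of loopback.
# Binding the interface address rather than 0.0.0.0 keeps TCP off loopback;
# local tools (mysql, mysqladmin, phpMyAdmin via "localhost") use the unix
# socket and are unaffected. Port 3306 is now reachable from the whole DMZ
# subnet, so the firewall / security group must restrict it to symfony-host
# (10.20.1.11), and MySQL grants should be scoped to that host as well.
# rpl rewrites every "127.0.0.1" in the file; check the result.
rpl 127.0.0.1 10.20.1.12 /etc/mysql/percona-server.conf.d/mysqld.cnf
grep -n 'bind-address' /etc/mysql/percona-server.conf.d/mysqld.cnf

# Sets the root password, removes anonymous users and the test database and
# disallows remote root login -- answer "yes" to each prompt.
mysql_secure_installation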

vi /etc/mysql/percona-server.conf.d/mysqld.cnf
------------------------------ cut here ------------------------------
# Relaxed SQL mode for the application: dropping STRICT_TRANS_TABLES turns
# truncation/out-of-range errors into warnings (bad input is stored rather
# than rejected) and ALLOW_INVALID_DATES accepts dates such as 2017-02-31.
# NOTE(review): this is an application-compatibility choice, not a
# hardening one -- confirm the Symfony application actually needs it.
#sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
sql_mode=NO_ENGINE_SUBSTITUTION,ALLOW_INVALID_DATES
------------------------------ cut here ------------------------------

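systemctl restart mysql

# Create the application database. Prompts for the root password set by
# mysql_secure_installation.
mysqladmin -p create symfony_database

# Give the web tier its own account instead of letting it connect as root:
# limited to symfony-host (10.20.1.11) and to symfony_database only. User
# name and password are placeholders -- choose a real password and keep it
# out of the command line (shell history, ps), which is why the statements
# go in on stdin.
mysql -p <<'EOF'
CREATE USER 'symfony'@'10.20.1.11' IDENTIFIED BY 'CHANGE_ME';
GRANT ALL PRIVILEGES ON symfony_database.* TO 'symfony'@'10.20.1.11';
FLUSH PRIVILEGES;
EOF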

Install PHP 7.0, phpMyAdmin and Apache (Apache is moved to port 8080 below)

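# add-apt-repository ships in software-properties-common on 16.04
# (python-software-properties is the older name).
apt-get install software-properties-common

# ondrej/php and nijel/phpmyadmin are third-party PPAs: from here on these
# packages are signed by the PPA owners' keys, not Ubuntu's. Accept that
# trust deliberately, and pin versions if this host is rebuilt unattended.
add-apt-repository ppa:ondrej/php
apt-get update
# mbstring and mcrypt are installed explicitly so that phpenmod below has
# module .ini files to enable.
apt-get install php7.0 php7.0-cli php7.0-curl php7.0-cgi php7.0-zip \
                php7.0-mbstring php7.0-mcrypt

# short_open_tag=On is legacy compatibility for "<?" without "php"; it is
# not a hardening setting. The glob touches php.ini for every SAPI
# (apache2, cli, cgi), and rpl rewrites the file in place.
rpl 'short_open_tag = Off' 'short_open_tag = On' /etc/php/7.0/*/php.ini

phpenmod mcrypt
phpenmod mbstring

apt-get install unzip

add-apt-repository ppa:nijel/phpmyadmin
apt-get update
apt-get install phpmyadmin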

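add-apt-repository ppa:ondrej/apache2
apt-get update
apt-get install apache2

# Move Apache to 8080 (80/443 belong to the reverse proxy on the firewall
# host). Neither rpl edit is idempotent -- a second run turns 8080 into
# 808080 -- so run them exactly once.
rpl 'Listen 80' 'Listen 8080' /etc/apache2/ports.conf
rpl 'VirtualHost *:80' 'VirtualHost *:8080' /etc/apache2/sites-available/000-default.conf

# phpMyAdmin is a privileged admin UI sitting on the database host. Enable
# it, but only for the firewall/reverse-proxy address (10.20.1.10 per
# /etc/hosts); as shipped it answers to anything that can reach port 8080.
# The /phpmyadmin path follows the package's Alias; adjust the address if
# administrators reach the UI some other way.
a2enconf phpmyadmin
cat > /etc/apache2/conf-available/phpmyadmin-acl.conf <<'EOF'
<Location /phpmyadmin>
    Require ip 10.20.1.10
</Location>
EOF
a2enconf phpmyadmin-acl

# Both of these files are package-owned and are put back on upgrade: the
# first only affects "apache2ctl status", the second the ufw Apache profile
# (and the "=80" edit is not idempotent either).
rpl localhost:80/ localhost:8080/ /usr/sbin/apache2ctl
rpl =80 =8080 /etc/ufw/applications.d/apache2-utils.ufw.profile

# mod_php plus the extensions phpMyAdmin needs.
apt-get install libapache2-mod-php7.0 php7.0-mysql php7.0-curl php7.0-json

# Stop advertising the Apache/OS version in headers and error pages. Edit
# the file in conf-available, not the conf-enabled symlink, since rpl
# replaces the file it writes.
rpl 'ServerTokens OS' 'ServerTokens Prod' /etc/apache2/conf-available/security.conf
rpl 'ServerSignature On' 'ServerSignature Off' /etc/apache2/conf-available/security.conf

# Syntax-check the edited configuration before restarting.
apache2ctl configtest && systemctl restart apache2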

Install postfix

# The installer's debconf dialog asks for a configuration type. A database
# host only needs to send mail out, so choose "Satellite system" (relay
# through a smarthost) or "Local only"; "Internet Site" would make postfix
# accept inbound SMTP on the DMZ interface.
apt-get install postfix

service postfix restart

Harden sshd. Note that sshd uses the first value it finds for each keyword, so these settings must go above (or replace) the stock lines in the Ubuntu default file rather than be appended after them.

vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
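# sshd takes the FIRST value it sees for a keyword: place these above the
# stock directives (e.g. "PermitRootLogin prohibit-password" in the Ubuntu
# default file) or remove those, otherwise the stock values win.

# Key-only access. The host is reached with the EC2 key pair from the
# firewall, so password and keyboard-interactive logins are disabled outright.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# Slow down brute force and refuse rhosts-style trust.
LoginGraceTime 30
MaxAuthTries 3
IgnoreRhosts yes

# Drop unresponsive sessions: 900 s between keepalives, two misses allowed,
# so a dead client is disconnected after roughly 30 minutes.
ClientAliveInterval 900
ClientAliveCountMax 2

# A database host has no use for X11 forwarding.
X11Forwarding no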
------------------------------ cut here ------------------------------

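# Validate the edited config before restarting: a syntax error would leave
# sshd down and the host unreachable from the firewall.
sshd -t && service sshd restart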

Optionally install Wazuh agent (if you have a Wazuh manager)

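apt-get install curl apt-transport-https lsb-release

# The repository key is the trust root for every Wazuh package installed
# below. Fetch it to a file, check its fingerprint against the one Wazuh
# publishes, and only then hand it to apt-key (never pipe straight in).
keyfile=$(mktemp)
curl -sS -o "${keyfile}" https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpg --with-fingerprint "${keyfile}"   # compare with the published fingerprint
apt-key add "${keyfile}"
rm -f -- "${keyfile}"

codename=$(lsb_release -cs)
echo "deb https://packages.wazuh.com/apt ${codename} main" \
  | tee /etc/apt/sources.list.d/wazuh.list

apt-get update

apt-get install wazuh-agent

# Enrol with the manager. The address is a placeholder; one variable feeds
# both commands so they cannot drift apart. Without a registration password
# (-P) or manager-side certificate verification, anything that can reach the
# manager's enrolment port can register as an agent -- enable one of those
# on the manager side.
manager_ip=wazuh_manager_ip_address
/var/ossec/bin/agent-auth -m "${manager_ip}"
rpl MANAGER_IP "${manager_ip}" /var/ossec/etc/ossec.conf

# Needed by the open-scap wodle enabled in ossec.conf below.
apt-get install libopenscap8 xsltproc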

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
  <wodle name="open-scap">
    <disabled>no</disabled>
------------------------------ cut here ------------------------------

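# Apply /etc/sysctl.conf now rather than waiting for a reboot.
# fs.suid_dumpable and kernel.randomize_va_space were put in that file
# earlier; -p loads the whole file instead of repeating keys here.
sysctl -p

# cloud-init.log records instance boot and user-data processing; keep it
# away from unprivileged users.
chmod 640 /var/log/cloud-init.log

# auditd installs with an empty rule set and records nothing useful until
# rules are added under /etc/audit/rules.d.
apt-get install auditd

# apport (crash reporter) would otherwise collect crash reports, including
# mysqld's; disabling it complements fs.suid_dumpable=0. Takes effect on the
# next boot.
systemctl disable apport.service

service wazuh-agent restart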