First, follow the instructions in this post to build a firewall and reverse-proxy host for symfony.

Next, follow the instructions in this post to build a MySQL database (Percona) host for symfony.

In AWS EC2, launch the Ubuntu 16.04 LTS symfony instance.

Attach 1 interface eth0 to the symfony instance.

Subnet Interface Address
DMZ eth0 10.20.1.11

The symfony instance will use 10.20.1.1 for its default gateway.

From the firewall instance, you should be able to login to the symfony instance using your ssh key.

ssh -i key.pem ubuntu@10.20.1.11

Modify the following files

vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "symfony-host.domain";
supersede domain-name "domain";
supersede routers 10.20.1.1;
------------------------------ cut here ------------------------------

vi /etc/hostname
------------------------------ cut here ------------------------------
symfony-host
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
10.20.1.10   firewall-host.domain firewall-host
10.20.1.11   symfony-host.domain symfony-host
10.20.1.12   percona-host.domain percona-host
------------------------------ cut here ------------------------------

vi /etc/sysctl.conf
------------------------------ cut here ------------------------------
fs.suid_dumpable=0
kernel.randomize_va_space = 2
vm.swappiness=10
vm.vfs_cache_pressure=50
------------------------------ cut here ------------------------------

Add swap file

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

vi /etc/fstab
------------------------------ cut here ------------------------------
/swapfile none swap sw 0 0
------------------------------ cut here ------------------------------

Install some utilities

apt-get install rpl
apt-get install xtail

Update Ubuntu

apt-get update
apt-get dist-upgrade

rpl '//Unattended-Upgrade::Remove-Unused-Dependencies "false";' 'Unattended-Upgrade::Remove-Unused-Dependencies "true";' /etc/apt/apt.conf.d/50unattended-upgrades

Enable NTP

apt-get install ntp

vi /etc/ntp.conf
------------------------------ cut here ------------------------------
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
pool ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
------------------------------ cut here ------------------------------

service ntp restart

Install nginx and disable apache

systemctl disable apache2.service

apt-get install nginx

vi /etc/nginx/sites-available/symfony
------------------------------ cut here ------------------------------
log_format real_combined '$http_x_real_ip - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

server {
    listen 10.20.1.11:80;
    root /var/www/symfony/html;
    server_name symfony symfony.domain;
    error_log /var/log/nginx/symfony-error.log;
    access_log /var/log/nginx/symfony-access.log real_combined;
    location / {
        try_files $uri /app.php$is_args$args;
    }
    location ~ ^/(app_dev|config)\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm-symfony.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param HTTPS off;
    }
    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm-symfony.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param HTTPS off;
        internal;
    }
}
------------------------------ cut here ------------------------------

ln -s /etc/nginx/sites-available/symfony /etc/nginx/sites-enabled/symfony

vipw
------------------------------ cut here ------------------------------
symfony:x:2222:2222:SYMFONY,,,:/var/www/symfony:/bin/bash
------------------------------ cut here ------------------------------

vipw -s
------------------------------ cut here ------------------------------
symfony:xxx:16664:0:99999:7:::
------------------------------ cut here ------------------------------

vi /etc/group
------------------------------ cut here ------------------------------
symfony:x:2222:
------------------------------ cut here ------------------------------

vi /etc/gshadow
------------------------------ cut here ------------------------------
symfony:!::
------------------------------ cut here ------------------------------

mkdir /var/www/symfony
mkdir /var/www/symfony/html

vi /var/www/symfony/html/app/config/parameters.yml
------------------------------ cut here ------------------------------
    database_driver: pdo_mysql
    database_host: 10.20.1.12
    database_port: 3306
    database_name: symfony_database
    database_user: symfony_database_user
    database_password: xxx
------------------------------ cut here ------------------------------

chown -R symfony:symfony /var/www/symfony

service nginx restart

Install postfix

apt-get install postfix

service postfix restart

Install php 7.0

add-apt-repository ppa:ondrej/php

apt-get update

apt-get install php7.0

apt-get install php7.0-mysql

apt-get install php7.0-fpm

rpl 'short_open_tag = Off' 'short_open_tag = On' /etc/php/7.0/fpm/php.ini
rpl 'session.hash_function = 0' 'session.hash_function = "sha512"' /etc/php/7.0/*/php.ini
rpl 'session.cookie_lifetime = 0' 'session.cookie_lifetime = 900' /etc/php/7.0/*/php.ini
rpl 'session.gc_maxlifetime = 1440' 'session.gc_maxlifetime = 900' /etc/php/7.0/*/php.ini

cp /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/symfony.conf

rpl '[www]' '[symfony]' /etc/php/7.0/fpm/pool.d/symfony.conf
rpl /run/php/php7.0-fpm.sock /run/php/php7.0-fpm-symfony.sock /etc/php/7.0/fpm/pool.d/symfony.conf
rpl 'exec,passthru,shell_exec,system' 'passthru,system' /etc/php/7.0/fpm/pool.d/symfony.conf

vi /etc/php/7.0/fpm/pool.d/symfony.conf
------------------------------ cut here ------------------------------
user = symfony
group = symfony
php_flag[display_errors] = on
php_admin_flag[allow_url_fopen] = off
------------------------------ cut here ------------------------------

vi /etc/php/7.0/fpm/php.ini
------------------------------ cut here ------------------------------
sendmail_path = "/usr/sbin/sendmail -t -i"
------------------------------ cut here ------------------------------

apt-get install php7.0-curl
apt-get install php7.0-common
apt-get install php7.0-gettext
apt-get install php7.0-opcache
apt-get install php7.0-memcached
apt-get install php7.0-iconv
apt-get install php7.0-intl
apt-get install php7.0-mbstring
apt-get install php7.0-zip
apt-get install php7.0-bcmath
apt-get install php7.0-gd

apt-get install memcached

apt-get install php7.0-cli

rm /etc/alternatives/php.1.gz
ln -s /usr/share/man/man1/php7.0.1.gz /etc/alternatives/php.1.gz

rm /etc/alternatives/php
ln -s /usr/bin/php7.0 /etc/alternatives/php

service php7.0-fpm restart
service nginx restart

Install redis

apt-get install redis-server

apt-get install php7.0-dev

apt-get install unzip

wget https://github.com/phpredis/phpredis/archive/php7.zip -O phpredis.zip
unzip -o phpredis.zip
cd phpredis-php7
phpize
./configure
make
make install

touch /etc/php/7.0/mods-available/redis.ini
echo extension=redis.so > /etc/php/7.0/mods-available/redis.ini

ln -s /etc/php/7.0/mods-available/redis.ini /etc/php/7.0/fpm/conf.d/redis.ini

Adjust sshd

vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------

service sshd restart

Optionally install Wazuh agent (if you have a Wazuh manager)

apt-get install curl apt-transport-https lsb-release
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

CODENAME=$(lsb_release -cs)
echo "deb https://packages.wazuh.com/apt $CODENAME main" \
| tee /etc/apt/sources.list.d/wazuh.list

apt-get update

apt-get install wazuh-agent

/var/ossec/bin/agent-auth -m wazuh_manager_ip_address

rpl MANAGER_IP wazuh_manager_ip_addres /var/ossec/etc/ossec.conf

apt-get install libopenscap8 xsltproc

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
  <wodle name="open-scap">
    <disabled>no</disabled>
------------------------------ cut here ------------------------------

sysctl -w fs.suid_dumpable=0

chmod 640 /var/log/cloud-init.log

apt-get install auditd

sysctl -w kernel.randomize_va_space=2

systemctl disable apport.service

service wazuh-agent restart

Optionally install ClamAV and Linux Malware Detect (if you want to scan uploaded files)

mkdir /var/www/symfony/uploads
chown -R symfony:symfony /var/www/symfony/uploads

apt-get install inotify-tools
apt-get install clamav
apt-get install clamav-daemon

service clamav-freshclam start
service clamav-daemon start

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar zxf maldetect-current.tar.gz
cd maldetect-1.6.2
./install.sh

maldet -d
------------------------------ cut here ------------------------------
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <proj@rfxn.com>
            (C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2002): {update} checking for available updates...
maldet(2002): {update} hashing install files and checking against server...
maldet(2002): {update} latest version already installed.
------------------------------ cut here ------------------------------

maldet -u
------------------------------ cut here ------------------------------
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <proj@rfxn.com>
            (C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2221): {sigup} performing signature update check...
maldet(2221): {sigup} local signature set is version 201708255569
maldet(2221): {sigup} latest signature set already installed
------------------------------ cut here ------------------------------

/bin/rm /etc/cron.d/maldet_pub

rpl 'quarantine_hits="0"' 'quarantine_hits="1"' /usr/local/maldetect/conf.maldet

vi /usr/local/maldetect/monitor_paths
------------------------------ cut here ------------------------------
/var/www/symfony/uploads
------------------------------ cut here ------------------------------

vi /etc/init.d/maldet
------------------------------ cut here ------------------------------
#!/bin/sh
#
# maldet    Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet
# config: /usr/local/maldetect/conf.maldet
# pidfile: /var/run/maldet.pid
### BEGIN INIT INFO
# Provides:          maldet
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     3 4 5
# Default-Stop:      0 1 6
# Short-Description: Maldet inotify monitoring
# Description:       Maldet inotify monitoring
### END INIT INFO

# Author: Achim J. Latz <achim.latz+maldet@fortiko.com>

# Source function library.
. /etc/init.d/functions

NAME=maldet
DAEMON=/usr/local/maldetect/maldet
TARGET="/usr/local/maldetect/monitor_paths"
#TARGET="users"
DAEMON_ARGS="--monitor $TARGET"
PIDFILE=/var/run/maldet.pid
SCRIPTNAME=/etc/init.d/maldet
LOCKDIR=/var/lock/subsys
LOCKFILE=${LOCKDIR}/maldet

start() {
  if [ -d "${LOCKDIR}" -a -w "${LOCKDIR}" ]
  then
    local pid
    __pids_var_run $NAME || rm -f "${LOCKFILE}"
    if ( set -o noclobber; echo "$$" > "${LOCKFILE}") 2> /dev/null; then
        trap 'rm -f "${LOCKFILE}"; exit $?' INT TERM EXIT

          echo -n $"Starting $NAME: "
          daemon --pidfile $PIDFILE $DAEMON $DAEMON_ARGS
          retval=$?
          if [ $retval -eq 0 ]; then

            pid=`pgrep $NAME`
            if [ -n "$pid" ]; then
                echo $pid > "$PIDFILE"
            fi

            echo_success
            echo
          else
            echo_failure
            echo
          fi
          return $retval

        rm -f "${LOCKFILE}"
        trap - INT TERM EXIT
    else
      echo "Failed to acquire ${LOCKFILE}. Held by $(cat ${LOCKFILE})"
      echo_failure
      return 1
    fi
  fi
}

stop() {
  echo -n $"Stopping $NAME: "
  $DAEMON --kill-monitor && success || failure
  retval=$?
  sleep 20
  killproc -p $PIDFILE $NAME
  if [ $retval -ne 0 ];
  then
    killall -q $NAME
  fi
  if [ -e "${LOCKFILE}" ]
  then
    rm -f "${LOCKFILE}"
  fi
  echo
  return $retval
}

restart() {
  stop
  start
}

status() {
        echo -n "Checking $NAME monitoring status: "
        if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
            echo "Running"
        else
            echo "Not running"
        fi
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart)
    restart
    ;;
  condrestart)
    if [ -f $LOCKFILE ]; then
        restart
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|condrestart}"
    exit 2
    ;;
esac

exit $?
------------------------------ cut here ------------------------------

chmod 755 /etc/init.d/maldet

update-rc.d maldet defaults

systemctl enable maldet.service
systemctl start maldet.service

vi /etc/logrotate.d/maldet
------------------------------ cut here ------------------------------
/usr/local/maldetect/logs/event_log
/usr/local/maldetect/logs/clamscan_log {
    missingok
    weekly
    compress
    notifempty
    size 1M
    rotate 4
    create 0644 root root
}
/usr/local/maldetect/logs/inotify_log {
    missingok
    weekly
    compress
    create 0644 root root
    notifempty
    size 1M
    rotate 4
    postrotate
        /etc/init.d/maldet condrestart > /dev/null 2>/dev/null || true
    endscript
}
------------------------------ cut here ------------------------------