First, follow the instructions in this post to build a firewall and reverse-proxy host for symfony.
In AWS EC2, launch the Ubuntu 16.04 LTS instance that will become the percona host. (Ubuntu 16.04 reached end of standard support in April 2021; on a current LTS the package names and versions used below will differ.)
Attach one interface, eth0, to the percona instance:
Subnet | Interface | Address |
---|---|---|
DMZ | eth0 | 10.20.1.12 |
The percona instance will use 10.20.1.1 for its default gateway.
From the firewall instance you should be able to log in to the percona instance with your SSH key. The percona host has only a private DMZ address, so the firewall host is the way in.
# Hop from the firewall host into the DMZ (the percona host has no public address).
ssh -i key.pem ubuntu@10.20.1.12
Modify the following files. Everything from here on touches system files and packages, so run it as root (or prefix each command with sudo):
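# Network identity: pin the hostname, domain and default gateway so a DHCP
# lease cannot override them.
# NOTE: on Ubuntu the isc-dhcp-client config is /etc/dhcp/dhclient.conf;
# a file at /etc/dhclient.conf is never read.
cat >> /etc/dhcp/dhclient.conf <<'EOF'
supersede host-name "percona-host.domain";
supersede domain-name "domain";
supersede routers 10.20.1.1;
EOF

# /etc/hostname holds just the short name.
printf 'percona-host\n' > /etc/hostname

# Static names for the three hosts in the DMZ.
cat >> /etc/hosts <<'EOF'
10.20.1.10 firewall-host.domain firewall-host
10.20.1.11 symfony-host.domain symfony-host
10.20.1.12 percona-host.domain percona-host
EOF

cat >> /etc/sysctl.conf <<'EOF'
# Hardening: no core dumps from setuid binaries, full ASLR.
fs.suid_dumpable=0
kernel.randomize_va_space = 2
# Keep page cache in preference to paging out to the swap file added below.
vm.swappiness=10
vm.vfs_cache_pressure=50
EOF
# Apply now; the file makes the settings persistent across reboots.
sysctl -p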
Add a swap file
# 1 GiB swap file. chmod 600 before use so swapped-out memory is not world-readable.
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

# Mount it again at boot.
cat >> /etc/fstab <<'EOF'
/swapfile none swap sw 0 0
EOF
Install some utilities
# rpl: literal in-place string replacement, used for config edits throughout.
# xtail: follow several log files at once.
apt-get install rpl xtail
Update Ubuntu
# Bring the image fully up to date.
apt-get update
apt-get dist-upgrade

# Let unattended-upgrades also autoremove dependencies that become unused,
# so stale libraries do not linger on the host.
sed -i 's|//Unattended-Upgrade::Remove-Unused-Dependencies "false";|Unattended-Upgrade::Remove-Unused-Dependencies "true";|' \
  /etc/apt/apt.conf.d/50unattended-upgrades
Enable NTP
# Reliable time matters for TLS, logs and the Wazuh agent. Installing the ntp
# package takes over from systemd-timesyncd (which steps aside when ntpd is present).
apt-get install ntp

cat > /etc/ntp.conf <<'EOF'
driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
pool ntp.ubuntu.com

# Default: answer time queries only; no modification, no peering,
# no control queries (noquery also blocks the monlist amplification vector).
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local administration is allowed.
restrict 127.0.0.1
restrict ::1
# Pool servers may be used as time sources but not control this daemon.
restrict source notrap nomodify noquery
EOF

service ntp restart
Install percona
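# Percona Server 5.7 from Percona's repository.
# The release package is fetched over TLS but not otherwise verified here;
# compare it against Percona's published checksum/signature before dpkg -i.
wget "https://repo.percona.com/apt/percona-release_0.1-4.$(lsb_release -sc)_all.deb"
dpkg -i "percona-release_0.1-4.$(lsb_release -sc)_all.deb"
apt-get update
apt-get install percona-server-client-5.7
apt-get install percona-server-server-5.7

# Listen on the DMZ address the symfony host connects to, not on 0.0.0.0
# (every interface, including any attached later). MySQL 5.7 accepts a single
# bind-address. Local clients (mysqladmin, phpMyAdmin) reach the server over
# the unix socket via "localhost"; if something needs loopback TCP, fall back
# to 0.0.0.0 and rely on the firewall. Either way 3306 must be limited to
# symfony-host in the security group / firewall rules.
rpl 127.0.0.1 10.20.1.12 /etc/mysql/percona-server.conf.d/mysqld.cnf

# Sets the root password, drops anonymous users and the test DB, and
# disallows remote root login.
mysql_secure_installation

cat >> /etc/mysql/percona-server.conf.d/mysqld.cnf <<'EOF'
# Server default, kept for reference:
#sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
# Relaxed for the application: drops STRICT_TRANS_TABLES and accepts
# dates with a zero day/month. This weakens integrity checks; keep the
# strict default unless the application really depends on the lenient mode.
sql_mode=NO_ENGINE_SUBSTITUTION,ALLOW_INVALID_DATES
EOF

systemctl restart mysql
mysqladmin -p create symfony_database
# The application should not use root: create a dedicated account with
# privileges on symfony_database only, granted from 10.20.1.11 (not '%').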
Install phpMyAdmin and apache
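# PHP 7.0 and Apache from Ondřej Surý's PPAs, phpMyAdmin from Michal Čihař's.
# These are third-party repositories: the trust chain is their signing keys,
# not Ubuntu's. Pin or mirror them if that is not acceptable.

# software-properties-common is the package that provides add-apt-repository.
apt-get install software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
# mbstring and mcrypt are installed explicitly so the phpenmod below has
# something to enable (mcrypt is deprecated in PHP 7.1 and gone in 7.2; it is
# only here for older phpMyAdmin releases).
apt-get install php7.0 php7.0-cli php7.0-curl php7.0-cgi php7.0-zip php7.0-mbstring php7.0-mcrypt

# Legacy "<?" tags -- only needed if the code base uses them.
rpl 'short_open_tag = Off' 'short_open_tag = On' /etc/php/7.0/*/php.ini
phpenmod mcrypt mbstring

apt-get install unzip
add-apt-repository ppa:nijel/phpmyadmin
apt-get update
apt-get install phpmyadmin

add-apt-repository ppa:ondrej/apache2
apt-get update
apt-get install apache2

# Apache sits behind the reverse proxy on the firewall host, so it serves on
# 8080 rather than 80.
rpl 'Listen 80' 'Listen 8080' /etc/apache2/ports.conf
rpl 'VirtualHost *:80' 'VirtualHost *:8080' /etc/apache2/sites-available/000-default.conf
a2enconf phpmyadmin

# phpMyAdmin is an admin console holding database credentials. Only the
# reverse proxy (firewall-host, 10.20.1.10) and local checks should reach it;
# put authentication and TLS in front of it at the proxy. Adjust the address
# if the proxy connects from somewhere else.
cat > /etc/apache2/conf-available/zz-phpmyadmin-access.conf <<'EOF'
<Directory /usr/share/phpmyadmin>
    Require ip 127.0.0.1 ::1 10.20.1.10
</Directory>
EOF
a2enconf zz-phpmyadmin-access

# apache2ctl status and the ufw profile both assume port 80.
rpl localhost:80/ localhost:8080/ /usr/sbin/apache2ctl
rpl =80 =8080 /etc/ufw/applications.d/apache2-utils.ufw.profile

apt-get install libapache2-mod-php7.0 php7.0-mysql php7.0-curl php7.0-json
systemctl restart apache2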
Install postfix
# Local mail transport for cron/system mail. The installer asks for a
# configuration type: choose "Local only" unless this host must receive mail,
# so postfix stays bound to loopback (check inet_interfaces in
# /etc/postfix/main.cf).
apt-get install postfix
service postfix restart
Adjust sshd
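# sshd honours the first occurrence of a directive, so appending to the file
# does not override Ubuntu's defaults (e.g. PermitRootLogin prohibit-password).
# set_sshd removes any existing line for the directive (commented or live)
# and re-adds it at the end. Assumes no Match block at the end of the file.
# Arguments: $1 directive name, $2 value.
set_sshd() {
  sed -i "/^#\?[[:space:]]*$1[[:space:]]/d" /etc/ssh/sshd_config
  printf '%s %s\n' "$1" "$2" >> /etc/ssh/sshd_config
}

# Idle sessions are dropped after 900s x ClientAliveCountMax (default 3).
set_sshd ClientAliveInterval 900
set_sshd IgnoreRhosts yes
set_sshd LoginGraceTime 30
set_sshd MaxAuthTries 3
set_sshd PermitEmptyPasswords no
set_sshd PermitRootLogin no
set_sshd PubkeyAuthentication yes
# Access is by key (see the ssh -i step), so disable password-based logins
# entirely; otherwise the ubuntu account remains brute-forceable. Confirm key
# login works before restarting.
set_sshd PasswordAuthentication no
set_sshd ChallengeResponseAuthentication no

# Refuse to restart on a broken config -- a bad sshd_config locks you out.
sshd -t && service ssh restart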
Optionally install the Wazuh agent (only if you have a Wazuh manager for it to enroll with)
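# Wazuh agent. Set the manager address once and reuse it below.
WAZUH_MANAGER=wazuh_manager_ip_address

apt-get install curl apt-transport-https lsb-release
# -f: a failed download (e.g. an HTML error page) must not be piped into apt-key.
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
CODENAME=$(lsb_release -cs)
echo "deb https://packages.wazuh.com/apt $CODENAME main" \
  | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install wazuh-agent

# Enroll with the manager. Without -P this registration is unauthenticated;
# if authd on the manager is configured with a password (recommended), add
# -P <password>.
/var/ossec/bin/agent-auth -m "$WAZUH_MANAGER"
# The agent config must point at the same manager it enrolled with.
rpl MANAGER_IP "$WAZUH_MANAGER" /var/ossec/etc/ossec.conf

# OpenSCAP-based configuration assessment.
apt-get install libopenscap8 xsltproc
vi /var/ossec/etc/ossec.conf
# In the existing <wodle name="open-scap"> block set:
#   <disabled>no</disabled>

# Remediations for common SCAP/CIS findings; worth applying even without
# Wazuh. sysctl -w takes effect immediately, the matching lines added to
# /etc/sysctl.conf earlier keep them across reboots.
sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
chmod 640 /var/log/cloud-init.log
apt-get install auditd
systemctl disable apport.service
service wazuh-agent restart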