First, follow the instructions in this post to build a firewall and reverse-proxy host for symfony.
Next, follow the instructions in this post to build a MySQL database (Percona) host for symfony.
In AWS EC2, launch the Ubuntu 16.04 LTS symfony instance.
Attach one interface, eth0, to the symfony instance.
| Subnet | Interface | Address |
|---|---|---|
| DMZ | eth0 | 10.20.1.11 |
The symfony instance will use 10.20.1.1 for its default gateway.
From the firewall instance, you should be able to log in to the symfony instance using your SSH key.
# From the firewall host, reach the symfony instance on its DMZ address with the EC2 key pair.
ssh -i key.pem ubuntu@10.20.1.11
Modify the following files:
# Pin the DHCP-supplied hostname, domain and default gateway (10.20.1.1, see above).
# NOTE(review): on Ubuntu 16.04 the isc-dhcp-client config normally lives at /etc/dhcp/dhclient.conf — confirm the path before editing.
vi /etc/dhclient.conf
# ------------------------------ cut here ------------------------------
# supersede host-name "symfony-host.domain";
# supersede domain-name "domain";
# supersede routers 10.20.1.1;
# ------------------------------ cut here ------------------------------
vi /etc/hostname
# ------------------------------ cut here ------------------------------
# symfony-host
# ------------------------------ cut here ------------------------------
# Static name resolution for the three hosts of this setup (firewall, this host, the Percona host).
vi /etc/hosts
# ------------------------------ cut here ------------------------------
# 10.20.1.10 firewall-host.domain firewall-host
# 10.20.1.11 symfony-host.domain symfony-host
# 10.20.1.12 percona-host.domain percona-host
# ------------------------------ cut here ------------------------------
# Kernel hardening (no core dumps from setuid binaries, full ASLR) plus swap tuning.
# These entries apply at the next boot (or with sysctl -p); the Wazuh section below also sets the two
# hardening values immediately with sysctl -w.
vi /etc/sysctl.conf
# ------------------------------ cut here ------------------------------
# fs.suid_dumpable=0
# kernel.randomize_va_space = 2
# vm.swappiness=10
# vm.vfs_cache_pressure=50
# ------------------------------ cut here ------------------------------
Add a swap file
# Create a 1 GiB swap file, make it root-only before it is initialised, and enable it now.
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
# Keep the swap file across reboots.
vi /etc/fstab
# ------------------------------ cut here ------------------------------
# /swapfile none swap sw 0 0
# ------------------------------ cut here ------------------------------
Install some utilities
# rpl performs the in-place search/replace edits used throughout the rest of this guide.
apt-get install rpl
apt-get install xtail
Update Ubuntu
apt-get update
apt-get dist-upgrade
# Uncomment the Remove-Unused-Dependencies line and turn it on so unattended-upgrades
# also purges packages that are no longer needed.
rpl '//Unattended-Upgrade::Remove-Unused-Dependencies "false";' 'Unattended-Upgrade::Remove-Unused-Dependencies "true";' /etc/apt/apt.conf.d/50unattended-upgrades
Enable NTP
apt-get install ntp
# The restrict lines answer time requests only: remote hosts may not modify this server,
# peer with it, or run control/monitoring queries; localhost and the pool sources are exempted.
# NOTE(review): the pool servers are reached through the firewall host — confirm outbound UDP/123 from the DMZ is allowed.
vi /etc/ntp.conf
# ------------------------------ cut here ------------------------------
# driftfile /var/lib/ntp/ntp.drift
# statistics loopstats peerstats clockstats
# filegen loopstats file loopstats type day enable
# filegen peerstats file peerstats type day enable
# filegen clockstats file clockstats type day enable
# pool 0.ubuntu.pool.ntp.org iburst
# pool 1.ubuntu.pool.ntp.org iburst
# pool 2.ubuntu.pool.ntp.org iburst
# pool 3.ubuntu.pool.ntp.org iburst
# pool ntp.ubuntu.com
# restrict -4 default kod notrap nomodify nopeer noquery limited
# restrict -6 default kod notrap nomodify nopeer noquery limited
# restrict 127.0.0.1
# restrict ::1
# restrict source notrap nomodify noquery
# ------------------------------ cut here ------------------------------
service ntp restart
Install nginx and disable apache
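# nginx is the web server for this host; apache2 is disabled in case a later package pulls it in
# (a second listener on port 80 would conflict with nginx) — confirm whether that happens on this PPA.
systemctl disable apache2.service
apt-get install nginx

# The site file is a new file, so it is written in one go. The heredoc delimiter is quoted because
# nginx's $variables must not be expanded by the shell.
cat > /etc/nginx/sites-available/symfony <<'EOF'
log_format real_combined '$http_x_real_ip - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';

server {
    # Listen only on the DMZ address. Logging $http_x_real_ip as the client address is only
    # trustworthy because requests reach this listener through the reverse proxy that sets it.
    listen 10.20.1.11:80;
    root /var/www/symfony/html;
    server_name symfony symfony.domain;

    error_log /var/log/nginx/symfony-error.log;
    access_log /var/log/nginx/symfony-access.log real_combined;

    location / {
        try_files $uri /app.php$is_args$args;
    }

    # NOTE(review): app_dev.php and config.php are Symfony's development front controllers; Symfony's
    # own nginx example marks this block as development-only. On a production host remove this
    # location and do not deploy those two files.
    location ~ ^/(app_dev|config)\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm-symfony.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param HTTPS off;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm-symfony.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # HTTPS off tells PHP the request arrived in clear text. If the reverse proxy terminates TLS
        # and the app must generate https:// URLs, it needs the proxy's forwarded headers and a
        # trusted-proxies setting — TODO confirm against the proxy setup.
        fastcgi_param HTTPS off;
        # internal: this location serves only the try_files redirect above, never a direct client URL.
        internal;
    }
}
EOF
ln -s /etc/nginx/sites-available/symfony /etc/nginx/sites-enabled/symfony

# Application service account (uid/gid 2222, home /var/www/symfony). groupadd/useradd replace the
# hand edits of passwd, shadow, group and gshadow and create the account with a locked password;
# run `passwd symfony` only if an interactive login is really needed.
# NOTE(review): /bin/bash is kept from the original; /usr/sbin/nologin is preferable unless someone
# needs to su to this user.
groupadd -g 2222 symfony
useradd -u 2222 -g 2222 -c 'SYMFONY,,,' -d /var/www/symfony -M -s /bin/bash symfony

# parameters.yml lives under html/app/config, which the original mkdir of html alone did not
# create (vi could not save the file). Create the full path; adjust if the Symfony project is
# deployed into html first.
mkdir -p /var/www/symfony/html/app/config
# Database settings for the Percona host; "xxx" is the author's placeholder for the real password.
cat > /var/www/symfony/html/app/config/parameters.yml <<'EOF'
database_driver: pdo_mysql
database_host: 10.20.1.12
database_port: 3306
database_name: symfony_database
database_user: symfony_database_user
database_password: xxx
EOF
chown -R symfony:symfony /var/www/symfony
# The credentials file must not be world-readable; the php-fpm pool configured later runs as
# symfony, so owner read access is sufficient.
chmod 640 /var/www/symfony/html/app/config/parameters.yml
service nginx restart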
Install postfix
# Local MTA so the sendmail_path configured in php.ini below can hand off mail.
apt-get install postfix
service postfix restart
Install php 7.0
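add-apt-repository ppa:ondrej/php
apt-get update
# NOTE(review): check with `apt-get install -s php7.0` whether the php7.0 metapackage pulls in
# libapache2-mod-php7.0/apache2 on this PPA; installing php7.0-fpm first avoids a second web server on :80.
apt-get install php7.0
apt-get install php7.0-mysql
apt-get install php7.0-fpm

rpl 'short_open_tag = Off' 'short_open_tag = On' /etc/php/7.0/fpm/php.ini
# Session settings for every SAPI: sha512 session ids, 15-minute cookie and garbage-collection lifetimes.
rpl 'session.hash_function = 0' 'session.hash_function = "sha512"' /etc/php/7.0/*/php.ini
rpl 'session.cookie_lifetime = 0' 'session.cookie_lifetime = 900' /etc/php/7.0/*/php.ini
rpl 'session.gc_maxlifetime = 1440' 'session.gc_maxlifetime = 900' /etc/php/7.0/*/php.ini

# Dedicated pool for the application, cloned from the default pool and renamed; it gets its own
# socket, which is the one the nginx site file points at. The default [www] pool remains in place.
cp /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/symfony.conf
rpl '[www]' '[symfony]' /etc/php/7.0/fpm/pool.d/symfony.conf
rpl /run/php/php7.0-fpm.sock /run/php/php7.0-fpm-symfony.sock /etc/php/7.0/fpm/pool.d/symfony.conf
# NOTE(review): this takes exec and shell_exec out of the pool's disabled functions; keep them
# disabled unless the application demonstrably needs them.
rpl 'exec,passthru,shell_exec,system' 'passthru,system' /etc/php/7.0/fpm/pool.d/symfony.conf
# Run the pool as the application user; allow_url_fopen stays off (admin flag, not overridable by the app).
# NOTE(review): display_errors = on sends PHP errors (paths, stack traces) to clients; set it to off once the site is live.
vi /etc/php/7.0/fpm/pool.d/symfony.conf
# ------------------------------ cut here ------------------------------
# user = symfony
# group = symfony
# php_flag[display_errors] = on
# php_admin_flag[allow_url_fopen] = off
# ------------------------------ cut here ------------------------------
vi /etc/php/7.0/fpm/php.ini
# ------------------------------ cut here ------------------------------
# sendmail_path = "/usr/sbin/sendmail -t -i"
# ------------------------------ cut here ------------------------------

apt-get install php7.0-curl
apt-get install php7.0-common
apt-get install php7.0-gettext
apt-get install php7.0-opcache
apt-get install php7.0-memcached
apt-get install php7.0-iconv
apt-get install php7.0-intl
apt-get install php7.0-mbstring
apt-get install php7.0-zip
apt-get install php7.0-bcmath
apt-get install php7.0-gd
apt-get install memcached
apt-get install php7.0-cli
# Select the 7.0 binary through the alternatives system instead of rewriting the symlinks under
# /etc/alternatives by hand; the php.1.gz man-page link follows as its slave.
update-alternatives --set php /usr/bin/php7.0
service php7.0-fpm restart
service nginx restart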
Install redis
apt-get install redis-server
apt-get install php7.0-dev
apt-get install unzip
# The phpredis extension is built from the php7 branch archive of the upstream repository.
# NOTE(review): this is an unpinned, unverified download of a branch snapshot; pin a release
# tag and verify its checksum (or use the packaged extension if the PPA provides one) so the
# build is reproducible.
wget https://github.com/phpredis/phpredis/archive/php7.zip -O phpredis.zip
unzip -o phpredis.zip
cd phpredis-php7
phpize
./configure
make
make install
# Register the extension for the FPM SAPI only; console commands run under the CLI SAPI will not
# see it unless the ini is also linked into /etc/php/7.0/cli/conf.d.
touch /etc/php/7.0/mods-available/redis.ini
echo extension=redis.so > /etc/php/7.0/mods-available/redis.ini
ln -s /etc/php/7.0/mods-available/redis.ini /etc/php/7.0/fpm/conf.d/redis.ini
Adjust sshd
# sshd uses the first matching directive, so place these where no earlier line overrides them.
vi /etc/ssh/sshd_config
# ------------------------------ cut here ------------------------------
# ClientAliveInterval 900
# IgnoreRhosts yes
# LoginGraceTime 30
# MaxAuthTries 3
# PermitEmptyPasswords no
# PermitRootLogin no
# PubkeyAuthentication yes
# ------------------------------ cut here ------------------------------
# Notes: ClientAliveInterval only detects dead connections (with the default ClientAliveCountMax
# the session is dropped after three unanswered probes); it does not log out idle but responsive
# sessions. PasswordAuthentication is not set here — confirm it is already "no" on this image so
# that key-only login is actually enforced.
service sshd restart
Optionally install Wazuh agent (if you have a Wazuh manager)
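apt-get install curl apt-transport-https lsb-release
# Add the Wazuh apt repository and its signing key. -f makes curl fail on an HTTP error instead
# of piping an error page into apt-key; -S still reports that failure despite -s.
curl -fsS https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
CODENAME=$(lsb_release -cs)
echo "deb https://packages.wazuh.com/apt $CODENAME main" \
  | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
apt-get install wazuh-agent

# The manager address is needed twice; one variable avoids the mismatched placeholders of the
# original (wazuh_manager_ip_address vs wazuh_manager_ip_addres).
WAZUH_MANAGER_IP=wazuh_manager_ip_address   # placeholder: replace with your Wazuh manager's address
# Register this agent with the manager, then point the agent configuration at it.
/var/ossec/bin/agent-auth -m "$WAZUH_MANAGER_IP"
rpl MANAGER_IP "$WAZUH_MANAGER_IP" /var/ossec/etc/ossec.conf

# Enable the OpenSCAP wodle; these packages provide the scanner it runs.
apt-get install libopenscap8 xsltproc
vi /var/ossec/etc/ossec.conf
# ------------------------------ cut here ------------------------------
# <wodle name="open-scap">
# <disabled>no</disabled>
# ------------------------------ cut here ------------------------------

# Apply the hardening sysctl values now (they are also in /etc/sysctl.conf for the next boot),
# restrict read access to cloud-init's log, add auditd and turn off apport crash reporting.
sysctl -w fs.suid_dumpable=0
chmod 640 /var/log/cloud-init.log
apt-get install auditd
sysctl -w kernel.randomize_va_space=2
systemctl disable apport.service
service wazuh-agent restart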
Optionally install ClamAV and Linux Malware Detect (if you want to scan uploaded files)
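# Upload directory that maldet will watch; owned by the application user so the php-fpm pool can write to it.
mkdir /var/www/symfony/uploads
chown -R symfony:symfony /var/www/symfony/uploads
# inotify-tools provides inotifywait, which maldet's --monitor mode uses (see the status() check below).
apt-get install inotify-tools
apt-get install clamav
apt-get install clamav-daemon
service clamav-freshclam start
service clamav-daemon start

# Linux Malware Detect (maldet), installed from the upstream tarball.
# NOTE(review): the tarball is fetched over plain HTTP with no checksum or signature check; fetch it
# over HTTPS if the vendor offers it and verify the published checksum before running install.sh.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar zxf maldetect-current.tar.gz
# The archive extracts into a version-numbered directory; adjust this to the version you downloaded
# (1.6.2 is what maldetect-current was at the time of writing, as the output below shows).
maldet_version=1.6.2
cd "maldetect-${maldet_version}"
./install.sh
# Self-update check of maldet itself; expected output:
maldet -d
# ------------------------------ cut here ------------------------------
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <proj@rfxn.com>
#             (C) 2017, Ryan MacDonald <ryan@rfxn.com>
# This program may be freely redistributed under the terms of the GNU GPL v2
#
# maldet(2002): {update} checking for available updates...
# maldet(2002): {update} hashing install files and checking against server...
# maldet(2002): {update} latest version already installed.
# ------------------------------ cut here ------------------------------
# Signature update; expected output:
maldet -u
# ------------------------------ cut here ------------------------------
# Linux Malware Detect v1.6.2
#             (C) 2002-2017, R-fx Networks <proj@rfxn.com>
#             (C) 2017, Ryan MacDonald <ryan@rfxn.com>
# This program may be freely redistributed under the terms of the GNU GPL v2
#
# maldet(2221): {sigup} performing signature update check...
# maldet(2221): {sigup} local signature set is version 201708255569
# maldet(2221): {sigup} latest signature set already installed
# ------------------------------ cut here ------------------------------

# Drop the maldet_pub cron entry and quarantine hits automatically instead of only reporting them.
/bin/rm /etc/cron.d/maldet_pub
rpl 'quarantine_hits="0"' 'quarantine_hits="1"' /usr/local/maldetect/conf.maldet
# Paths the inotify monitor watches.
vi /usr/local/maldetect/monitor_paths
# ------------------------------ cut here ------------------------------
# /var/www/symfony/uploads
# ------------------------------ cut here ------------------------------

# Init script for the monitor. Written as a whole file (quoted heredoc: nothing inside is expanded).
# Changes from the original: the lock file is no longer deleted by an EXIT trap as soon as `start`
# returns (that made `condrestart`, which logrotate calls, a permanent no-op and left two unreachable
# lines after `return`); a failed start now releases the lock; a missing or unwritable lock
# directory is reported instead of silently doing nothing; the pid is taken from `pgrep -o -x`
# so only one pid lands in the pidfile.
cat > /etc/init.d/maldet <<'EOF'
#!/bin/bash
#
# maldet        Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet
# config: /usr/local/maldetect/conf.maldet
# pidfile: /var/run/maldet.pid
### BEGIN INIT INFO
# Provides:          maldet
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     3 4 5
# Default-Stop:      0 1 6
# Short-Description: Maldet inotify monitoring
# Description:       Maldet inotify monitoring
### END INIT INFO
# Author: Achim J. Latz <achim.latz+maldet@fortiko.com>

# Source function library (bash, hence the shebang).
# NOTE(review): daemon, killproc, success/failure, echo_success/echo_failure and __pids_var_run
# come from the Red Hat initscripts library. Ubuntu 16.04 does not ship /etc/init.d/functions
# (it has /lib/lsb/init-functions), so confirm this library is present before enabling the service.
. /etc/init.d/functions

NAME=maldet
DAEMON=/usr/local/maldetect/maldet
TARGET="/usr/local/maldetect/monitor_paths"
#TARGET="users"
DAEMON_ARGS="--monitor $TARGET"
PIDFILE=/var/run/maldet.pid
SCRIPTNAME=/etc/init.d/maldet
LOCKDIR=/var/lock/subsys
# The subsys lock marks the service as running: it is created by start, removed by stop and
# tested by condrestart.
LOCKFILE=${LOCKDIR}/maldet

# Start the monitor. Returns the daemon's exit status, or 1 if the lock is held or unusable.
start() {
  local pid retval
  if [ ! -d "${LOCKDIR}" ] || [ ! -w "${LOCKDIR}" ]; then
    echo "Lock directory ${LOCKDIR} is missing or not writable"
    echo_failure
    return 1
  fi
  # Remove a stale lock left behind by a monitor that is no longer running.
  __pids_var_run $NAME || rm -f "${LOCKFILE}"
  if ( set -o noclobber; echo "$$" > "${LOCKFILE}" ) 2> /dev/null; then
    echo -n "Starting $NAME: "
    daemon --pidfile $PIDFILE $DAEMON $DAEMON_ARGS
    retval=$?
    if [ $retval -eq 0 ]; then
      # daemon does not write the pidfile for us; record the oldest maldet process.
      pid=$(pgrep -o -x "$NAME")
      if [ -n "$pid" ]; then
        echo "$pid" > "$PIDFILE"
      fi
      echo_success
      echo
    else
      # Failed start: release the lock so the next attempt is not refused.
      rm -f "${LOCKFILE}"
      echo_failure
      echo
    fi
    return $retval
  else
    echo "Failed to acquire ${LOCKFILE}. Held by $(cat "${LOCKFILE}")"
    echo_failure
    return 1
  fi
}

# Stop the monitor: ask maldet to end monitoring, then make sure no maldet process survives.
stop() {
  local retval
  echo -n "Stopping $NAME: "
  if $DAEMON --kill-monitor; then
    success
    retval=0
  else
    failure
    retval=1
  fi
  # Give the monitor time to wind down before killproc forces the issue.
  sleep 20
  killproc -p $PIDFILE $NAME
  if [ $retval -ne 0 ]; then
    killall -q $NAME
  fi
  rm -f "${LOCKFILE}"
  echo
  return $retval
}

restart() {
  stop
  start
}

# Report whether the inotifywait process spawned by maldet is running.
status() {
  echo -n "Checking $NAME monitoring status: "
  if ps -A --user root -o cmd | grep maldetect | grep -q inotifywait; then
    echo "Running"
  else
    echo "Not running"
  fi
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart)
    restart
    ;;
  condrestart)
    # Restart only if the service is marked running (logrotate calls this after rotating the logs).
    if [ -f "$LOCKFILE" ]; then
      restart
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|condrestart}"
    exit 2
    ;;
esac
exit $?
EOF
chmod 755 /etc/init.d/maldet
# Register the SysV script; on 16.04 systemctl enable should be redundant for a SysV script but is harmless.
update-rc.d maldet defaults
systemctl enable maldet.service
systemctl start maldet.service

# Log rotation for maldet. condrestart re-opens the inotify log after rotation (only when the
# subsys lock marks the service as running).
# NOTE(review): in logrotate `size` takes precedence over `weekly`; use `minsize` if both
# conditions are intended.
cat > /etc/logrotate.d/maldet <<'EOF'
/usr/local/maldetect/logs/event_log /usr/local/maldetect/logs/clamscan_log {
    missingok
    weekly
    compress
    notifempty
    size 1M
    rotate 4
    create 0644 root root
}
/usr/local/maldetect/logs/inotify_log {
    missingok
    weekly
    compress
    create 0644 root root
    notifempty
    size 1M
    rotate 4
    postrotate
        /etc/init.d/maldet condrestart > /dev/null 2>/dev/null || true
    endscript
}
EOF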