Graham Cluley gives some advice on the Sophos blog on how to secure your website. Unfortunately he can't resist touting the companies
horn, rather than suggesting a much more effective solution for this scenario: whitelisting.
First of all, files on a webserver need to change very rarely. Executables almost never and it is useful to receive an email every time your HTML / PHP / ASP / etc files changed. A perfect fit for whitelisting, a non-starter for blacklisting.
Stepping away from the whitelisting aspect for a moment, on-access AV will be powerless with content which is not stored directly in the filesystem. This includes the recent wave of SQL injection attack, where the malicious data was in the database. Now we have several possible scenarios:
- AV is not installed on the DB server (because it isn't a webserver :-))
- The installed AV doesn't scan the files of the DB because of its size limitation or doesn't find the malicious code because of the large size of the file
- The installed AV does find the malware, blocks access to the database file, thereby killing the DB server or at least making each client fail.
Either way, it's not good.
Now getting back to the advices, the others are sound. One thing I missed is: apply the principle of least privilege to your network traffic!
- That SSH/RDP port you use to manage your system - it doesn't have to be open to the whole world. Even better, move it to a non-standard port and limit access by IP
- If the server only needs ports 80 and 443, only allow ports 80 and 443.
- The server most probably doesn't need to do any outbound traffic, so block it
Also, read and apply security best practices (this usually means changing the configuration) for the software you have on your server (searching for "[product name] security" is usually a good start).