Malware scanning needed?

Would you guys recommend scanning a Grav site for malware on a regular basis? If so, is there a service you’d recommend? I’m thinking something like Sucuri

What operating system is your Grav site hosted on?

Ideas for Linux

When I worked as a Linux administrator, we utilized MalDet and ClamAV as general options, a proprietary software developed by the company, and custom command line tools/scripts/commands. Most of our custom stuff looked for simple things but usually was directed towards a PHP compromise.

MalDet utilizes Clam but more efficiently. They are open source tools.

Due to the way a POST request works and with malicious users trying to deliver their payload in a single request (and then propagating it afterwards with subsequent POST/GET requests), a common procedure we used was to measure the first line’s or first (or last) several lines’ number of characters for something in excess of a specified value.

To give a general idea of another option, the proprietary software was a maintained database of signatures that also ran checks on md5sums of WordPress files. It likely wouldn’t be too hard to make a simple Bash script which checked md5sums of Grav files and listed “suspected” files which differed.

On a more proactive side, you might consider something like ModSecurity for your webserver. It has recently received Nginx support but has been available for Apache. The default OWASP rules do cause issues for Grav and would need some of their rules whitelisted or would need to be given exceptions. ModSec stops a malicious looking request from completing on a server given the rules it is supplied. (I’m working on converting Apache rules to Nginx but haven’t found the right way to do so yet.) You could then use a log watching utility, such as CSF/LFD, to create automatic iptables blocks for IP addresses which make foul requests.
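As an added example (not code from thwright's post or from the Grav project), here is a Bash version of the two checks described above: a checksum manifest built from a known-clean copy of the same Grav version and compared against the live tree, plus the "suspiciously long first or last line" heuristic. The directory paths, the manifest file and the length threshold are assumptions; sha256sum is used in place of md5sum.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: integrity check for a Grav tree
# (baseline taken from a known-clean copy of the same version, an assumption)
# plus the long first/last-line heuristic. Paths with spaces are not handled.

# Write "hash  ./path" for every PHP file under <dir> into <manifest>.
# sha256sum replaces the md5sum mentioned above (md5 collisions are cheap).
make_baseline() {   # usage: make_baseline <dir> <manifest>
    (cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort | xargs sha256sum) > "$2"
}

# Compare the live tree against the manifest, one finding per line:
#   MODIFIED ./p  hash differs     MISSING ./p  gone from disk
#   NEW ./p       not in baseline (dropped files land here)
check_integrity() {   # usage: check_integrity <dir> <manifest>
    local tmp
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    awk 'NR==FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
           for (p in base) if (!(p in cur)) print "MISSING " p
           for (p in cur) {
             if (!(p in base)) print "NEW " p
             else if (cur[p] != base[p]) print "MODIFIED " p
           }
         }' "$2" "$tmp" | sort
    rm -f "$tmp"
}

# Flag PHP files whose first or last line exceeds <max> bytes: the
# "payload delivered in one request" heuristic from the post above.
find_long_lines() {   # usage: find_long_lines <dir> <max>
    local f first last
    find "$1" -type f -name '*.php' | while read -r f; do
        first=$(head -n 1 "$f" | wc -c | tr -d ' ')
        last=$(tail -n 1 "$f" | wc -c | tr -d ' ')
        if [ "$first" -gt "$2" ] || [ "$last" -gt "$2" ]; then
            echo "LONGLINE $f first=$first last=$last"
        fi
    done
}

# Typical use from cron (paths and threshold are assumptions):
# make_baseline /path/to/clean-grav /var/lib/grav-baseline.txt   (run once)
# check_integrity /var/www/grav /var/lib/grav-baseline.txt
# find_long_lines /var/www/grav 1000
```

Regenerate the baseline after every legitimate Grav or plugin update, or every upgraded file will show up as MODIFIED.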

Thanks for all the info thwright. I appreciate the detail but that sounds like something I won’t be able to get into at this point. I was looking for a pre-packaged solution, and more importantly if it’s a bad idea to not do anything about malware. Would a Grav site be a sitting duck without any additional protection?

A more frightening way to think about it would be anything the internet can see is vulnerable. Grav may have some benefits by being flat file in nature, but there is still the security of the web server and PHP to be considered (and FTP, SSH, cPanel/Plesk/another control panel, another website on the server, etc.).

A sitting duck? Possibly; it isn’t as popular as say, WordPress, meaning the majority of compromises being tested may not be an issue, but that doesn’t make it immune. I saw compromises on WordPress, Magento, Drupal, Joomla, etc. All of them were targeted. I wouldn’t try and use Grav to simply bypass those, for instance.

Sucuri and CloudFlare are nice because someone else does the work for you (just like a proactive/reactive server IT guy) and they have powerful features (ex. anti-DDoS), but you do give that control to those companies. An issue with them for instance is that due to the way they proxy requests, a server’s firewall may not function properly as the port 80/443 requests would bypass the firewall by “piggybacking” on the proxied IP. There are some ways around this, but it isn’t a straightforward thing. You have to basically post-process a request to both the service and the firewall. You have to maintain your iptables and .htaccess rules, for instance, as large numbers of options can slow down performance. (That’s why a pure iptables solution isn’t good for blocking DDoS attacks featuring in excess of 1000 IPs.)

I can’t say I have one to recommend as the clear winner. Industry standard response is to use what fits your project/budget/needs best. I use CloudFlare because of its DNS and free option, but granted, I have never tried Sucuri, I’ve only worked with it when someone came to an issue who had been utilizing it.

Perhaps a better question would be: what features do you need for your site/server security that you don’t currently have and/or are concerned about? We could go over numerous security options for a pile of different issues, but some can be overkill.

I see, thanks for the explanation. My needs are pretty basic at this point. The sites I’m building are small and simple. I was only asking because I was using a Privacy Policy generator and one of the questions was about running malware scans. That had never occurred to me.

I’ll check out CloudFlare, sounds like that might be a good option for me. Thanks again.

No problem!

If all you’re looking for is bumping things up a notch in terms of security without the extra requirements necessary for administration, I think Cloudflare would be a good bit of oomph to add.