Great question. This will probably be a controversial answer but I don’t use AV on my servers. Mostly because I follow very strict rules. So for example:
Root
I always disabled “root” SSH/FTP/MySQL user access in place of a “superuser”. Every machine in the world comes with a “root” user, so it’s one less thing for an attacker to guess. Once you remove “root” it makes brute forcing exponentially harder.
Firewall
I use strict firewall access. Despite making it more difficult for attackers to brute force there way into accounts, locking down the firewall makes it impossible for anyone to connect via SSH/MySQL to begin with in order to try. This means someone would physically have to be in a building that has an IP whitelisted in order to connect/brute force. So, let’s say you’ve whitelisted your home IP address then someone would be required to break into your home to plug their laptop in or sit outside your home and also brute force your WiFi to get on the network.
Permissions/Ownerships
All SSH/FTP/MySQL users have restricted accounts so they can’t wander places they aren’t allowed to go or make changes to Application code when they shouldn’t.
File integrity monitoring (FIM)
When I worked for a FTSE 100 company years ago, it wasn’t mandatory to use any sort of AV. However, it was mandatory to use “File integrity monitoring (FIM)”. It was a 3rd party service that monitored key areas of the web server. Whenever a file was Added/Edited/Removed you would get an Email Alert.
3rd Party Modules
In my opinion, the biggest vulnerability for a Magento 2 site are:
- Not updating software (see below)
- 3rd Party Modules.
As a non-coder, you don’t know that what you’re installing is vulnerable to an attack or a trojan horse. Therefore, you have to trust what you install. Personally, I only install modules that have been produced by Magento Partners. These developers tend to have to much to lose to be sloppy.
Optimisation
One of the biggest differences between your Home PC and a Web Server is optimisation. Web Servers are designed to run the minimum amount of software required so that it can use all of the system resources required to run the Web Application. Installing “Bloatware” is frowned upon because it simple eats into valuable resources. This is one of the reasons that most servers don’t have a GUI Interface. AVs tend to have a heavy footprint.
Updates
Essentially, if you’re keeping your LAMP stack and Web Applications up-to-date then you’re also deploying security updates for those applications. Magento has a programme where people try to break/hack the software all the time. Vulnerabilities are then reported back to Magento who put the apply the fixes in their updates. I guess you could look at it as an Open Source Pen Test.
Penetration Testing
The company that I work for right now, recent took steps towards Penetration Testing (Pen Testing). This uses a CREST-Approved agency to try and break into your business 1-4 times a year. They don’t use software, they use people with real-world skills to look for vulnerabilities in:
- Your Web Server
- Your Web Application
- Your Business Network (online and on-site)
- Social Engineering
At the end they produce a report on your vulnerabilities (they don’t fix anything). It’s not cheap but does tick some legal boxes somewhere along the line. I’d suspect you might be at least a 6-figure business before turning to this.
Final Thoughts
Would an AV help you sleep better at night? Maybe. Would it help support any areas you may have missed? Possibly. As I mentioned at the start, my opinion is probably controversial - But is best on the way I work. If you ask the same question on https://unix.stackexchange.com/ then you’ll probably 1/2 in agreement of me and the other 1/2 calling me an idiot
Note: I’ve not had my coffee yet, so I’ve probably missed something. I’ll come back if something else pops into my head.