tmow's questions

Recently (but it is also a recurrent question) we saw 3 interesting threads about hacking and security:

How do I deal with a compromised server?.
Finding how a hacked server was hacked
File permissions question

The last one isn't directly related, but it highlights how easy it is to mess up with a web server administration.

As there are several things, that can be done, before something bad happens, I'd like to have your suggestions in terms of good practices to limit backside effects of an attack and how to react in the sad case will happen.

It's not just a matter of securing the server and the code but also of auditing, logging and counter measures.

Do you have any good practices list or do you prefer to rely on software or on experts that continuously analyze your web server(s) (or nothing at all)?

If yes, can you share your list and your ideas/opinions?

UPDATE

I received several good and interesting feedback.

I'd like to have a simple list, so that can be handy for the IT Security administrators but also for the web factotum masters.

Even if everybody gave good and correct answers, at the moment I prefer the one of Robert as it's the most simple, clear and concise and the one of sysadmin1138 as it's the most complete and precise.

But nobody consider the user perspective and perception, I think it's the first that have to be considered.

What the user will think when will visit my hacked site, much more if you own sensible data about them. It's not just a matter of where to stock data, but how to calm angry users.

What about data, medias, authorities and competitors?

I'm using logconv.pl (provided by Sun), to measure performance on my server.

These two metrics results, are worrying me a bit:

Binds: 192164
Unbinds: 111569

In fact the difference between the two it's quite big, how can I determine which are the unbound requests?

As stated by Lodovic:

Many applications just close the connections without sending an Unbind request. This simply can explain the difference.

But the logconv.pl doesn't show details about the unbound requests, do you know any other tools or can you suggest some queries or whatever that can help me find out the root cause?

Do you think anyway that the performances may improve fixing the issue?

I'm new to AIX and I miss some tricks that work well on other *nix flavors.

I need a CTRL sequence in a ksh scripts, like ^[ (CTRL-[) and to do that I'm habit to use the ctrl-v [ , but here it doesn't work.

At the moment I'm obliged to use a windows box with putty so I cannot even edit the scripts on my Linux box and transfer the scripts on the AIX server.

Do you know why and how I can fix the issue?

To resume the answers:

@Dennis:

there are a few other ways to use escape in a Korn shell script:

print '\E' escape1='\033'    # contains the literal characters as shown
echo -e "$escape1"  
printf '%b' "$escape1"  
print "$escape1"
escape2=$'\e'     # contains an actual escape  
echo "$escape2"  
printf '%s' "$escape2"  
print "$escape2"  

For the terminal colors

man 5 terminfo

$'' notation allow ANSI-C escaping:

green=$'\e[01;32m'

It may be that ksh88 don't support $''

I use a ksh88, but I can switch to ksh93.

ctrl-v on command line
Version M-11/16/88i 

/usr/dt/bin/dtksh
print ${.sh.version}
Version M-12/28/93d

green=$'\e[01;32m' doesn't give me any error on ksh88,

but it doesn't expand the escape sequence. On ksh93 $'' the same issue

green="$'\e[01;32m'"

Using uppercase E solved the issue (weird!!!):

print $'\E[01;32m hello'

To summarize:

\E  works
\e  NO
\033    works just with echo
^[     ^v^[ do not work at all