Buying a VPS is recommended for a high-traffic website. But we need to customize the server to get high performance even with little RAM.

Generally, there are two steps we can take:
– protect the server with a firewall and address other security issues
– set up clearing of the page cache every minute


Protect VPS

1. Using APF

Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

Requirements:
– Root SSH access to your server

Install

Log in to your server through SSH and su to the root user, then run these commands:

cd /etc

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvzf apf-current.tar.gz

cd apf-0.9.5-1/

(or whatever directory the latest version extracted to)

Run the install file:

chmod 0700 install.sh
./install.sh

You will receive a message saying it has been installed:
.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

Configure the firewall

nano /etc/apf/conf.apf

Which firewall ports to open depends on the hosting control panel in use:

For cPanel servers
Recommended settings for cPanel servers:

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

For Ensim servers
Recommended settings for Ensim servers:

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

For Plesk servers
Recommended settings for Plesk servers:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,4643,5224,8443,8447,10000,35000_35999"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,10000,35000_35999"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,123,1040"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

Save your changes!
Ctrl + X then y (nano editor)

Starting the firewall

apf -s

Once everything works, turn off development mode (DEVEL_MODE):

nano /etc/apf/conf.apf
# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"

It is recommended to change this back to “0” once you have had a chance to confirm that everything is working and have tested the server.

Save your changes!
Ctrl + X then y

Restart the firewall:

apf -r

Now, time to make APF start automatically at boot.

To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf

2. (D)DoS-Deflate

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

Install

Log in to your server as root using SSH.

Download the install script

wget http://www.inetbase.com/scripts/ddos/install.sh

Run the installer


chmod 0700 install.sh
./install.sh

Now press ESC, then type :q and press Enter (this quits the vi editor).

DDoS-Deflate should now be installed; you will see:

Ddos deflate installed succesfully

Customizing DOS-Deflate
Customizing DDoS-Deflate is very easy: edit /usr/local/ddos/ddos.conf with your favorite editor.

e.g.

nano /usr/local/ddos/ddos.conf

Every setting is explained in the configuration file.

e.g.

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600

(You can experiment with the above settings. For example, during a period of frequent DoS attacks you can lower NO_OF_CONNECTIONS to 50 and/or increase BAN_PERIOD.)

Save your changes!
Ctrl + X then y

How to edit the configuration file:

vi /usr/local/ddos/ddos.conf


How to check the number of connected IPs:

sh /usr/local/ddos/ddos.sh


How to restart DDoS-Deflate:

sh /usr/local/ddos/ddos.sh -c
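To make the settings above concrete, here is an added example (not DDoS-Deflate's own ddos.sh) of the detection step the script automates, run over a constructed netstat -ntu sample so it can be tried offline: count connections per remote address with the pipeline shown earlier, flag addresses at or above NO_OF_CONNECTIONS, skip a whitelist, and build the ban command that APF_BAN selects. The threshold of 3, the whitelisted address and the sample connection table are assumptions for the demo; a real server would use the 150 from ddos.conf.

```shell
# Added example (not the project's ddos.sh): DDoS-Deflate's detection step as a dry run.

APF_BAN=1   # from ddos.conf: 1 = hand bans to APF, 0 = use iptables directly

# Constructed sample of `netstat -ntu` output (header lines included as netstat prints them).
# 198.51.100.7 holds 4 connections, 192.0.2.33 holds 5, 192.0.2.22 holds 2.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      TIME_WAIT
tcp        0      0 203.0.113.10:443        198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.22:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.22:40002        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:50001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:50002        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:50003        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:50004        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.33:50005        ESTABLISHED
EOF
}

# Connections per remote IP from netstat lines on stdin; this is the page's
# pipeline: column 5 is the foreign address, the port is cut off after the colon.
conns_per_ip() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# over_threshold THRESHOLD [WHITELIST]: print each IP with >= THRESHOLD connections,
# lowest count first, skipping space-separated addresses in WHITELIST (an assumed
# safeguard so a monitoring host or your own office never gets banned).
over_threshold() {
    threshold=$1
    whitelist=${2:-}
    conns_per_ip | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $whitelist " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# ban_command APF_BAN IP: the command DDoS-Deflate would run for a flagged IP.
# With APF_BAN=1 the address is denied through `apf -d`; otherwise an iptables
# DROP rule is inserted. Printed, not executed, so this stays a dry run.
ban_command() {
    if [ "$1" = "1" ]; then
        echo "apf -d $2"
    else
        echo "iptables -I INPUT -s $2 -j DROP"
    fi
}

# Dry run over the sample at an assumed NO_OF_CONNECTIONS of 3, with 192.0.2.33 whitelisted.
dry_run() {
    sample_netstat | over_threshold 3 "192.0.2.33" | while read -r ip; do
        ban_command "$APF_BAN" "$ip"
    done
}

dry_run
```

Note what the pipeline counts: every entry in netstat -ntu, so TIME_WAIT connections and the two header lines are included (the headers only ever add one "connection" each, so they never cross the threshold). That is why NO_OF_CONNECTIONS should be set with your real traffic in mind: a busy NAT gateway or a reverse proxy in front of the server can legitimately hold many connections and would be banned just like an attacker unless it is whitelisted.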

NEXT TIP: Set up clearing of the page cache every minute