Best way to keep sites loading fast while keeping them secure?

Discussion in 'Hosting Talk & Reviews' started by vpsmagic, Apr 27, 2013.

  1. vpsmagic

    vpsmagic New Member

    Apr 27, 2013
    I'm kinda new to VPS stuff but not super new. I've had some for a while, I can install things and stuff but want to learn more. I don't want to use a control panel. What things should I install to keep things fast and secure for a website that needs PHP and MySQL?

    I was thinking of using nginx, mysql, php, and installing CSF. I know to change the ssh port and ssh user too. What other things could I do to keep things fast and secure? I have a 2GB VPS so I have plenty of RAM to run things.

    Thanks.
     
  2. D. Strout

    D. Strout Resident IPv6 Proponent

    Apr 17, 2013
    In terms of speed, with a 2GB VPS you shouldn't need to worry too much about how fast your server processes things before sending them to the client. Unless you have a really slow processor or the host is very oversold, that should be no concern. To keep your websites fast, you have to make sure they're not loading too many images, use scripts effectively, cache efficiently, etc. There's a good article about all that here.

    Security is a whole other question, not very much related to speed. Like you say, SSH on a different port is good, make it a high one. Here's some more SSH security methods:

    • Don't SSH as root - create a user that can sudo and SSH in to that, disabling root SSH
    • Use key-based authentication, and disable password authentication
    • Set up fail2ban so if someone tries too many times to get in to SSH, they'll be blocked from the system
    • Another little thing that some might not think of: if you have two or more IP addresses on the system, set up SSH to only listen on one of them. Reduce your surface area, so to speak. If an attacker is just picking IPs at random, they're less likely to pick one that will allow them in to SSH.

    As to other vulnerabilities, keep your packages up to date, be careful with client input (e.g. SQL injection), and research stuff before installing it to make sure it doesn't have any major security loopholes.
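
Added example (not part of D. Strout's post or of any project named in the thread): a small auditor that checks the global section of an sshd_config against the SSH recommendations in the post above. The finding codes, the sample configs, the port number and the address are constructed for illustration; the defaults are those of current OpenSSH releases, and Match blocks and Include files are not evaluated.

```python
# Defaults of current OpenSSH releases, applied when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}
REPEATABLE = ("port", "listenaddress")  # every occurrence counts

def parse_global(text):
    """Parse the global section; for most keywords sshd keeps the first value."""
    single, multi = {}, {k: [] for k in REPEATABLE}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":      # everything after Match is conditional
            break
        if key in multi:
            multi[key].append(value)
        else:
            single.setdefault(key, value.lower())
    return single, multi

def is_wildcard(addr):
    return addr == "::" or addr.startswith(("0.0.0.0", "[::]"))

def audit(text):
    """Return the codes of the thread's SSH recommendations that are not met."""
    single, multi = parse_global(text)
    get = lambda k: single.get(k, DEFAULTS[k])
    failed = []
    if get("permitrootlogin") != "no":
        failed.append("root-login-allowed")
    if get("passwordauthentication") != "no":
        failed.append("password-auth-enabled")
    if get("pubkeyauthentication") != "yes":
        failed.append("pubkey-auth-disabled")
    if "22" in (multi["port"] or ["22"]):
        failed.append("default-port")
    if not multi["listenaddress"] or any(map(is_wildcard, multi["listenaddress"])):
        failed.append("listens-on-all-addresses")
    return failed

# Constructed sample configs (203.0.113.10 is a documentation address).
WEAK = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
HARDENED = ("Port 49222\nListenAddress 203.0.113.10\nPermitRootLogin no\n"
            "PasswordAuthentication no\n"
            "PasswordAuthentication yes   # ignored: the first value wins\n"
            "Match User deploy\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration, which is the better input when Include files or Match blocks are in use.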
     
  3. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    Mar 8, 2013
    That's some good advice. Personally, I've never played around with fail2ban too much, as I've used and grown accustomed to CSF. Do you think someone should use both, or just one or the other?
     
  4. D. Strout

    D. Strout Resident IPv6 Proponent

    Apr 17, 2013
    Sorry, I don't have any experience with CSF.
     
  5. Nick

    Nick Moderator Moderator

    Apr 3, 2013
    You should also take a look at the other resources you have such as the network.  Unfortunately VPS Hosting brings in a lot of "unwanted" neighbours who can "hog" certain resources such as the CPU and bandwidth. It's up to the provider to ensure everyone has a fair share of these shared resources.

    More often than not, the root cause for a slow website will be the script itself. This can be minimized by optimizing your code and compressing your images (which will slightly affect the quality depending on the compression ratio).

    Hope this can help =)
     
  6. Mitchell

    Mitchell New Member

    May 3, 2013
    Also give Varnish a try if you are high on unused RAM anyway. It will cache pages so that when you get a pulse of visits it won't generate the same page 10 times per second.
     
  7. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    Mar 8, 2013
    Good advice. I played around with Varnish Cache a couple years ago, and the results were really great, even on a cPanel Shared server. Had a few minor issues with cache purging and dynamic sites not showing updates immediately, but a few tweaks corrected those and it was running smooth.

    Now I kind of want to play with Varnish again.
     
  8. mojeda

    mojeda New Member

    May 14, 2013
    If you use user accounts per website, I would make the username not the domain (for example, the username is "domain" when the domain is "domain.tld"). I have found that bots will try to connect over SSH/FTP/etc. using the name of the domain.
     
  9. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    Varnish came up in the conversation.  It's really excellent software, but it's far from sane just to simply install it and think it is going to do tons for you.

    Bigger picture is caching.  Cache downstairs in the database layer.  Cache via your app layer (commonly PHP).   Be sure you are setting cache expiration on your static elements (gif, jpg, png, etc.)

    After you get all that working check out fronting things with Nginx.   Finally, I doubt you'll need it, Varnish :)

    Varnish is great for large servers that are huge RAM + SSD cache storage nodes. With 2GB of RAM and Varnish, it works, but you probably won't benefit much from it and it's a PITA to get configured and working optimally.
     
  10. Awmusic12635

    Awmusic12635 Active Member Verified Provider

    May 3, 2013
    Then more recently there is the open-source version of LiteSpeed.
     
  11. mikho

    mikho Not to be taken seriously, ever!

    May 15, 2013
    Like I tell my customers when they ask what is the best way to go... it depends. What you need to focus on is the goal; everything else is only a tool to get to your destination.

    Depending on what you will run on your VPS, perhaps Apache is the best option? But if you are only going to run one or two WordPress sites, use Minstall to get everything in place and then optimize from that point.
     
  12. Shados

    Shados Professional Snake Miner

    May 15, 2013
    I wouldn't recommend fail2ban (at least not for SSH) due to the issues with spoofing IPs. Plus, it only really helps prevent brute force attacks anyway, and they're not going to succeed against key-based authentication (an alternative option to key-based auth is two-factor authentication - barada isn't bad for that).

    If you really want further SSH protection, consider using a modern port knocking/single packet authentication daemon, like fwknop.