amuck-landowner

Best way to keep sites loading fast while keeping them secure?

V

vpsmagic

New Member
Im kinda new to vps stuff but not super new. Ive had some for a while, I can install things and stuff but want to learn more. I dont want to use a control panel. What things should I install to keep things fast and secure for a website that needs php and MySQL?

I was thinking of using nginx, mysql, php, and installing CSF. I know to change the ssh port and ssh user too. What other things could I do to keep things fast and secure? I have a 2GB VPS so I have plenty of RAM to run things.

Thanks.
 
D. Strout

D. Strout

Resident IPv6 Proponent
In terms of speed, with a 2GB VPS you shouldn't need to worry too much about how fast your server processes things before sending them to the client. Unless you have a really slow processor or the host is very oversold, that should be no concern. To keep your websites fast, you have to make sure they're not loading too many images, use scripts effectively, cache efficiently, etc. There's a good article about all that here.

Security is a whole other question, not very much related to speed. Like you say, SSH on a different port is good, make it a high one. Here's some more SSH security methods:

  • Don't SSH as root - create a user that can sudo and SSH in to that, disabling root SSH
  • Use key-based authentication, and disable password authentication
  • Set up fail2ban so if someone tries too many times to get in to SSH, they'll be blocked from the system
  • Another little thing that some might not think of: if you have two or more IP addresses on the system, set up SSH to only listen on one of them. Reduce your surface area, so to speak. If an attacker is just picking IPs at random, they're less likely to pick one that will allow them in to SSH.
As to other vulnerabilities, keep your packages up to date, be careful with client input (e.g. SQL injection), and research stuff before installing it to make sure it's doesn't have any major security loopholes.
 
MannDude

MannDude

Just a dude
vpsBoard Founder
Moderator
D. Strout said:
In terms of speed, with a 2GB VPS you shouldn't need to worry too much about how fast your server processes things before sending them to the client. Unless you have a really slow processor or the host is very oversold, that should be no concern. To keep your websites fast, you have to make sure they're not loading too many images, use scripts effectively, cache efficiently, etc. There's a good article about all that here.

Security is a whole other question, not very much related to speed. Like you say, SSH on a different port is good, make it a high one. Here's some more SSH security methods:

  • Don't SSH as root - create a user that can sudo and SSH in to that, disabling root SSH
  • Use key-based authentication, and disable password authentication
  • Set up fail2ban so if someone tries too many times to get in to SSH, they'll be blocked from the system
  • Another little thing that some might not think of: if you have two or more IP addresses on the system, set up SSH to only listen on one of them. Reduce your surface area, so to speak. If an attacker is just picking IPs at random, they're less likely to pick one that will allow them in to SSH.
As to other vulnerabilities, keep your packages up to date, be careful with client input (e.g. SQL injection), and research stuff before installing it to make sure it's doesn't have any major security loopholes.
Click to expand...
That's some good advice. Personally, I've never played around with fail2ban too much, as I've used and grown accustomed to CSF. Do you think someone should use both, or just one or the other?
 
Nick

Nick

Moderator
Moderator
vpsmagic said:
Im kinda new to vps stuff but not super new. Ive had some for a while, I can install things and stuff but want to learn more. I dont want to use a control panel. What things should I install to keep things fast and secure for a website that needs php and MySQL?

I was thinking of using nginx, mysql, php, and installing CSF. I know to change the ssh port and ssh user too. What other things could I do to keep things fast and secure? I have a 2GB VPS so I have plenty of RAM to run things.

Thanks.
Click to expand...
You should also take a look at the other resources you have such as the network.  Unfortunately VPS Hosting brings in a lot of "unwanted" neighbours who can "hog" certain resources such as the CPU and bandwidth. It's up to the provider to ensure everyone has a fair share of these shared resources.

More often than not, the root cause for a slow website will be the script itself. This can be minimized by optimizing your code and compressing your images (which will slightly affect the quality depending on the compression ratio).

Hope this can help =)
 
M

Mitchell

New Member
Also give Varnish a try if you are high on unused RAM anyway. It will cache pages so that when you get a pulse of visits it won't generate the same page 10 times per second.
 
MannDude

MannDude

Just a dude
vpsBoard Founder
Moderator
Mitchell said:
Also give Varnish a try if you are high on unused RAM anyway. It will cache pages so that when you get a pulse of visits it won't generate the same page 10 times per second.
Click to expand...
Good advice. I played around with Varnish Cache a couple years ago, and the results were really great, even on a cPanel Shared server. Had a few minor issues with cache purging and dynamic sites not showing updates immediately, but a few tweaks corrected those and it was running smooth.

Now I kind of want to play with Varnish again.
 
mojeda

mojeda

New Member
If you use user accounts per website I would make the username not the domain example username is "domain" when the domain is "domain.tld" I have found that bots will try ssh/ftp/etc connect using the name of the domain.
 
drmike

drmike

100% Tier-1 Gogent
Varnish came up in the conversation.  It's really excellent software, but it's far from sane just to simply install it and think it is going to do tons for you.

Bigger picture is caching.  Cache downstairs in the database layer.  Cache via your app layer (commonly PHP).   Be sure you are setting cache expiration on your static elements (gif, jpg, png, etc.)

After you get all that working check out fronting things with Nginx.   Finally, I doubt you'll need it, Varnish :)

Varnish is great for large servers that are huge RAM + SSD cache storage nodes.  2GB of RAM and Varnish, it works, but you probably won't benefit much from it and PITA to get configured and working optimally.
 
mikho

mikho

Not to be taken seriously, ever!
Like I tell my customers when they ask what is the best way to go... it depends, what you need to focus on is the goal, everthing else are only tools to get to your destination.

Depending on what you will run on your VPS, perhaps Apache is the best option? but if you are only going to run one or two Wordpress sites, use Minstall to get everything in place and then optimize from that point.
 
Shados

Shados

Professional Snake Miner
D. Strout said:
In terms of speed, with a 2GB VPS you shouldn't need to worry too much about how fast your server processes things before sending them to the client. Unless you have a really slow processor or the host is very oversold, that should be no concern. To keep your websites fast, you have to make sure they're not loading too many images, use scripts effectively, cache efficiently, etc. There's a good article about all that here.

Security is a whole other question, not very much related to speed. Like you say, SSH on a different port is good, make it a high one. Here's some more SSH security methods:

  • Don't SSH as root - create a user that can sudo and SSH in to that, disabling root SSH
  • Use key-based authentication, and disable password authentication
  • Set up fail2ban so if someone tries too many times to get in to SSH, they'll be blocked from the system
  • Another little thing that some might not think of: if you have two or more IP addresses on the system, set up SSH to only listen on one of them. Reduce your surface area, so to speak. If an attacker is just picking IPs at random, they're less likely to pick one that will allow them in to SSH.

As to other vulnerabilities, keep your packages up to date, be careful with client input (e.g. SQL injection), and research stuff before installing it to make sure it's doesn't have any major security loopholes.
Click to expand...
I wouldn't recommend fail2ban (at least not for SSH) due to the issues with spoofing IPs. Plus, it only really helps prevent brute force attacks anyway, and they're not going to succeed against key-based authentication (an alternative option to key-based auth is two-factor authentication - barada isn't bad for that).

If you really want further SSH protection, consider using a modern port knocking/single packet authentication daemon, like fwknop.
 
You must log in or register to reply here.
Top
amuck-landowner