Case Study
The execution was minimalist but rigorous.
1. The Strict Rationing (PHP-FPM)
We stopped trying to scale the application to meet malicious demand. Instead, I forced a hard ceiling. Based on the 1GB physical memory limit, I clamped the PHP-FPM pool:
; php-fpm pool config (www.conf): never fork more than five workers
pm.max_children = 5
The Logic: In a low-spec environment, returning a 502 Bad Gateway to a bot is infinitely better than crashing the server. We ensured the OS and database survived, preserving SSH access for rescue operations.
2. The Tactical Buffer (Nginx)
We leveraged Nginx's leaky bucket algorithm to handle traffic bursts with near-zero memory overhead.
# http {} context: a 10 MB shared zone keyed by client address, 5 requests/second per key
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;
# server {} or location {} context: allow 10 excess requests and serve them without queueing
limit_req zone=mylimit burst=10 nodelay;
The Logic: The burst and nodelay combination is elegant. It seamlessly permits the occasional burst of concurrent requests from a real human (a page and its assets), while instantly returning a 503 to automated scripts hammering the server.
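To make the burst/nodelay behaviour concrete, here is an added model of the limit_req leaky bucket (not code from the post, and not Nginx's source) fed with constructed traffic: a human loading a page with seven assets, and a script sending 50 requests per second. The bookkeeping follows ngx_http_limit_req_module (rate and burst scaled by 1000, a per-key "excess" that leaks at the configured rate); the client addresses are documentation-range placeholders.

```python
"""Model of Nginx's limit_req leaky bucket for rate=5r/s burst=10 nodelay.
Added illustration with constructed traffic, not code from the post."""


class LimitReq:
    """One limit_req zone, following ngx_http_limit_req_module's bookkeeping:
    rate and burst are scaled by 1000, and 'excess' counts thousandths of a
    request by which the client is running ahead of the permitted rate."""

    def __init__(self, rate_rps, burst, nodelay):
        self.rate = rate_rps * 1000
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state = {}  # key ($binary_remote_addr) -> [last_ms, excess]

    def request(self, key, now_ms):
        """Decide one request: ('ok', 0), ('delay', ms) or ('503', 0)."""
        entry = self.state.get(key)
        if entry is None:
            self.state[key] = [now_ms, 0]  # first request from a key is free
            return ("ok", 0)
        last, excess = entry
        elapsed = max(now_ms - last, 0)
        # Leak what the elapsed time allows, then charge this request.
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return ("503", 0)  # rejected; nginx leaves the zone entry untouched
        entry[0], entry[1] = now_ms, excess
        if excess == 0 or self.nodelay:
            return ("ok", 0)
        # Without nodelay the excess is smoothed out at the configured rate.
        return ("delay", excess * 1000 // self.rate)


def simulate(limiter, key, times_ms):
    return [limiter.request(key, t) for t in times_ms]


def human_page_load(nodelay=True):
    # Constructed: one HTML page plus seven assets fired within the same ms.
    return simulate(LimitReq(5, 10, nodelay), "203.0.113.10", [0] * 8)


def bot_hammering():
    # Constructed: 50 requests at 20 ms intervals (50 r/s) from one client.
    times = [i * 20 for i in range(50)]
    return simulate(LimitReq(5, 10, True), "198.51.100.7", times)


def summarize(decisions):
    return {s: sum(1 for d in decisions if d[0] == s) for s in ("ok", "delay", "503")}


if __name__ == "__main__":
    print("human, nodelay:   ", summarize(human_page_load()))
    print("human, no nodelay:", human_page_load(nodelay=False)[:3], "...")
    print("bot, nodelay:     ", summarize(bot_hammering()))
```

The human's eight same-instant requests all fit inside burst=10 and, thanks to nodelay, none of them is queued; drop nodelay and the same page load is spread over 1.4 seconds (200 ms per excess request). The script gets its first dozen requests through and is then answered with 503 for nine out of every ten attempts, which is the stream of rejections the next step hands to Fail2ban.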
3. The Dimensional Strike (Fail2ban)
Finally, true zero-cost defense. If Nginx identified an IP repeatedly violating the rate limits, we handed the problem to the operating system.
# /etc/fail2ban/jail.local: ban clients that Nginx keeps rate-limiting (the 503s, recorded in error.log)
[nginx-limit-req]
enabled = true
logpath = /var/log/nginx/error.log
action  = iptables-multiport[name=nginx-limit-req, port="http,https", protocol=tcp, blocktype=DROP]
bantime = 3600
The Logic: We locked repeat offenders in an iptables blackout for an hour. Dropping their packets in the kernel, before a TCP connection is even established, consumes virtually zero CPU.
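What Fail2ban is actually doing behind that jail is a small counting exercise over log lines, and it is worth seeing why the maxretry/findtime threshold keeps a human who tripped the limit once out of the ban list. The following is an added example (not the post's configuration and not Fail2ban's own code) that runs the same decision over constructed Nginx error-log lines; the line format is the one Nginx emits for a limit_req rejection, the IPs are documentation-range placeholders, and the default thresholds (maxretry 5, findtime 600, bantime 3600) are assumed values.

```python
"""Fail2ban-style ban decision over Nginx limit_req rejections.
Added illustration with constructed log lines, not the post's or Fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the line Nginx writes to error.log each time limit_req returns a 503.
LIMIT_REQ_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'limiting requests, excess: [\d.]+ by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9a-fA-F.:]+),'
)


def parse_limit_req(line):
    """Return (epoch_seconds, client_ip) for a limit_req rejection, else None."""
    m = LIMIT_REQ_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S").timestamp()
    return ts, m.group("ip")


def decide_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """maxretry rejections from one IP within findtime seconds => ban for bantime.
    Returns {ip: (ban_start, ban_end)}; IPs below the threshold are absent."""
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_limit_req(line)
        if parsed is None:
            continue  # unrelated error-log line
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned: iptables is dropping its packets
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            window.clear()
    return bans


def _line(sec, ip, path):
    # Constructed error-log line in Nginx's limit_req rejection format.
    return ('2024/05/01 12:00:%02d [error] 1234#1234: *%d limiting requests, '
            'excess: 10.800 by zone "mylimit", client: %s, server: example.com, '
            'request: "GET %s HTTP/1.1", host: "example.com"') % (sec, 100 + sec, ip, path)


# Constructed sample: 198.51.100.7 is a script, 203.0.113.10 a person who
# double-clicked once, plus one unrelated error line that must be ignored.
SAMPLE_ERROR_LOG = [_line(s, "198.51.100.7", "/index.php") for s in range(5)] + [
    _line(2, "203.0.113.10", "/"),
    '2024/05/01 12:00:03 [error] 1234#1234: *150 open() "/var/www/html/favicon.ico" '
    'failed (2: No such file or directory), client: 203.0.113.10, server: example.com',
    _line(10, "198.51.100.7", "/index.php"),  # during the ban: must not re-count
]


if __name__ == "__main__":
    for ip, (start, end) in decide_bans(SAMPLE_ERROR_LOG).items():
        print("ban %s for %d s" % (ip, end - start))
```

Only the script crosses five rejections inside the window and is banned for 3600 seconds; the person's single rejection stays below maxretry, and the favicon error never matches the filter. Lowering maxretry to 1 bans both addresses, which is the knob to keep in mind before tightening a jail on a site that real visitors also hit quickly.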
What's the call?