We have already implemented many good rules for you at the hardware firewall level, such as:
SSH brute-force protection
Protection against port scanning
Limit new TCP connections per second per source IP
Limit RST packets
Limit connections per source IP
Drop fragments in all chains
Block spoofed packets
Block packets with bogus TCP flags
Drop SYN packets with suspicious MSS value
Drop TCP packets that are new and are not SYN
Drop invalid packets
I also recommend that you run this on your VPS:
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
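
A re-runnable variant of the rule above, as an added example that is not part of the original text: it adds the DROP only if it is missing and, as an assumption of this example, first inserts an exemption for ICMP "fragmentation needed", because a blanket ICMP drop also discards the messages Path MTU Discovery relies on. The `IPT` override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page.
# IPT may be overridden (assumption of this example) for dry runs.
IPT="${IPT:-/sbin/iptables}"

# ensure_rule TABLE OP CHAIN RULE...
# OP is -A (append) or -I (insert at the top). The rule is only added when
# "iptables -C" reports it is absent, so re-running never duplicates it.
ensure_rule() {
    table=$1; op=$2; chain=$3; shift 3
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
    else
        "$IPT" -t "$table" "$op" "$chain" "$@" || return 1
        echo "added: -t $table $op $chain $*"
    fi
}

apply_icmp_policy() {
    # Exemption (this example's assumption): keep "fragmentation needed"
    # so Path MTU Discovery still works. Inserted with -I so it sits above
    # the DROP even when the page's command has already been run.
    ensure_rule mangle -I PREROUTING -p icmp \
        --icmp-type fragmentation-needed -j ACCEPT &&
    # The page's rule: drop all remaining ICMP before routing.
    ensure_rule mangle -A PREROUTING -p icmp -j DROP
}

# Apply only when called as: sh icmp-policy.sh apply (requires root).
if [ "${1:-}" = "apply" ]; then
    apply_icmp_policy
fi
```

Check the resulting order with `/sbin/iptables -t mangle -L PREROUTING -n --line-numbers`; the ACCEPT must be listed before the DROP.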