Technically, you can't. Any DDoS of any worth would take your server offline no matter what precautions you put into place on the server itself. All it takes is a simple saturation of your up/downstream and your server will carry no traffic until the attack is done.
The best thing you can do is to use a datacenter that provides either a hardware firewall that can filter the attack before it enters your network, or uses an upstream filter (like Ev1's FireSlayer).
Software wise, you could look into mod_evasive, which will help to control the number of httpd connections from a single IP, or scrutinizer, which will do the same but runs at a different level. Some suggest using SYN Cookies, which requests verification of all incoming SYN packets before they are accepted. This violates a few protocols though, and will not help a bandwidth overload if someone decides to actually target you. Tweaking your server to accept low numbers of ICMP packets through a system like APF will help to keep that flooding down... I have mine set to only accept 1 ICMP packet per second, and to drop the rest automatically. Only keeping the ports open that you actually use will help to keep attacks down a bit too, as it will drop all traffic destined for the 'un-used' ports. APF will do this, as well.
Check out Chirpy's Firewall script. It works a lot like APF, but plugs directly into WHM.
Don't think that by installing loads of "DDoS Software" on your server that you are safe from it though. As I mentioned, the line to your server will only carry so much traffic, and it's easy these days to overload that line. You'll want a datacenter that can properly filter the attack before it even gets to you. If your Datacenter won't do that, then they're not a very good one to begin with.
