
PHREL

PHREL is a per-host rate limiter. It tracks the rate of incoming traffic on a server and inserts a chain into iptables when a configured threshold is crossed. The inserted chain either rate limits or blocks the offending host for a period of time, and is removed automatically once that host's traffic level returns to normal. PHREL is particularly well suited to protecting nameservers (DNS) from hosts that flood them with requests, and to stopping SSH brute-force login attempts.
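The mechanism described above (count packets per source host over a window, insert an iptables chain when a host exceeds the threshold, drop or rate limit it, remove the chain after the host has been quiet for a decay period) can be sketched in a few dozen lines. The following Python is an added illustration and is not PHREL's own code; the class and method names, the `THRESHOLD:RATE` option format, the chain-naming scheme and the exact iptables rules are assumptions made for the example. Commands are produced as strings rather than executed, so it runs offline and without root, and it covers both IPv4 and IPv6 sources and an excluded CIDR list.

```python
"""Per-host rate limiter model in the style PHREL describes.

Added example, not PHREL's code. Names, the THRESHOLD:RATE format, chain
naming and the iptables rules below are assumptions for illustration.
Commands are returned as strings (dry run) instead of being executed.
"""
import hashlib
import ipaddress
from collections import defaultdict, deque


class HostRateLimiter:
    """Track per-source packet rate on one port and emit iptables commands
    when a source crosses the threshold; tear the chain down after `decay`
    seconds below threshold."""

    def __init__(self, port, threshold, rate=0, decay=60.0, window=1.0, exclude=()):
        self.port = port            # monitored destination port
        self.threshold = threshold  # packets per `window` that trigger a chain
        self.rate = rate            # 0 => DROP everything; >0 => allow rate pkt/s
        self.decay = decay          # seconds below threshold before chain removal
        self.window = window        # measurement window in seconds
        # excluded prefixes are never chained (e.g. your own management range)
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]
        self._hits = defaultdict(deque)  # src -> packet timestamps inside window
        self._chained = {}               # src -> last time it was over threshold
        self.emitted = []                # every command "run", in order

    @staticmethod
    def parse_threshold(spec):
        """Parse 'THRESHOLD:RATE' (the form used by phreld -T 15:0 on this page)."""
        thr, _, rate = spec.partition(":")
        return int(thr), int(rate or 0)

    @staticmethod
    def chain_name(src):
        # iptables caps chain names (the 2006 release notes mention 28 chars);
        # a short hash keeps even IPv6 sources well under that limit.
        digest = hashlib.sha1(str(src).encode()).hexdigest()[:12]
        return "phrel-" + digest

    @staticmethod
    def _tool(src):
        return "ip6tables" if src.version == 6 else "iptables"

    def _excluded(self, src):
        return any(src in net for net in self.exclude)

    def _insert_rules(self, src):
        t, chain = self._tool(src), self.chain_name(src)
        cmds = [f"{t} -N {chain}"]
        if self.rate > 0:
            # let `rate` packets per second through, drop the rest
            cmds.append(f"{t} -A {chain} -m limit --limit {self.rate}/second -j RETURN")
        cmds.append(f"{t} -A {chain} -j DROP")
        # the jump matches every packet from the host, not only the monitored port
        cmds.append(f"{t} -I INPUT -s {src} -j {chain}")
        return cmds

    def _remove_rules(self, src):
        t, chain = self._tool(src), self.chain_name(src)
        return [f"{t} -D INPUT -s {src} -j {chain}", f"{t} -F {chain}", f"{t} -X {chain}"]

    def observe(self, ts, src, dport):
        """Account one packet seen at time `ts`. Returns the commands emitted."""
        src = ipaddress.ip_address(str(src))
        if dport != self.port or self._excluded(src):
            return []
        hits = self._hits[src]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:  # slide the window forward
            hits.popleft()
        if len(hits) <= self.threshold:
            return []
        if src in self._chained:          # still flooding: push the decay out
            self._chained[src] = ts
            return []
        self._chained[src] = ts
        cmds = self._insert_rules(src)
        self.emitted.extend(cmds)
        return cmds

    def expire(self, now):
        """Remove chains of hosts that have been under threshold for `decay`s."""
        cmds = []
        for src, last_over in list(self._chained.items()):
            if now - last_over >= self.decay:
                del self._chained[src]
                self._hits.pop(src, None)
                cmds.extend(self._remove_rules(src))
        self.emitted.extend(cmds)
        return cmds

    def chained_hosts(self):
        return sorted(str(s) for s in self._chained)


if __name__ == "__main__":
    # constructed traffic: one flooder, one normal client, one excluded host
    thr, rate = HostRateLimiter.parse_threshold("15:0")
    lim = HostRateLimiter(port=53, threshold=thr, rate=rate, decay=10.0,
                          exclude=["192.0.2.0/24"])
    for i in range(30):
        lim.observe(100.0 + i * 0.02, "203.0.113.7", 53)
    for i in range(5):
        lim.observe(100.0 + i * 0.1, "198.51.100.9", 53)
    for i in range(100):
        lim.observe(100.0 + i * 0.001, "192.0.2.44", 53)
    lim.expire(200.0)
    print("\n".join(lim.emitted))
```

Two points from the comments below show up in the model: the jump rule is keyed on the source address only, so a chained host loses access to every port, not just the monitored one, and `decay` should be tested with a short value before relying on it, since a mistaken threshold locks out the tester as readily as an attacker.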


Recent releases

  •  01 Jun 2013 08:29

Release Notes: A compilation failure when NetSNMP was not available was fixed. A number of warnings were cleaned up.

  •  21 Apr 2013 02:11

Release Notes: This release fixes a segfault on startup related to specific server interfaces and a bug related to excluded CIDR prefix ranges.

  •  10 Sep 2011 04:57

Release Notes: Support for IPv6, support for setting the direction of packet monitoring, the ability to synchronize between instances of PHREL via a MySQL database, and a number of security-related improvements.

  •  27 Oct 2006 11:01

Release Notes: Command line thresholds are no longer required if they are specified within the configuration file.

  •  15 Apr 2006 00:36

Release Notes: Several incorrect uses of memset() that prevented proper initialization of internal structures, causing segfaults on some systems, were fixed. The MIB was updated with an enterprise number assigned by the Internet Assigned Numbers Authority (IANA). Promiscuous mode is now a configurable option, disabled by default. The maximum chain name length was lowered to 28 characters and chain names were shortened due to length restrictions in Fedora Core 4. Configuration file support was added.

Recent comments

15 Dec 2012 20:47 sella (Thumbs up)

For those of you dealing with your nameserver being attacked and your logs being filled with messages such as "named[xxxx]: client x.x.x.x#yyyy: error sending response: host unreachable", you can use PHREL to block the abuse and stop the log messages. For smaller traffic nameservers, you can set a threshold of 15pps with a rate of 0 to dynamically block the majority of these attacks. Larger traffic nameservers may need to use a slightly higher threshold.

Here's an example command line for phreld to block this:

phreld -p 53 -T 15:0

29 Nov 2006 17:36 dunamin (Thumbs up)

Works great!
I was getting a brute force attack on an FTP Server. This program helped to stop the attack and gave me confidence that the server is more secure than the vanilla install.

The configuration wasn't as simple as I had hoped. There is not a /etc/phrel.config file yet. I had to add to a script that's run at every reboot to automate the execution of the script.

The other downside is the need for root access. It probably will not work for some VPS environments, but you can always ask the admin. I'm sure once they see the thing, they'll want it installed.

Be very careful on your settings. Try testing it with a small decay (-D) first, like 10 seconds or so. Of course, have a way of getting to the box other than ssh when testing. Otherwise, you may need a reboot. Note, even if you test the FTP port, all ports are closed when you get blocked.

It's definitely worth the effort of learning how this thing works. It's so very cool. After a few failed logins, the entire IP is dropped for a period of time. It can even be throttled down to a certain number of packets/second after an offense.

The cool thing is that it's protocol independent. It will work for FTP, SSH, HTTP, DNS, SMTP, and any other TCP or UDP protocol. Learn one tool and protect all protocols on your network. Could also work great on a router box.

So very happy for this one. I give it a 10!
