v2.1.0 · GPL
PHREL
Per Host RatE Limiter. Track incoming traffic per host and insert nftables rules when a threshold is crossed — rate limit or block offenders until traffic returns to normal. Especially well suited to protecting DNS servers and stopping SSH brute-force attempts.
Overview
PHREL supports IPv4 and IPv6. Cross-instance synchronization via Redis is available for load-balanced server farms, or simply to expose the hosts PHREL is currently monitoring.
Uses for PHREL
Protecting a public nameserver (DNS)
When a nameserver is attacked or used in a reflection attack — filling logs with messages like named: client x.x.x.x: error sending response: host unreachable — phreld can block the abuse. For smaller nameservers, a threshold of 15pps with rate 0 on port 53 works well; busier servers may need a higher threshold.
# /usr/sbin/phreld -p 53 -T 15:0
Listen on port 53 for hosts exceeding 50 PPS and 100 PPS. Hosts over 50 PPS are limited to 25 PPS; hosts over 100 PPS are blocked. Offenders must stay below the threshold for 900 seconds (decay) to be removed.
# /usr/sbin/phreld -p 53 -T 50:25 -T 100:0 -D 900
Preventing SSH, Telnet, and FTP brute force
Listen on TCP ports 21–23 for hosts connecting more than 5 times in 30 seconds. Exceeding hosts are blocked for 1800 seconds.
# /usr/sbin/phreld -A sum -i 30 -D 1800 -T 5:0 'portrange 21-23 and tcp[13] == 2'
Protecting web servers (HTTP/HTTPS)
Listen on ports 80 and 443 for hosts opening more than an average of 10 TCP sessions over 30 seconds. Exceeding hosts are blocked for 1800 seconds.
# /usr/sbin/phreld -i 30 -D 1800 -T 10:0 '(port 80 or 443) and tcp[13] == 2'
System requirements
| Component | Notes |
|---|---|
| Linux | RHEL 8+, Ubuntu 22.04+, Debian 12+, Amazon Linux 2023, or any distro with nf_tables as the default firewall backend |
| nftables | Required; libnftables 1.0.x or newer |
| libpcap | Tested with 1.10 |
| Redis | Optional; cross-instance sync via hiredis |