PHREL - Per Host RatE Limiter

PHREL is a Per Host RatE Limiter written in C. It efficiently tracks the rate of incoming traffic on a per-host basis and inserts a chain into iptables when a configured threshold is crossed. The inserted chain either rate limits or completely blocks the offending host for a period of time, and is removed automatically once that host's traffic level returns to normal. PHREL can be used with any type of traffic, but it is particularly well suited to protecting name servers from hosts that flood DNS requests and to preventing SSH brute force login attempts.
Uses for PHREL

Protecting a public nameserver (DNS)

This example uses phreld to listen on port 53 (DNS) for hosts that exceed thresholds of 100 PPS and 200 PPS. Hosts that exceed 100 PPS are rate limited down to 25 PPS; hosts that exceed 200 PPS are blocked (rate of 0). A blocked or rate-limited host must stay below the threshold it exceeded for 900 seconds (decay) before its chain is removed.
# /usr/local/bin/phreld -p 53 -T 100:25 -T 200:0 -D 900

Preventing SSH, Telnet and FTP brute force login attempts

This example uses phreld to listen on TCP port 22 (SSH) for hosts that attempt to connect more than 5 times in 30 seconds (interval). The pcap filter matches only packets with the SYN flag set, so each new connection attempt is counted once rather than every packet of an established session. Hosts that exceed this threshold are blocked for 1800 seconds (decay) before being allowed to connect to the server again. Telnet (port 23) and FTP (port 21) are protected the same way by changing the port in the filter expression.
# /usr/local/bin/phreld -A sum -i 30 -D 1800 -T 5:0 'port 22 and tcp[13] & tcp-syn != 0'
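The threshold, escalation and decay behaviour behind both invocations above, as an added example (this is not PHREL's own code, which is written in C): a small Python model replays constructed traffic through the same -T trigger:rate, -i interval and -D decay semantics and records when a per-host chain would be inserted, escalated or removed. The host addresses, packet counts, and the iptables_commands() helper (stock iptables `limit` match rules in a chain named PHREL_<host>) are assumptions made for illustration, not PHREL's actual chain layout.

```python
"""Model of the per-host threshold / decay logic of phreld's -T, -i and -D
options.  Added example, not PHREL's own code; traffic and rule layout are
constructed for illustration."""
from collections import defaultdict


class PerHostRateLimiter:
    def __init__(self, thresholds, interval=1, decay=900):
        # thresholds: (trigger, limited_rate) pairs as in "-T 100:25 -T 200:0";
        # limited_rate 0 means block.  A host is judged on the packets it sent
        # in one interval, so interval=1 gives packets per second and
        # "-A sum -i 30" corresponds to interval=30.
        self.thresholds = sorted(thresholds)
        self.interval = interval
        self.decay = decay
        self.window_start = None
        self.counts = defaultdict(int)
        self.active = {}   # host -> [trigger, limited_rate, below_since]
        self.events = []   # ("limit", host, rate) | ("block", host) | ("remove", host)

    def observe(self, ts, host):
        """Account one packet from host seen at time ts (seconds)."""
        self.advance(ts)
        self.counts[host] += 1

    def advance(self, ts):
        """Close every interval that ended by ts, as a periodic timer would."""
        if self.window_start is None:
            self.window_start = ts
        while ts >= self.window_start + self.interval:
            self.window_start += self.interval
            self._evaluate(self.window_start)
            self.counts.clear()

    def _evaluate(self, now):
        for host in sorted(set(self.counts) | set(self.active)):
            count = self.counts.get(host, 0)
            crossed = [t for t in self.thresholds if count > t[0]]
            cur = self.active.get(host)
            if crossed and (cur is None or crossed[-1][0] > cur[0]):
                # highest trigger crossed wins: insert or escalate the chain
                trigger, rate = crossed[-1]
                self.active[host] = [trigger, rate, None]
                self.events.append(("block", host) if rate == 0 else ("limit", host, rate))
            elif cur is not None and crossed and crossed[-1][0] == cur[0]:
                cur[2] = None                 # still above its trigger: reset decay
            elif cur is not None:
                # below the threshold it exceeded: start or continue the decay clock
                if cur[2] is None:
                    cur[2] = now
                elif now - cur[2] >= self.decay:
                    del self.active[host]
                    self.events.append(("remove", host))


def iptables_commands(host, rate):
    """Illustrative per-host chain (assumed layout, not PHREL's): a 'limit'
    match lets `rate` packets/second through, everything else is dropped;
    rate 0 drops unconditionally."""
    chain = "PHREL_" + host.replace(".", "_")
    cmds = [f"iptables -N {chain}", f"iptables -I INPUT -s {host} -j {chain}"]
    if rate > 0:
        cmds.append(f"iptables -A {chain} -m limit --limit {rate}/second -j ACCEPT")
    cmds.append(f"iptables -A {chain} -j DROP")
    return cmds


def simulate_dns_flood():
    """Constructed traffic against '-p 53 -T 100:25 -T 200:0 -D 900' (1 s interval)."""
    rl = PerHostRateLimiter([(100, 25), (200, 0)], interval=1, decay=900)
    pkts = [(k / 150, "10.0.0.1") for k in range(150)]        # 150 PPS in second 0
    pkts += [(1 + k / 250, "10.0.0.1") for k in range(250)]   # then 250 PPS in second 1
    pkts += [(k / 250, "10.0.0.2") for k in range(250)]       # 250 PPS in second 0
    pkts += [(k / 10, "10.0.0.3") for k in range(10)]         # an ordinary resolver client
    for ts, host in sorted(pkts):
        rl.observe(ts, host)
    rl.advance(905)   # the timer keeps running after the flood stops
    return rl.events


def simulate_ssh_bruteforce():
    """Constructed SYNs against '-A sum -i 30 -D 1800 -T 5:0'."""
    rl = PerHostRateLimiter([(5, 0)], interval=30, decay=1800)
    syns = [(5 * k, "192.0.2.7") for k in range(6)]      # 6 attempts in 30 s
    syns += [(10 * k, "192.0.2.8") for k in range(3)]    # 3 legitimate logins
    for ts, host in sorted(syns):
        rl.observe(ts, host)
    rl.advance(1860)
    return rl.events


if __name__ == "__main__":
    print(simulate_dns_flood())
    print(simulate_ssh_bruteforce())
    print("\n".join(iptables_commands("10.0.0.1", 25)))
```

In the DNS run 10.0.0.1 is first limited to 25 PPS, then escalated to a block when it climbs past 200 PPS, and both offenders are removed 900 seconds after their last interval above the threshold they tripped; the ordinary client never appears. A blocked host is still counted in the model because libpcap sees frames before the netfilter INPUT chain drops them, which is what makes "stay below the exceeded threshold for the decay period" the right condition rather than "chain has existed for the decay period".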
System Requirements

Supported Platforms

Linux
Tested on Linux 2.4.x and 2.6.x

Software Requirements

iptables
Tested with 1.2.9

libpcap
Tested with 0.8.0, 0.8.3

Net-SNMP
Tested with 5.1.2