PHREL v1.0.0 (09/09/11) - http://www.digitalgenesis.com

Additional information and install help can be found within our forums:
http://www.digitalgenesis.com/support/forum

Quick Install:

0. Untar the distribution archive. It will create a phrel-1.0.0 directory.
   Several examples follow:

   For .tar.gz files:
     tar xvzf phrel-1.0.0.tar.gz
     -or-
     zcat phrel-1.0.0.tar.gz | tar xvf -

   For .tar.bz2 files:
     tar xvjf phrel-1.0.0.tar.bz2
     -or-
     tar xvf phrel-1.0.0.tar.bz2 --use-compress-program=bzip2
     -or-
     bzcat phrel-1.0.0.tar.bz2 | tar xvf -

1. Run './configure' in the phrel directory (you may need extra flags).
     cd phrel-1.0.0
     ./configure

2. Run 'make all', then 'make install' as root.
     make all
     su -c 'make install'

3. Optionally, create a MySQL database for synchronization across PHREL
   instances. To use this, you must provide additional arguments to 'phreld'
   to access the database.

   Create the database by applying the contents of docs/mysql-phrel.sql:
     > mysql -u root -p < docs/mysql-phrel.sql

   Set up permissions to the phrel database (replace 'mypass'):
     > echo "GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES ON phrel.* TO \
       phrel@'%' IDENTIFIED BY 'mypass';" | mysql -u root -p

4. Run 'phreld', the PHREL daemon. The help menu displays the various
   configurable options available by running:
     > /usr/local/bin/phreld -h

   You will need to be root in order to use phreld. You can su to root by
   running:
     > su -
     -or-
     > sudo -s

A couple of examples of using PHREL are listed below. See the phreld man page
for additional examples.

1) Protect your nameserver (DNS).

   This example uses phreld to listen on port 53 (DNS) for hosts that exceed
   the thresholds of 100 PPS and 200 PPS. Hosts that exceed 100 PPS are rate
   limited down to 25 PPS. Hosts that exceed 200 PPS are blocked (rate of 0).
   A blocked or rate-limited host must stay below the exceeded threshold for
   900 seconds (decay) before the restriction is removed.

     # /usr/local/bin/phreld -p 53 -T 100:25 -T 200:0

2) Protect SSH from brute force login attempts.

   This example uses phreld to listen on TCP port 22 (SSH) for hosts that
   attempt to connect to SSH more than 5 times in 30 secs (interval). Hosts
   that exceed this threshold will be blocked for 1800 seconds (decay) before
   being allowed to connect to the server again.

     # /usr/local/bin/phreld -A sum -D 1800 -T 5:0 'port 22 and tcp[13] & tcp-syn != 0'

Common Solutions:

Problem: PHREL fails to build with "undefined references to pcap_next_ex"
errors.

Solution 1: Update (or install) the libpcap library via your distribution's
package manager, e.g.:
     yum update libpcap-devel libpcap

Solution 2: Download a copy of the libpcap source code from
www.traceroute.org. Extract and build libpcap in the same directory that you
extracted PHREL into. If you run the PHREL configure script after building
libpcap, PHREL will be able to locate the pcap library archive and link
against it.

Fini
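The two phreld examples above (tiered -T threshold:rate rules for DNS, and a per-interval connection count with a decay period for SSH) can be understood as one small per-host state machine. The following Python is an added illustration written for this page, not PHREL's own code: it replays constructed packet timestamps through a model of the threshold/decay logic as the README describes it. The class name ThresholdLimiter, the sample IP addresses, and the assumption that packets from an already-restricted host still count toward the interval are all choices made for the illustration, not facts about phreld's implementation.

```python
"""Model of PHREL-style per-host threshold / decay rate limiting.

Constructed illustration, not PHREL's own code. It replays
(timestamp, source_host) events, which stand in for packets phreld would
see via libpcap, and applies:
  - thresholds: list of (packets_per_interval, allowed_rate); rate 0 = block
  - interval:   length of the counting window in seconds (-A sum style count)
  - decay:      seconds a host must stay below the threshold to be released
"""
from collections import defaultdict, deque


class ThresholdLimiter:
    def __init__(self, thresholds, interval=1.0, decay=900.0):
        self.thresholds = sorted(thresholds)   # ascending by threshold
        self.interval = interval
        self.decay = decay
        self.window = defaultdict(deque)       # host -> timestamps in window
        self.restriction = {}                  # host -> (allowed_rate, last_exceeded_at)

    def _prune(self, host, now):
        # drop timestamps older than the counting interval
        q = self.window[host]
        while q and now - q[0] > self.interval:
            q.popleft()

    def observe(self, host, now):
        """Record one packet from host at time now.
        Returns the allowed rate now in force for host (None = unrestricted)."""
        q = self.window[host]
        q.append(now)
        self._prune(host, now)
        count = len(q)
        matched = None
        for limit, rate in self.thresholds:    # highest exceeded threshold wins
            if count > limit:
                matched = (limit, rate)
        if matched:
            rate = matched[1]
            prev = self.restriction.get(host)
            # never relax an existing restriction; refresh the decay clock
            rate = rate if prev is None else min(rate, prev[0])
            self.restriction[host] = (rate, now)
        return self.allowed_rate(host, now)

    def allowed_rate(self, host, now):
        """Current restriction for host, releasing it once the decay has elapsed."""
        r = self.restriction.get(host)
        if r is None:
            return None
        rate, last_exceeded = r
        if now - last_exceeded >= self.decay:
            del self.restriction[host]         # stayed below threshold long enough
            return None
        return rate


def simulate_dns():
    """Mirror '-p 53 -T 100:25 -T 200:0' with three constructed source hosts."""
    lim = ThresholdLimiter([(100, 25), (200, 0)], interval=1.0, decay=900.0)
    verdicts = {}
    for i in range(150):                       # 150 pkts in 1 s: over 100, limited to 25
        verdicts["10.0.0.1"] = lim.observe("10.0.0.1", i / 150)
    for i in range(250):                       # 250 pkts in 1 s: over 200, blocked
        verdicts["10.0.0.2"] = lim.observe("10.0.0.2", i / 250)
    for i in range(50):                        # 50 pkts in 1 s: under both thresholds
        verdicts["10.0.0.3"] = lim.observe("10.0.0.3", i / 50)
    after_decay = lim.allowed_rate("10.0.0.1", 1.0 + 900.0)   # quiet for 900 s
    return verdicts, after_decay


def simulate_ssh():
    """Mirror '-A sum -D 1800 -T 5:0' over a 30 s interval for one constructed host."""
    lim = ThresholdLimiter([(5, 0)], interval=30.0, decay=1800.0)
    host = "192.0.2.10"
    verdict = None
    for t in (0, 5, 10, 15, 20, 25):           # six SYNs inside one 30 s interval
        verdict = lim.observe(host, t)
    still_blocked = lim.allowed_rate(host, 25 + 1799)
    released = lim.allowed_rate(host, 25 + 1800)
    return verdict, still_blocked, released


if __name__ == "__main__":
    print("DNS:", simulate_dns())      # ({'10.0.0.1': 25, '10.0.0.2': 0, '10.0.0.3': None}, None)
    print("SSH:", simulate_ssh())      # (0, 0, None)
```

The decay clock is reset on every packet that pushes a host back over its threshold, which is why a host that keeps hammering a blocked port stays blocked indefinitely, while one that goes quiet for the full decay period is released on the next lookup.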