phreld

Section: User Commands (1)
Updated: Sep 2011
Index Return to Main Contents

NAME

phreld - Per Host RatE Limiter Daemon

SYNOPSIS

phreld [OPTION] <-T PPS[:RATE[:BURST[:DECAY]]] ...> [expression]

DESCRIPTION

phreld is the Per Host RatE Limiter (PHREL) daemon. It will track the rate of incoming traffic on a server and insert a chain into iptables when a configured threshold is crossed. The inserted chain may either rate limit or block the offending host for a period of time. The inserted chain is automatically removed when the offending hosts traffic levels return to normal.

This application can be used to protect a public server against abusive hosts and defend against brute force login attempts. It is particularly well suited to protecting nameservers (DNS) from random hosts which flood requests and preventing SSH brute force login attempts. Both IPv4 and IPv6 are supported.

NOTE: phreld will automatically ignore any traffic sourced from the local server.

The newest version of PHREL is available at:

http://www.digitalgenesis.com/software/phrel/

OPTIONS

Options can be given in any order. Options without an argument can be combined after a single dash.

Preferences
-I, --interface=INTERFACE: Monitor incoming traffic on specified interface. (Default: any)
-4, --ipv4=[on|off]: Set IPv4 to on or off. (Default: on)
-6, --ipv6=[on|off]: Set IPv6 to on or off. (Default: on)
-P, --protocol=PROTOCOL: Monitor incoming traffic only for specified PROTOCOL. (Default: any)
-p, --port=PORT: Monitor incoming traffic only on UDP/TCP specified PORT. (Default: any)
-T, --threshold=PPS[:RATE[:BURST[:DECAY]]]: Add threshold of PPS. This option may be specified multiple times to define different thresholds. If the threshold is triggered by a host, a chain will be inserted into iptables using a rate limiter of RATE PPS with a burst of BURST packets. This chain will remain for at least DECAY seconds. If the offending host stays below the threshold, it will be removed or reduced to the lowest threshold it is currently violating. (Default: none)
-R, --rate=PPS: Use PPS as the default RATE. If a configured threshold does not specify RATE, this value will be used. (Default: 0)
-B, --burst=PACKETS: Use PACKETS as the default BURST size. If a configured threshold does not specify BURST, this value will be used. (Default: 5)
-D, --decay=SECONDS: Use SECONDS as the default DECAY. If a configured threshold does not specify DECAY, this value will be used. (Default: 900)
-X, --exclude=PREFIX[/CIDR]: Exclude packets from any host within the specified PREFIX range. This option may be specified multiple times to define different prefix ranges and will take precedence over included prefix ranges. The daemon will not track or take any action against hosts within the specified prefix range. Use this option to exclude source addresses that you trust, such as your mail servers or management network(s). (Default: none)
-Y, --include=PREFIX[/CIDR]: Include packets from any host within the specified PREFIX range. This option may be specified multiple times to define different prefix ranges. The daemon will track and take action against any hosts within the specified prefix range if the host has not already been excluded by a exclude prefix range. Any hosts that are not within the include prefix range(s) will be excluded. (Default: any)
-A, --algo=<avg|sum|max>: The algorithm to use to calculate a hosts Packets Per Second (PPS). Available options are; avg, sum or max. (Default: avg)
-i, --interval=SECONDS: Use an interval of SECONDS to calculate PPS over. Higher interval values will increase memory usage but will minimize the impact of bursts of traffic since there will be more data to average together. (Default: 30)
-c, --check-interval=SECONDS: Use an interval of SECONDS between checking threshold crossings. Higher check interval values will increase CPU usage but will speed up detection of threshold crossings. (Default: 300)
-S, --snmptrap=HOST[:PORT][:COMMUNITY[:VERSION[:INFORM]]]: Send SNMP traps to HOST on PORT using COMMUNITY and VERSION. If INFORM enabled, any SNMP v2 trap will require an acknowledgment from the trap receiver or HOST (Default: none). PORT may be any value between 1 and 65535. (Default: 162) COMMUNITY may be any alphanumeric value. (Default: public) VERSION may be v1 or v2. (Default: v2) INFORM may be 0 or 1. (Default: 0)
-t, --test: Run in test mode. Program will function as normal except no updates to iptables will be made. (Default: off)
-w, --direction=<in|out|inout>: The direction to capture packets from the interface. Available options are; in, out or inout. (Default: in)
-m, --promiscuous: Run with promiscuous mode enabled. Program will enable promiscuous mode on the network interface card (NIC) allowing packets in the same collision domain as the server to be read and processed. This will increase CPU utilization and is usually not needed. (Default: off)
-j, --jump=CHAIN: The DROP action of chains inserted into iptables will be replaced with CHAIN. (Default: DROP)
-x, --iptables=PATH: Use the specified PATH to run the iptables utility. (Default: /sbin/iptables)
-y, --ip6tables=PATH: Use the specified PATH to run the ip6tables utility. (Default: /sbin/ip6tables)
Database
-H, --dbhost=HOST[:PORT]: Connect to the MySQL database at HOST and PORT to provide data syncronization between instances of PHREL. (Default: none)
-K, --dbsock=SOCKET: Connect to the MySQL database on SOCKET to provide data syncronization between instances of PHREL. (Default: none)
-N, --dbname=DATABASE: Use the database named DATABASE to store data. (Default: phrel)
-U, --dbuser=USER: Use the username USER to connect to the database (Default: phrel)
-W, --dbpass=PASSWORD: Use the password PASSWORD to connect to the database (Default: none)
-M, --dbcomp: Use compression protocol to communicate with the database. This is useful over low bandwidth links. (Default: off)
-G, --dbalgo=<avg|sum|max>: The algorithm to use to calculate a hosts Packets Per Second (PPS) for database input. Available options are; avg, sum or max. (Default: max)
-L, --dbthreshold=PPS: Threshold for data to be written to the database. This limits excessive inserts into the database. (Default: 2)
Process
-C, --config=FILE: Use configuration options specified within FILE. Command line options will override options specified within the configuration file. (Default: none)
-u, --user=USER: Run as user USER. (Default: current)
-g, --group=GROUP: Run as group GROUP. (Default: current)
-r, --chroot=DIR: Change root to DIRectory. (Default: none)
-o, --stats[=FILE]: Write statistics information to FILE. (Default: /var/run/phreld.stat)
-z, --dump[=FILE]: Write hash dump to FILE. (Default: /var/run/phreld.stat)
-n, --nice=[+/-]NUM: Run with a nice value of NUM. Values of -20 to 19 are valid. (Default: +5)
-d, --debug[=LEVEL]: Set the debug level to INT. Values of 1 to 9 are valid. (Default: off)
General
-h, --help: Display the help/usage information.
-v, --version: Display the version information.

FILES

/etc/phreld.conf: The configuration file.

EXAMPLES

Listen on port 53. At threshold 50 PPS, rate limit to 5 PPS. At threshold 75 PPS, block traffic.

phreld -p 53 -T 50:5 -T 75

Listen on port 53. At threshold 25 PPS, rate limit to 20 PPS. At threshold 50 PPS, rate limit to 10 PPS. At threshold 75 block traffic. Send SNMP v2 traps for all alarms to 192.168.33.1 using community public.

phreld -p 53 -T 25:20 -T 50:10 -T 75 --snmptrap=192.168.33.1:public:v2

Listen on interface eth0 for TCP traffic on port 25 (SMTP). At threshold 25, rate limit to 20 PPS with a burst size of 10 using a decay of 300 seconds. At threshold 50, rate limit to 10 PPS with a burst size of 5. At threshold 75 PPS, block traffic.

phreld -I eth0 -P tcp -p 25 -T 25:20:10:300 -T 50:10:5 -T 75:0

Listen on interface eth0 on port 53. At threshold 100 PPS, block traffic. Use default burst size of 10 and a decay of 1800 seconds for all thresholds. Exclude host 192.168.33.1, prefix range 192.168.55.0/24 (/24 is 255.255.255.0 in mask notation) and IPv6 prefix range 2001:4870:8000::/64.

phreld -I eth0 -p 53 -T 100 -B 10 -D 1800 -X 192.168.33.1 -X 192.168.55.0/24 -X 2001:4870:8000::/64

At threshold 50 PPS, block traffic. Listen to UDP traffic on port 53 except for host 192.168.33.1, prefix range 192.168.55.0/24 (/24 is 255.255.255.0 in mask notation) and IPv6 prefix range 2001:4870:8000::/64.

phreld -T 50 'udp dst port 53 and not (dst net 192.168.33.1 or 192.168.55.0/24 or 2001:4870:8000::/64)'

COPYRIGHT

Copyright (C) 2005-2011 Digital Genesis Software. All rights reserved.

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License <http://www.gnu.org/copyleft/gpl.html>
for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

AUTHOR

James M. Sella <sella@digitalgenesis.com>

HISTORY

09/09/11 - Released version 1.0.0
01/25/09 - Released version 0.9.8
07/21/08 - Released version 0.9.7
10/26/06 - Released version 0.9.6
04/15/06 - Released version 0.9.5
03/26/06 - Released version 0.9.4
03/22/06 - Released version 0.9.3
03/06/06 - Released version 0.9.2
03/05/06 - Released version 0.9.1
03/02/06 - Released version 0.9.0

This document was created by man2html, using the manual pages.
Time: 06:46:54 GMT, September 11, 2011