A Howto question

Support issues for PHREL, the Per Host RatE Limiter.

A Howto question

Postby nottledim » Mon Dec 12, 2011 10:04 pm

2) Protect SSH from brute force login attempts.
...
# /usr/local/bin/phreld -A sum -D 1800 -T 5:0 'port 22 and tcp[13] & tcp-syn != 0'

What does tcp[13] mean?

Is there any general documentation/explanation about these expressions?

Thanks
nottledim
 
Posts: 1
Joined: Mon Dec 12, 2011 10:00 pm

Re: A Howto question

Postby kimoaliali » Sun Dec 25, 2011 9:48 pm

How to protect httpd protocol or port 80 with PHREL ???
I need the configuration that does what I said, please help me ...
kimoaliali
 
Posts: 1
Joined: Sun Dec 25, 2011 9:31 pm

Re: A Howto question

Postby sella » Sat Dec 15, 2012 7:39 pm

What does tcp[13] mean?

Is there any general documentation/explanation about these expressions?


It means the 13th octet of the TCP header, which is where the SYN flag is stored, which is used to identify new TCP sessions.

PHREL uses libpcap internally to look at packets, which is also what tcpdump uses. Any rule you can build in tcpdump can be used with phrel to rate limit or block packets. The tcpdump man page has a great deal of information on how to look at packets. When you get into complex policies like this, an understanding of TCP headers helps though.

How to protect httpd protocol or port 80 with PHREL ???


This configuration will block any host that is attempting to open more than 10 TCP sessions a second on port 80 (HTTP), averaged over 30 seconds (default window). This rule is looking at port 80 and only the TCP SYN flag, which identifies new TCP sessions:

# phreld -T 10:0 'port 80 and tcp[13] == 2'
sella
Site Admin
 
Posts: 81
Joined: Sat Jan 17, 2004 6:53 pm
Location: Denver, CO
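To make the two filter expressions in this thread concrete, here is an added Python example (not PHREL's code and not from the forum posts) that builds a couple of constructed IPv4/TCP packets, reads the byte that libpcap calls tcp[13], and evaluates both expressions against it. It shows the difference a defender should know about: `tcp[13] & tcp-syn != 0` matches any packet with the SYN bit set, including the SYN-ACK a server sends back, while `tcp[13] == 2` matches only a packet whose sole flag is SYN, i.e. a client's connection attempt. The `PerHostSynLimiter` class is a hypothetical sliding-window counter modelled on sella's description of `-T 10:0` ("more than 10 sessions a second, averaged over 30 seconds"); PHREL's actual accounting and the meaning of the `:0` suffix are not documented on this page, so treat that part as an assumption.

```python
import struct
from collections import defaultdict, deque

# TCP flag bits, with the names libpcap filters use (tcp-fin, tcp-syn, ...).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed test data; checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # Byte 13 of the TCP header is the flags byte: ports (4) + seq (4) + ack (4) + data offset (1).
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp(pkt):
    """Return source address, ports and the raw value libpcap calls tcp[13]."""
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "sport": sport, "dport": dport, "tcp13": tcp[13]}


def filter_syn_bit(p, port):
    """Equivalent of 'port N and tcp[13] & tcp-syn != 0': SYN set, other bits ignored."""
    return port in (p["sport"], p["dport"]) and (p["tcp13"] & TCP_SYN) != 0


def filter_pure_syn(p, port):
    """Equivalent of 'port N and tcp[13] == 2': only SYN set, so SYN-ACK does not match."""
    return port in (p["sport"], p["dport"]) and p["tcp13"] == TCP_SYN


class PerHostSynLimiter:
    """Hypothetical sliding-window per-host counter modelled on the thread's
    description of -T; PHREL's real accounting is not documented on this page."""

    def __init__(self, per_second, window=30.0):
        self.per_second, self.window = per_second, window
        self.events = defaultdict(deque)
        self.blocked = set()

    def observe(self, host, t):
        """Record one matching packet from host at time t; return True if host is blocked."""
        q = self.events[host]
        q.append(t)
        while q and q[0] <= t - self.window:  # drop events older than the window
            q.popleft()
        if len(q) / self.window > self.per_second:  # average rate over the window
            self.blocked.add(host)
        return host in self.blocked


def demo():
    """Run both filters and the limiter over constructed traffic (documentation addresses)."""
    syn = parse_tcp(build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 80, TCP_SYN))
    synack = parse_tcp(build_ipv4_tcp("192.0.2.10", "198.51.100.7", 80, 40000, TCP_SYN | TCP_ACK))
    limiter = PerHostSynLimiter(per_second=10)  # the thread's -T 10:0 rule, as described
    quiet = [limiter.observe("198.51.100.8", i * 0.5) for i in range(20)]     # 20 SYNs in 10 s
    noisy = [limiter.observe("198.51.100.7", i * 0.01) for i in range(320)]   # 320 SYNs in ~3 s
    return {
        "syn_tcp13": syn["tcp13"], "synack_tcp13": synack["tcp13"],
        "syn_bit": (filter_syn_bit(syn, 80), filter_syn_bit(synack, 80)),
        "pure_syn": (filter_pure_syn(syn, 80), filter_pure_syn(synack, 80)),
        "quiet_blocked": any(quiet), "noisy_blocked": noisy[-1],
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the port 22 rule quoted at the top of the thread is that, if the protected host also makes outbound SSH connections, the returning SYN-ACKs carry both bits and would count under `tcp[13] & tcp-syn != 0`; the `tcp[13] == 2` form used in the port 80 answer counts only inbound connection attempts.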
