Uses for PHREL
Protecting a public nameserver (DNS)
If your nameserver is being attacked or used in a reflection attack, which quickly fills your logs with messages such as "named[xxxx]: client x.x.x.x#yyyyy: error sending response: host unreachable", you can use phreld to block the abuse and stop the log messages. For a nameserver with smaller traffic, set a threshold of 15 pps with a rate of 0 on port 53 (DNS) to dynamically block these packets. Nameservers with larger traffic need a higher threshold: a busy legitimate recursive resolver can send more than 15 queries per second on its own, so the threshold should sit above the rate of your busiest legitimate client.
# /usr/sbin/phreld -p 53 -T 15:0
This example uses phreld to listen on port 53 (DNS) for hosts that exceed thresholds of 50 PPS and 100 PPS. Hosts that exceed 50 PPS are rate limited down to 25 PPS; hosts that exceed 100 PPS are blocked (rate of 0). A blocked or rate-limited host must stay below the threshold it exceeded for 900 seconds (decay) before the block or limit is removed.
# /usr/sbin/phreld -p 53 -T 50:25 -T 100:0 -D 900
Preventing SSH, Telnet and FTP brute force login attempts
This example uses phreld to listen on TCP ports 21 (FTP), 22 (SSH) and 23 (Telnet) for hosts that attempt to connect more than 5 times in 30 seconds (interval). Hosts that exceed this threshold are blocked for 1800 seconds (decay) before being allowed to connect to the server again. The filter tcp[13] == 2 matches packets whose TCP flags byte is exactly SYN, i.e. new connection attempts, so only connection attempts count toward the threshold and the traffic of established sessions does not. This is an effective way of blocking brute force break-in attempts.
# /usr/sbin/phreld -A sum -i 30 -D 1800 -T 5:0 'portrange 21-23 and tcp[13] == 2'
Protecting web servers (HTTP/HTTPS)
This example uses phreld to listen on TCP ports 80 (HTTP) and 443 (HTTPS) for hosts that open an average of more than 10 TCP sessions over 30 seconds (interval); tcp[13] == 2 again counts only SYN packets, i.e. new connections. Hosts that exceed this threshold are blocked for 1800 seconds (decay) before being allowed to connect to the server again. Browsers open several connections in parallel and clients behind a shared NAT or proxy all appear as one host, so choose this threshold with your legitimate traffic in mind.
# /usr/sbin/phreld -i 30 -D 1800 -T 10:0 '(port 80 or 443) and tcp[13] == 2'
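To make the threshold, rate, interval and decay semantics of the commands above concrete, here is an added Python simulation of that policy. It is an illustration written for this page, not phreld's own code: that a threshold is counted as packets per interval bucket, that a rate limit is enforced per whole second, and that the decay clock restarts each time the sanctioned threshold is exceeded again are assumptions made here. It plays out the DNS example with -T 50:25 -T 100:0 -D 900 and the brute-force example with -i 30 -D 1800 -T 5:0; the source addresses and packet timings are constructed.

```python
"""Simulation of the threshold / rate / decay policy shown in the phreld
examples above.  Added illustration only: not phreld's source code, and the
interval/rate accounting below is an assumption, not phreld's documented one."""
import math
from collections import Counter, defaultdict


class RateLimiter:
    """Per-source policy built from -T threshold:rate pairs, -i interval, -D decay.

    thresholds: list of (packets_per_interval, allowed_pps); allowed_pps 0 blocks.
    """

    def __init__(self, thresholds, interval=1, decay=900):
        self.thresholds = sorted(thresholds)      # lowest threshold first
        self.interval = interval
        self.decay = decay
        self.seen = defaultdict(int)              # (src, interval bucket) -> packets seen
        self.passed = defaultdict(int)            # (src, whole second) -> packets let through
        self.sanction = {}                        # src -> [threshold, allowed_pps, last_exceeded_at]

    def state(self, src):
        """('limit', pps), ('block', 0), or None for an unsanctioned host."""
        s = self.sanction.get(src)
        if s is None:
            return None
        return ("block", 0) if s[1] == 0 else ("limit", s[1])

    def observe(self, src, t):
        """Record one packet from src at time t (seconds); return 'pass' or 'drop'."""
        s = self.sanction.get(src)
        if s is not None and t - s[2] >= self.decay:
            del self.sanction[src]                # stayed below its threshold long enough
            s = None

        bucket = math.floor(t / self.interval)
        self.seen[(src, bucket)] += 1
        n = self.seen[(src, bucket)]

        # Highest threshold this host has crossed within the current interval.
        hit = None
        for thr, rate in self.thresholds:
            if n > thr:
                hit = (thr, rate)

        if hit is not None and (s is None or hit[0] >= s[0]):
            # New sanction, escalation, or the sanctioned threshold exceeded again:
            # the decay clock restarts, because the host must stay *below* the
            # threshold it exceeded for `decay` seconds before it is released.
            self.sanction[src] = [hit[0], hit[1], t]
            s = self.sanction[src]

        second = math.floor(t)
        if s is not None and (s[1] == 0 or self.passed[(src, second)] >= s[1]):
            return "drop"                         # blocked, or over its per-second allowance
        self.passed[(src, second)] += 1
        return "pass"


def burst(limiter, src, start, n, duration):
    """Send n evenly spaced packets from src over `duration` seconds; count verdicts."""
    step = duration / n
    return Counter(limiter.observe(src, start + i * step) for i in range(n))


if __name__ == "__main__":
    # phreld -p 53 -T 50:25 -T 100:0 -D 900   (constructed addresses from documentation ranges)
    dns = RateLimiter([(50, 25), (100, 0)], interval=1, decay=900)
    print(burst(dns, "198.51.100.7", 0, 60, 1), dns.state("198.51.100.7"))  # 60 pps -> limited
    print(burst(dns, "198.51.100.7", 1, 60, 1))                             # only 25 pass now
    print(burst(dns, "203.0.113.9", 0, 150, 1), dns.state("203.0.113.9"))   # 150 pps -> blocked
    print(dns.observe("203.0.113.9", 500), dns.observe("203.0.113.9", 905)) # decay at 900 s

    # phreld -A sum -i 30 -D 1800 -T 5:0 'portrange 21-23 and tcp[13] == 2'
    ssh = RateLimiter([(5, 0)], interval=30, decay=1800)
    print(burst(ssh, "192.0.2.44", 0, 8, 16), ssh.state("192.0.2.44"))      # 8 SYNs in 16 s
    print(ssh.observe("192.0.2.44", 100), ssh.observe("192.0.2.44", 1900))  # still blocked, then freed
```

The two lists are the whole state phreld-style blocking needs per source: how many packets arrived in the current interval, and when the host last exceeded the threshold it is sanctioned for. Note that a host which keeps hammering while blocked never decays, because every over-threshold interval restarts the clock; that is the behaviour you want against a sustained attack, and the reason a legitimate resolver or NAT gateway must be kept under the threshold rather than relied on to age out.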