Used when someone needs to be decisive amongst too much planning and inaction
leroyjenkins reads data from stdin and assumes each line is an IP address. Use it in combination with standard Unix tools like tail -F. When an IP address shows up too often before its cache entry times out, it is added to the nftables set with the specified timeout.
tail -F /tmp/ips.log | RUST_LOG=info ./target/release/leroyjenkins --bl-period=1m --bl-threshold=100 --ban-base-time=100s --ban-ttl=1d --table=leroy --ipv6-set=leroy6 --ipv4-set=leroy4
Warning
leroyjenkins itself does nothing to your firewall rules. Use nftables rules similar to the ones below.
Note
Must be run with enough privileges to actually modify nftables sets. Otherwise it fails with a generic:
Error: Os { code: 71, kind: Uncategorized, message: "Protocol error" }
cargo +nightly build --release
You need to install the nightly toolchain with rustup:
rustup toolchain install nightly
Before running, create the nftables table and sets; leroy expects these to exist:
#!/usr/sbin/nft -f
table inet leroy {
    # Define our sets
    set leroy4 {
        type ipv4_addr;
        timeout 60s;
        size 65536;
        flags timeout;
    }
    set leroy6 {
        type ipv6_addr;
        timeout 60s;
        size 65536;
        flags timeout;
    }
    # Named counter referenced by the input rules below; nft requires it
    # to be declared before a rule can refer to it with "counter name"
    counter leroyed { }
    chain input {
        # accept everybody by default in this chain, with a really
        # high priority so that we can reject them as early as
        # possible in the Netfilter system
        type filter hook input priority -900; policy accept;
        # but if you match, you're out
        ip saddr @leroy4 counter name leroyed reject with tcp reset
        ip6 saddr @leroy6 counter name leroyed reject with tcp reset
    }
    chain output {
        # accept everybody by default in this chain, with a really
        # high priority so that we can reject them as early as
        # possible in the Netfilter system
        type filter hook output priority -900; policy accept;
        # but if you match, you're out
        ip daddr @leroy4 reject with tcp reset
        ip6 daddr @leroy6 reject with tcp reset
    }
}
Because it reads from stdin and this is Unix, you can pipe stuff into it. Use tail -F, use awk, use grep or rg or ag.
tail -F /var/log/app/app.ratelimit.log | ag 'naughty.behaviour' | stdbuf --output=L awk '{print $NF}' | leroyjenkins $LEROY_ARGS
Because it's Unix, use bash and shuf to ban a random IP every second for an hour with:
while sleep 1; do echo `shuf -i1-256 -n1`.`shuf -i1-256 -n1`.`shuf -i1-256 -n1`.`shuf -i1-256 -n1`; done | RUST_LOG=info ./target/release/leroyjenkins --bl-period=10s --bl-threshold=0 --ban-base-time=100s --ban-ttl=1h --table leroy --ipv6-set=leroy6 --ipv4-set=leroy4
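As an added example (not leroyjenkins' own code), the Rust sketch below models the decision described above: count sightings of each IP inside --bl-period, and once they exceed --bl-threshold produce the nft command that adds the IP to the leroy4 or leroy6 set with the --ban-base-time timeout. Time is passed in explicitly so the logic is testable without a clock; the --ban-ttl escalation is not modelled, and the nft command is only printed, never executed.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::Duration;

/// Per-IP sighting cache: (count inside the current period, period start).
pub struct Blacklister {
    bl_period: Duration,   // how long a sighting stays in the cache (--bl-period)
    bl_threshold: u32,     // sightings tolerated per period (--bl-threshold)
    ban_time: Duration,    // timeout given to the set element (--ban-base-time)
    seen: HashMap<IpAddr, (u32, Duration)>,
}

impl Blacklister {
    pub fn new(bl_period: Duration, bl_threshold: u32, ban_time: Duration) -> Self {
        Self { bl_period, bl_threshold, ban_time, seen: HashMap::new() }
    }

    /// Record one stdin line seen at `now` (monotonic offset since start).
    /// Returns the nft command to run once the threshold is exceeded.
    pub fn observe(&mut self, line: &str, now: Duration) -> Option<String> {
        let ip: IpAddr = line.trim().parse().ok()?; // non-IP lines are ignored
        let (period, threshold) = (self.bl_period, self.bl_threshold);
        let entry = self.seen.entry(ip).or_insert((0, now));
        if now.saturating_sub(entry.1) >= period {
            *entry = (0, now); // cache entry timed out: start a fresh period
        }
        entry.0 += 1;
        if entry.0 <= threshold {
            return None;
        }
        self.seen.remove(&ip); // banned: counting starts over afterwards
        let set = if ip.is_ipv4() { "leroy4" } else { "leroy6" };
        Some(format!(
            "nft add element inet leroy {} {{ {} timeout {}s }}",
            set, ip, self.ban_time.as_secs()
        ))
    }
}

fn main() {
    use std::io::BufRead;
    let start = std::time::Instant::now();
    // Same values as the first invocation above: 1m period, threshold 100, 100s ban.
    let mut bl = Blacklister::new(Duration::from_secs(60), 100, Duration::from_secs(100));
    for line in std::io::stdin().lock().lines().map_while(Result::ok) {
        if let Some(cmd) = bl.observe(&line, start.elapsed()) {
            println!("{cmd}"); // printed only; a real tool would hand this to nft
        }
    }
}
```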