[Koha] Securing opac-search
Philippe Blouin
philippe.blouin at inlibro.com
Wed Mar 19 03:01:26 NZDT 2025
Here we're on 24.05, with no issue. But I use drastic measures, an
array of them accumulated over years.
First of all: there are many $$ services that do the job very well, and
would make sense for individual entities. For service providers like
us, that could become expensive.
Many hacks with *MaxMindDB* to redirect all non-Canadian traffic
targeting our city (public) libraries. But for institutions
(universities, hospitals) wanting to stay open to the world, I analyse
all IPs in /var/log/apache2/other_vhosts_access.log and group the IPs by
/16 and /24 to catch all the spreaders (1 call from each of 255
different IPs, for example) and block them automatically with *ufw*.
And very important for a small company like us, not specialized in
security: _I do not care about collateral damage_. If something needs
to be unblocked, I create a new rule manually with ufw.
Part proactive (allowing only CA, or automatically redirecting CN, RU,
etc.), part reactive (waiting for enough calls to come in, and
batch-blocking at midnight). Whatever gets through doesn't impact
performance, and that's all that matters to us in the end.
Philippe Blouin
Director of Technology
T 833-INLIBRO (465-4276) <tel:833-465-4276>, ext. 230
C philippe.blouin at inLibro.com
www.inLibro.com <https://inLibro.com>
On 2025-03-18 09:07, Magnus Enger wrote:
> Kia ora!
>
> On 18.03.2025 13:59, Fairlamb, Christina wrote:
>> Hello,
>>
>> Koha 24.11.01
>>
>> Not strictly a Koha problem but something I know a lot of Koha users
>> face. After years of running happily with fail2ban and robots.txt
>> blocking bots/crawlers, the security seems to have passed. We've been
>> getting more and more bots of late switching IPs before bans can take
>> place, perhaps they could be DDoS, either way grinding Koha to a halt.
>> I've had to switch OPACPublic to disable for now. I can't find much
>> about securing a server against these types of hits. Does anyone else
>> running a small server have any guidance on what could be done/the
>> next steps? I'd ideally like to keep the OPAC public.
>
> Not much help, but I know this will be a topic for discussion in
> Marseille, in a couple of weeks. Maybe some good advice can come from
> that.
>
> Best regards,
> Magnus
> _______________________________________________
>
> Koha mailing list http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
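The log-grouping step Philippe describes (take the client IPs from other_vhosts_access.log, group them by /24 or /16, flag blocks where many distinct addresses each make only a few requests, and hand the block to ufw), written out as an added example that is not code from the thread or from Koha. The log lines, the thresholds and the exact ufw command are assumptions; the script only returns the commands it would run so the result can be reviewed before anything is blocked.

```python
import ipaddress
import re
from collections import defaultdict

# Apache "vhost_combined" format, as written to other_vhosts_access.log:
# "<vhost>:<port> <client-ip> - - [timestamp] "<request>" <status> ..."
LOG_RE = re.compile(r"^\S+ (\S+) ")

# Constructed sample log: one /24 where four different hosts each hit
# opac-search once (the "spreader" pattern), one busy single client that
# fail2ban would catch on its own, and one harmless lone visitor.
SAMPLE_LOG = [
    f'opac.example.org:443 203.0.113.{i} - - [18/Mar/2025:09:07:0{i} +0100] '
    f'"GET /cgi-bin/koha/opac-search.pl?q=x{i} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for i in range(1, 5)
] + [
    'opac.example.org:443 198.51.100.7 - - [18/Mar/2025:09:08:00 +0100] '
    '"GET /cgi-bin/koha/opac-search.pl?q=y HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
] * 5 + [
    'opac.example.org:443 192.0.2.9 - - [18/Mar/2025:09:09:00 +0100] '
    '"GET /cgi-bin/koha/opac-main.pl HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
]

def client_ips(lines):
    """Yield the client address of each well-formed log line (IPv4 only)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.version == 4:
            yield ip

def spreader_prefixes(lines, prefix_len=24, min_distinct_ips=3, max_avg_hits=2.0):
    """Group client IPs by /prefix_len and return {prefix: distinct-ip-count}
    for blocks where many distinct hosts each make only a few requests.
    Thresholds are assumed values; tune them against your own traffic."""
    hits = defaultdict(lambda: defaultdict(int))
    for ip in client_ips(lines):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hits[net][ip] += 1
    flagged = {}
    for net, per_ip in hits.items():
        avg = sum(per_ip.values()) / len(per_ip)
        if len(per_ip) >= min_distinct_ips and avg <= max_avg_hits:
            flagged[str(net)] = len(per_ip)
    return flagged

def ufw_rules(flagged):
    """Return the ufw commands to review; nothing is executed here."""
    return [f"ufw deny from {net} to any" for net in sorted(flagged)]
```

Running `ufw_rules(spreader_prefixes(SAMPLE_LOG))` on the constructed sample flags only the /24 with four one-shot hosts; the single busy client is left for fail2ban's per-IP logic.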