[Koha] Securing opac-search
David Cook
dcook at prosentient.com.au
Wed Mar 19 13:38:35 NZDT 2025
Hi Christina,
Locally for the Koha instances I support, I've been writing some experimental user-friendly Koha-based anti-bot code.
Firstly, I rate limit the number of visits to opac-search.pl based on IP address blocks. That is, if multiple IP addresses from a /24 or /16 CIDR block perform X visits over Y minutes, they'll get a temporary block and see a user-friendly Koha page saying too many requests are coming from their device. (However, as you've noted, this won't work against bots that use a different IP address for every request.)
Secondly, for pages like opac-search.pl, opac-detail, etc., I've been working on checks which identify obvious bots (by UserAgent string or other particular HTTP headers), identify mistakes made in the bot request (some bots try to be too clever and give themselves away in the process), etc. At the moment, they mostly just get a very small 404 message, which reduces impact on the Koha server. This takes care of a lot of bots. (However, there are still bots that perfectly mimic real human users, which get past this check. Also, this check can create false positives for legitimate third-party integrations like Discovery systems, which is a problem.)
Thirdly, I have a user-friendly challenge screen produced by Koha, which in theory will let humans prove they're human and not bots. At the moment, the threshold is extremely high, so it doesn't get triggered. But I'm thinking of lowering the threshold. (However, this means that it's very likely that real humans will trigger this check and get the challenge screen. So I need to make sure the "friction" they feel is minimal, so the user experience is still pleasant. This is still a work in progress. I have all the ideas and code in my head, but we've been managing bots well, so this hasn't been a high priority for us.)
--
The first change is "In Discussion" on Bugzilla as Bug 39109.
I haven't submitted patches for the second and third changes yet, as they depend on other local code at the moment and I'm still fine-tuning much of it. But it is my intention to submit patches for them eventually. The "challenge screen" I'll probably wait the longest on, until it's proven in my local systems.
Unfortunately, that's not much help in the short term, but hopefully it will help in the long term. I'm always happy to discuss this topic with people as well if they have their own changes in mind or want to help out.
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
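A sketch of the block-based rate limiting described in the first point above, added here as an illustration; it is not David's code and not part of Koha. The thresholds, window and ban length are assumed placeholders, the request timestamps are passed in explicitly so the behaviour is deterministic, and the traffic is constructed; the last two checks show that a different /16 is unaffected (the caveat about IP rotation) and that the ban lifts after it expires.

```python
import ipaddress
from collections import defaultdict, deque


class CidrRateLimiter:
    """Sliding-window rate limiter keyed on CIDR prefixes rather than single IPs.

    Every request is counted against its /24 and its /16 block (assumed
    thresholds), so a crawler rotating through addresses inside one block
    still trips the limit. Hit counts and bans are kept in memory only.
    """

    def __init__(self, window_sec, block_sec, limits):
        self.window = window_sec        # length of the counting window
        self.block = block_sec          # how long a tripped block stays banned
        self.limits = limits            # {prefix_len: max hits per window}
        self.hits = defaultdict(deque)  # network -> timestamps of recent hits
        self.blocked_until = {}         # network -> time the ban expires

    def _networks(self, ip):
        addr = ipaddress.ip_address(ip)
        # Assumption: IPv4 only; IPv6 would need its own prefix table (e.g. /64, /48).
        return [ipaddress.ip_network(f"{addr}/{p}", strict=False) for p in self.limits]

    def check(self, ip, now):
        """Return (allowed, reason) for a request from `ip` at time `now` (seconds)."""
        nets = self._networks(ip)
        for net in nets:                # honour an existing temporary ban
            exp = self.blocked_until.get(net)
            if exp is not None and now < exp:
                return False, f"blocked {net}"
            self.blocked_until.pop(net, None)   # ban has expired
        for net in nets:                # count this hit against each block
            q = self.hits[net]
            q.append(now)
            while q and q[0] <= now - self.window:
                q.popleft()             # drop hits that fell out of the window
            if len(q) > self.limits[net.prefixlen]:
                self.blocked_until[net] = now + self.block
                q.clear()
                return False, f"blocked {net}"
        return True, "ok"


def demo():
    """Constructed traffic: ten requests from rotating IPs inside 203.0.113.0/24."""
    rl = CidrRateLimiter(window_sec=60, block_sec=300, limits={24: 5, 16: 50})
    verdicts = [rl.check(f"203.0.113.{i}", t)[0] for i, t in zip(range(1, 11), range(10))]
    other_block = rl.check("198.51.100.7", 10)[0]    # different /16: unaffected
    after_expiry = rl.check("203.0.113.99", 305)[0]  # ban has lifted by now
    return verdicts, other_block, after_expiry
```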
-----Original Message-----
Date: Tue, 18 Mar 2025 13:59:14 +0100
From: "Fairlamb, Christina" <cjf at wmu.se>
To: koha <koha at lists.katipo.co.nz>
Subject: [Koha] Securing opac-search
Message-ID:
<CANrPTp4D9kONGYxZktMGpvFjdVqdhpPhKD3mau1ceN6S91fkCg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hello,
Koha 24.11.01
Not strictly a Koha problem but something I know a lot of Koha users face.
After years of running happily with fail2ban and robots.txt blocking bots/crawlers, the security seems to have passed. We've been getting more and more bots of late switching IPs before bans can take place, perhaps they could be DDoS, either way grinding Koha to a halt. I've had to switch OPACPublic to disable for now. I can't find much about securing a server against these types of hits. Does anyone else running a small server have any guidance on what could be done/the next steps? I'd ideally like to keep the OPAC public.
Thank you
Christina