Hi Christina,

Locally for the Koha instances I support, I've been writing some experimental user-friendly Koha-based anti-bot code.
Firstly, I rate limit the number of visits to opac-search.pl based on IP address blocks. That is, if multiple IP addresses from a /24 or /16 CIDR block perform X visits over Y minutes, they'll get a temporary block and see a user-friendly Koha page saying too many requests are coming from their device. (However, as you've noted, this won't work against bots that use a different IP address for every request.)

Secondly, for pages like opac-search.pl, opac-detail, etc., I've been working on checks which identify obvious bots (by UserAgent string or other particular HTTP headers), identify mistakes made in the bot request (some bots try to be too clever and give themselves away in the process), etc. At the moment, they mostly just get a very small 404 message, which reduces impact on the Koha server. This takes care of a lot of bots. (However, there are still bots that perfectly mimic real human users, which get past this check. Also, this check can create false positives for legitimate third-party integrations like Discovery systems, which is a problem.)

Thirdly, I have a user-friendly challenge screen produced by Koha, which in theory will let humans prove they're human and not bots. At the moment, the threshold is extremely high, so it doesn't get triggered. But I'm thinking of lowering the threshold. (However, this means that it's very likely that real humans will trigger this check and get the challenge screen. So I need to make sure the "friction" they feel is minimal, so the user experience is still pleasant. This is still a work in progress. I have all the ideas and code in my head, but we've been managing bots well, so this hasn't been a high priority for us.)

--

The first change is "In Discussion" on Bugzilla as Bug 39109. I haven't submitted patches for the second and third changes yet, as they depend on other local code at the moment and I'm still fine-tuning much of it. But it is my intention to submit patches for them eventually.

The "challenge screen" I'll probably wait the longest on, until it's proven in my local systems. Unfortunately, that's not much help in the short term, but hopefully it will help in the long term.

I'm always happy to discuss this topic with people as well if they have their own changes in mind or want to help out.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899

-----Original Message-----
Date: Tue, 18 Mar 2025 13:59:14 +0100
From: "Fairlamb, Christina" <c...@wmu.se>
To: koha <koha@lists.katipo.co.nz>
Subject: [Koha] Securing opac-search
Message-ID: <canrptp4d9kongyxzktmgpvfjdvqdhpphkd3mau1cen6s91f...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hello,

Koha 24.11.01

Not strictly a Koha problem, but something I know a lot of Koha users face.

After years of running happily with fail2ban and robots.txt blocking bots/crawlers, the security seems to have passed. We've been getting more and more bots of late switching IPs before bans can take place. Perhaps they could be DDoS; either way, they're grinding Koha to a halt. I've had to switch OPACPublic to disable for now.

I can't find much about securing a server against these types of hits. Does anyone else running a small server have any guidance on what could be done/the next steps? I'd ideally like to keep the OPAC public.

Thank you
Christina
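As an added illustration of the block-based rate limiting David describes in his first measure (example code written for this thread, not Koha's or David's own code; Python stands in for Koha's Perl, and the limits, timings and addresses are constructed):

```python
# Sliding-window rate limiter keyed by CIDR block rather than by single IP:
# hits are counted per /24 (or /16), so a crawler that rotates addresses
# inside one block still trips the limit and gets the small "too many
# requests" page instead of running opac-search.pl. Hypothetical code.
import ipaddress
from collections import defaultdict, deque


class BlockRateLimiter:
    def __init__(self, prefix_len, max_hits, window_seconds, ban_seconds):
        self.prefix_len = prefix_len      # 24 or 16 for IPv4 blocks
        self.max_hits = max_hits          # "X visits" ...
        self.window = window_seconds      # ... "over Y" seconds
        self.ban_seconds = ban_seconds    # length of the temporary block
        self.hits = defaultdict(deque)    # block -> hit timestamps in window
        self.banned = {}                  # block -> time the ban expires

    def block_of(self, ip):
        # strict=False masks the host bits, mapping any address to its block
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def allow(self, ip, now):
        """True if the request may proceed, False if it should be blocked."""
        block = self.block_of(ip)
        expiry = self.banned.get(block)
        if expiry is not None:
            if now < expiry:
                return False
            del self.banned[block]        # ban has lapsed, start counting again
        q = self.hits[block]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                   # drop hits older than the window
        if len(q) > self.max_hits:
            self.banned[block] = now + self.ban_seconds
            q.clear()
            return False
        return True


def run_demo(prefix_len):
    """Replay constructed traffic: a bot rotating through 30 addresses in
    203.0.113.0/24 within 30 s, then one ordinary user on another block.
    Returns the allow/deny decision for each request in order."""
    limiter = BlockRateLimiter(prefix_len, max_hits=20, window_seconds=60, ban_seconds=300)
    traffic = [(t, f"203.0.113.{t + 1}") for t in range(30)] + [(31, "198.51.100.7")]
    return [limiter.allow(ip, t) for t, ip in traffic]


if __name__ == "__main__":
    print("per /24:", run_demo(24))   # bot cut off after 20 hits, user untouched
    print("per IP :", run_demo(32))   # all allowed: rotation defeats per-IP limits
```

Running the same traffic with a /32 key shows why David keys on blocks: each rotated address is seen once, so a per-IP limit never fires.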